Guidelines for using APF

Installations using APF authorization must control which programs are stored in authorized libraries and in the link pack area (pageable LPA, modified LPA, fixed LPA, and dynamic LPA). If the first module in a program sequence is authorized, the system assumes that the flow of control to all subsequent modules is known and secure as long as these subsequent modules come from authorized libraries or the link pack area. To ensure that this assumption is valid, the installation should:
  • Ensure that all programs that run as authorized programs adhere to the installation's integrity guidelines.
  • Ensure that no two load modules with the same name exist across the set of authorized libraries or the link pack area. Two modules with the same name could lead to accidental or deliberate mix-up in module flow, possibly introducing an integrity exposure.
  • Link edit with the authorization code (AC=1) only the first load module in a program sequence. Do not use the authorization code for subsequent load modules, thus ensuring that a user cannot call modules out of sequence, or bypass validity checking or critical logic flow.

IBM® recommends that you protect the libraries in the APF list with a security product, such as RACF®, and ensure that only appropriate users with system maintenance responsibilities can update these libraries. You should also apply similar controls to any library that contributes modules to the link pack area (pageable LPA, modified LPA, fixed LPA, or dynamic LPA) and to any libraries specified in RACF PROGRAM profiles.

Parent topic: Using APF to restrict access to system functions