Security overview
The security overview covers how secure communication is established between different IBM® Unified Management Server for z/OS® components.
You can restrict access to Unified Management Server 1.2 by selecting one of the following security models:
- IBM® System Authentication Facility (SAF)-based security
- Data set-based security
Note: Only one security model can be active at a time. It is recommended to configure SAF-based security because data set-based security, although supported, will be deprecated in a future release. For details, see Deprecated and removed functions in Unified Management Server.
You can enable the SAF-based security by specifying the following in your ZWEYAML member:
components:
  izp:
    security:
      useSAFOnly: true
For details, see Setting up users and teams.
The following figure illustrates a high-level security architectural overview for Unified Management Server 1.2.

The following steps describe how the IBM Unified Management Server for z/OS security components relate to one another.
- The end user uses the Zowe login process for authentication. The Unified Management Server Web App passes the user request over HTTPS to the Zowe server, which is a Node.js component.
- The Node.js component communicates with the UMS server over HTTPS.
- The UMS server securely communicates with the backend services provided by Db2 subsystem tools, which include the following:

  Table 1. Db2 subsystem tools for Unified Management Server

  | Product name | Note |
  | --- | --- |
  | IBM SQL Tuning Services | Before tuning a SQL query in UMS, you must install and activate at least one Db2 experience product and configure the UMS server for IBM SQL Tuning Services. UMS uses HTTPS to communicate with IBM SQL Tuning Services. |
  | IBM Db2 Analytics Accelerator for z/OS | Before using the accelerator feature for Db2 queries, you must install and activate at least one Db2 experience product and configure the UMS Java™ Server for Db2 accelerator services. UMS uses HTTPS to communicate with IBM Db2 Analytics Accelerator for z/OS. |

- The network communication between Zowe and ZSS Server is secured using HTTPS.
- The ZSS Server initiates a program call to the Zowe Cross-Memory (ZIS) Server.
- The ZIS Server communicates with SAF, for example, RACF, ACF2, or Top Secret.
- The ZIS Server auxiliary address space communicates with the Db2 subsystem or the IMS subsystem.
- The UMS server communicates with the Db2 subsystem over JDBC.
- The UMS server communicates with the z/OSMF component over HTTPS.
- The end user can also communicate with the UMS server using REST API calls over HTTPS.
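
The `useSAFOnly` setting described earlier only takes effect when it is nested under `components`, `izp` and `security`. The following check is an added example, not part of the IBM documentation or product: it assumes you run it against a local copy of the Zowe YAML, and the function names and sample inputs are constructed for illustration.

```python
import re

TARGET = ["components", "izp", "security", "useSAFOnly"]
KEY_LINE = re.compile(r"^( *)([A-Za-z0-9_.-]+):(?:\s+(.*))?$")

def find_setting(yaml_text, path=TARGET):
    """Return the raw scalar at `path` in block-style YAML, or None if absent."""
    stack = []  # (indent, key) for each mapping key enclosing the current line
    for raw in yaml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            continue  # list items and continuation lines cannot be on the path
        indent, key, value = len(m.group(1)), m.group(2), m.group(3) or ""
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        stack.append((indent, key))
        if [k for _, k in stack] == path and value:
            return value
    return None

def audit(yaml_text):
    """Classify a config as 'saf-only', 'not-saf-only' or 'missing'."""
    value = find_setting(yaml_text)
    if value is None:
        return "missing"
    # Only an unquoted boolean true counts; a quoted 'true' is a YAML string.
    return "saf-only" if value.lower() == "true" else "not-saf-only"

# Constructed sample inputs (not taken from a real system).
NESTED = """\
components:
  izp:
    security:
      useSAFOnly: true  # SAF-based security
"""
MISNESTED = """\
components:
  izp:
    security:
  useSAFOnly: true
"""

if __name__ == "__main__":
    print(audit(NESTED), audit(MISNESTED))
```

A result of `missing` means the key was not found at the expected path, which includes the case where it is present but indented under the wrong parent.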