Security considerations

This topic highlights some of the security limitations that you might encounter with this application. To help ensure the security of your installation, customize your security settings and set up user access controls.

Enabling security during the installation process

Security configuration for Developer for z/OS® is addressed in Security definitions. More details on all security aspects can be found in Security considerations.

Security considerations for Developer for z/OS:

  • Installing Developer for z/OS results in a basic configuration with default settings for a basic, secure setup. Extra configuration tasks, such as configuring secure communication, allow for tighter controls. This information is covered in detail in Security considerations.
    Note: Security is not fully enabled during the installation process and must be enabled during customization after installation is complete. The customization of some security-related aspects must be completed for the product to work and for certain security features to be enabled. This limitation applies to silent installations.
  • Security for Developer for z/OS on the host is configured through a combination of Developer for z/OS configuration files and RACF® commands (or other similar security products).
  • Developer for z/OS does not provide a login option when the Developer for z/OS host acts as an LDAP client that queries a customer-specific LDAP server for the group membership information used to enforce the wanted client behavior. LDAP logon information can be provided in a configuration file when the Developer for z/OS host acts as an LDAP client that accesses public certificate revocation lists (CRLs).
  • Security for Developer for z/OS database authentication is enabled through RACF commands.
  • For information about setting up secure communication and installing a custom certificate, see these topics in the IBM® Explorer for z/OS documentation: (Optional) ssl.properties, the RSE encrypted communication, RSE - ssl.properties, and Setting up encrypted communication and X.509 authentication.
  • For information about enabling security between the client and server or web client and server, see Connection flow.
  • To configure the security settings of other applications that communicate with Developer for z/OS (Db2® Connect, Debug Tool, Fault Analyzer, File Manager), use the security configuration options available in those products.
  • To verify that you correctly configured the security settings, see Verify the security settings.
  • More information:
    • With the host connection in Enterprise Service Tools, you can set up a terminal session with a remote z/OS system. You can configure the session to use TLS, client authentication, and host authentication.

      You can use the IBM Key Management tool iKeyman to create a key database file, to create or request certificates, and to import and export certificates.

    Note: Developer for z/OS also uses REXEC, or the more secure SSH, to compile UNIX System Services projects. For more information, see z/OS UNIX subprojects.

Enabling secure communication between multiple applications

For integrated products, Developer for z/OS secures the communication between the products through the Developer for z/OS communication configuration, using Developer for z/OS tools. This communication never leaves the host, so it is not encrypted.

To handle user access controls between products in Developer for z/OS, the receiving application (for example, JMON) requires authentication, which is done by the calling application (RSE) on the user’s behalf. Where possible (for example, JMON or CARMA), Developer for z/OS binds to the loopback stack only, which can be reached only from the same system.

For single sign-on, the user authenticates with RSE. RSE then authenticates on the user’s behalf to the other Developer for z/OS servers. As long as the user stays within Developer for z/OS, everything looks like one server; this does not extend to servers outside Developer for z/OS, for which users must authenticate manually.

Ports, protocols, and services

Developer for z/OS internal processes, tasks, or services do not require a fixed user ID. You can create your own user ID for these processes, tasks, or services, and associate the user ID with them by using RACF commands. For more information about what ports, protocols, and services Developer for z/OS uses, see Planning and TCP/IP considerations.

Before you can connect to a remote system from the Developer for z/OS client, you must define a connection for the remote system and specify connection properties. For more information about connecting to a remote system and the ports that are used for a connection, see Creating a connection to a z/OS system.

Customizing your security settings

Customizing your security settings is covered in Security considerations. For more information about setting and changing passwords, and client certificate authentication, see these topics:
Note: Developer for z/OS uses generated PassTickets and does not store passwords on the host. The Remote Connection Emulator (RCE) stores TLS-related passwords in the Eclipse Secure Storage. For more information, see Secure storage in the Eclipse documentation. Clients mask password fields with ***, and a password that is provided by a client during logon is always transmitted in a masked format, even for secure encrypted communication.

To enable multiple levels of security, and determine the implications of each, see the various chapters about security in the host configuration documentation. Each chapter addresses a specific aspect of security configuration.

Developer for z/OS relies on the options that are offered by TCP/IP to set up notifications of security breaches or attempts.

Note: Information about login attempts is stored in the Developer for z/OS server logs, and in various other places (for example, server log, user logs, audit log, syslog).

Multi-Factor Authentication

Developer for z/OS relies on IBM Explorer for z/OS for multi-factor authentication (MFA) support. For information about configuring MFA in IBM Explorer for z/OS, see Using Multi-Factor Authentication.

Setting up user roles and access

RACF commands are used for the following purposes:
  • Create and delete users and set their access levels.
  • Create groups and assign them privileges.
  • Establish password rules for users (such as no reuse, minimum length, or character requirements).
  • Set up superuser IDs or IDs with special security privileges.

For more information about RACF, see the Security Server RACF Security Administrator's Guide, SA23-2289.
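The following TSO/E REXX exec is an added illustration of the four tasks listed above; it is not part of this topic or of the product's own configuration material. It issues one RACF command for each task and stops on the first command that fails. Every name in it (the group DEVGRP, the user IDs DEVUSR1 and ADMUSR1, the data set profile DEV.SOURCE.**, the UID/GID values and home directory path) is a constructed placeholder to be replaced with your own naming standards; BPX.SUPERUSER in the FACILITY class is the standard z/OS UNIX profile that lets a non-UID(0) user switch to superuser, and the refresh assumes FACILITY is already RACLISTed on your system.

```rexx
/* REXX - added example, not taken from the Developer for z/OS          */
/* documentation. Runs the RACF commands behind the four tasks listed    */
/* above. All names below (DEVGRP, DEVUSR1, ADMUSR1, DEV.SOURCE.**,     */
/* UID/GID numbers and paths) are constructed placeholders.              */

/* 1. Password rules: exactly 8 characters, any character type allowed   */
/*    in every position, mixed case and special characters honored,      */
/*    32 generations of history, 90-day expiry, revoke after 5 failures. */
call racf "SETROPTS PASSWORD(RULE1(LENGTH(8:8) MIXEDALL(1:8))" ,
          "MIXEDCASE SPECIALCHARS HISTORY(32) INTERVAL(90)" ,
          "MINCHANGE(1) REVOKE(5))"

/* 2. A group for developers, with a z/OS UNIX GID so that UNIX System   */
/*    Services subprojects can be compiled under it (placeholder GID).   */
call racf "ADDGROUP DEVGRP OWNER(SYS1) SUPGROUP(SYS1)" ,
          "DATA('DEVELOPERS - CONSTRUCTED PLACEHOLDER') OMVS(GID(2001))"

/*    Assign the group a privilege: READ on a (placeholder) source       */
/*    data set profile, with no access for anyone else by default.       */
call racf "ADDSD 'DEV.SOURCE.**' UACC(NONE) OWNER(DEVGRP) GENERIC"
call racf "PERMIT 'DEV.SOURCE.**' ID(DEVGRP) ACCESS(READ) GENERIC"

/* 3. A developer user ID connected to that group. The initial password  */
/*    is expired by RACF, so the user must change it at first logon.     */
call racf "ADDUSER DEVUSR1 NAME('DEV USER ONE') OWNER(DEVGRP)" ,
          "DFLTGRP(DEVGRP) PASSWORD(CHANGEME)" ,
          "OMVS(UID(10001) HOME('/u/devusr1') PROGRAM('/bin/sh'))"

/* 4. Superuser capability without handing out UID(0): a separately      */
/*    defined admin ID (ADMUSR1, placeholder) gets READ on BPX.SUPERUSER */
/*    and can switch to superuser with su when it needs to.              */
call racf "PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(ADMUSR1) ACCESS(READ)"
call racf "SETROPTS RACLIST(FACILITY) REFRESH"

/* Show what was defined so the result can be checked in SYSTSPRT.      */
call racf "LISTGRP DEVGRP OMVS"
call racf "LISTUSER DEVUSR1 OMVS"
exit 0

/* Issue one RACF command through TSO and stop on anything worse than a  */
/* warning (RACF commands return 0 on success and 4 for warnings).       */
racf: procedure
  parse arg cmd
  say "RACF>" cmd
  address TSO cmd
  if rc > 4 then do
    say "Command failed with RC="rc", stopping."
    exit rc
  end
  return
```

Run the exec from a TSO session that has RACF SPECIAL or group-SPECIAL authority for the owning groups, or submit it in batch under IKJEFT01 so the LISTGRP and LISTUSER output lands in SYSTSPRT for review. Review the exec against the RACF Command Language Reference for your z/OS level before using it, since the SPECIALCHARS and MIXEDALL keywords exist only on current releases.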

Privacy policy considerations

This software offering does not use cookies or other technologies to collect personally identifiable information.