PRODSECURITY parameter group

Each entry below gives the parameter name and its title, the parameter description, and then the three table columns: Default value, Update, and Output only.
ALLOWUNPROT - ALLOW ACCESS TO UNPROTECTED RESOURCES

Specifies how Data Virtualization deals with unprotected resources. When set to NO, Data Virtualization fails access to unprotected resources with a "resource not defined to RACF" message. When set to YES, Data Virtualization allows access to unprotected resources.

Default: NO. Update: Yes. Output only: No.
AUTOSUPPLYVOLSER - AUTOMATICALLY SUPPLY VOLSER FOR SDBECURE API

If set to YES, this parameter causes the SDBECURE API routines to automatically retrieve and supply a VOLSER for data set authorization requests. This is done only when a VOLSER is not already supplied by the caller. Supplying a VOLSER on data set authorization checking requests prevents access to data sets which have a RACF discrete security profile. Without the VOLSER, RACF may indicate that authorization to a data set is allowed, even though a subsequent OPEN attempt may fail with ABEND S913. In the absence of a caller-provided VOLSER, the system supplies this information automatically.

Note: The system never attempts to supply a VOLSER for API requests which are issued while running in a cross-memory environment. (Certain types of SEF ATH rules operate in cross-memory mode.) Also, the VOLSER is not supplied if the data set has been migrated to offline storage by DFHSM or other space management product.

Default: YES. Update: Yes. Output only: No.
BYPASSSEF - BYPASS SEF FOR RECONNECT PROCESSING

Controls whether SEF is invoked when a client reconnects to the Data Virtualization Server. This is a performance enhancement that speeds up processing when an ODBC client reconnects to the server, and is important if VCF is in use. This parameter cannot be changed after product initialization because of security restrictions.

Default: NO. Update: No. Output only: No.
CENSORAPIDATAVALUES - CENSOR VARIOUS API DATA VALUES

Indicates whether display of various API data is restricted to authorized users. If set to NO, display of the data is unrestricted.

Default: NO. Update: Yes. Output only: No.
CENSORHTTPRESP - CENSOR HTTP RESPONSE OUTPUT

Indicates whether display of outbound response data is restricted to authorized users. If set to NO, display of the data is unrestricted.

Default: NO. Update: Yes. Output only: No.
CENSORSSLAPIDATAVALS - CENSOR SSL VARIOUS API DATA VALUES

Indicates whether display of various API data for SSL sessions is restricted to authorized users. If set to NO, display of the data is unrestricted.

Default: NO. Update: Yes. Output only: No.
CENSORSSLAUTHDATA - CENSOR SSL AUTHORIZATION HTTP HEADER DATA

Indicates whether display of inbound authorization data for SSL sessions is restricted to authorized users. If set to NO, display of the data is unrestricted.

Default: YES. Update: Yes. Output only: No.
CENSORSSLHTTPRESP - CENSOR SSL HTTP RESPONSE OUTPUT

Indicates whether display of outbound response data for SSL sessions is restricted to authorized users. If set to NO, display of the data is unrestricted.

Default: NO. Update: Yes. Output only: No.
CENSORSSLQUERYDATA - CENSOR SSL URL QUERY DATA

Indicates whether display of inbound URL query data for SSL sessions is restricted to authorized users. If set to NO, display of the data is unrestricted.

Default: NO. Update: Yes. Output only: No.
CENSORTRACEWRITES - CENSOR ALL TRACE WRITES

If set to YES, all potentially sensitive data is censored from trace data before it is written. In this situation, it is impossible to review trace data and obtain sensitive data from it. It may also make problem determination more difficult, because all data may be censored from certain records.

Default: YES. Update: Yes. Output only: No.
CENSORURLAUTHDATA - CENSOR AUTHORIZATION HTTP HEADER DATA

Indicates whether display of inbound authorization data is restricted to authorized users. If set to NO, display of the data is unrestricted.

Default: YES. Update: Yes. Output only: No.
CENSORURLQUERYDATA - CENSOR URL QUERY DATA

Indicates whether display of inbound URL query data is restricted to authorized users. If set to NO, display of the data is unrestricted.

Default: NO. Update: Yes. Output only: No.
CENSORWSAUTHDATA - CENSOR WEB SERVICE AUTHORIZATION DATA

Indicates whether display of inbound Web Service authentication data is restricted to authorized users. If set to NO, display of the data is unrestricted.

Default: NO. Update: Yes. Output only: No.
CLIENTLOGON - CLIENTS CAN BE AUTHENTICATED BY NOS

Default: NO. Update: Yes. Output only: No.
CLIENTLOGONLOGOPT - NORMAL CLIENT LOGON RACF LOG= OPTION

If set to ASIS, normal client logon is issued with LOG=ASIS in effect. If set to ALL, then normal client logon is issued with LOG=ALL in effect. If set to NONE, then normal client logon is issued with LOG=NONE in effect. This option applies only to RACF systems and is also used for client logoff operations.

Default: ASIS. Update: Yes. Output only: No.
CLIENTLOGONSTATOPT - NORMAL CLIENT LOGON RACF STAT= OPTION

If set to ASIS, normal client logons are issued with STAT=ASIS in effect. If set to NO, then normal client logons are issued with STAT=NO in effect. This option applies only to RACF systems.

Default: ASIS. Update: Yes. Output only: No.
DISABLEFASTAUTH - DISABLE FASTAUTH SECURITY CHECKS

The DISABLEFASTAUTH parameter disables the use of SAF REQUEST=FASTAUTH resource checking and uses REQUEST=AUTH when issuing RACROUTE calls.

Default: Yes. Update: Yes. Output only: No.
DRIVERSYSPLEXAUTH - DRIVER SYSPLEX AUTHENTICATION

Allows IOCTL access to collect USERID and UTOKEN information about driver connections when the driver and the server are executing in the same SYSPLEX environment. This will allow driver clients on the same SYSPLEX to choose to use the active z/OS authentication, by not providing the USERID and PASSWORD. When a USERID and a PASSWORD or other authentication are provided, the supplied credentials take priority over active client driver SYSPLEX authentication for the current TCP/IP connection.

Default: NO. Update: Yes. Output only: No.
EXPIRESECOPTENTRIES - EXPIRE USER SECURITY CACHE ENTRIES

Causes all SOM cache entries on this Data Virtualization Server to be marked expired. This produces a processing delay for the next remote support task that performs a logon or logoff.

Default: NO. Update: Yes. Output only: No.
EXPOSEWWWPASSWORD - EXPOSE CLEAR-TEXT PASSWORD IN WWW.PASSWORD

Controls whether client passwords provided by the HTTP request Authorization: header are instantiated in clear text form as the runtime variable WWW.PASSWORD. The default setting NO is recommended because otherwise, any Web transaction program has access to client passwords.

Note: WWW.PASSWORD is built only from the password sent via browser userid/password prompting and is not set for any other passwords processed by the system.

Default: NO. Update: Yes. Output only: No.
GETLOGONMESSAGES - GET ALL SAF LOGON MESSAGES

Controls whether all of the messages from SAF LOGON processing should be obtained. If set to YES, all of the messages are obtained. Note that setting this parameter to YES forces the security control blocks to be located below the 16 MB line. If set to NO, only a subset of the SAF LOGON messages are obtained from the SAF interface; however, it is possible to locate the security control blocks above the 16 MB line.

Default: NO. Update: Yes. Output only: No.
HEXIPSOURCE - USE HEXADECIMAL IP ADDRESS AS SOURCE

Indicates that the SOURCE for SAF calls is set to the hexadecimal form of the IP address for clients connected using TCP/IP. This flag applies only to TCP/IP connections. The four-byte binary IP address is converted to an eight-byte upper-case hexadecimal string, which is used as the SOURCE for SAF calls. The SOURCE is where the SAF request is presumed to have come from; this used to mean the terminal name and now has other meanings as well.

Default: NO. Update: No. Output only: No.
HFSAUTHMODE - HFS AUTHORIZATION OPERATING MODE

Determines how security authorization processing is performed when serving HFS-resident files. HFSAUTHMODE(GLOBAL) specifies that ALL accesses to any HFS-resident file or directory paths are made using the authorizations granted to the Server’s default Runtime userid (the Userid specified by the WWWDEFAULTRUNAUTH parameter). The Server switches to this Userid before any access to an HFS-resident file is made and restores the pre-existing security environment after each access. HFSAUTHMODE(THREAD) specifies that all accesses to any HFS-resident file or directory paths are made using the authorizations granted to the transaction thread userid.

Note: HFSAUTHMODE(THREAD) is the preferred operational mode; however, the default is HFSAUTHMODE(GLOBAL) to maintain compatibility with previous releases of the product.

Default: GLOBAL. Update: No. Output only: No.
IDFALREADYVERIFIED - IDF ALREADY-VERIFIED SECURITY REQUIRED

Specifies the minimum authentication level that can be used when a client connects to the IDF DRDA Application Server.

  • YES: Indicates that userid-only logons are supported, with authentication already performed by the connecting DRDA client requestor.
  • NO (default): Indicates that both a userid and a password or other supported authentication mechanism is required and will be verified by IDF.

Default: No. Update: Yes. Output only: No.
KERBEROSACTIVATE - KERBEROS FLAG ACTIVATE

Activates the Kerberos Security API for the server. The default value is NO, and setting a value of YES will allow Kerberos secured object processing to occur. The Kerberos server DAEMON will be accessed to verify the Kerberos configuration. The Kerberos API LOAD module will be LOADED from the STEPLIB to perform initialization of the Kerberos API. Once all steps are completed, the active server will process Kerberos security requests. If the DAEMON is not active, the server will continue to attempt contact with the Kerberos server DAEMON on every secured object request until the Kerberos DAEMON becomes active. Kerberos Token or Ticket Object processing will not be available until the Kerberos DAEMON has fully initialized. All Kerberos secured object processing will fail with Security Errors until the value of KERBEROSAPIACTIVE is set to YES. In addition, other information Kerberos settings will not be updated until the Kerberos API is active and the configuration is verified.

Note:

If the server is active, this option should only be modified under direct supervision of a product support specialist. Use of the xVZyIN00 PARAM is the preferred method to modify the server PARAM.

If the Kerberos API LOAD module cannot be LOADED, Kerberos support will be deactivated for the active Server execution, and KERBEROSACTIVATE will be reset to a value of NO.

Default: No. Update: Yes. Output only: No.
KERBEROSAPIVERS - KERBEROS API VERSION/BUILD

Specifies the Kerberos API Version/Build information collected after initialization of Kerberos API. This option is Server modified and informational only.

Default: (blank). Update: No. Output only: Yes.
KERBEROSCLIENTONLY - IN-BOUND KERBEROS CLIENT ONLY

Allows only Kerberos authentication when this parameter is set to Yes. If this parameter is set to No, the Server will allow both legacy z/OS USERID/PASSWORD authentication and Kerberos authentication. The value of No allows a transition from legacy z/OS USERID/PASSWORD authentication to Kerberos.

Default: (blank). Update: Yes. Output only: No.
KERBEROSCLIENTS - KERBEROS IN-BOUND CLIENTS SUPPORTED

Allows Kerberos authentication when the parameter is set to Yes. If the parameter is set to No, the server will not activate inbound Kerberos client authentication.

Default: (blank). Update: Yes. Output only: No.
KERBEROSCLIENTSPN - KERBEROS CLIENT SPN ALIAS

This optional parameter requires that the supplied SPN Alias be defined in the Kerberos DAEMON configuration. If the SPN verification fails, Kerberos processing is halted, the Kerberos ticket will not be available, and the KERBEROSFAILED value will be set to YES. This option allows Kerberos to be revoked from a server process by removing the SPN. This option can be modified after server initialization.

Note: Even after verification, a secondary verification will occur because the Kerberos DAEMON requires a follow-up verification of the configuration. This secondary verification normally occurs after a restart or any authentication time-out.

Default: (blank). Update: Yes. Output only: No.
KERBEROSDAEMONSPN - KERBEROS DAEMON SPN ALIAS

This optional parameter verifies the Kerberos DAEMON SPN Alias after the server verifies the DAEMON SPN against the value supplied. If the supplied Alias is valid, processing will continue. If the supplied Alias is invalid, Kerberos Security will be disabled and all Ticket/Token Object requests will fail.

The default value for this parameter is an empty string of blanks/nulls, which allows the server to discover the DAEMON SPN value; supplying a value instead tells the Server to verify the DAEMON SPN Alias against it.

Note: A modification to this parameter will not become active until the Kerberos DAEMON is refreshed or the DAEMON requests that the active server security credentials be re-verified.

Default: (blank). Update: Yes. Output only: No.
KERBEROSDAEMONV - KERBEROS DAEMON VERSION / BUILD

Enables collection of Kerberos DAEMON Version/Build information from the DAEMON server during Kerberos configuration process.

Default: (blank). Update: No. Output only: Yes.
KERBEROSDSCLIENT - TYPE(SERVER) OUT/IN BOUND KERBEROS

If this parameter is set to YES, the Server will use Kerberos authentication while performing attach/bind/logon authentication to TYPE(SERVER) with SECMEC(KERBEROS). The requesting server will send the Kerberos token to the target Server for authentication.

Default: (blank). Update: Yes. Output only: No.
KERBEROSECHOSPN - KERBEROS SERVER ECHO SPN 2 CLIENT

When a client attempts to authenticate with an SPN that is rejected by the Server:
  • Setting this parameter to YES informs the server to ECHO the SPN in the authentication failure message. The client can then attempt to authenticate with the SPN value returned by the Server.
  • Setting this parameter to NO causes the server to reject the authentication and not provide the SPN with the logon failure message.

Default: (blank). Update: Yes. Output only: No.
KERBEROSFAILED - KERBEROS FLAG FAILURE

This option is set only when the KERBEROSACTIVATE parameter is set to YES and the configuration is invalid or the API LOAD module was not found in the STEPLIB.

This parameter value is set to YES when the Kerberos API initialization has failed; it remains NO until a failure occurs.

Default: (blank). Update: Yes. Output only: No.
KERBEROSGRANDE - KERBEROS FLAG GRANDE

This option is set to Yes when the KERBEROSACTIVATE is YES and the module defined in KERBEROSLOAD is defined as an AMODE64 module.

This option remains as No when AMODE31 processing is assumed.

Default: (blank). Update: No. Output only: Yes.
KERBEROSHOST - KERBEROS HOST IPADDRESS/DOMAIN

Provides the host IP address/domain of the Kerberos ticket server DAEMON. The default value of this parameter is 127.0.0.1.

Default: 127.0.0.1. Update: No. Output only: No.
KERBEROSLOAD - KERBEROS API LOAD MODULE NAME

Provides the Kerberos API LOAD module name that processes Kerberos ticket object requests for the active server.

Default: (blank). Update: No. Output only: No.
KERBEROSMAXTICKET - KERBEROS API MAX TICKET/TOKEN SIZE

Specifies the maximum size of Kerberos ticket/token objects. The default maximum is 1024*2, or 2K. Setting the value may reduce storage requirements when Kerberos Ticket/Token Objects are much smaller than the system default.

Default: 2K (2048).
KERBEROSPORT - KERBEROS DAEMON PORT NUMBER

Provides the port number used to access the Kerberos ticket server DAEMON.

Default: 5628. Update: NO. Output only: NO.
KERBEROSTIMEOUT - KERBEROS API TIME OUT

Defines an override of the standard Kerberos API TCP/IP time out value. The default value of -1 indicates no override of API TCPIP timeout is required. Setting the value to 0 will negate timeout processing. The range of values for this parameter is from 0 to 120.

Default: -1. Update: YES. Output only: NO.
KERBEROSTRACE - KERBEROS API TRACE VALUE

Defines the type of traces Kerberos processing will create during execution of Kerberos requests. The default value of -1 indicates quiet tracing with 0 through 6 providing an increasing level of trace from 0 failures to 6 debug.

Default: -1. Update: YES. Output only: NO.
MAXSECURITYMSGRATE - MAX SUPPRESS MSG RATE FOR RESOURCE CHECKS

Set MAXSECURITYMSGRATE to zero to turn off the message suppression rate for RACF resource checking in the product. If it is non-zero and SECURITYMSGSUPP is set to NO, the rate is used to determine whether a TSO user is notified of resource check validation failures.

Default: (blank). Update: Yes. Output only: No.
PASSEMPTYGROUPNAME - PASS EMPTY GROUP NAME TO RACROUTE

Specifies whether a SAF-based RACROUTE REQUEST=VERIFY call passes a NULL group name on the request. Passing a NULL group name allows a user-written SAF exit routine, such as ICHRTX00, to manipulate the group name, even though Data Virtualization does not furnish or otherwise process RACF-type group names.

Default: NO. Update: Yes. Output only: No.
PASSIMSGROUPNAME - PASS SAF GROUP NAME TO IMS

Specifies whether to pass the SAF group name to IMS. Passing the SAF group name in the PROFILE parameter allows the group name, associated with the USERID, to appear in the I/O PCB of the IMS transaction.

Default: NO. Update: Yes. Output only: No.
PASSTICKETAPPNAME - APPLICATION NAME FOR PTKTDATA PROFILES

Specifies the 1 to 8-character application name to be used in PTKTDATA profiles.

Default: XDBY XXXX. Update: No. Output only: No.
PASSWORDCASE - USER PASSWORD CASE

Specifies whether passwords are used exactly as received (ASIS) or should be translated to upper (UPPER) case.

Default: UPPER. Update: No. Output only: No.
PROVIDEPASSWORDS - PROVIDE PASSWORDS FOR LOGON RULES

Controls whether passwords are provided to LOGON rules. If this parameter is set to YES, passwords are provided to LOGON rules. If set to NO, passwords are not provided to LOGON rules. If set to CHANGE, passwords can be changed in LOGON ATH rules. Changing a password in a LOGON ATH rule does not change the password in the security product. It only changes the password used for the current connection to the host. For security reasons, this parameter cannot be changed after product initialization. Note that passwords are provided as cleartext strings or they are set to blanks.

Default: NO. Update: No. Output only: No.
PUBLISHJCADETAIL - PUBLISH J2CA DETAIL PROF

Used when authorizing J2CA publishing of events. When set to YES, causes the use of detailed security profiles when authorizing a J2CA user to monitor changes to tables. Detailed profiles are of the form PUBLISHJ2CA.source.tablename.

Default: NO. Update: Yes. Output only: No.
RACFGROUPLIST - CHECK RACF GROUP LIST FLAG

Default: NO. Update: Yes. Output only: No.
RECONNLOGONLOGOPT - RECONN CLIENT LOGON RACF LOG= OPTION

If set to ASIS, the VCF-reconnect logon is issued with LOG=ASIS in effect. If set to ALL, then VCF-reconnect logon is issued with LOG=ALL in effect. If the parameter is set to NONE, then reconnect client logon is issued with LOG=NONE in effect. This option applies only to RACF systems and is also used for client logoff operations.

Default: ASIS. Update: Yes. Output only: No.
RECONNLOGONSTATOPT - RECONN CLIENT LOGON RACF STAT= OPTION

If set to ASIS, the VCF-reconnect logons are issued with STAT=ASIS in effect. When set to NO, then VCF-reconnect logons are issued with STAT=NO in effect. This option applies only to RACF systems.

Default: ASIS. Update: Yes. Output only: No.
RESOURCETYPE - RESOURCE TYPE FOR RESOURCE RULES

Default: NON. Update: Yes. Output only: No.
RULESETSEFAUTH - RULESET SEFAUTH() OVERRIDE

Indicates whether the SEFAUTH() settings for individual rulesets are honored or overridden on a global basis. If NOOVERRIDE is set, each individual ruleset's SEFAUTH() setting is honored. If NONE, READ, UPDATE, or ALL is set, all ruleset-level SEFAUTH settings are ignored and this setting is used instead. The ruleset SEFAUTH() setting determines whether SEF directly checks each command request to see if the end user has MVS authorization to the underlying ruleset before performing an operation on behalf of the user. Examples of such operations are enabling a rule, setting a rule's auto-enable flag, or putting a ruleset in offline status. Note that this checking is in addition to checking the end user's authorization to use SEF facilities. The SEF facility check is always performed using the "SEF" resource in the Server's resource class list. SEFAUTH specifies the level of operation that does not require authorization to proceed. A lower level of SEFAUTH means that less control is exerted over the operations on rules.

In increasing magnitude of authorization required, the options are:
  • SEFAUTH(NONE) specifies that SEF never checks the end user's authorization for any operation.
  • SEFAUTH(UPDATE) specifies that SEF does not check authorization for read-only and single-member-update operations, such as enabling a rule or setting a rule's auto-enable flag. SEF checks the end user's authorization for mass member updates or for changing the status of an entire ruleset.
  • SEFAUTH(READ) specifies that SEF does not check the end user's authorization when performing a read-only operation such as displaying a ruleset member list or the status of an individual rule. SEF checks the end user's authorization for single-member-update operations or for mass member updates.
  • SEFAUTH(ALL) specifies that SEF always checks the end user's authorization for each operation. Note that MVS always performs an authorization check if an end user attempts to browse, edit or delete a ruleset member under ISPF. This option specifies only how requests are handled when they are processed in the SEF subtask inside the server on behalf of a user-originated command.

Default: NOOVERRIDE. Update: Yes. Output only: No.
SECOPTRETAIN - SECURITY OPT RETENTION PERIOD

Specifies the amount of time in seconds that a cached security environment (ACEE) is to remain valid. When the time limit is reached, the cached security environment is invalidated. A value of zero means that cache entries are retained indefinitely. The default value is 28800 seconds (8 hours). This option only has meaning when the SECURITYOPTIMIZATION option is set to YES.

Default: 28800. Update: Yes. Output only: No.
SECOPTTARGET - SECURITY OPT CACHE TARGET ENTRIES

Specifies the target number of user security environments (ACEE) to keep in the user security cache. The value can be from 500 to 100,000. Note that this target number increases if there are not enough available cache entries to maintain an entry for all currently logged on users. This option only has meaning when the SECURITYOPTIMIZATION option is set to YES.

Default: 5000. Update: No. Output only: No.
SECOPTTHRESHINT - SECURITY OPT THRESHOLD CHECKING INTERVAL

Specifies the interval, in seconds, that SOM cache is scanned to find entries eligible for deletion from the cache. The interval value is specified in seconds and should be a factor of one hour. In other words the value should divide evenly into 3600. This option only has meaning when the SECURITYOPTIMIZATION option is set to YES.

Default: 1200. Update: Yes. Output only: No.
SECOPTTHRESHOLD - SECURITY OPT THRESHOLD VALUE

Specifies the target number of SOM cache entries that are to be made available by SOM threshold interval processing, expressed as a percentage of the current number of allocated cache entries. The value can be from 5 to 100 percent. The default value is 25 percent.

Specifying a small percent saves CPU time, but increases the number of expired, unused ACEEs that are kept in storage. Specifying a larger percent will reduce the number of expired and unused ACEEs kept in storage.

Default: 25. Update: Yes. Output only: No.
SECURITYMODE - SHARED SECURITY MODE

Controls how security environments are shared. If this parameter is set to NONE, then security environments cannot be shared. If this parameter is set to BASIC, then some sharing of security environments is possible. This field cannot be changed after product initialization because of security restrictions. The server ignores this parameter when SOM is active (SECURITYOPTIMIZATION is set to YES).

Default: NONE. Update: No. Output only: No.
SECURITYMSGSUPP - SUPPRESS MESSAGES FROM RESOURCE CHECKS

If set to YES, the product issues RACF security resource check requests with MSGSUPP=YES specified. If resource validation fails, a TSO user is not notified of the authorization failure.

Default: NO. Update: Yes. Output only: No.
SECURITYOPTIMIZATION - SECURITY OPTIMIZATION ENABLED

Specifies whether Data Virtualization caches the security environments (ACEE) created for successful remote user logons.

Default: YES. Update: No. Output only: No.
SECURITYPACKAGE - SECURITY PRODUCT

Default: RACF (depending on the security product). Update: No. Output only: Yes.
SECURITYVERSION - SECURITY PRODUCT VERSION

Default: 7.74 (depending on the security product). Update: No. Output only: Yes.
SQLVTRESOURCETYPE - RESOURCE TYPE FOR SQL ACCESS TO VIRTUAL TABLES

Contains the name of the security server's class (or resource type for ACF2) that is used to perform authorization checks for SQL access to meta data and virtual tables in the SQL engine.

Default: (blank). Update: YES. Output only: NO.
SSL - SSL CONNECTIONS SUPPORTED

If set to YES, SSL connections to the server are supported. If set to NO, SSL sessions are not supported.

Default: YES. Update: No. Output only: No.
SSLAUTODETECT - AUTO-DETECT SSL CONNECTIONS

If set to YES, the server auto-detects SSL connections which are sent on the port normally used for clear-text connections. If this option is set to NO, only cleartext connections can be handled on the cleartext port.

Note: A separately configured SSL port accepts only SSL connections.

Default: NO. Update: No. Output only: No.
SSLCLIENTAUTH - SSL CLIENT AUTHENTICATION

The SSLCLIENTAUTH parameter activates optional SSL client certificate processing in the Server, and also selects the means by which SSL client certificates are authenticated when received. The valid values for this parameter are:

  • NONE: The Server does not make SSL client certificate processing active and will not request client certificates. This is the default setting.
  • LOCAL: The Server requests a client certificate during the SSL connection setup handshake. Certificates sent by the client are authenticated using the certificate store designated by other SSL startup parameters: either a GSK SSL key database or a RACF keyring.
  • PASSTHRU: The Server requests a client certificate during the SSL connection setup handshake. Certificates sent by the client are not authenticated upon receipt but are available for inspection by the transaction.

Configuration of SSL support for use in Data Virtualization Server requires that you designate the location of the certificate and key store that the IBM-supplied SSL components will use. The server's SSL support may be configured to use a pair of "native" IBM SSL key database and key stash files. These files are maintained by the GSKKYMAN utility, a part of the IBM System SSL component. Alternatively, SSL may be configured to rely upon RACF (or SAF) digital certificate support, which uses a designated RACF keyring as the store for the information.

The designation of a certificate/key store, and the active content of the store, have special impacts upon client certificate processing; impacts not always discussed nor easily located in the available documentation.

One important bearing this has upon client certificate handling is the number and type of certificates present in the SSL database or keyring. During SSL session setup, the Server requests that the client transmit its certificate, and sends a list of those issuing authorities it trusts as acceptable. This list is built from the trusted CA certificates found in the SSL database or RACF keyring.

A client may possess a separate certificate issued and signed by each of the most secure and well-known CA signing authorities. However, if none of those CA certificates are defined as trusted within the active database or keyring, then none will be sent to the client as an acceptable signer.

Such a scenario would result in a client finding no acceptable alternatives and failing to return any certificate. Be aware that clients may fail to transmit any certificate precisely because the list of trusted signers at the host is incomplete or deliberately and selectively limited.

The second impact that SSL key storage configuration values affect is the ability of the Server to "convert" a valid certificate into a client logon to the z/OS system.

When a RACF keyring is used as the SSL database, client certificates may optionally be used to drive the Init_ACEE callable service. The service may be able, if properly configured, to "map" the certificate received to produce an associated RACF userid logon. "Conversion" of client digital certificates into a RACF client logon can only be done when the SSL configuration settings designate a RACF keyring for the SSL key store.

Default: NONE. Update: No. Output only: No.
SSLCLIENTNOCERT - ACTION IF SSL CLIENT PROVIDES NO CERTIFICATE

This parameter is ignored unless SSL client certificate processing is activated (SSLCLIENTAUTH). The setting indicates the action taken if an SSL client fails to provide a valid x501 certificate during session establishment. Note that a client's failure to provide a certificate may be due to the lack of a mutually trusted signing authority. Lack of a certificate does not prevent the SSL session from being established and used. The following values can be coded, each designating the action taken if the condition occurs.

Note: The SSL handshake at session establishment completes prior to application of the FAIL action.

If set to ALLOW, the Server continues processing, ignoring the client's failure or inability to provide a certificate.

If set to FAIL, the Server terminates its session with the client at the earliest possible opportunity.

Default: ALLOW. Update: No. Output only: No.
SSLINITIALIZED - SSL SUPPORT HAS BEEN INITIALIZED

Displays YES if SSL support was initialized.

Default: NO. Update: No. Output only: Yes.
SSLUSERID - SSL RESOURCE MANAGER TASK USERID

Specifies a highly privileged userid under which the SSL resource manager subtask operates. If not specified, the SSL resource manager operates using the subsystem's address-space-level userid. This userid must be authorized to open and read the SSL private key and certificate files. Using a separate userid for this task prevents other transaction subtasks, and the server itself, from accessing this highly confidential information.

Default: NULL. Update: No. Output only: No.
STANDARDUSERID - DEFAULT RUNAUTH USERID

Specifies the MVS userid under which all work is run. The userid specified is made the effective userid for Web transactions unless WWW rules override this value. If the parameter is set to NONE, then the subsystem’s userid is used.

Default: NONE. Update: No. Output only: No.
STREAMSJCADETAIL - FORCE DETAILED PROFILES FOR J2CA

Causes the usage of detailed security profiles while authorizing a J2CA user to monitor changes to tables. Detailed profiles are in the form PUBLISHJ2CA.source.tablename.

Default: (blank). Update: YES. Output only: NO.
TERMINATESECOPT - TERMINATE SECURITY OPTIMIZATION

Causes SOM to terminate. If set to YES, SOM ends and cannot be restarted. This parameter can be set at any time. Terminating SOM has an impact on Data Virtualization and overall system performance.

Default: NO. Update: Yes. Output only: No.
TLSDYNAMICUSERIDS - IMPLEMENT DYNAMIC USERIDS FOR TLS

Controls whether the generic userids supplied by a TLS-enabled connection are made active prior to most operations in Data Virtualization. The SEF logon rule sets the TLS-enabled option and this option determines if the supplied generic userid is used for RPC invocations, DB2 threads (only for RRSAF), CICS transactions, and so on.

Default: YES. Update: No. Output only: No.
UNCENSORZOOMONLY - UNCENSOR ZOOM VIEW ONLY

If set to NO, unauthorized users' view of trace messages is censored; authorized users see the view uncensored. If set to YES, both unauthorized and authorized users' views of the trace data appear censored; however, authorized users may still view the uncensored data by displaying the underlying binary information.

Default: NO. Update: Yes. Output only: No.
URLRESOURCETYPE - RESOURCE TYPE FOR URL MATCHING

Default: NON. Update: Yes. Output only: No.
USEPORTOFENTRY - USE REMOTE HOST NAME AS PORT OF ENTRY

Indicates that the remote computer’s host name is to be used as the port of entry for user authentication. The port of entry can be used to restrict the computers from which a user can connect.

YES No No
USERIDENCODEALLOW USERID ALLOW DRIVER ENCODED

Allows the USERID provided by drivers to be ENCODED during authentication when this parameter is set to YES. When set to YES, the Server will allow, but not require, ENCODED USERID values. This setting lets newer drivers send USERID values that are either ENCODED or in clear text, and tolerates older drivers that do not support encoded USERIDs.

  YES NO
USERIDENCODEREQUIRED USERID REQUIRE DRIVER ENCODED

Specifies that the USERID provided by drivers must be encoded during authentication when this parameter is set to YES. Drivers that do not support encoding are not allowed to authenticate. If support for older drivers is required, use USERIDENCODEALLOW instead.

  YES NO
VCFMAXLIFETIME SECURITY OPT VCID RETENTION LIMIT

Client connections that request the use of Diffie-Hellman key exchange for encryption of logon credentials require an extra round trip during session establishment to exchange public keys. For clients using the PERMANENT connection mode, the overhead entailed by the extra round trip is usually negligible in comparison to the total number of round trips made throughout the session. For non-permanent connection mode (VCF TRANSBLOCK or TRANSACT mode), in which a new connection is established for each client request, the ratio of key exchange round trips is much higher; often as high as 50% of all network trips.

To avoid these extra round trips, VCF can cache Diffie-Hellman key exchange information during the initial connection and recall it when each VCF reconnection occurs. For this, the server creates a VCF security artifact at the host that caches this information. Note that VCF security artifacts are only used when clients request the use of Diffie-Hellman key exchange for encryption of logon credentials, and only for clients making non-PERMANENT (VCF) mode session connections.

If set to 0, no VCF security artifacts are created and each VCF connection or reconnection makes the extra round trip needed for Diffie-Hellman key exchange. When this parameter is set to a non-zero value, VCF security artifacts are created at the host and used to avoid the extra round trip for key exchange. The server substitutes 60 seconds if the value specified is in the range from 1 to 59. A non-zero value specifies the total time, in seconds, that a cached VCF security artifact remains valid. VCF security artifacts are aged from the time they are created up to this limit, and are unconditionally expired once this period has ended. Unreferenced VCF artifacts may time out and be expired (see VCFTIMEOUT) sooner than the lifetime limit imposed by this parameter.

1800 SECONDS No No
VCFTIMEOUT SECURITY OPT VCID REUSE TIMEOUT PERIOD

This parameter is not used when VCFMAXLIFETIME has been set to zero. See the explanation for the VCFMAXLIFETIME parameter for a description of VCF security artifacts. This parameter specifies, in seconds, the period within which a VCF security artifact must be referenced again to remain active. Any VCF artifact that is not referenced for longer than the specified period is considered expired and is deleted. The value specified for this parameter should not exceed the value set for VCFMAXLIFETIME. If an invalid value is specified, the server substitutes the value set for VCFMAXLIFETIME.

300 SECONDS No No
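The aging rules described under VCFMAXLIFETIME and VCFTIMEOUT, as an added Python model that is not the product's code: it applies the 1 to 59 second substitution, the VCFTIMEOUT fallback to VCFMAXLIFETIME, and the two expiry conditions (absolute lifetime from creation, idle timeout since the last reference). The VcfCache class, evaluating expiry lazily at reconnect time, and treating a non-positive VCFTIMEOUT as invalid are assumptions of this illustration.

```python
"""Model of VCF security-artifact aging (VCFMAXLIFETIME / VCFTIMEOUT).
Added illustration only; the class and lazy expiry check are assumptions."""
from dataclasses import dataclass


def normalize_lifetime(max_lifetime: int) -> int:
    """VCFMAXLIFETIME: 0 disables artifacts; 1..59 is raised to 60 seconds."""
    if max_lifetime <= 0:
        return 0
    return max(max_lifetime, 60)


def normalize_timeout(timeout: int, max_lifetime: int) -> int:
    """VCFTIMEOUT must not exceed VCFMAXLIFETIME; an invalid value is replaced
    by VCFMAXLIFETIME. Treating non-positive values as invalid is an assumption."""
    if timeout <= 0 or timeout > max_lifetime:
        return max_lifetime
    return timeout


@dataclass
class VcfArtifact:
    created: int    # time the cached key-exchange state was created
    last_ref: int   # time of the most recent reconnection that used it


class VcfCache:
    def __init__(self, max_lifetime: int, timeout: int):
        self.max_lifetime = normalize_lifetime(max_lifetime)
        self.timeout = normalize_timeout(timeout, self.max_lifetime)
        self.artifacts = {}  # VCID -> VcfArtifact

    def create(self, vcid: str, now: int) -> bool:
        """Cache key-exchange state after the initial connection. Returns False
        when VCFMAXLIFETIME is 0, so every reconnect repeats the exchange."""
        if self.max_lifetime == 0:
            return False
        self.artifacts[vcid] = VcfArtifact(created=now, last_ref=now)
        return True

    def reconnect(self, vcid: str, now: int) -> bool:
        """True if the artifact is still valid and the Diffie-Hellman round trip
        can be skipped; an expired artifact is deleted and False is returned."""
        art = self.artifacts.get(vcid)
        if art is None:
            return False
        # Unconditional expiry at the lifetime limit, or earlier when idle.
        if now - art.created >= self.max_lifetime or now - art.last_ref >= self.timeout:
            del self.artifacts[vcid]
            return False
        art.last_ref = now
        return True
```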
WWWDEFAULTAUTHREQ DEFAULT WWW RULE AUTHREQ VALUE

Specifies the default WWW AUTHREQ value under which Web transactions run. The AUTHREQ specification can be overridden through matching to WWW rules.

NO No No
WWWDEFAULTRUNAUTH DEFAULT WWW RULE RUNAUTH USERID

Specifies the MVS user ID under which Web transactions run by default. The user ID specified is made the effective user ID for Web transactions unless WWW rules override this value. If set to NONE, then the subsystem’s user ID is used. The user ID must have the authority to log on to the server.

NONE No No
WWWRUNAUTHFORMATS RUNAUTH OPERAND FORMATS

Used to limit the allowed operand formats. If set to RESTRICTED, RUNAUTH cannot be used to specify third-party userids.

ALL No No
WWWRUNAUTHLOCATION RUNAUTH ALLOWED LOCATION

Specifies where the RUNAUTH parameter may be coded for /*WWW rules. It may be restricted to the master WWW ruleset only, or disabled using this parameter.

ANYWHERE No No
ZEVRESOURCETYPE RESOURCE TYPE FOR Z/EVENTS

Specifies the name of the security server's class (or resource type for ACF2) that is used to perform access authorization checks for z/Events resources.

NON Yes No