ISPF client security

The ISPF client must be secure so that only authorized users can access stored files.

The IBM® Engineering Workflow Management ISPF client provides mainframe access to source code that is stored in an Engineering Workflow Management repository that might or might not be on the z/OS® machine to which the user is already authenticated. Therefore, the ISPF daemon needs to validate connection requests and provide secure communication between the host and the repository.

The security mechanism used by the Engineering Workflow Management ISPF daemon relies on the file system where it resides to be secure. This implies that only trusted system administrators should be able to update the program libraries and configuration files.

To create ISPF client security definitions, customize and submit sample member BLZRACFT, which has sample RACF and z/OS UNIX commands, to create the basic security definitions for Engineering Workflow Management. BLZRACFT is located in hlq.SBLZSAMP, unless you have copied it to another library for customization.The user submitting this job must have security administrator privileges, such as being RACF SPECIAL.
Note: The sample BLZRACFT job holds more than just RACF commands. The last step of the security definitions consists of making various z/OS UNIX files program controlled. Depending on the policies at your site, this might be a task for the system programmer and not the security administrator.
Refer to the RACF Command Language Reference (SA22–7687) for more information about RACF commands.

The user ID under which the ISPF daemon runs (as defined in BLZRACFT) should be added to the SAF Group that has write access to the Engineering Workflow Management working directories when sample configuration JOB BLZCPBTK was submitted.

Through the ISPF client, you provide the user's Engineering Workflow Management userid and password to the ISPF daemon through the dialogs. The authentication data provided by the client is only used once, during initial connection login. Once a user ID is authenticated, the user ID and self-generated PassTickets are used for all actions that require authentication. When you log out or exit the ISPF client, the authentication connection is lost and you must authenticate again the next time you use the ISPF client. Using PassTickets provides an explanation of the ISPF daemon security process.

Sample RACF commands for these steps are provided in sample job BLZRACFT, but they are discussed in more detail in the topics included in the following list:
Note: Refer to the RACF Command Language Reference (SA22–7687) for more information about RACF commands.