Security

To implement security, work with your security administrator to define any required classes and profiles, and then secure your Classic data servers.

Use these different layers to secure your replication environment:

z/OS-level security

The System Authorization Facility (SAF) is a z/OS® interface that programs use to communicate with an external security manager (ESM), such as the Resource Access Control Facility (RACF®). SAF and your ESM work together to grant access rights to system resources, such as the following:

  • Classic data servers
  • Services

RACF classes organize profiles into groupings of related system resources. Profiles define security for specific users, groups, and protected resources. Your security administrator creates classes and profiles, then grants users or groups READ or CONTROL access to the resources in the profiles.

For more information about z/OS security, see the z/OS Security Server RACF Security Administrator's Guide.

Server security

The following table describes specific tasks on a Classic data server and the required SAF access that a user needs to perform them. A user with CONTROL access automatically has READ access.

Table 1. Tasks and required user access

| Task | Service to configure | Minimum required access |
|---|---|---|
| View subscriptions | Administration service | READ |
| Create, update, and delete subscriptions | Administration service | CONTROL |
| Manage replication (start, stop, change state) | Administration or Operator service | CONTROL |
| Monitor metrics | Monitoring service | READ |
| Issue remote console commands | Operator service | READ |

The SAFEXIT service parameter

Secure your Classic data server by using the SAFEXIT service parameter. The following services have a SAFEXIT parameter:

  • Administration service (PAA)
  • Monitoring service (MAA)
  • Operator service (OPER)

SAFEXIT and protected resources

If you define the SAFEXIT parameter with the value CACSX04,VALIDATE=N, the Classic data server performs user ID and password or password phrase authentication only. No other user validation takes place.

Use the SAFEXIT value CACSX04,VALIDATE=Y to grant multiple users different levels of access to system resources based on classes and profiles. For each of these services, you can override the default class and profile by specifying different z/OS class or profile names as values for service parameters. Your ESM then authenticates user access by checking the specified profiles.

Table 2. Default classes and profiles per service, with override service parameters

| Service name | Default class | Default profile | Override class parameter | Override profile parameter |
|---|---|---|---|---|
| Administration service | SERVAUTH | CEC.ADMIN | ADMCLASS | ADMPROF |
| Monitoring service* | SERVAUTH | CEC.MONITOR | MONCLASS | MONPROF |
| Operator service | SERVAUTH | CEC.OPER | OPRCLASS | OPRPROF |

You can supply values for these parameters during the installation customization process or by setting them in the Console Explorer in the Classic Data Architect. For example:

SAFEXIT="CACSX04,VALIDATE=Y,ADMCLASS=xxxxxxxx,ADMPROF=yyyy.yyyyy"
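
The following Python check is an added example, not IBM's code: for each service it resolves which class and profile a SAFEXIT value causes the ESM to check, using the defaults and override parameters from Table 2, and flags values that skip profile checks. The keyword grammar is assumed from the sample value above; the function names and the TESTCLS and TEST.* values are hypothetical.

```python
# Added example: resolve the class and profile a SAFEXIT value makes the ESM check.
# Assumed grammar (from the page's one sample): exit name, then KEY=VALUE pairs.
DEFAULTS = {  # service: (default class, default profile, class key, profile key)
    "administration": ("SERVAUTH", "CEC.ADMIN", "ADMCLASS", "ADMPROF"),
    "monitoring": ("SERVAUTH", "CEC.MONITOR", "MONCLASS", "MONPROF"),
    "operator": ("SERVAUTH", "CEC.OPER", "OPRCLASS", "OPRPROF"),
}

def parse_safexit(value):
    """Split 'CACSX04,KEY=VAL,...' into (exit_name, {KEY: VAL})."""
    parts = [p.strip() for p in value.strip().strip('"').split(",")]
    if not parts[0] or "=" in parts[0]:
        raise ValueError("SAFEXIT value must start with the exit name")
    params = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if not (key and sep and val):
            raise ValueError(f"malformed SAFEXIT keyword: {part!r}")
        params[key.strip().upper()] = val.strip()
    return parts[0].upper(), params

def audit(service, value):
    """Return the effective class/profile for a service plus review findings."""
    dclass, dprof, ckey, pkey = DEFAULTS[service]
    exit_name, params = parse_safexit(value)
    validate = params.get("VALIDATE", "").upper()
    checked = validate == "Y"
    findings = []
    if validate == "N":
        findings.append("VALIDATE=N: authentication only, no profile check")
    elif not checked:
        findings.append("VALIDATE is neither Y nor N: review this value")
    if not checked and (ckey in params or pkey in params):
        findings.append(f"{ckey}/{pkey} set but profiles are not checked")
    return {
        "exit": exit_name,
        "profile_checks": checked,
        "class": params.get(ckey, dclass) if checked else None,
        "profile": params.get(pkey, dprof) if checked else None,
        "findings": findings,
    }

if __name__ == "__main__":
    # Constructed sample values; TESTCLS and TEST.* are placeholder names.
    samples = [("administration", "CACSX04,VALIDATE=Y,ADMCLASS=TESTCLS,ADMPROF=TEST.ADMIN"),
               ("monitoring", "CACSX04,VALIDATE=Y"),
               ("operator", "CACSX04,VALIDATE=N,OPRPROF=TEST.OPER")]
    for service, value in samples:
        print(service, audit(service, value))
```

The class and profile that the check reports for each service are the ones your security administrator must define and permit users to with READ or CONTROL access.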

Administration service

The administration service secures user connections to the Classic data server by checking z/OS credentials and access rights to protected resources.

Monitoring service

The monitoring service secures access to subscription states, statuses, and metrics.

A Classic data server provides different ways of accessing monitoring information, depending on your solution. Data Replication for VSAM uses the Classic Data Architect to display subscription status and metrics.

The Classic Data Architect accesses monitoring information by using the same user account that logged in to the administration service and connected with the Classic data server.

Operator service

The operator service authenticates users who run remote console commands on the Classic data server, including the MTO command files run from the Classic Data Architect. Console users are generally system operators who make z/OS system console requests to a Classic data server.

The operator service does not secure operator commands that you enter from a z/OS console or equivalent interface, such as the System Display and Search Facility (SDSF). When you issue commands to the console, you have implied authority to issue commands to the Classic data server, so you must secure these command interfaces to prevent unrestricted access. Ensure that users who run remote operator commands have READ access to connect to the data server and to issue the DISPLAY command, and CONTROL access for all other commands.