Security
To implement security, work with your Security Administrator to define any required classes and profiles, and then secure your Classic data servers.
Use these different layers to secure your replication environment:
z/OS-level security
The System Authorization Facility (SAF) is a z/OS® interface that programs use to communicate with an external security manager (ESM), such as the Resource Access Control Facility (RACF®). SAF and your ESM work together to grant access rights to system resources, such as the following:
- Classic data servers
- Services
RACF classes organize profiles into groupings of related system resources. Profiles define security for specific users, groups, and protected resources. Your security administrator creates classes and profiles, then grants users or groups READ or CONTROL access to the resources in the profiles.
For more information about z/OS security, see the z/OS Security Server RACF Security Administrator's Guide.
Server security
The following table describes specific tasks on a Classic data server and the required SAF access that a user needs to perform them. A user with CONTROL access automatically has READ access.
Task | Service to configure | Minimum required access |
---|---|---|
View subscriptions | Administration service | READ |
Create, update, and delete subscriptions | Administration service | CONTROL |
Manage replication (start, stop, change state) | Administration or Operator service | CONTROL |
Monitor metrics | Monitoring service | READ |
Issue remote console commands | Operator service | READ |
- The SAFEXIT service parameter
Secure your Classic data server by using the SAFEXIT service parameter. The following services have a SAFEXIT parameter:
- Administration service (PAA)
- Monitoring service (MAA)
- Operator service (OPER)
- SAFEXIT and protected resources
If you define the SAFEXIT parameter by specifying the SAFEXIT value
CACSX04,VALIDATE=N
the Classic data server performs user ID and password or password phrase authentication only. No other user validation takes place.
Use the SAFEXIT value
CACSX04,VALIDATE=Y
to grant multiple users different levels of access to system resources based on classes and profiles. For each of these services, you can override the default class and profile by specifying different z/OS class or profile names as values for service parameters. Your ESM then authenticates user access by checking the specified profiles.
Table 2. Default classes and profiles per service, with override service parameters
Service name | Default class | Default profile | Override class parameter | Override profile parameter |
---|---|---|---|---|
Administration service | SERVAUTH | CEC.ADMIN | ADMCLASS | ADMPROF |
Monitoring service* | SERVAUTH | CEC.MONITOR | MONCLASS | MONPROF |
Operator service | SERVAUTH | CEC.OPER | OPRCLASS | OPRPROF |
You can supply values for these parameters during the installation customization process or by setting them in the Console Explorer in the Classic Data Architect. For example:
SAFEXIT="CACSX04,VALIDATE=Y,ADMCLASS=xxxxxxxx,ADMPROF=yyyy.yyyyy"
- Administration service
The administration service secures user connections to the Classic data server by checking z/OS credentials and access rights to protected resources.
- Monitoring service
The monitoring service secures access to subscription states, statuses, and metrics.
A Classic data server provides different ways of accessing monitoring information, depending on your solution. Data Replication for VSAM uses the Classic Data Architect to display subscription status and metrics.
The Classic Data Architect accesses monitoring information by using the same user account that logged in to the administration service and connected with the Classic data server.
- Operator service
The operator service authenticates users who run remote console commands on the Classic data server, including the MTO command files run from the Classic Data Architect. Console users are generally system operators who make z/OS system console requests to a Classic data server.
The operator service does not secure operator commands that you enter from a z/OS console or equivalent interface, such as the System Display and Search Facility (SDSF). When you issue commands to the console, you have implied authority to issue commands to the Classic data server, so you must secure these command interfaces to prevent unrestricted access. Ensure that users who run remote operator commands have READ access to connect to the data server and to issue the DISPLAY command, and CONTROL access for all other commands.
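The following Python audit is an added example, not part of the product or its documentation. It parses SAFEXIT values in the format shown above and resolves the class and profile that the ESM would check for each service, using the Table 2 defaults. The service keys (PAA, MAA, OPER, reused from the list above), the sample values, and the rule that flags another service's override parameter are assumptions.

```python
# Added example: audit SAFEXIT values against the Table 2 defaults.
# Tuple layout: default class, default profile, class override, profile override.
DEFAULTS = {
    "PAA":  ("SERVAUTH", "CEC.ADMIN",   "ADMCLASS", "ADMPROF"),
    "MAA":  ("SERVAUTH", "CEC.MONITOR", "MONCLASS", "MONPROF"),
    "OPER": ("SERVAUTH", "CEC.OPER",    "OPRCLASS", "OPRPROF"),
}

def parse_safexit(value):
    """Split 'CACSX04,VALIDATE=Y,KEY=VAL' into (exit_name, {KEY: VAL})."""
    parts = [p.strip() for p in value.strip().strip('"').split(",") if p.strip()]
    if not parts or "=" in parts[0]:
        raise ValueError("SAFEXIT value must start with the exit name")
    options = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if not sep or not val:
            raise ValueError(f"malformed option: {part!r}")
        options[key.upper()] = val
    return parts[0], options

def audit(service, value):
    """Return (class, profile, findings); class and profile are None if unchecked."""
    def_class, def_prof, class_key, prof_key = DEFAULTS[service]
    _, opts = parse_safexit(value)
    # Assumption: an override parameter that belongs to a different service
    # is a configuration mistake worth reporting.
    findings = [f"{k} is not an override parameter for {service}"
                for k in sorted(set(opts) - {class_key, prof_key, "VALIDATE"})]
    validate = opts.get("VALIDATE", "").upper()
    if validate == "N":
        findings.append("VALIDATE=N: authentication only, no profile check")
        return None, None, findings
    if validate != "Y":
        findings.append("VALIDATE is not Y or N: confirm the effective setting")
    return opts.get(class_key, def_class), opts.get(prof_key, def_prof), findings

# Constructed sample configuration; the override class and profile names are made up.
SAMPLE = {
    "PAA":  "CACSX04,VALIDATE=Y,ADMCLASS=XCLASSIC,ADMPROF=REPL.ADMIN",
    "MAA":  "CACSX04,VALIDATE=N",
    "OPER": "CACSX04,VALIDATE=Y,ADMPROF=REPL.ADMIN",
}

if __name__ == "__main__":
    for svc, val in SAMPLE.items():
        print(svc, *audit(svc, val))
```

In the sample, the Operator service line carries ADMPROF instead of OPRPROF, so the audit reports the stray parameter and shows that the check still falls back to the default CEC.OPER profile.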