Preparing security for servers

You will read about security for your server applications. The word "server" is taken to mean "server application", an application that provides a service for clients. This server could be part of a software product that will run on any company's z/OS® computing environment, or it might be written by your application programmers for your own company's use. This topic is for both audiences:
  • The application programmers designing the server. They must decide what kind of security the server is to have so they can code for it and provide documentation (either verbally or in writing) for those who will run the server.
  • The security administrator at the company that runs the server. They must set up the profiles based on the documentation provided with the server.

Security administrators, who might not be versed in developing programs, will learn the rationale for setting up profiles in certain ways, and application programmers writing the servers will be able to document the security requirements of their products.

Appropriate decisions need to be made regarding server security. In the past, applications had to run APF-authorized in order to be able to call RACF® to build task-level security. z/OS UNIX provides services for servers written in C to create task-level security without being APF-authorized. A server can create a thread-level security environment, and the system can control which servers have the ability to do so. You can prepare a z/OS system for a server that uses thread-level security for its clients. (Note that a thread on UNIX systems corresponds to a task on MVS™, so thread-level security is the same as task-level security.)