IBM z/OSMF

The IBM z/OS Management Facility framework improves programmer productivity by using simplified, streamlined and automated tasks. This easier-to-use functionality reduces both programmer training time and the learning curve.


Introducing zOSMF Security Validation Utility

By ZHI LI posted Tue February 28, 2023 10:16 PM


Security Configuration Assistant (SCA) is a great tool for reviewing and fixing z/OSMF security issues. SCA covers almost every kind of security problem a user may run into, but not all of them. One gap SCA could not close: if there is a security issue in the z/OSMF nucleus, the user cannot log in to z/OSMF at all, and so never reaches the SCA task. This is no longer a problem, because z/OSMF now delivers a new security utility that runs outside of z/OSMF and reviews the security definitions required by the z/OSMF nucleus and by SCA. You do not even need to configure z/OSMF to run the utility, and after it runs it tells you which security definitions or authorizations are missing.

The security validation utility validates the security required by the z/OSMF nucleus, which is normally set up by running the IZUNUSEC job. Because the user must modify and customize the property values in that job before running it, the process is error-prone and can leave security definitions wrong or missing. With one or more security failures, the user may get a z/OSMF initialization error or a login error. In the better case, the user gets an ICH408I message that states which permission was required, but still has to decide whether granting that authorization is appropriate. In most cases, the user cannot determine the exact security error at all, because the logs and the z/OSMF interface report very little information. The new utility removes these challenges.

The utility lets you do many things that previously could only be done in SCA. For instance, you can validate whether the z/OSMF started task ID has the right authorizations, and whether a specific user has the right authorizations for the z/OSMF nucleus or for the Security Configuration Assistant.

There are two ways to run the security validation utility on your system:

  • You can run job IZUSECJL, which calls procedure IZUSECSV to perform the validation. Job IZUSECJL is available in SYS1.SAMPLIB. The two procedure parameters select the user ID and the server (started task) ID whose authorizations are checked:

//IZUSECJL JOB MSGCLASS=C,MSGLEVEL=(1,1)
//DO      EXEC PROC=IZUSECSV,
//             USERID='IBMUSER', /* User ID validated */
//             SVRID='IZUSVR'   /* Server ID validated */

  • Alternatively, you can run procedure IZUSECSV as a started task to perform the validation.

After the job completes successfully, you can view the validation result in the job log. The SDSF display below shows the output data sets the job produces; DD REPORT holds the validation report and DD SECCFG the security configuration it was checked against.

NP   DDNAME   StepName ProcStep DSID Owner    C Dest               Rec-Cnt Page-Cnt Byte-Cnt CC   Rmt  Node O-Grp-N  SecLabel PrMod
     JESMSGLG JES2                 2 IBMUSER  H LOCAL                   14               532  1           1 1                 LINE
     JESJCL   JES2                 3 IBMUSER  H LOCAL                   76             4,673  1           1 1                 LINE
     JESYSMSG JES2                 4 IBMUSER  H LOCAL                   61             3,444  1           1 1                 LINE
     STDOUT   DO       SECVAL    107 IBMUSER  H LOCAL                   11               565  1           1 1                 LINE
     REPORT   DO       COPYRPT   111 IBMUSER  H LOCAL                   40             3,017  1           1 1                 LINE
     SECCFG   DO       COPYRPT   112 IBMUSER  H LOCAL                  131             4,242  1           1 1                 LINE

DD REPORT contains the validation report, shown in the example below. Each line reports one check: first whether a RACF class is active, then whether the server ID and the user ID hold the required access level to each resource. If every line has status "SUCC", your security setup for the z/OSMF nucleus is complete; you can then start z/OSMF and navigate to SCA for further security validation.

 SUCC: Class APPL is activated.
 SUCC: Class SERVER is activated.
 SUCC: Class FACILITY is activated.
 SUCC: Class SERVAUTH is activated.
 SUCC: Class ACCTNUM is activated.
 SUCC: Class TSOPROC is activated.
 SUCC: Class TSOAUTH is activated.
 SUCC: Class OPERCMDS is activated.
 SUCC: Class EJBROLE is activated.
 SUCC: Class ZMFAPLA is activated.
 SUCC: Class STARTED is activated.
 SUCC: Server IZUSVR has READ access to resource BBG.ANGEL.IZUANG31 in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.AUTHMOD.BBGZSAFM in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.AUTHMOD.BBGZSAFM.SAFCRED in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.AUTHMOD.BBGZSAFM.ZOSWLM in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.AUTHMOD.BBGZSAFM.TXRRS in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.AUTHMOD.BBGZSAFM.ZOSDUMP in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECPFX.IZUDFLT in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.ZMFAPLA in SERVER class.
 SUCC: Server IZUSVR has CONTROL access to resource BBG.SYNC.IZUDFLT in FACILITY class.
 SUCC: Server IZUSVR has READ access to resource BPX.WLMSERVER in FACILITY class.
 SUCC: Server IZUSVR has READ access to resource BPX.CONSOLE in FACILITY class.
 SUCC: Server IZUGUEST has READ access to resource IZUDFLT in APPL class.
 SUCC: Server IZUSVR has READ access to resource IRR.DIGTCERT.LISTRING in FACILITY class.
 SUCC: Server IZUSVR has READ access to resource CEA.SIGNAL.ENF83 in SERVAUTH class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.SERVER in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.APPL in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.FACILITY in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.EJBROLE in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.SERVAUTH in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.STARTED in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.ZMFCLOUD in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.ACCTNUM in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.TSOPROC in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.TSOAUTH in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.OPERCMDS in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.CSFSERV in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.JESSPOOL in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.LOGSTRM in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.UNIXPRIV in SERVER class.
 SUCC: Server IZUSVR has READ access to resource BBG.SECCLASS.RDATALIB in SERVER class.
 SUCC: User IBMUSER has READ access to resource IZUDFLT in APPL class.
 SUCC: User IBMUSER has READ access to resource IZUDFLT.IzuManagementFacility.izuUsers in EJBROLE class.
 SUCC: User IBMUSER has READ access to resource IZUDFLT.IzuManagementFacilityHelpApp.izuUsers in EJBROLE class.
 SUCC: User IBMUSER has READ access to resource IZUDFLT.IzuManagementFacilityImportUtility.izuUsers in EJBROLE class.
 SUCC: User IBMUSER has READ access to resource IZUDFLT.ZOSMF in ZMFAPLA class.
 SUCC: User IBMUSER has READ access to resource IZUDFLT.ZOSMF.CONFIGURATION.SECURITY_ASSISTANT in ZMFAPLA class.
 SUCC: User IBMUSER has READ access to resource IZUDFLT.IzuManagementFacilitySecurityConfigurationAssistant.izuUsers in EJBROLE class
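On a real system the report has dozens of lines and the ones that matter are the few that are not SUCC. The following Python script is an added example, not part of the original post or of the z/OSMF utility: it parses the DD REPORT text into structured findings (class activation checks and per-ID access checks), counts statuses, lists the checks that did not succeed, and renders the RACF command that would satisfy each one (SETROPTS CLASSACT for an inactive class, PERMIT for a missing access level) so an administrator can review them against local policy before issuing anything. The sample input is constructed from lines on this page plus three lines given a FAIL status; the status token used for failures, and the assumption that non-SUCC lines keep the same sentence shape as SUCC lines, are assumptions, so adjust the regular expressions if your report reads differently.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: SUCC lines taken from the report above, plus three lines
# marked FAIL (status token and phrasing for failures are assumed, not from the page).
SAMPLE_REPORT = """\
 SUCC: Class APPL is activated.
 SUCC: Class SERVER is activated.
 FAIL: Class ZMFAPLA is activated.
 SUCC: Server IZUSVR has READ access to resource BBG.SECPFX.IZUDFLT in SERVER class.
 FAIL: Server IZUSVR has CONTROL access to resource BBG.SYNC.IZUDFLT in FACILITY class.
 SUCC: User IBMUSER has READ access to resource IZUDFLT in APPL class.
 FAIL: User IBMUSER has READ access to resource IZUDFLT.ZOSMF.CONFIGURATION.SECURITY_ASSISTANT in ZMFAPLA class.
 SUCC: User IBMUSER has READ access to resource IZUDFLT.IzuManagementFacilitySecurityConfigurationAssistant.izuUsers in EJBROLE class
"""

# One report line: "<STATUS>: <message>", optional leading blank, optional trailing period.
LINE_RE = re.compile(r"^\s*(?P<status>[A-Z]+):\s*(?P<msg>.+?)\s*$")
CLASS_RE = re.compile(r"^Class (?P<cls>\S+) is activated\.?$")
ACCESS_RE = re.compile(
    r"^(?P<kind>Server|User) (?P<id>\S+) (?:has|does not have) (?P<access>[A-Z]+) access "
    r"to resource (?P<resource>\S+) in (?P<cls>\S+) class\.?$"
)


def parse_report(text):
    """Turn report text into a list of finding dicts; lines without 'STATUS:' are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        status, msg = m.group("status"), m.group("msg")
        finding = {"status": status, "message": msg}
        mc, ma = CLASS_RE.match(msg), ACCESS_RE.match(msg)
        if mc:
            finding.update(kind="class", cls=mc.group("cls"))
        elif ma:
            finding.update(kind=ma.group("kind").lower(), id=ma.group("id"),
                           access=ma.group("access"), resource=ma.group("resource"),
                           cls=ma.group("cls"))
        else:
            finding["kind"] = "unknown"  # keep it so nothing silently disappears
        findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per status token, e.g. {'SUCC': 5, 'FAIL': 3}."""
    return dict(Counter(f["status"] for f in findings))


def missing(findings):
    """Every check whose status is not SUCC, in report order."""
    return [f for f in findings if f["status"] != "SUCC"]


def required_by_id(findings):
    """Map each server/user ID to the (class, resource, access) triples the report expects."""
    needs = defaultdict(list)
    for f in findings:
        if f["kind"] in ("server", "user"):
            needs[f["id"]].append((f["cls"], f["resource"], f["access"]))
    return dict(needs)


def suggest(finding):
    """RACF command that would satisfy one failed check, for administrator review."""
    if finding["kind"] == "class":
        return f"SETROPTS CLASSACT({finding['cls']})"
    if finding["kind"] in ("server", "user"):
        return (f"PERMIT {finding['resource']} CLASS({finding['cls']}) "
                f"ID({finding['id']}) ACCESS({finding['access']})")
    return None  # unrecognised line shape: show the raw message instead


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("status counts:", summarize(found))
    for f in missing(found):
        print(f"{f['status']}: {f['message']}")
        print("   suggested:", suggest(f) or "(review manually)")
```

Run it against the contents of DD REPORT (for example after copying the spool data set to a file) instead of SAMPLE_REPORT; a non-empty `missing()` list is the work queue, and the suggested commands are only a starting point, since the page itself notes that whether an authorization is appropriate to grant is still a decision for the administrator.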

Disclaimer: This document intends to represent the views of the author rather than IBM. Please contact the author lilzhi@cn.ibm.com instead of IBM service for any questions.
