IBM z/OS Management Facility (z/OSMF) - Group home

Simplify your product’s security configuration with z/OSMF Security Configuration Assistant

By River JIA posted Mon July 26, 2021 01:08 AM


What's z/OSMF Security Configuration Assistant

z/OSMF Security Configuration Assistant (SCA) is a service (plugin) of z/OSMF. It was introduced in z/OS V2R4 and rolled back to z/OS V2R3.

The basic idea of z/OSMF SCA is to provide a graphical user interface that describes a product's security configuration and gives users a convenient way to check whether that configuration is set up correctly.

You have probably experienced the nightmare of an application that could not work correctly because some piece of security configuration was missing, or of a system put at risk by over-authorized applications. Diagnosing this always takes a lot of time; sometimes the application developer, system programmer and security administrator must work together to get the problem solved. With z/OSMF SCA, the system programmer and application developer can state their security requirements clearly to the security administrator, and, more conveniently, the security administrator can verify the result directly after the setup is done, which guarantees that the security setup is precise.

Why you want to use z/OSMF Security Configuration Assistant

The purpose of z/OSMF SCA is to ease the burden of z/OS products' security setup. Have you ever experienced any of the pain points below?

  • Finding the required security configuration in books of hundreds of pages is inefficient and error-prone. Sometimes there are several books for one product, and it is very hard to know which book and chapter documents the security requirements.
  • It is hard to associate the required security setup with a specific function of the product. When a specific function fails, it is hard to find which security requirement is related to the failure.
  • Communication between the system administrator and the security administrator is inefficient. The system administrator does not know whether an individual security requirement has really been fixed until the security administrator notifies him.
  • The security setup does not precisely reflect whether the security requirement has really been satisfied. This can be caused by generic resources, user groups, etc.

z/OSMF SCA is designed to help with the experiences above. Specifically, SCA provides the following benefits:

  • Easy creation of a product's security descriptor file. z/OSMF SCA uses JSON to describe the security requirements, which makes them easy to understand for both humans and machines and gives the flexibility to describe different kinds of security requirement.
  • Rendering of security requirements by product or by function in a Web UI. z/OSMF SCA is a browser-based Web UI; the security requirements are organized to be human-readable, and it also gives statistics of the validation result.
  • Automatic validation of the security setup at different granularities. z/OSMF SCA can validate the security setup by product or by individual SAF resource, so you can validate just those resources that were updated.
  • Validation of whether a user or user group is authorized to a product or function.
  • Validation results displayed in a graphical chart.
  • Support for all external security manager products, such as RACF, ACF2 and Top Secret.

How to use z/OSMF Security Configuration Assistant

z/OSMF SCA is easy to use: open SCA from the z/OSMF Desktop App Center by double-clicking its icon.

You can select the checkbox of a specific service (product) to check only that product, or check all the services by leaving none selected; you can then see the statistics of the validation result.

By clicking the Action icon of a specific resource item, you check that resource item only.


The initial version of z/OSMF Security Configuration Assistant only supported checking the z/OSMF security configuration. With APAR PH29907, z/OSMF SCA also supports checking other z/OS products' security configuration: other z/OS products can ship their JSON security descriptor files, and their customers can then import those files into z/OSMF SCA to perform the security configuration check. Our first exploiter is z/OS DFSMShsm; if you install DFSMShsm APAR OA59962, you will find its JSON security descriptor files in /usr/lpp/dfsms/hsm/samples.

To import the DFSMShsm JSON security descriptor files into z/OSMF SCA for validation, the first thing to do is copy the JSON files into the z/OSMF configuration directory after your z/OSMF server is up (this only needs to be done once). With the default z/OSMF configuration directory /global/zosmf, you copy the files DFSMShsm_Admin.json and DFSMShsm_User.json from /usr/lpp/dfsms/hsm/samples to /global/zosmf/configuration/security.

P.S. In case you did not install APAR OA59962, you can get these JSON files from the GitHub repository https://github.com/IBM/IBM-Z-zOS/tree/main/zOSMF/Zosmf-SCA

When you open z/OSMF SCA after copying the JSON security descriptor files, select the "Imported Products" view and click "Import"; z/OSMF SCA will discover these files. After clicking "Load", you will find that it works almost the same as checking the z/OSMF service.


How to create your own JSON security descriptor file

IBM or other third parties can ship their products' JSON security descriptor files, and your authorized administrator can then check those products' security configuration with z/OSMF SCA as shown above. Another common use of z/OSMF SCA is to create your own JSON security descriptor file for your own solution's security requirements. In that case the JSON security descriptor file does not describe a product's security requirements but a set of resources for your own solution. For example, you may have a couple of user IDs that need to activate the extended MCS console and retrieve messages from OPERLOG. To do that, the IDs need READ access to the CONSOLE and SYSPLEX.OPERLOG resources (profiles), so you can create the following JSON file:

{
  "ServiceId": "123A123MYID",
  "ServiceName": "My Service",
  "MetaValidationItemVersion": 1.0,
  "Vendor": "My Company",
  "SecurityValidationItems": [
    {
      "ItemID": "123A123MYID0000001",
      "ItemType": "PROGRAMMABLE",
      "ItemCategory": "Special Authority",
      "ResourceProfile": "CONSOLE",
      "ResourceClass": "TSOAUTH",
      "WhoNeedsAccess": "<user or your group name>",
      "LevelOfAccessRequired": "READ",
      "ItemDescription": "Allow the user to activate the extended MCS console."
    },
    {
      "ItemID": "123A123MYID0000002",
      "ItemType": "PROGRAMMABLE",
      "ItemCategory": "Special Authority",
      "ResourceProfile": "SYSPLEX.OPERLOG",
      "ResourceClass": "LOGSTRM",
      "WhoNeedsAccess": "<user or your group name>",
      "LevelOfAccessRequired": "READ",
      "ItemDescription": "Allow the user to retrieve messages from OPERLOG."
    }
  ]
}

Then upload it into the security sub-directory of the z/OSMF configuration directory (by default /global/zosmf/configuration/security), or create the JSON file in this directory directly. I named this JSON file myservice.json. Now when you click "Import" in "Imported Products", Security Configuration Assistant will find it automatically; click "Load" and you will find that it works almost the same as checking the z/OSMF service.

Suppose you want to know whether your ID debug1 has the authority to activate the extended MCS console and retrieve messages from OPERLOG; you can check this by filling in the "Validate for ID" box.
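As an added illustration (not code from this post or from z/OSMF), the following Python models the "Validate for ID" check over a descriptor in the layout shown above: each SecurityValidationItem is compared against the access an ID effectively holds. The access lists, group connections, the OPSGRP name and the simplified user-entry-then-group-then-UACC ordering are constructed assumptions for the example, not SCA's own implementation; they show why a user-group or an explicit NONE entry can make the setup differ from what the requirement intended.

```python
import json

# Access levels in the order RACF ranks them; a higher level satisfies a lower requirement.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
REQUIRED_KEYS = {"ItemID", "ResourceClass", "ResourceProfile", "LevelOfAccessRequired"}

# Constructed descriptor in the layout the post shows (service id, vendor and group are placeholders).
DESCRIPTOR = json.loads("""{
  "ServiceId": "123A123MYID", "ServiceName": "My Service",
  "MetaValidationItemVersion": 1.0, "Vendor": "My Company",
  "SecurityValidationItems": [
    {"ItemID": "123A123MYID0000001", "ItemType": "PROGRAMMABLE", "ItemCategory": "Special Authority",
     "ResourceClass": "TSOAUTH", "ResourceProfile": "CONSOLE", "WhoNeedsAccess": "OPSGRP",
     "LevelOfAccessRequired": "READ", "ItemDescription": "Activate the extended MCS console."},
    {"ItemID": "123A123MYID0000002", "ItemType": "PROGRAMMABLE", "ItemCategory": "Special Authority",
     "ResourceClass": "LOGSTRM", "ResourceProfile": "SYSPLEX.OPERLOG", "WhoNeedsAccess": "OPSGRP",
     "LevelOfAccessRequired": "READ", "ItemDescription": "Retrieve messages from OPERLOG."}
  ]}""")

# Constructed stand-in for the ESM's view: (class, profile) -> access list; "UACC" is the universal access.
ACCESS_LISTS = {
    ("TSOAUTH", "CONSOLE"): {"OPSGRP": "READ", "UACC": "NONE"},
    ("LOGSTRM", "SYSPLEX.OPERLOG"): {"OPSGRP": "READ", "DEBUG1": "NONE", "UACC": "NONE"},
}
GROUP_CONNECTIONS = {"DEBUG1": ["OPSGRP"], "DEBUG2": ["OPSGRP"], "GUEST": []}

def effective_access(user, res_class, profile):
    """Simplified model: explicit user entry wins, then highest group level, then UACC."""
    acl = ACCESS_LISTS.get((res_class, profile))
    if acl is None:
        return None                      # no profile protects the resource at all
    if user in acl:
        return acl[user]                 # an explicit NONE here overrides any group access
    group_levels = [acl[g] for g in GROUP_CONNECTIONS.get(user, []) if g in acl]
    if group_levels:
        return max(group_levels, key=ACCESS_ORDER.index)
    return acl.get("UACC", "NONE")

def validate_for_id(descriptor, user):
    """ItemID -> True when the ID holds at least the required level; malformed items raise."""
    results = {}
    for item in descriptor["SecurityValidationItems"]:
        missing = REQUIRED_KEYS - set(item)
        if missing:
            raise ValueError(f"{item.get('ItemID', '?')} lacks {sorted(missing)}")
        held = effective_access(user, item["ResourceClass"], item["ResourceProfile"])
        need = item["LevelOfAccessRequired"]
        results[item["ItemID"]] = held is not None and ACCESS_ORDER.index(held) >= ACCESS_ORDER.index(need)
    return results
```

Running validate_for_id(DESCRIPTOR, "DEBUG1") flags the OPERLOG item as failed even though DEBUG1 is connected to OPSGRP, because the explicit user entry takes precedence in this model.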



For how to create a JSON security descriptor file, you can refer to a few samples here:

For details, please refer to the IBM z/OS Management Facility Configuration Guide (https://www.ibm.com/docs/en/zos/2.4.0?topic=SSLTBW_2.4.0/com.ibm.zos.v2r4.izua300/V2R4/zosmf/izua300/izuconfig_SecurityDescriptorFile.htm).


Other z/OSMF resources links

You may find the following links useful when using z/OSMF Security Configuration Assistant:

https://mediacenter.ibm.com/media/Use+z+OSMF+to+validate+security+of+DFSMS/1_17jzrqtg/101043781

https://www-01.ibm.com/servers/resourcelink/svc00100.nsf/pages/zosV2R4SC278419/$file/izua300_v2r4.pdf


You can try z/OSMF SCA on the z/OSMF trial system here:

https://www.ibm.com/account/reg/us-en/signup?formid=urx-34578

Or refer to this blog for more details on how to apply for the z/OSMF trial system:

https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/andrii-vasylchenko1/2018/11/11/a-public-free-on-demand-zosmf-system
