IBM z/OSMF - Group home

An easy way to drive automatic security validation


Have you often spent a lot of time figuring out which SAF-based security requirements a specific function needs in order to work? Have you spent a lot of effort investigating why a function stopped working, only to find that the cause was a missing or broken security setup? Have you spent a lot of time investigating the differences between security products?

z/OSMF Security Configuration Assistant (SCA) is one of the z/OSMF services (or plugins) that is intended to help with the challenges above. It lets you describe SAF resource-based security requirements in an easy-to-understand JSON format. Given such a JSON descriptor file, SCA provides a graphical user interface that presents the security requirements by function or product. It drives the SAF interface to validate the security requirements automatically, and therefore hides the differences between security products. For details about SCA, please refer to our earlier blog


With PH41248, which is now available on z/OS V2R4 and above, SCA exposes its automatic security validation capability through a REST API. A REST API is a lightweight web service that is easy to drive either locally or remotely.

You can use the SCA REST API to validate security requirements by specifying the JSON description of the requirements either in the HTTP request body or, alternatively, in a static JSON security descriptor file. This new REST service lets you focus on security requirements, which can be organized by product or function, instead of having to understand complex command syntax and the differences among security products.

Here is what the REST API looks like:

If the security requirements are described in the HTTP request body:

POST /zosmf/config/security/v1/validate?userid=<userid>

If the security requirements are described in a standalone USS file:

POST /zosmf/config/security/v1/validate/descriptor?userid=<userid>

In the above APIs, <userid> identifies the user ID or group ID to be validated.

Whether the security requirements are specified directly in the HTTP request body or in a separate USS file, the requirements are written in JSON, which is easy to understand and to code. Here is an example (for details about the JSON format that SCA uses, please refer to the z/OSMF Programming Guide):

{
  "resourceItems": [
    {
      "resourceProfile": "IRR.DIGTCERT.LISTRING",
      "resourceClass": "FACILITY",
      "access": "READ"
    },
    {
      "resourceProfile": "CEA.SIGNAL.ENF83",
      "resourceClass": "SERVAUTH",
      "access": "READ"
    }
  ]
}

The SCA REST API accepts the above security requirements and automatically validates whether the target user or group (specified by <userid>) has the required access to each listed resource. When the validation is done, the API returns the result in the HTTP response body, as shown below:

{
  "resourceItems": [
    {
      "resourceProfile": "IRR.DIGTCERT.LISTRING",
      "resourceClass": "FACILITY",
      "access": "READ",
      "action": "validate",
      "validatedId": "izusvr3",
      "status": "Passed"
    },
    {
      "resourceProfile": "CEA.SIGNAL.ENF83",
      "resourceClass": "SERVAUTH",
      "access": "READ",
      "action": "validate",
      "validatedId": "izusvr3",
      "status": "Passed"
    }
  ]
}
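As an added example (not part of the original post, and not SCA's or z/OSMF's own code), here is a small Python client that builds the request body shown above, posts it to the validate endpoint, and triages the response so that a failed item or an item the response did not report on is never mistaken for a clean pass. The host name, the Authorization header value and the "Failed" status value used in the constructed sample response are assumptions; the page only shows "Passed".

```python
import json
import urllib.request

SCA_VALIDATE_PATH = "/zosmf/config/security/v1/validate"

REQUIREMENTS = [  # the page's two requirements as (profile, class, access)
    ("IRR.DIGTCERT.LISTRING", "FACILITY", "READ"),
    ("CEA.SIGNAL.ENF83", "SERVAUTH", "READ"),
]

def build_request_body(requirements):
    """Build the JSON body the validate API expects."""
    return {"resourceItems": [
        {"resourceProfile": p, "resourceClass": c, "access": a}
        for p, c, a in requirements]}

def _key(profile, klass, access):
    return f"{klass}/{profile}({access})"

def triage(requirements, response):
    """Split the response into passed/failed items and flag requested items it
    did not report on, so a short or truncated response is never read as a pass."""
    wanted = {_key(p, c, a) for p, c, a in requirements}
    passed, failed, seen = [], [], set()
    for item in response.get("resourceItems", []):
        k = _key(item["resourceProfile"], item["resourceClass"], item["access"])
        seen.add(k)
        # The page shows only "Passed"; any other status counts as not passed.
        (passed if item.get("status") == "Passed" else failed).append(k)
    return {"passed": passed, "failed": failed, "missing": sorted(wanted - seen)}

def validate(host, userid, requirements, auth_header, timeout=30):
    """POST the requirements to z/OSMF over HTTPS and return the parsed response."""
    url = f"https://{host}{SCA_VALIDATE_PATH}?userid={userid}"
    data = json.dumps(build_request_body(requirements)).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", auth_header)  # placeholder: Basic or z/OSMF token
    req.add_header("X-CSRF-ZOSMF-HEADER", "true")  # z/OSMF REST services require this
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample response; second item marked "Failed" (assumed value) to show triage.
SAMPLE_RESPONSE = {"resourceItems": [
    dict(resourceProfile="IRR.DIGTCERT.LISTRING", resourceClass="FACILITY", access="READ",
         action="validate", validatedId="izusvr3", status="Passed"),
    dict(resourceProfile="CEA.SIGNAL.ENF83", resourceClass="SERVAUTH", access="READ",
         action="validate", validatedId="izusvr3", status="Failed"),
]}
```

Calling `triage(REQUIREMENTS, SAMPLE_RESPONSE)` offline returns the passed, failed and missing lists; `validate(...)` performs the same round trip against a live z/OSMF host.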

As you can see, both the REST API and the JSON format for describing security requirements are easy to understand. In addition, if you use Ansible for z/OS automation, SCA also provides an Ansible module in the latest version of the z/OSMF Ansible collection, so you can use Ansible to drive automatic security validation.

In summary, z/OSMF Security Configuration Assistant provides a REST API that simplifies security validation on z/OS. Security requirements are described in an easy-to-understand JSON format, and the validation drives the SAF interface directly, so it is not affected by the differences between ESMs.