Creating security descriptor files for the Security Configuration Assistant task

In the Security Configuration Assistant task, you can check the security configuration for external products on your z/OS system. This option requires a security descriptor file, which is typically provided by the product vendor. A security descriptor file is a flat file, such as a text file, that contains security information about the product.

You can create your own security descriptor files or obtain them from a provider, such as IBM®, another vendor, or a third party. IBM supplies security descriptor files for the z/OSMF functions and services at the following location: /usr/lpp/zosmf/configuration. You can refer to the IBM-supplied files as examples for creating your own security descriptor files.

Syntax for security descriptor files

The security descriptor file format is JSON. This file must comply with the following syntax:
{
  "ServiceId": "service-identifier",
  "ServiceName": "service-name",
  "MetaValidationItemVersion": "validation-version",
  "Vendor": "vendor-name",
  "SecurityValidationItems": [
    {
      "ItemID": "item-identifier",
      "ItemType": "item-type",
      "ItemCategory": "item-category",
      "ResourceProfile": "resource-profile",
      "ResourceClass": "resource-class",
      "WhoNeedsAccess": "user name or group name",
      "LevelOfAccessRequired": "access-level",
      "ItemDescription": "item-description"     
    }
  ]
} 
Where:
ServiceId
An identifier that represents the specific product to be evaluated by the Security Configuration Assistant task. This value must be unique.
For reference, each z/OSMF core service is associated with a security descriptor file and is assigned a unique service identifier as follows:
  • 5655S28SM00 - z/OSMF Nucleus
  • 5655S28SM01 - z/OSMF Security Configuration Assistant
  • 5655S28SM02 - z/OSMF AUTOSTART function
  • 5655S28SM03 - z/OSMF Notification function
  • 5655S28SM04 - z/OSMF Workflow Editor
  • 5655S28SM05 - z/OSMF Configuration workflow
ServiceName
Service name. This value is displayed for the product in the Security Configuration Assistant task user interface (UI).
MetaValidationItemVersion
Version identifier for the security descriptor file, for example 1.0. The provider of the security descriptor file can increment this value to indicate a new version of the file.
Vendor
The provider of the security descriptor file, for example, IBM.
SecurityValidationItems
An array in which each element contains the following key-value pairs:
ItemID
A unique identifier that represents the resource to be protected (the security item). This value can be used to control the order in which items are listed in the Security Configuration Assistant task UI.

As an example, the item ID for a z/OSMF service consists of ServiceID+I+nnnnnnnn. It is recommended that the numeric portion (nnnnnnnn) use non-consecutive values, so that new items can be inserted between existing ones in the future.

ItemType
One of the following values:
  • PROGRAMMABLE indicates that the security item can be verified automatically by the Security Configuration Assistant task.
  • MANUAL indicates that the security administrator must verify the security item manually.
  • SEMI-PROGRAMMABLE indicates that the security item depends on configurable settings, which require input from the security administrator. For example, a RACF resource profile name with one or more variables. In the following example, the security administrator must provide the values for sysname and tcpname:
    Resource EZB.INITSTACK.<sysname>.<tcpname>

    When you add values to a resource profile, you are replacing the variable portion with an actual value. You must ensure that the resource profile is correct for your system.

ItemCategory
An optional value that can be used to group related security items in the Security Configuration Assistant task UI. For example, you might assign an item category to security items that are used to protect the same function.
ResourceProfile
SAF resource profile name. You can specify a generic profile.
ResourceClass
SAF resource class.
WhoNeedsAccess
Users (security groups) who require access to this resource. The Security Configuration Assistant task does not verify that security groups are defined for the external product. The security administrator must verify that the groups exist.
LevelOfAccessRequired
Level of access that is required, such as READ, UPDATE, ALTER, or CONTROL.
ItemDescription
Descriptive text. For example, an explanation of why the authorization is needed.

The information for each security item must be contained within separate braces ({ }) inside the brackets ([ ]) of the SecurityValidationItems array, and the sets of braces must be comma-separated. For an example file that contains the information for the z/OSMF ISPF plug-in, see Sample security descriptor file.

Sample security descriptor file

Figure 1 shows the contents of the security descriptor file for the z/OSMF ISPF service.

Figure 1. Security descriptor file for the z/OSMF ISPF service
{
  "ServiceId": "5655S280100",
  "ServiceName": "z/OSMF ISPF",
  "MetaValidationItemVersion": 1.01,
  "Vendor": "IBM",
  "SecurityValidationItems": [
    {
      "ItemID": "5655S280100I0001000",
      "ItemType": "PROGRAMMABLE",
      "ItemCategory": "z/OSMF ISPF functions",
      "ResourceProfile": "IZUDLFT.ZOSMF.ISPF.ISPF",
      "ResourceClass": "ZMFAPLA",
      "WhoNeedsAccess": "<user or your group name>",
      "LevelOfAccessRequired": "READ",
      "ItemDescription": "Allow the user to access the ISPF task."     
    }
  ]
} 

Working with a security descriptor file

Do the following:
  1. Obtain the security descriptor file from the product vendor.
  2. Install the security descriptor file in the following z/OSMF directory: <IZU_CONFIG_DIR>/configuration/security. By default, this directory is named /global/zosmf/configuration/security.

    The Security Configuration Assistant task can access and display the security descriptor files in this directory.

    Ensure that the z/OSMF server ID (by default, IZUSVR) has at least READ permission to the security descriptor file. On start-up, the z/OSMF server checks the files in the z/OSMF configuration directory. You can avoid a warning message or error message from the server by setting the file permissions to read/write for the owner and group: 660 (rw-rw----).

    Also, to avoid errors, if you transfer the file from a workstation to the z/OSMF directory, be sure to convert the file to the EBCDIC character set on the host system.

  3. In the Security Configuration Assistant task, in the Imported Products view, click Import. This action displays a list of the available security descriptor files.
  4. Select the security descriptor file for the product that you want to verify and click OK. If the file contains an error that prevents it from being loaded, an error message is displayed. For more details, such as the line number of the error, click the information icon for the file name.
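The following script is an added example; it is not IBM code and is not part of z/OSMF. It applies the syntax rules from the section above to a descriptor parsed from JSON (required keys, the three ItemType values, unique item IDs, <variable> placeholders only where the item type allows them) and adds the two installation checks from step 2: whether the file is still in ASCII rather than EBCDIC, judged from its first non-blank byte, and whether its file mode matches the recommended 660. The function names, the choice of which per-item keys to treat as required (the page only marks ItemCategory as optional), and the embedded sample descriptor are assumptions of this example.

```python
import json
import re

# Top-level keys from the page's syntax block.
TOP_KEYS = ("ServiceId", "ServiceName", "MetaValidationItemVersion",
            "Vendor", "SecurityValidationItems")
# Per-item keys; ItemCategory is optional per the page, the rest are assumed required here.
ITEM_KEYS = ("ItemID", "ItemType", "ResourceProfile", "ResourceClass",
             "WhoNeedsAccess", "LevelOfAccessRequired", "ItemDescription")
ITEM_TYPES = {"PROGRAMMABLE", "MANUAL", "SEMI-PROGRAMMABLE"}
# The page lists these with "such as", so an unlisted level only warns.
KNOWN_ACCESS = {"READ", "UPDATE", "ALTER", "CONTROL"}
# A <variable> placeholder in a resource profile, e.g. <sysname>.
VARIABLE_RE = re.compile(r"<[^<>]+>")


def validate_descriptor(doc):
    """Return 'error: ...' / 'warning: ...' strings; an empty list is clean."""
    findings = []
    for key in TOP_KEYS:
        if key not in doc:
            findings.append(f"error: missing top-level key {key}")
    items = doc.get("SecurityValidationItems")
    if not isinstance(items, list) or not items:
        findings.append("error: SecurityValidationItems must be a non-empty array")
        return findings
    service_id = str(doc.get("ServiceId", ""))
    seen_ids = set()
    for n, item in enumerate(items):
        where = f"item {n}"
        for key in ITEM_KEYS:
            if key not in item:
                findings.append(f"error: {where}: missing key {key}")
        item_id = str(item.get("ItemID", ""))
        if item_id in seen_ids:
            findings.append(f"error: {where}: duplicate ItemID {item_id}")
        seen_ids.add(item_id)
        # z/OSMF's own convention is ServiceID+I+nnnnnnnn; other vendors
        # may number differently, so a mismatch is only a warning.
        if service_id and not item_id.startswith(service_id):
            findings.append(f"warning: {where}: ItemID does not start with ServiceId")
        item_type = item.get("ItemType")
        if item_type not in ITEM_TYPES:
            findings.append(f"error: {where}: unknown ItemType {item_type!r}")
        profile = str(item.get("ResourceProfile", ""))
        has_vars = bool(VARIABLE_RE.search(profile))
        # A PROGRAMMABLE item is verified automatically, so an unresolved
        # <variable> in its profile can never match a real profile name.
        if item_type == "PROGRAMMABLE" and has_vars:
            findings.append(f"error: {where}: PROGRAMMABLE profile has variables: {profile}")
        if item_type == "SEMI-PROGRAMMABLE" and not has_vars:
            findings.append(f"warning: {where}: SEMI-PROGRAMMABLE profile has no <variable>")
        level = item.get("LevelOfAccessRequired")
        if level not in KNOWN_ACCESS:
            findings.append(f"warning: {where}: unlisted LevelOfAccessRequired {level!r}")
    return findings


def detect_encoding(raw):
    """Guess the character set from the first non-blank byte: '{' is 0x7B in ASCII, 0xC0 in EBCDIC."""
    blanks = {0x20, 0x09, 0x0A, 0x0D, 0x40, 0x05, 0x15, 0x25}  # ASCII and EBCDIC whitespace
    for b in raw:
        if b not in blanks:
            return {0x7B: "ASCII", 0xC0: "EBCDIC"}.get(b, "unknown")
    return "empty"


def check_mode(mode):
    """Compare a POSIX mode (os.stat(path).st_mode) with the recommended 660."""
    findings = []
    perm = mode & 0o777
    if not perm & 0o040:
        findings.append("error: group has no read access, so the server ID cannot read the file")
    if perm & 0o007:
        findings.append("warning: 'other' permission bits set; recommended mode is 660")
    return findings


# Constructed sample, modelled on the page's z/OSMF ISPF descriptor.
SAMPLE = json.loads("""{
  "ServiceId": "5655S280100",
  "ServiceName": "z/OSMF ISPF",
  "MetaValidationItemVersion": 1.01,
  "Vendor": "IBM",
  "SecurityValidationItems": [
    {"ItemID": "5655S280100I0001000", "ItemType": "PROGRAMMABLE",
     "ItemCategory": "z/OSMF ISPF functions",
     "ResourceProfile": "IZUDLFT.ZOSMF.ISPF.ISPF", "ResourceClass": "ZMFAPLA",
     "WhoNeedsAccess": "<user or your group name>",
     "LevelOfAccessRequired": "READ",
     "ItemDescription": "Allow the user to access the ISPF task."}
  ]
}""")
```

To check an installed file, read it once as bytes for detect_encoding, pass os.stat(path).st_mode to check_mode, and parse the decoded text with json.load for validate_descriptor. The script only reports a file left in ASCII; the conversion itself is done on the host, for example with iconv -f ISO8859-1 -t IBM-1047 in z/OS UNIX, before the Import step.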
In general, configuring the security for a product involves the following activities:
  • Creating security profiles for the product.
  • Performing the various z/OS system customization updates, if any, that are required by the product.
  • Creating a security descriptor file for the product and using the Security Configuration Assistant to validate its security configuration.

For more information, see the online help for the Security Configuration Assistant task.