Analyzer SYSTEM security
HSISANP2 in the PARMLIB defines the system security settings for running the Analyzer.
***********************************************************************
* IZSAM Analyzer on-line mode settings for z/OS SYSTEM security *
* *
***********************************************************************
* SECURITY=SYSTEM - HTTPS (SSL encrypted) communications *
* with z/OS system security (SAF/RACF). *
* Refer to HSISANS1/2/3 in JCLLIB for sample JCL *
* to define RACF profiles/certificates. *
* *
***********************************************************************
SECURITY = SYSTEM
***********************************************************************
* The following settings are only applicable for *
* SECURITY=SYSTEM: *
* *
* AUTH_HLQ defines SAF/RACF profile high level qualifier *
* *
* AUTH_UPPERCASE=Y Analyzer will uppercase passwords when *
* invoking SAF/RACF password authentication. *
* When password phrase support has been *
* enabled AUTH_UPPERCASE=Y has no effect, and *
* mixed case is used. *
* AUTH_UPPERCASE=N Analyzer will pass through mixed case passwords *
* when invoking SAF/RACF password authentication *
* *
* GSK_KEYRING_FILE defines SAF/RACF Keyring name of SSL Certificate *
* GSK_KEY_LABEL defines SAF/RACF Label name of SSL Certificate *
* GSK_STATUS defines status ON or OFF *
* GSK_.... defines optional z/OS SSL environment variables. *
* The z/OS Cryptographic Services Secure Sockets *
* Layer Programming manual explains the *
* environment variables. *
* For example, define GSK_HW_CRYPTO = 32 *
* for SHA-256 digest generation. *
* *
* JCLLIB(HSISANS1) contains sample JCL to define RACF profiles, using *
* a high level qualifier of 'IZSAM'. If you have changed HSISANS1, *
* you may also need to change the AUTH_HLQ TPARAM setting. *
* *
* JCLLIB(HSISANS2/3) contains sample JCL to define RACF SSL *
* Certificates. If you have changed HSISANS2/3, you may also need to *
* change the GSK_KEYRING_FILE and GSK_KEY_LABEL TPARAM settings. *
* *
***********************************************************************
AUTH_HLQ = IZSAM
AUTH_UPPERCASE = Y
GSK_KEYRING_FILE = ZSAM_KEYRING
GSK_KEY_LABEL = ZSAMCERT
GSK_STATUS = OFF

HSISANS1 in the JCLLIB has sample JCL to define RACF® security profiles.
Note: The RACF ID can be an existing RACF group (to which user IDs have been connected) and/or existing RACF user IDs.
If your z/OS® system has been set up to use a third party alternative to RACF, you must define comparable settings in your third party security product.

/*--------------------------------------------------------------*/
/* IZSAM ANALYZER DATABASE PROFILES */
/*--------------------------------------------------------------*/
RDELETE FACILITY IZSAM.DB.AU*
RDEFINE FACILITY IZSAM.DB.AU* UACC(NONE)
PERMIT IZSAM.DB.AU* ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR,AUID001)
RDELETE FACILITY IZSAM.DB.*
RDEFINE FACILITY IZSAM.DB.* UACC(NONE)
PERMIT IZSAM.DB.* ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR)
PERMIT IZSAM.DB.* ACCESS(NONE) -
CLASS(FACILITY) ID(AUID001)
/*--------------------------------------------------------------*/
/* IZSAM ANALYZER MENU PROFILES */
/*--------------------------------------------------------------*/
RDELETE FACILITY IZSAM.MENU.ASSET
RDEFINE FACILITY IZSAM.MENU.ASSET UACC(NONE)
PERMIT IZSAM.MENU.ASSET ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR,AUID001)
RDELETE FACILITY IZSAM.MENU.DISC
RDEFINE FACILITY IZSAM.MENU.DISC UACC(NONE)
PERMIT IZSAM.MENU.DISC ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR)
RDELETE FACILITY IZSAM.MENU.ADMINR
RDEFINE FACILITY IZSAM.MENU.ADMINR UACC(NONE)
PERMIT IZSAM.MENU.ADMINR ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR)
RDELETE FACILITY IZSAM.MENU.ADMIN
RDEFINE FACILITY IZSAM.MENU.ADMIN UACC(NONE)
PERMIT IZSAM.MENU.ADMIN ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM)
RDELETE FACILITY IZSAM.MENU.ADMIN.LIB_CLASSIFICATION
RDEFINE FACILITY IZSAM.MENU.ADMIN.LIB_CLASSIFICATION UACC(NONE)
PERMIT IZSAM.MENU.ADMIN.LIB_CLASSIFICATION ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM)
RDELETE FACILITY IZSAM.MENU.CUSTOM
RDEFINE FACILITY IZSAM.MENU.CUSTOM UACC(NONE)
PERMIT IZSAM.MENU.CUSTOM ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR)
SETROPTS RACLIST(FACILITY) REFRESH
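
An added example, not part of the IBM sample or the product: a short Python audit that reads RACF commands in the form used by HSISANS1 above and builds a per-profile access list, so the effect of the sample (for instance AUID001 having READ on IZSAM.DB.AU* but an explicit NONE on IZSAM.DB.*) can be reviewed before the job is run. The function names and the embedded SAMPLE text are constructed for illustration; the script only parses command text and does not model how RACF selects a generic profile.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HSISANS1 commands shown above.
SAMPLE = """\
RDEFINE FACILITY IZSAM.DB.AU* UACC(NONE)
PERMIT IZSAM.DB.AU* ACCESS(READ) -
  CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR,AUID001)
RDEFINE FACILITY IZSAM.DB.* UACC(NONE)
PERMIT IZSAM.DB.* ACCESS(READ) -
  CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR)
PERMIT IZSAM.DB.* ACCESS(NONE) -
  CLASS(FACILITY) ID(AUID001)
"""

def join_commands(text):
    """Skip /* */ comment lines and join lines continued with a trailing '-'."""
    cmds, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("/*"):
            continue
        if line.endswith("-"):
            buf += line[:-1] + " "
        else:
            cmds.append(buf + line)
            buf = ""
    return cmds

def access_matrix(text):
    """Return ({profile: uacc}, {profile: {id: access}}) from RDEFINE/PERMIT."""
    uacc, acl = {}, defaultdict(dict)
    for cmd in join_commands(text):
        words = cmd.split()
        if words[0] == "RDEFINE":            # RDEFINE <class> <profile> UACC(..)
            m = re.search(r"UACC\((\w+)\)", cmd)
            uacc[words[2]] = m.group(1) if m else "unspecified"
        elif words[0] == "PERMIT":           # PERMIT <profile> ACCESS(..) ID(..)
            access = re.search(r"ACCESS\((\w+)\)", cmd).group(1)
            ids = re.search(r"\bID\(([^)]*)\)", cmd).group(1)
            for rid in ids.split(","):
                acl[words[1]][rid.strip()] = access
    return uacc, dict(acl)

def findings(uacc, acl):
    """Flag profiles whose UACC is not NONE and PERMITs naming an undefined profile."""
    out = [f"{p}: UACC is {u}, expected NONE" for p, u in uacc.items() if u != "NONE"]
    return out + [f"{p}: PERMIT without RDEFINE" for p in acl if p not in uacc]
```

Calling access_matrix on the full HSISANS1 command text gives the same kind of listing for the menu profiles; RDELETE and SETROPTS lines are ignored by the parser.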