CA ACF2 for z/VM is a systems software product that helps control the use of computer resources, including system access and data (for example, minidisks, CMS files, and MVS and VSE data sets). CA ACF2 for z/VM controls these resources by forcing you to enter a unique logonid and password to access the system. Your logonid can be up to eight characters long and identifies you to CA ACF2 for z/VM. You are assigned a unique logonid that you must enter every time you access the system. After you enter your logonid correctly, CA ACF2 for z/VM prompts you for your password. Passwords can be up to eight characters long. The difference between a logonid and a password is that any number of people can know your logonid, but only you and CA ACF2 for z/VM know your password. Never write down your password or share it with anyone. Keep it to yourself and change it often.
Your logonid and password are validated against a central CA ACF2 for z/VM database where a security administrator has previously defined one logonid record for every authorized user. A logonid record defines what you can and cannot do on the system. It also provides a history of what you have done so far, for example, how many password violations you have committed, and what types of data you have tried to access.
After you have successfully logged on, CA ACF2 for z/VM verifies that each data access request is authorized. CA ACF2 for z/VM determines whether a request is authorized by checking if:
If your request is not authorized, CA ACF2 for z/VM denies and logs the action by creating a System Management Facility (SMF) record. You can review and edit these records with the CA ACF2 for z/VM reports.
A number of options let you tailor CA ACF2 for z/VM controls to your needs. An important aspect of preplanning is to decide which options to use and how to migrate your system from its current level of security to one of full CA ACF2 for z/VM security where all data is protected by default.For additional information on the other CA ACF2 for z/VM features, see the Administrator Guide.
Correct implementation of CA ACF2 for z/VM provides a significant enhancement to data security because it greatly reduces unauthorized accesses and similar security exposures. Use CA ACF2 for z/VM as part of an overall approach to security. CA ACF2 for z/VM supports a number of management controls. These controls include:
For the VM environment, a proper installation of CA ACF2 for z/VM with appropriate rules and system options provides comprehensive protection. IBM has issued an integrity statement for the CP component of VM. As a result, CA ACF2 for z/VM uses the features of CP to secure data and resources. By controlling CP LINK and ATTACH commands, CA ACF2 for z/VM can tightly secure DASD accesses. CA ACF2 for z/VM offers further protection through the control of CP commands and diagnose instructions, and the control of the DASD Dump Restore (DDR) service program.
Under the constraints of the CMS environment, CA ACF2 for z/VM provides a high level of security. IBM has not yet issued an integrity statement for CMS and it is unlikely that they will issue such a statement. The CMS environment, with limited inherent security, lets the general user program execute in supervisor state, enter storage protect key zero, execute privileged instructions, issue input/output commands, and process interrupts independently of the CMS nucleus. The sophisticated user could use these CMS features to modify the CMS nucleus and compromise CMS and OS file‑level security. This lack of integrity in the CMS environment limits any security system from providing absolute file‑level protection. CA ACF2 for z/VM allows for separate READ and WRITE validations. WRITE does not imply READ. On the minidisk level, validations for read links (such as R, RR, and so on) are validated as READ, and write links (such as W, WR, MR, MW, and so on) are validated as WRITE. However, some write links can end up as R/O links (such as if another user has the disk linked R/W). Also, once a write link is allowed, CP establishes a R/W link. This means that CP, and CA ACF2 for z/VM allows data to be read and written at the minidisk level. File level security does allow for WRITE‑ONLY files in the constraints of the CMS operating system.
CA ACF2 for z/VM greatly improves the limited file‑level protection provided by CMS. When combined with CA ACF2 for z/VM DASD protection features, other features protect files against tampering and accidental data destruction. In addition, CA ACF2 for z/VM logs any attempts to violate security.
|
Copyright © 2009 CA Technologies.
All rights reserved.
|
|