Security Considerations › System Authorization Facility (SAF) Interface

System Authorization Facility (SAF) Interface

Select the CA XCOM Data Transport System Authorization Facility (SAF) Interface by specifying SECURITY=SAF in the CA XCOM Data Transport Default Options, or specify SAF by overriding the SECURITY parameter on the CA XCOM Data Transport EXEC statement.

SECURITY=SAF requires:

• The CA XCOM Data Transport address space must be APF authorized.
• z/OS UNIX services must be available.

SECURITY=SAF causes the security context of the task that performs the transfer to change to the user specified by the transfer parameters. The new security context is used by z/OS and your security package to verify access to resources required by the transfer. This eliminates the need to give the CA XCOM Data Transport address space access to resources required by the transfer.

CA XCOM Data Transport creates the new security context by calling the BPX1SEC callable service from z/OS UNIX (also known as _login). The BPX1SEC callable service triggers the security checking of the environment by whichever security package is in control of the CA XCOM Data Transport address space.

Note: If the user specified by the transfer parameters is the same as the CA XCOM Data Transport address space, the call to the BPX1SEC callable service is bypassed.

SECURITY=SAF processing is the same regardless of how the transfer is initiated: XCOMJOB TYPE=EXECUTE, XCOMJOB TYPE=SCHEDULE, CA XCOM Data Transport ISPF interface, CA XCOM Data Transport API and remotely-initiated transfers.

Because SECURITY=SAF is used only for the actual transfer process, it should not be used with the CA XCOM Data Transport XCOMPLEX Admin Server (XCOMXADM).

BPX1SEC Callable Service Security Model

The security requirements for the BPX1SEC callable service depend on the z/OS UNIX security model:

• If the BPX.DAEMON resource in the FACILITY class is not defined, then CA XCOM Data Transport is under the native UNIX security model.
• If the BPX.DAEMON resource in the FACILITY class is defined, then CA XCOM Data Transport is under the z/OS UNIX security model.

BPX1SEC Callable Service Native Security Requirements

Under the native UNIX security model, the CA XCOM Data Transport server (XCOMXFER) address space needs to be a UNIX superuser. This means that, in its OMVS segment, it needs to have a UID of 0 (zero).

See the IBM z/OS UNIX Security Fundamentals Redpaper for more details on z/OS UNIX Security.

BPX1SEC Callable Service z/OS UNIX Security Requirements

Under the z/OS UNIX security model, the CA XCOM Data Transport address space must be a 'clean' (not dirty) environment in terms of program control. The libraries and programs must be defined to the security product and the CA XCOM Data Transport address space needs access to them.

The CA XCOM Data Transport server (XCOMXFER) address space requires one of the following:

• READ access to the profile for the user that the transfer parameters in the SURROGAT class specifies.
• READ access to BPX.DAEMON and a UNIX superuser (in its OMVS segment, a UID of 0).

See the IBM z/OS UNIX Security Fundamentals Redpaper for more details on z/OS UNIX Security.