zSecure Installation and Operation

zSecure is a suite of security products to improve management of System z security environment. zSecure Admin and zSecure Visual components are the ones I installed and reconfigured recently.

zSecure Admin lets security administrator perform more productive and zSecure Visual allows to perform these in MS Windows workstations.

Installation is pretty straightforward. There are SMP/E datasets, target libraries, distribution libraries and configuration datasets. After APF (Authorized Program Facility), TSO (Time Sharing Option) command authorization and PARMLIB enablement it is ready to use.

To start using execute CKR command list in SCKRSAMP library. It would be useful to add it as an option in ISPF/PDF (Interactive System Productivity Facility/ Program Development Facility) system administration panels.

One of very useful facilities of zSecure is it has a set of profiles to allow regular users to perform security administration. You can authorize a regular user just to create users and reset passwords. This is very useful for service desk applications. There is no need to give high grade system-special or group-special authorities to service operation staff.

Another useful facility is Collect function. It allows to collect and keep status of all data sets (Freeze data set) together with RACF (Resource Access Control Facility) database periodically. Daily, weekly or monthly information lets auditors to observe access information in the past practically.

zSecure Visual is not a long running task like other zOS address spaces. It is started by a started task but, works as a set of OMVS (Open MVS) USS (Unix System Services) processes. After some time “Accepting Logons” message is issued and Visual is operational. zSecure Visual behaves like other zOS subsystems in parallel sysplex (Systems Complex) environment. To access Visual, it is necessary to access the TCP/IP environment of the sysplex member Visual is started.

zSecure Visual server is generally started when system started through automation and up all the time. Default port Visual server uses is 8000. Client user should be identified by server before usage. Client user logs on zSecure Admin first using a TN3270 terminal. A token is created by server on 3270 terminal. This token is pasted in client logon panel and saved in client. After this process client can use Visual server.

Authorities issued in System z environment tend to grow in time. After some time some of authorities are never used and become garbage. But it is very difficult to differentiate accessed and not accessed authorizations. traditional SMF (System Management Facility) records data is huge and very difficult to manage for this reason. zSecure supplies Access Monitor facility to address this problem. Access monitor is executed in all members of sysplex and all accesses are captured in datasets. Those datasets are consolidated daily, weekly, monthly and even yearly. So they do not take much space. Least used authorizations are authorizations related with yearly applications. After two years of monitoring, it would be safe to remove never accessed authorizations and resources related with them.

Final facility I will tell is CARLA language embedded in the product. Most of the functions are implemented using this language and it is very easy to customize zSecure using CARLA language.

This entry was posted in IBM zEnterprise Servers, IT Service Management and tagged , , , , , , , , , , , , , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s