1 SECURITRE
An interface between the ADABAS/NATURAL environment and a System Security Facility (SSF),
such as RACF, ACF2, or TOP SECRET
SECURITRE is a product of
Treehouse Software, Inc. (TSI). All rights reserved.
2 SECURITRE
What is SECURITRE?
A security interface providing comprehensive controls for:
- ADABAS
- NATURAL
- Utilities
- Internal Application Functions
3 SECURITRE
Why SECURITRE?
RACF, ACF2, and TOP SECRET (SSFs) do not secure ADABAS/NATURAL resources
ADABAS password mechanism lacks accountability
ADAESI does not secure NATURAL or Utilities
NATURAL Security does not interface to the SSFs
Security coded in applications can be costly and difficult to maintain
“Orange Book” places higher trust in systems with single security rule base
4 SECURITRE
Control without SECURITRE
Each kind of resource is secured by a different mechanism:
RACF, ACF2, or TOP SECRET:
- Non-ADABAS data
- Non-NATURAL programs
NATURAL Security System:
- NATURAL
- NATURAL programs
ADABAS Password Security:
- ADABAS data
Not covered by any of the above:
- ADABAS Utilities
- NATURAL Utilities
- Application Functions, Menus, etc.
5 SECURITRE
Control with SECURITRE
RACF, ACF2, or TOP SECRET with SECURITRE (one rule base) covers:
- Non-ADABAS Data
- Non-NATURAL Programs
- ADABAS Data
- NATURAL
- NATURAL Programs
- ADABAS Utilities
- NATURAL Utilities
- Application Functions, Menus, etc.
6 SECURITRE
SECURITRE Components
SECURITRE for ADABAS
SECURITRE for NATURAL
NSS Conversion Facility
SECURITRE for Utilities
SECURITRE Real-time Monitor
SECURITRE Internal Application Security
7 SECURITRE
SECURITRE for ADABAS
Implemented as a User-Exit-1 to the ADABAS nucleus
Co-exists with other ADABAS User-Exits
Security at these levels:
- Database
- File
- Field
Unauthorized access returns Response Code 200 (ADABAS Security Violation)
Includes intelligent table mechanism
ADABAS utility tables for use by the newest releases of ADABAS (i.e., V6.x, V7.x and V8.x)
8 SECURITRE
Overview of SECURITRE for ADABAS
[Diagram: the user's program issues an ADABAS call through the link routine, where SECURITRE User-Exit-B/A runs, and the ADABAS SVC passes the call to the ADABAS nucleus. In the nucleus, SECURITRE User-Exit-1/4 checks the call against RACF, whose profiles hold ordinary datasets such as SYS1.PROCLIB alongside the pseudo dataset names ADABAS.PROD.PAYROLL, NATURAL.LOGON.BENE1, ..., before the nucleus accesses the ADABAS data.]
9 SECURITRE
Program Pathing
Ensures that access comes not only from authorized users, but through authorized “routes”
Limits access by combinations of:
- Filename
- MVS Jobname
- Node or SMFID of calling program
- NATURAL Library
- Program name (NATURAL or Non-NATURAL)
- FUSER DBID/FNR of calling program
- CICS Tranid and/or Termid
- ADABAS Command Code (e.g., S1)
10 SECURITRE
SECURITRE for NATURAL
Implemented as a set of exits to the NATURAL nucleus
Security at these levels:
- NATURAL Session Initialization
- Library (Logon)
- Program (EDIT, SAVE, CAT, or STOW)
- Program Execution (RUN)
- DDM Access
8-Steplib support for NATURAL V2.2, V2.3 and higher
11 SECURITRE
NATURAL Security Conversion Facility
Implemented as a NATURAL application which reads the FSEC file
Allows for a smooth transition from Software AG’s NATURAL Security System to SECURITRE for NATURAL
Aids in building the necessary SSF rules based on site standards
Aids in configuring SECURITRE for NATURAL
12 SECURITRE
SECURITRE for ADABAS Utilities
Implemented as a statically linked front-end to the ADARUN module
Controls, for each user, access by:
ADABAS Utility
ADABAS Utility Function
DBID
File
13 SECURITRE
SECURITRE for NATURAL Utilities
Implemented through User-Exits to the NATURAL nucleus
Integrated with SECURITRE for NATURAL
Controls access for each user by:
NATURAL Utility
NATURAL Library
14 SECURITRE
SECURITRE Real-time Monitor
Implemented as a standard NATURAL application which communicates with SECURITRE
Access is controlled by SECURITRE
Provides these important functions:
- Purges one or all users from internal tables
- Displays current SECURITRE parameter settings and table sizes
- Reloads parameters for SECURITRE for ADABAS
- Reloads SECURITRE User-Exits
- Activates/Deactivates SECURITRE Trace Facility
- Invokes the TRIM RTM
15 SECURITRE
SECURITRE RTM Main Menu (screen capture)

12/31/99            SECURITRE VERSION 3.1.0              CEW1
11:38:00            REAL-TIME MONITOR                    STRV310

Code  Function
----  ----------------------------------
 A    Force one user from table       (FRC1)
 B    Force all users from table      (FRCA)
 C    Display SECURITRE parms         (PARM)
 D    Reload user exit(s)             (REXT)
 E    Reload SECURITRE parms          (RPRM)
 F    SECURITRE trace facility        (TRAC)
 G    Invoke the TRIM RTM             (TRIM)
 H    Display SECURITRE/NAT parms     (NPRM)
 I    Display current table sizes     (TBLS)
 .    Exit Real-time Monitor          (STOP)
----  ----------------------------------

Code: _            DBID : 1000 TEST-DB
Direct Command: ____                                          MENU
Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10---PF11---PF12
      HELP        MENU                                                  EXIT
16 SECURITRE
Display SECURITRE Parameters (screen capture; parameters listed one per line)

12/31/99   PARM        SECURITRE                  CEW1
11:38:00         DISPLAY STRDEF PARAMETER         STRV310
DBID : 202 TEST-DB        File : 0

CLASS   : DATASET
PURINTT : 1
USERID  : TRIMV5
CMDLOG  : OFF
PURINTV : 100
USERID2 : TRIMV5
DELIM   : .
QUALIFY : EDTST
USERS   : 10
DSNORDR : FILE CMD DBID JOB NPGM
RACHECK : RACHECK
UTMODE  : WARN
RTMORDR : FUNC DBID
UTPREF  : UTPREF
PROCCL  : OFF
UTORDER : FILE UTIL
EX1ALL  : OFF
PROCEX2 : OFF
FLSDEL  : DELETE
SECURE  : RACF
FORCE   : 18
STREX1  :
FORMAT  : NEW
STREX2  :
LOGVIOL : FIRST
STREX3  :
MODE    : FAIL
STRRTM  : ADABAS.STR
NOIDRED : ACCEPT
TERM    : S
NOIDUPD : ACCEPT
TRACE   : ON
N20PREF : CONTROL.N2O
TRMRTM  : ADABAS.TRM
PREFIX  : TSI.SECURTRE UEXIT1

Enter-PF1---PF2---PF3---PF4---PF5---PF6---PF7---PF8---PF9---PF10---PF11---PF12
      HELP  ----  MENU  ----  ----  ----  ----  ----  ----  ----   ----   EXIT
17 SECURITRE
Application Function Security
Implemented as two subprograms:
- STRNAT for NATURAL applications
- STRASM for Non-NATURAL applications
Used by sites to add special controls to applications
Example: Limit items displayed on an application’s menus to those the user is authorized to execute
Uses SECURITRE as a “Security Server” for applications
Can replace existing security functions embedded in applications
18 SECURITRE
Interface to SSF
Uses SAF protocol (RACROUTE macro)
Translates ADABAS/NATURAL entities into “pseudo dataset names”:
- ADABAS.D110.F123 (database 110, file 123)
- ADABAS.PROD.PAYROLL (file by name)
- NATURAL.LOGON.HRLIB (logon to library HRLIB)
- NAT.PROD.EDIT.PAYLIB.PAYPGM (editing program PAYPGM in library PAYLIB)
- ADABAS.UTIL.DBS.RESETDIB (utility function)
- PAYAPP.FUNCTION.PRTCHECK (application function)
Violations are logged by the SSF
19 SECURITRE
Defining ADABAS Resources to the SSF
ADABAS/NATURAL resources are defined just like any MVS dataset:

RACF:
  PERMIT 'ADABAS.PROD.PAYROLL' ID(DBAGROUP) ACCESS(ALTER)

ACF2:
  $KEY(ADABAS)
  PROD.PAYROLL UID(CHFSPPRG) R(A) W(A)

TOP SECRET:
  TSS PERMIT(DBAGROUP) DSN('ADABAS.PROD.PAYROLL') ACC(UPDATE)
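The checks described on slides 7, 9, 17, 18 and 19 (User-Exit-1 returning response code 200, program pathing, application function security through STRNAT, pseudo dataset names checked through SAF, and the SSF profiles above) are modelled here in Python as an added example. This is not Treehouse code and not the RACROUTE path itself: the rule base, the user and group tables, the component spellings used to build the pathing name (taken from the DSNORDR order shown on the parameter display), the ADABAS command-to-access mapping and every function name are assumptions constructed for the example, and the generic-profile matching and "most specific profile" rules are a simplified version of RACF's.

```python
"""Toy model of SECURITRE's authorization path.  An ADABAS call or an
application function is turned into a "pseudo dataset name" and checked
against an SSF rule base with RACF-style generic profiles.  Added
example, not Treehouse code: profiles, users, groups, the pathing
component spellings and the command-to-access mapping are constructed."""

# RACF access hierarchy; a higher level implies the lower ones.
NONE, READ, UPDATE, CONTROL, ALTER = 0, 1, 2, 3, 4

# Standard ADABAS command codes grouped by the access they imply
# (assumption: the product's own mapping may differ).
READ_CMDS = {"L1", "L2", "L3", "L4", "L5", "L6", "L9", "S1", "S2", "S4"}
UPDATE_CMDS = {"A1", "E1", "N1", "N2"}

ADABAS_SECURITY_VIOLATION = 200  # response code returned on denial

# Order of pathing components after the prefix, as DSNORDR shows it.
DSNORDR = ("FILE", "CMD", "DBID", "JOB", "NPGM")

# Constructed rule base: profile -> {group: access}; "*" is the UACC.
PROFILES = {
    # file-level rule, as on the "Defining ADABAS Resources" slide
    "ADABAS.PROD.PAYROLL": {"*": NONE, "DBAGROUP": ALTER, "PAYUSERS": READ},
    # program pathing: file.cmd.dbid.job.natpgm; PAYUSERS may read via PAYJOB only
    "ADABAS.PROD.PAYROLL.**": {"*": NONE, "DBAGROUP": ALTER},
    "ADABAS.PROD.PAYROLL.S%.*.PAYJOB.*": {"*": NONE, "PAYUSERS": READ},
    # utility control: ADABAS.UTIL.<utility>.<function>
    "ADABAS.UTIL.*.*": {"*": NONE, "DBAGROUP": READ},
    # application functions checked via STRNAT/STRASM
    "PAYAPP.FUNCTION.PRTCHECK": {"*": NONE, "PAYCLERK": READ},
    "PAYAPP.FUNCTION.*": {"*": NONE, "PAYUSERS": READ},
}
GROUPS = {"DBA01": {"DBAGROUP"}, "JSMITH": {"PAYUSERS"},
          "CLERK1": {"PAYUSERS", "PAYCLERK"}}


def pseudo_dsn(prefix, order, **parts):
    """Join an entity's attributes into a dataset-like name, in DSNORDR order."""
    return ".".join([prefix] + [parts[k] for k in order if parts.get(k)])


def _qual_match(pat, qual):
    """One qualifier: '*' matches any run of characters, '%' exactly one."""
    if not pat:
        return not qual
    if pat[0] == "*":
        return any(_qual_match(pat[1:], qual[i:]) for i in range(len(qual) + 1))
    return bool(qual) and pat[0] in ("%", qual[0]) and _qual_match(pat[1:], qual[1:])


def _match(pq, rq):
    """Qualifier lists: a '**' qualifier matches zero or more qualifiers."""
    if not pq:
        return not rq
    if pq[0] == "**":
        return any(_match(pq[1:], rq[i:]) for i in range(len(rq) + 1))
    return bool(rq) and _qual_match(pq[0], rq[0]) and _match(pq[1:], rq[1:])


def profile_matches(profile, resource):
    return _match(profile.split("."), resource.split("."))


def _specificity(profile):
    """RACF uses the most specific matching profile: left to right, a
    literal character beats '%', which beats '*', which beats '**'."""
    key = []
    for q in profile.split("."):
        key += [3] if q == "**" else [{"%": 1, "*": 2}.get(c, 0) for c in q]
        key.append(0)
    return tuple(key)


def best_profile(resource):
    hits = [p for p in PROFILES if profile_matches(p, resource)]
    return min(hits, key=_specificity) if hits else None


def authorize(user, resource, needed, mode="FAIL", log=None):
    """SAF-style check: 0 if allowed, else the ADABAS violation code.
    MODE=WARN logs the violation but lets the call through.  A resource
    with no profile is denied here, as RACF PROTECTALL would do; plain
    RACF would allow it, which is the usual gap to audit for."""
    prof = best_profile(resource)
    granted = NONE
    if prof is not None:
        acl = PROFILES[prof]
        granted = max([acl.get("*", NONE)] +
                      [acl.get(g, NONE) for g in GROUPS.get(user, ())])
    if granted >= needed:
        return 0
    if log is not None:
        log.append((user, resource, prof, needed, granted))
    return 0 if mode == "WARN" else ADABAS_SECURITY_VIOLATION


def adabas_call(user, cmd, file, dbid="", job="", natpgm="",
                order=DSNORDR, mode="FAIL", log=None):
    """User-Exit-1 view of one ADABAS command: build the name, check it."""
    needed = UPDATE if cmd in UPDATE_CMDS else READ
    name = pseudo_dsn("ADABAS", order, FILE=file, CMD=cmd, DBID=dbid,
                      JOB=job, NPGM=natpgm)
    return authorize(user, name, needed, mode, log)


def filter_menu(user, app, functions):
    """STRNAT-style menu filtering: keep only functions the user may run."""
    return [f for f in functions
            if authorize(user, f"{app}.FUNCTION.{f}", READ) == 0]
```

Two behaviours are worth noticing when running this. With the pathing order in effect, JSMITH reads PROD.PAYROLL from job PAYJOB but is refused (response 200) from any other job, even though the same user holds READ on the plain file-level profile; that is what "authorized routes" means in practice. And PRTCHECK disappears from JSMITH's menu although `PAYAPP.FUNCTION.*` grants PAYUSERS READ, because the discrete `PAYAPP.FUNCTION.PRTCHECK` profile is more specific and decides on its own; a broad generic grant never leaks into a function that has its own profile. Running with `mode="WARN"` reproduces the WARN/FAIL distinction on the parameter display: violations are recorded but not enforced, which is how a site audits its rule base before switching to FAIL.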
20 SECURITRE
Operating Environment
Supports MVS/ESA, MVS/XA, OS/390 (MVS), and OS/VS1
Runs under any TP system which supports ADABAS and NATURAL
Conforms to the site’s SSF dataset naming conventions
Integrated with TRIM and N2O from Treehouse Software
Supports calls originating from other platforms
21 SECURITRE
Conclusion
Comprehensive
Powerful
Flexible
Efficient, minimal impact on performance or response times
Promotes single security rule base
Improves accountability
22 SECURITRE
Conclusion (continued)
Requires no changes to applications or data
Reduces training costs
Simplifies security administration and reporting
Protects against accidental or intentional sabotage of data and programs
Eliminates the need for separate security options/packages