Upgrading from HFS to ZFS
Article ID: 110875
Updated On:
Products
Top Secret
Top Secret - LDAP
Issue/Introduction
1. Are there 2 security checks coming to the saf interface , one for hfs and one for zfs ?
2. With the new release of z/os that is dropping hfs will those hfs saf calls not be made by the OS any more ?
3. Will TSS process a zfs secrurity call against the hfs rules ? Which take precedence ? Will both be evaluated as if they were one resource type and best match applied ?
4. What if both hfs and zfs rules are written ?
5. Will TSS be dropping the hfs stuff in a near future release since z/os is not supporting hfs ?
6. What happens if a customer has both options enabled for hfs and zfs ?
2. With the new release of z/os that is dropping hfs will those hfs saf calls not be made by the OS any more ?
3. Will TSS process a zfs secrurity call against the hfs rules ? Which take precedence ? Will both be evaluated as if they were one resource type and best match applied ?
4. What if both hfs and zfs rules are written ?
5. Will TSS be dropping the hfs stuff in a near future release since z/os is not supporting hfs ?
6. What happens if a customer has both options enabled for hfs and zfs ?
Environment
Release:
Component: TSSMVS
Component: TSSMVS
Resolution
The answer seemed overly simplistic because it really is a simple answer.
1. Are there 2 security checks coming to the saf interface , one for hfs and one for zfs ?
A1. No. The same security point issues a single check for the file name regardless of whether it is a HFS or ZFS file.
2. With the new release of z/os that is dropping hfs will those hfs saf calls not be made by the OS any more ?
A2. Same answer. File system checks will continue to occur.
3. Will TSS process a zfs secrurity call against the hfs rules ? Which take precedence ? Will both be evaluated as if they were one resource type and best match applied ?
Yes. All calls for USS HFS or ZFS file accesses occur under the HFSSEC resource class.
4. What if both hfs and zfs rules are written ?
A4. There are no separate ZFS rules to be written.
5. Will TSS be dropping the hfs stuff in a near future release since z/os is not supporting hfs ?
A5. No TSS will not be dropping support for HFSSEC security regardless of the filesystem type.
6. What happens if a customer has both options enabled for hfs and zfs ?
A6. Same answer as above. There are only HFSSEC resource class calls so there is no option to disable one and not the other.
Perhaps the existence of the FSACCESS checks is what is muddying the waters? FSACCESS checks are issued separately from the HFSSEC resource checks. These calls will occur whether you have HFSSEC set to YES or NO. The FSACCESS checks occur to verify access to the VSAM files that contain the ZFS file system, NOT the directories inside the VSAM datasets.
1. Are there 2 security checks coming to the saf interface , one for hfs and one for zfs ?
A1. No. The same security point issues a single check for the file name regardless of whether it is a HFS or ZFS file.
2. With the new release of z/os that is dropping hfs will those hfs saf calls not be made by the OS any more ?
A2. Same answer. File system checks will continue to occur.
3. Will TSS process a zfs secrurity call against the hfs rules ? Which take precedence ? Will both be evaluated as if they were one resource type and best match applied ?
Yes. All calls for USS HFS or ZFS file accesses occur under the HFSSEC resource class.
4. What if both hfs and zfs rules are written ?
A4. There are no separate ZFS rules to be written.
5. Will TSS be dropping the hfs stuff in a near future release since z/os is not supporting hfs ?
A5. No TSS will not be dropping support for HFSSEC security regardless of the filesystem type.
6. What happens if a customer has both options enabled for hfs and zfs ?
A6. Same answer as above. There are only HFSSEC resource class calls so there is no option to disable one and not the other.
Perhaps the existence of the FSACCESS checks is what is muddying the waters? FSACCESS checks are issued separately from the HFSSEC resource checks. These calls will occur whether you have HFSSEC set to YES or NO. The FSACCESS checks occur to verify access to the VSAM files that contain the ZFS file system, NOT the directories inside the VSAM datasets.
Feedback
Yes
No
Powered by
