What do we need to set up for ZFS support? How can we secure the ZFS?

Article ID: 52985

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA PanApt, CA PanAudit

Issue/Introduction

Description:

zFS is a hierarchical file system for IBM's z/OS operating system and the successor to that operating system's HFS (Hierarchical File System). The zFS file system is also known as the z/OS Distributed File Service zSeries File System. The zFS logonid (lid) must be defined as a started task (STC) in the same group as DFS. It also requires a USER profile record and an appropriate GROUP profile record. A site can choose to secure zFS with native UNIX security or with external security using ACF2's CA SAF HFS Security.

Solution:

To set up the required logonids and the OMVS GROUP and USER profile records for zFS and DFS, the following can be done.

  1. Create the LIDs for zFS and DFS:
     SET LID
     INSERT ZFS STC GROUP(DFSGRP)
     INSERT DFS STC GROUP(DFSGRP)
  2. Create the OMVS profile records:
     SET PROFILE(USER) DIV(OMVS)
     INSERT ZFS UID(0) HOME(/opt/dfslocal/home/dfscntl)
     INSERT DFS UID(0) HOME(/opt/dfslocal/home/dfscntl)
     SET PROFILE(GROUP) DIV(OMVS)
     INSERT DFSGRP GID(2)
  3. Update the GSO STC records so the started tasks map to the logonids created in step 1:
     SET CONTROL(GSO)
     INSERT STC.ZFS STCID(ZFS-) LOGONID(ZFS)
     INSERT STC.DFS STCID(DFS-) LOGONID(DFS)
  4. Activate the above changes:
     F ACF2,REBUILD(GRP),CLASS(P)
     F ACF2,REBUILD(USR),CLASS(P)
     F ACF2,REFRESH(STC)
     F ACF2,OMVS(ALL)

To verify the above changes, issue: SHOW OMVS

You can choose to secure HFS or zFS using either native UNIX security or ACF2 external security, known as CA SAF HFS Security.

Native UNIX security for file system directories and files is based on the UNIX model of permission bits. Each file and directory is assigned an owning UID and an owning GID. This assignment is defined and saved in the file system itself, not in the external security product. Normally each file or directory stores its access permissions as four octal digits, nnnn. The first digit represents the special access flags, while the remaining three are the permission categories (owner, group, other). The special access flags are the sticky bit, setuid on execution, and setgid on execution.
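The following is an added example, not code from the CA/Broadcom article: it decodes the four-digit octal mode string described above into its special flags and rwx categories, and then evaluates a request under the native permission-bit model, including the superuser (UID 0) bypass that native security grants. Function names and the sample UIDs, GIDs and modes are assumptions made for this illustration.

```python
# Added example (not from the CA/Broadcom article): decode the nnnn octal
# permission string the article describes and evaluate native z/OS UNIX
# (POSIX-style) access against it. Function names and sample values are
# assumptions made for this illustration.

SPECIAL_FLAGS = {4: "setuid", 2: "setgid", 1: "sticky"}
RWX = {"r": 4, "w": 2, "x": 1}


def parse_mode(mode: str) -> dict:
    """Split a 3- or 4-digit octal mode such as '4755' into its parts.

    The leading digit (if present) carries the special flags; the other
    three digits are the owner, group and other permission categories.
    """
    if len(mode) not in (3, 4) or any(c not in "01234567" for c in mode):
        raise ValueError(f"not a 3- or 4-digit octal mode: {mode!r}")
    if len(mode) == 3:          # a 3-digit mode has no special flags set
        mode = "0" + mode
    special, owner, group, other = (int(c, 8) for c in mode)

    def triplet(bits: int) -> str:
        # Render one category as an rwx string, e.g. 5 -> "r-x"
        return "".join(ch if bits & val else "-" for ch, val in RWX.items())

    return {
        "flags": [name for val, name in SPECIAL_FLAGS.items() if special & val],
        "owner": triplet(owner),
        "group": triplet(group),
        "other": triplet(other),
    }


def native_access(mode: str, file_uid: int, file_gid: int,
                  uid: int, gids: set, want: str) -> bool:
    """Decide access under the native permission-bit model.

    POSIX picks exactly one category: owner if the UIDs match, else group
    if the file's GID is among the caller's groups, else other. UID 0 is
    the superuser and bypasses the bits entirely, which is the authority
    CA SAF HFS security removes when it takes over file access checks.
    """
    if want not in RWX:
        raise ValueError(f"want must be one of r, w, x; got {want!r}")
    if uid == 0:
        return True
    parts = parse_mode(mode)
    if uid == file_uid:
        category = parts["owner"]
    elif file_gid in gids:
        category = parts["group"]
    else:
        category = parts["other"]
    return want in category


if __name__ == "__main__":
    # Constructed samples: a setuid binary, a sticky directory, a group-readable file.
    for m in ("4755", "1777", "640"):
        print(m, parse_mode(m))
    # Group member asking for write on a 0640 file: denied under native rules.
    print(native_access("0640", file_uid=100, file_gid=2, uid=200, gids={2}, want="w"))
```

Note that the category choice is exclusive: an owner whose own bits deny access is not rescued by more permissive group bits, which is why the test below checks mode 0470. This is the behaviour that CA SAF HFS Security replaces with resource-rule validation.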

When CA SAF HFS Security is in use, native file permission bit security is bypassed, as is the superuser's authority to access any file. File access is instead validated by eTrust CA-ACF2 for z/OS using resource rules. Path names are converted to upper case unless your site inserts a GSO CLASMAP record for the HFSSEC class and specifies the MIXED keyword, indicating that mixed-case resource names are to be used.

If you want to secure zFS with CA SAF HFS Security, you need to update the UNIXOPTS record from NOHFSSEC to HFSSEC and follow the implementation steps described in the CA-ACF2 Security for z/OS Administrator Guide, Chapter 22: Controlling Access to the Hierarchical File System, section "Implementing CA SAF HFS Security".

The security process for zFS file systems is exactly the same as for HFS file systems; as far as CA SAF HFS Security is concerned, there is no distinction between the two.

Environment

Component: ACF2MS