IBM System Storage Ideas Portal


Status Future consideration
Created by Guest
Created on Jan 8, 2018

Secure all of Copy Services Manager for z/OS via SAF

SAF Access

Currently the Copy Services Manager product that we are using, which is installed and running under z/OS, is accessed and governed by a GUI via a web browser with the appropriate IP address and port number. To log on to the CSM GUI, we provide our z/OS userid and password (for the LPAR that the CSM started task is running on) and the password is verified against the userid, using RACF.

The administration of the CSM product, whereby you specify userids and/or groups of userids and the CSM roles they can perform, is maintained outside of RACF control. The list of userids/groups that can perform tasks within CSM is held within the CSM product. For a mainframe-based product, access to user roles/resources should be via a SAF check to the security product, not a table/file within the product.

From the CSM install guide, the only SAF call to RACF (except for logging onto the CSM server running under z/OS) is for CLASS(FACILITY) RESOURCE(ANT.REPLICATIONMANAGER). There are no other SAF calls documented.

We would like to see CSM fully secured via SAF so that the user access and user roles are secured and administered via SAF and not internally within CSM.

Achieving SAF compliancy as above will eliminate the issue whereby, when adding a "HOST CONNECTION" to CSM, we are required to specify the CSM userid and its password.

To summarise:

• There should be no userids and/or passwords (even encrypted) visible within any Physical File Systems (PFS)
• There should be no requirement to specify passwords within the GUI (except for initial logon)
• All actions performed within the GUI, requiring access to any z/OS resources, should have the access to that z/OS resource checked via SAF, and only if the requestor has the appropriate SAF access to the requested resource should CSM then be allowed to access that resource

Idea priority High
  • Guest
    Apr 10, 2018

    We took a look at this but this will require a lot more research. CSM runs under USS but is designed so that it doesn't matter where the CSM server is in order to manage z/OS. So when a user logs in with an interface like the CLI, it is technically a remote call. It is not easy to determine that that remote call came from the same system in order to allow a SAF authentication. We could end up making the product less secure. Today it uses RACF to authenticate with z/OS. More research will be necessary to determine if this is doable in a secure fashion.