Secure all of Copy Services Manager for z/OS via SAF

SAF Access

Currently the Copy Services Manager product that we are using, that is installed and running under z/OS, is accessed and governed by a GUI via a web browser with the appropriate IP address and port number. To logon to the CSM GUI, we provide our z/OS userid and password (for the lpar that CSM started task is running on) and the password is verified against the userid, using RACF.

The administration of the CSM product, whereby you specify userids and/or groups of userids and the CSM roles they can perform, is maintained outside of RACF control. The list of userids/groups that can perform tasks within CSM is held within the CSM product. For a mainframe based product, access to user roles/resources should be via a SAF check to the security product, not a table/file within the product.

From the CSM install guide the only SAF call to RACF (except for logging onto the CSM server running under z/OS) is for CLASS(FACILITY) RESOURCE(ANT.REPLICATIONMANAGER). There are no other SAF calls documented.

We would like to see CSM fully secured via SAF so that the user access and user roles are secured and administered via SAF and not internally within CSM.

By achieving SAF compliancy as above, this will eliminate the issue, whereby, when adding a "HOST CONNECTION" to CSM we are required to specify the CSM userid and its password.

To summarise :-

• There should be no userids and/or passwords (even encrypted) visible within any Physical File Systems (PFS)
• There should be no requirement to specify passwords within the GUI (except for initial logon)
• All actions performed within the GUI, requiring access to any z/OS resources, should have the access to that z/OS resource checked via SAF, and only if the requestor has the appropriate SAF access to the requested resource should CSM then be allowed to access that resource