IBM United States
Software Announcement 201-342
November 27, 2001

IBM Policy Director Authorization Services for z/OS and OS/390 V1R1



At a Glance

IBM Policy Director Authorization Services for z/OS and OS/390:

  • Is designed to enable centrally manageable security policies for cross-platform e-business applications
  • Builds on a z/OS and OS/390 security infrastructure patterned after open industry standards
  • Is available at no charge

For ordering, contact:

Your IBM representative, an IBM Business Partner, or IBM Americas Call Centers at 800-IBM-CALL (Reference: LE001).

Overview

IBM Policy Director Authorization Services for z/OS™ and OS/390® is designed to provide a comprehensive open policy management and access control infrastructure for e-business applications. This infrastructure is designed to allow z/OS and OS/390 to participate in a Tivoli® Policy Director secure domain. Policy Director Authorization Services is intended for customer environments that have complex security authorization needs spanning multiple systems and platform technologies including z/OS and OS/390.

Policy Director Authorization Services is available at no charge to customers. It is intended for customers who have a license for OS/390 V2R10 (5647-A01) or z/OS V1R1 (5694-A01), or later.

In a related announcement, IBM is extending Tivoli Policy Director for MQSeries® to the z/OS and OS/390 operating systems. This new release of Tivoli Policy Director for MQSeries is planned to be available on November 30, 2001. On z/OS and OS/390, this new release of Tivoli Policy Director for MQSeries is designed to be functionally equivalent to Tivoli Policy Director for MQSeries V3.7.1, announced in Software Announcement 200-404, dated November 14, 2000, and adds support for using hardware-based cryptography.

Tivoli Policy Director for MQSeries on z/OS and OS/390 will require and use IBM Policy Director Authorization Services for z/OS and OS/390 as the security policy engine. For additional information on Tivoli Policy Director for MQSeries on z/OS and OS/390, refer to Software Announcement 201-341, dated November 27, 2001.

Key Prerequisites

Refer to the Hardware Requirements and Software Requirements sections for details.

Planned Availability Date

November 30, 2001

Description

IBM Policy Director Authorization Services for z/OS and OS/390 is designed to provide an authorization daemon, pdacld, that allows z/OS and OS/390 to participate in a Tivoli Policy Director V3.7.1 environment. It is also designed to provide support for a new set of z/OS and OS/390 Callable Services that can be used from an application to provide sophisticated access control processing. These new Callable Services are patterned after the aznAPI Open Group Standard for cross-platform authorization services.

Policy Director Authorization Services is designed to allow custom applications to make fine-grained application level authorization decisions. Using the Policy Director Authorization Services Callable Services, you can build a consistent authorization model into your corporate applications. This leverages the cross-platform services of Policy Director Authorization Services that may help reduce application development time and cost.

The Tivoli Policy Director function included with Policy Director Authorization Services at no additional charge includes:

  • Tivoli Policy Director base services for AIX®, Windows NT®, Windows® 2000, Solaris, and HP-UX workstations (distributed servers) that include:
    • Management Server, which maintains the primary authorization policy database for the secure domain. It is responsible for updating all authorization database replicas and maintaining location information about other Policy Director servers.
    • Directory, a powerful enterprise directory used to store Tivoli Policy Director user and group credentials. It is an open cross-platform program optimized to support LDAP-enabled applications. The Directory uses DB2 Universal Database® as its transaction store for directory data, extending the performance and availability of the Tivoli Policy Director. The LDAP server contained within z/OS or OS/390 SecureWay® Security Server is used in conjunction with Directory as supplied with the Tivoli Policy Director function for the supported workstation platforms of AIX, Windows NT, or Windows 2000. The z/OS and OS/390 SecureWay Security Server LDAP Server can also be used in place of Directory that is supplied with Tivoli Policy Director.
    • IBM DCE Directory and Security Services. DCE is used as a secure communication mechanism between the Tivoli Policy Director Management Server and Policy Director Authorization Services.
  • Web Portal Manager, a Web-based graphical application used to add and delete users or groups and apply access controls (ACLs) to the objects and the resources secured by the Tivoli Policy Director.

Accessibility by People with Disabilities

The following features support use by people with disabilities:

  • Operation by keyboard alone
  • Optional font enlargement and high-contrast display settings
  • Screen readers and screen magnifiers tested for use by people with visual impairment

Euro Currency

This program is not impacted by euro currency.

Product Positioning

Centralized, policy-driven security authorization facilities, such as those provided by Tivoli Policy Director, will play a critical role in implementing cross-platform e-business solutions on the Web and over extranets. IBM Policy Director Authorization Services is designed to provide the infrastructure that enables z/OS and OS/390 to participate in a Tivoli Policy Director secure domain. Policy Director Authorization Services is intended for customer environments that have complex security authorization needs spanning multiple systems and platform technologies including z/OS and OS/390. Policy Director Authorization Services may be used from typical applications such as z/OS and OS/390 UNIX® System Services applications, started tasks, or batch jobs which execute under a task mode environment.

IBM Policy Director Authorization Services is designed to allow applications and middleware running on z/OS and OS/390 to make authorization decisions based on policies set in a single place by an administrator. This function will be available on several release levels of z/OS and OS/390 so that you can take advantage of the cross-platform authorization services. Policy Director Authorization Services is designed to contain base authorization infrastructure which builds on the existing security infrastructure provided by the z/OS and OS/390 SecureWay Security Server.

Key to a Policy Director Authorization Services implementation is its usage by applications and middleware. Your cross-platform e-business applications need the services provided by a central security policy manager, along with a level of integration with z/OS and OS/390 native security as provided by z/OS SecureWay Security Server. IBM Policy Director Authorization Services for z/OS and OS/390 is designed to work cooperatively with the Tivoli Policy Director for cross-platform support, in addition to interfacing with z/OS and OS/390 platform security services. Through this cooperation and the set of services provided by IBM Policy Director Authorization Services, you may be able to implement interoperable cross-platform security.

In a related announcement, IBM is extending Tivoli Policy Director for MQSeries to the z/OS and OS/390 operating systems. Tivoli Policy Director for MQSeries will require and is designed to use the IBM Policy Director Authorization Services for z/OS and OS/390 as the security policy engine. Tivoli Policy Director for MQSeries on z/OS and OS/390 is designed to provide centralized, interoperable, cross-platform authorization and message protection of data for applications that use IBM MQSeries as the underlying messaging infrastructure.

Reference Information

For additional information on Tivoli security management products, refer to:

  • Software Announcement 200-105, dated April 25, 2000
  • Software Announcement 200-404, dated November 14, 2000
  • Software Announcement 201-010, dated January 23, 2001

For additional information on OS/390 V1R10, refer to:

  • Software Announcement 200-145, dated May 16, 2000

For additional information on z/OS, refer to:

  • Software Announcement 200-352, dated October 3, 2000 (z/OS V1R1)
  • Software Announcement 201-044, dated February 27, 2001 (z/OS V1R2)
  • Software Announcement 201-248, dated September 11, 2001 (z/OS V1R3)

Trademarks

 
z/OS is a trademark of International Business Machines Corporation in the United States or other countries or both.
 
OS/390, MQSeries, AIX, DB2 Universal Database, and SecureWay are registered trademarks of International Business Machines Corporation in the United States or other countries or both.
 
Windows NT and Windows are registered trademarks of Microsoft Corporation.
 
UNIX is a registered trademark of the Open Company in the United States and other countries.
 
Tivoli is a registered trademark of International Business Machines Corporation or Tivoli Systems Inc. in the United States or other countries or both.
 
Other company, product, and service names may be trademarks or service marks of others.

Technical Information

Specified Operating Environment

Hardware Requirements

Policy Director Authorization Services for z/OS™ and OS/390® runs on the same servers supported by OS/390 V2R10 and z/OS V1R1, or later.

  • Servers supported by OS/390 V2R10 include:
    • All models of the IBM eServer zSeries 900 server
    • All models of the S/390 Parallel Enterprise Servers except Release 1 models
    • All models of the S/390® Multiprise®
    • All PC Server S/390 servers and RS/6000® with S/390 Server-on-Board models
    • All S/390 Integrated Servers
    • Equivalent servers
  • Servers supported by z/OS V1R1, or later, include:
    • All models of the IBM eServer zSeries 900 server
    • S/390 Parallel Enterprise Servers — Generation 5 (G5) and Generation 6 (G6) models
    • All models of the S/390 Multiprise 3000 server
    • Equivalent servers

The Tivoli® Policy Director Management Server function must be installed on a workstation capable of operating AIX®, Windows NT®, Windows® 2000, Solaris, or HP-UX. Refer to the Customer Responsibilities section for additional information.

Software Requirements

Prerequisite Requirements: Policy Director Authorization Services requires the following to operate:

  • Operating systems:
    • OS/390 V2R10 or z/OS V1R1 (or later) with the PTF for APAR OW49960 for the System Authorization Facility (SAF)
    • AIX 4.3.3, or later, Windows NT 4.0 with Service Pack 5, or later, Windows 2000, Sun Solaris 2.7 and 2.8, or HP-UX 11.0 installed on a workstation
  • SecureWay® Security Server (an optional feature of OS/390 and z/OS), including:
    • RACF® plus:
      • PTF for APAR OW49959 for OS/390 V2R10
      • PTF for APAR OW49959 for z/OS V1R1, or later
    • LDAP server plus:
      • PTF for APAR OW50971

Limitations: Policy Director Authorization Services for z/OS or OS/390 does not supply all functions available from pdacld daemons that run on other operating systems. The pdacld daemon that runs on z/OS or OS/390 does not support:

  • External authorization engines
  • All of the external interfaces (azn APIs)
  • Client connections from applications running off the z/OS or OS/390 system that use Secure Sockets Layer (SSL) to communicate
  • Use of Domino™ or DCE directories as the User Registry by Policy Director Authorization Services

The native System Authorization Facility (SAF) programming services provided by Policy Director Authorization Services are analogous to the SAF callable services supported by the Security Server (RACF) and have the same environment restrictions.

Planning Information

Customer Responsibilities: Policy Director Authorization Services for z/OS or OS/390 requires a Distributed Computing Environment (DCE) cell. You must install DCE server components on your workstation. The DCE client runtime must be installed on the z/OS or OS/390 system and that system must be configured into your DCE cell. Any z/OS or OS/390 system that will run a pdacld and the workstation where the Policy Director Management Server daemon (pdmgrd) will run must be configured into the same DCE cell.

Policy Director Authorization Services for z/OS or OS/390 also requires an LDAP directory for the Policy Director User Registry. The registry can be on or off the zSeries 900 or S/390 server. If you are using RACF as your z/OS or OS/390 Security Manager, you must install the LDAP server on the zSeries 900 or S/390 server and, at a minimum, configure it to use the Program Call (PC) callable and extended operations backend support with the support supplied with prerequisite APAR OW50971. Configured in this manner, the LDAP Server on the zSeries 900 or S/390 server can contact your Policy Director User Registry if it is not on the zSeries 900 or S/390 server. To use the LDAP Server on the zSeries 900 or S/390 server as the Policy Director User Registry, the TDBM backend must be configured in addition to the above requirements.

Policy Director Authorization Services for z/OS and OS/390 also requires that the Tivoli Policy Director Management Server function be installed on one or more workstations capable of operating AIX, Windows NT, Windows 2000, Solaris, or HP-UX at the release levels specified in the Software Requirements section. This workstation must be accessible via a TCP/IP connection to the zSeries 900 or S/390 server where Policy Director Authorization Services function is running. Tivoli Policy Director Management Server V3.7.1 is packaged with Policy Director Authorization Services for z/OS and OS/390, on the CD-ROMs labeled "Tivoli Policy Director Base Services," and is the only version of the Tivoli Policy Director Management Server supported at this time. Customers deploying the Tivoli Policy Director Management Server V3.8 for other purposes must also install V3.7.1 on a separate workstation if they intend to use Policy Director Authorization Services for z/OS and OS/390.

Packaging: The Policy Director Authorization Services product package is distributed with the following:

  • Licensed program code on either 3480 or 4-mm tape
  • Licensed program code in Japanese on either 3480 or 4-mm tape (optionally available if ordered)
  • Tivoli Policy Director base services function CD-ROMs:
    • LK3T-5753-01 for AIX
    • LK3T-5754-01 for Windows
    • LK3T-5755-01 for Solaris
    • LK3T-5756-01 for HP-UX
    • LK3T-8074-00 for Web Portal Manager
  • Four documents for Policy Director Authorization Services:

                                                           Form
    Document                            Language           Number
     
    Licensed Program                    English            GC24-6029
     Specifications
    Program Directory                   English            GI10-4730
    Memo to New Licensees               English            GI10-4738
    Read Me First                       English            GI10-4739
    

System Integrity

IBM and Tivoli will accept APARs where the installation of Policy Director Authorization Services for z/OS and OS/390 or Tivoli Policy Director for MQSeries® on z/OS and OS/390 introduces an exposure to system integrity.

Security, Auditability, and Control

IBM Policy Director Authorization Services for z/OS and OS/390 is designed to provide a comprehensive open policy management and access control infrastructure for cross-platform e-business applications. This infrastructure is designed to enable granular access to information required by your employees, partners, and customers to do business more securely. Policy Director Authorization Services, at its core, is designed to provide an authorization service that will result in the approval or denial of client requests to perform operations on application level protected resources in a secure domain.

The suite of security services offered by the z/OS environment is enhanced by the functions available in the optional SecureWay Security Server for z/OS feature. The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.

Customer Financing

IBM Global Financing offers attractive financing to credit-qualified commercial and government customers and Business Partners in more than 40 countries around the world. IBM Global Financing is provided by the IBM Credit Corporation in the United States. Offerings, rates, terms, and availability may vary by country. Contact your local IBM Global Financing organization. Country organizations are listed on the Web at:

Ordering Information

New Licensees

Orders for new licenses can be placed now.

Shipment will begin on the planned availability date.

Unless a later date is specified, an order is scheduled for the week following order entry.

New users of Policy Director Authorization Services for z/OS and OS/390 should specify:

          Type           Model
 
          5655           F95

Basic License: To order a basic license, specify the Policy Director Authorization Services V1R1 program number 5655-F95 and feature number 9001 for asset registration. Proceed to select the license media feature numbers listed and billing feature (no-charge feature number), which are required, and then select any optional feature numbers.

Policy Director Authorization Services is available at no charge to customers. It is intended for customers who have a license for OS/390 V2R10 (5647-A01) or z/OS V1R1 (5694-A01), or later.

                                                       No-Charge
                                      Program          Feature
Description                           Number           Number
 
Policy Director Authorization         5655-F95         0001
 Services

Basic Machine-Readable Material

Policy Director Authorization Services for z/OS and OS/390: To order the base program code for Policy Director Authorization Services, select the feature number of the desired distribution medium.

 
 
Policy Director
Authorization                 Feature               Distribution
Services V1R1                 Number                Medium
 
Base                          5802                  3480 Tape
Base                          6546                  4-mm Tape

The optional feature for Policy Director Authorization Services provides the messages translated in Japanese. To order, select the feature number of the desired distribution medium. When ordering the Japanese support, the base product of Policy Director Authorization Services will also be supplied with your order.

Policy Director
Authorization                 Feature               Distribution
Services V1R1                 Number                Medium
 
Japanese                      5812                  3480 Tape
Japanese                      6547                  4-mm Tape

For a list of material received when Policy Director Authorization Services for z/OS and OS/390 is ordered, refer to the Packaging section.

Customization Options: Select the appropriate feature numbers to customize your order to specify the delivery options desired. These features can be specified on the initial or MES orders.

Example: If publications are not desired for the initial order, specify feature number 3470 to ship media only. For future updates, specify feature number 3480 to ship media updates only. If, in the future, publication updates are required, order an MES to remove feature number 3480; then, the publications will ship with the next release of the program.

                                                    Feature
Description                                         Number
 
Initial Shipments
 
Serial Number Only (suppresses shipment             3444
 of media and documentation)
 
Ship Media Only (suppresses initial                 3470
 shipment of documentation)
 
Ship Documentation Only (suppresses                 3471
 initial shipment of media)
 
Update Shipments
 
Ship Media Updates Only (suppresses                 3480
 update shipment of documentation)
 
Ship Documentation Only (suppresses                 3481
 update shipment of media)
 
Suppress Updates (suppresses update                 3482
 shipment of media and documentation)
 
Expedite Shipments
 
Local IBM Office Expedite                           3445
 (for IBM use only)
 
Customer Expedite Process Charge                    3446
 ($30 charge for each product)

Expedite shipments will be processed to receive 72-hour delivery from the time IBM Software Delivery and Fulfillment (SDF) receives the order. SDF will then ship the order via overnight air transportation.

Expedite shipments are for items delivered under stand-alone program number (5655-F95) but not for custom-built offering deliverables.

Unlicensed Documentation: Publications and documents for Policy Director Authorization Services are available as Adobe PDF files, BookManager® files, or printed material. This material includes:

                             Order                   Format
Title                        Number              PDF  BKM  Print
 
Licensed Program             GC24-6029           X    X    X
 Specifications
Program Directory            GI10-4730           X    X    X
Customization                SC24-6040           X    X
 and Use
Memo to New                  GI10-4738           X
 Licensees
Read Me First                GI10-4739           X    X    X

BKM = BookManager

Note: An "X" in one of the columns indicates available formats.

Adobe PDF Files: Publications that are available in PDF format are provided on the IBM z/OS Internet Library at:

These publications are also available from the Publications Center Web site at:

The Publications Center is a worldwide central repository for IBM product publications and marketing material with a catalog of 70,000 items. Extensive search facilities are provided, as well as payment options via credit card. Furthermore, a large number of publications are available online in various file formats, which can currently be downloaded free of charge.

You can view a PDF file using the Adobe Acrobat Reader, which is available free from the Adobe Web site at:

You can also print the entire publication or just the section in which you are interested.

BookManager Files: Publications that are available in BookManager format are provided on the IBM z/OS Internet Library at:

These publications are also available from the Publications Center Web site at:

You can view a BookManager file using BookManager READ for z/OS (an element of z/OS), IBM Softcopy Reader, or any of the other BookManager READ products. IBM SoftCopy Librarian, which runs under Windows 95 or later and Windows NT 4.0 or later, can be used to manage BookManager files in a repository.

The Publication Notification System (PNS), which replaced the System Library Subscription Service (SLSS), is a World Wide Web notification system for IBM publications. You can register and create your own profile of publications by order number or product number. PNS will send you an e-mail note about new or revised publications based on your profile, and you can order the updates using any IBM publication ordering channel, typically the IBM Publications Center. Updated publications are only sent and billed if you respond to the electronic notification. Customers can register for PNS at:

Note: PNS subscribers most often order their publications via the Publications Center.

Printed Books: One copy of the Policy Director Authorization Services printed publications is supplied automatically with the basic machine-readable material. All printed Policy Director Authorization Services books are also available from the z/OS Internet Library and the IBM Publications Center.

The Tivoli Policy Director License Information document is supplied automatically with the basic machine-readable material and is also available from the Publications Center Web site.

Subsequent updates (technical newsletters or revisions between releases) to the publications shipped with the product will be distributed to the user of record for as long as a license for this software remains in effect. A separate publication order or subscription is not needed.

Terms and Conditions

Agreement: IBM Customer Agreement

Variable Charges Apply: No

Indexed Monthly License Charge (IMLC) Applies: No

Location License Applies: No

Use Limitation Applies: No

Educational Allowance Available: Not applicable

Volume Orders: Not applicable

Warranty Applies: Yes

Licensed Program Materials Availability

  • Restricted Materials of IBM: None
  • Nonrestricted Source Materials: All
  • Object Code Only (OCO): None

Testing Period: Not applicable

Program Services

Policy Director Authorization Services

  • Support Center Applies: Yes. Access available through the IBM Support Center.
  • Available until: 12 months' written notice.

For a suspected defect-related problem with Tivoli Policy Director function, call 800-237-5511.

To submit a problem electronically for Tivoli Policy Director function, refer to:

If you are not registered, you must obtain a user ID and password by selecting "registration form." After registering and receiving a user ID and password or if you are already a Tivoli customer and are a registered user, select "Tivoli Customers," then submit your problem electronically.

IBM Operational Support Services — Support Line: Yes

Unique Terms and Conditions: The IBM HTTP Server component of the Web Portal Manager within Tivoli Policy Director includes software developed by the Apache Group for use in the Apache HTTP Server project:

Refer to the Policy Director Authorization Services for z/OS and OS/390 Licensed Program Specifications (GC24-6029) for more detailed information on the terms and conditions for the use of Policy Director Authorization Services.

Prices

The prices provided in this announcement are suggested retail prices for the U.S. only and are provided for your information only. Dealer prices may vary, and prices may also vary by country. Prices are subject to change without notice. For additional information and current prices, contact your local IBM representative.

Policy Director Authorization Services is available at no charge to customers. It is intended for customers who have a license for OS/390 V2R10 (5647-A01) or z/OS V1R1 (5694-A01), or later.

                        Program          Feature
Description             Number           Number          Charge
 
Policy Director         5655-F95         0001            $0.00
 Authorization
 Services Base

Order Now

 Use Priority/Reference Code: LE001
 
 Phone:     800-IBM-CALL
 Fax:       800-2IBM-FAX
 Internet:  ibm_direct@vnet.ibm.com
 Mail:      IBM Atlanta Sales Center
            Dept. LE001
            P.O. Box 2690
            Atlanta, GA  30301-2690

You can also contact your local IBM Business Partner or IBM representative. To identify them, call 800-IBM-4YOU.

Note: Shipments will begin after the planned availability date.

Trademarks

 
z/OS is a trademark of International Business Machines Corporation in the United States or other countries or both.
 
OS/390, Multiprise, S/390, RS/6000, AIX, SecureWay, RACF, MQSeries, and BookManager are registered trademarks of International Business Machines Corporation in the United States or other countries or both.
 
Windows NT and Windows are registered trademarks of Microsoft Corporation.
 
Tivoli is a registered trademark of International Business Machines Corporation or Tivoli Systems Inc. in the United States or other countries or both.
 
Domino is a trademark of Lotus Development Corporation and/or IBM Corporation.
 
Other company, product, and service names may be trademarks or service marks of others.