IBM United States
Software Announcement 201-342
November 27, 2001

IBM Policy Director Authorization Services for z/OS and OS/390 V1R1

At a Glance
IBM Policy Director Authorization Services for z/OS and OS/390:
For ordering, contact: Your IBM representative, an IBM Business Partner, or IBM Americas Call Centers at 800-IBM-CALL (Reference: LE001).

Overview
IBM Policy Director Authorization Services for z/OS and OS/390® is designed to provide a comprehensive open policy management and access control infrastructure for e-business applications. This infrastructure is designed to allow z/OS and OS/390 to participate in a Tivoli® Policy Director secure domain. Policy Director Authorization Services is intended for customer environments that have complex security authorization needs spanning multiple systems and platform technologies including z/OS and OS/390.

Policy Director Authorization Services is available at no charge to customers. It is intended for customers who have a license for OS/390 V2R10 (5647-A01) or z/OS V1R1 (5694-A01), or later.

In a related announcement, IBM is extending Tivoli Policy Director for MQSeries® to the z/OS and OS/390 operating systems. This new release of Tivoli Policy Director for MQSeries is planned to be available on November 30, 2001. On z/OS and OS/390, this new release of Tivoli Policy Director for MQSeries is designed to be functionally equivalent to Tivoli Policy Director for MQSeries V3.7.1, announced in Software Announcement 200-404, dated November 14, 2000, plus adds support for utilizing hardware-based cryptography. Tivoli Policy Director for MQSeries on z/OS and OS/390 will require and use IBM Policy Director Authorization Services for z/OS and OS/390 as the security policy engine. For additional information on Tivoli Policy Director for MQSeries on z/OS and OS/390, refer to Software Announcement 201-341, dated November 27, 2001.

Key Prerequisites
Refer to the Hardware Requirements and Software Requirements sections for details.

Description
IBM Policy Director Authorization Services for z/OS and OS/390 is designed to provide an authorization daemon, pdacld, that allows z/OS and OS/390 to participate in a Tivoli Policy Director V3.7.1 environment. It is also designed to provide support for a new set of z/OS and OS/390 Callable Services that can be used from an application to provide sophisticated access control processing. These new Callable Services are patterned after the aznAPI Open Group Standard for cross-platform authorization services.

Policy Director Authorization Services is designed to allow custom applications to make fine-grained application level authorization decisions. Using the Policy Director Authorization Services Callable Services, you can build a consistent authorization model into your corporate applications. This leverages the cross-platform services of Policy Director Authorization Services that may help reduce application development time and cost.

The Tivoli Policy Director function included with Policy Director Authorization Services at no additional charge includes:

Accessibility by People with Disabilities
The following features support use by people with disabilities:

Euro Currency
This program is not impacted by euro currency.

Product Positioning
Centralized, policy-driven security authorization facilities, such as those provided by Tivoli Policy Director, will play a critical role in implementing cross-platform e-business solutions on the Web and over extranets.

IBM Policy Director Authorization Services is designed to provide the infrastructure that enables z/OS and OS/390 to participate in a Tivoli Policy Director secure domain. Policy Director Authorization Services is intended for customer environments that have complex security authorization needs spanning multiple systems and platform technologies including z/OS and OS/390. Policy Director Authorization Services may be used from typical applications such as z/OS and OS/390 UNIX® System Services applications, started tasks, or batch jobs which execute under a task mode environment.

IBM Policy Director Authorization Services is designed to allow applications and middleware running on z/OS and OS/390 to make authorization decisions based on policies set in a single place by an administrator. This function will be available on several release levels of z/OS and OS/390 so that you can take advantage of the cross-platform authorization services.

Policy Director Authorization Services is designed to contain base authorization infrastructure which builds on the existing security infrastructure provided by the z/OS and OS/390 SecureWay Security Server. Key to a Policy Director Authorization Services implementation is its usage by applications and middleware. Your cross-platform e-business applications need the services provided by a central security policy manager, along with a level of integration with z/OS and OS/390 native security as provided by z/OS SecureWay Security Server.

IBM Policy Director Authorization Services for z/OS and OS/390 is designed to work cooperatively with the Tivoli Policy Director for cross-platform support, in addition to interfacing with z/OS and OS/390 platform security services. Through this cooperation and the set of services provided by IBM Policy Director Authorization Services, you may be able to implement interoperable cross-platform security.

In a related announcement, IBM is extending Tivoli Policy Director for MQSeries to the z/OS and OS/390 operating systems. Tivoli Policy Director for MQSeries will require and is designed to use the IBM Policy Director Authorization Services for z/OS and OS/390 as the security policy engine. Tivoli Policy Director for MQSeries on z/OS and OS/390 is designed to provide centralized, interoperable, cross-platform authorization and message protection of data for applications that use IBM MQSeries as the underlying messaging infrastructure.

Reference Information
For additional information on Tivoli security management products, refer to:
For additional information on OS/390 V1R10, refer to:
For additional information on z/OS, refer to:
Trademarks

Technical Information

Specified Operating Environment

Hardware Requirements
Policy Director Authorization Services for z/OS and OS/390® runs on the same servers supported by OS/390 V2R10 and z/OS V1R1, or later.

The Tivoli® Policy Director Management Server function must be installed on a workstation capable of operating AIX®, Windows NT®, Windows® 2000, Solaris, or HP-UX. Refer to the Customer Responsibilities section for additional information.

Software Requirements
Prerequisite Requirements: Policy Director Authorization Services requires the following to operate:
Limitations: Policy Director Authorization Services for z/OS or OS/390 does not supply all functions available from pdacld daemons that run on operating systems. The pdacld daemon that runs on z/OS or OS/390 does not support:
The native System Authorization Facility (SAF) programming services
provided by Policy Director Authorization Services are analogous to the
SAF callable services supported by the Security Server (RACF) and have
the same environment restrictions.

Planning Information
Customer Responsibilities: Policy Director Authorization Services for z/OS or OS/390 requires a Distributed Computing Environment (DCE) cell. You must install DCE server components on your workstation. The DCE client runtime must be installed on the z/OS or OS/390 system and that system must be configured into your DCE cell. Any z/OS or OS/390 system that will run a pdacld and the workstation where the Policy Director Management Server daemon (pdmgrd) will run must be configured into the same DCE cell.

Policy Director Authorization Services for z/OS or OS/390 also requires an LDAP directory for the Policy Director User Registry. The registry can be on or off the zSeries 900 or S/390 server. If you are using RACF as your z/OS or OS/390 Security Manager, you must install the LDAP server on the zSeries 900 or S/390 server and, at a minimum, configure it to use the Program Call (PC) callable and extended operations backend support with the support supplied with prerequisite APAR OW50971. Configured in this manner, the LDAP Server on the zSeries 900 or S/390 server can contact your Policy Director User Registry if it is not on the zSeries 900 or S/390 server. To use the LDAP Server on the zSeries 900 or S/390 server as the Policy Director User Registry, the TDBM backend must be configured in addition to the above requirements.

Policy Director Authorization Services for z/OS and OS/390 also requires that the Tivoli Policy Director Management Server function be installed on one or more workstations capable of operating AIX, Windows NT, Windows 2000, Solaris, or HP-UX at the release levels specified in the Software Requirements section. This workstation must be accessible via a TCP/IP connection to the zSeries 900 or S/390 server where Policy Director Authorization Services function is running.

Tivoli Policy Director Management Server V3.7.1 is packaged with Policy Director Authorization Services for z/OS and OS/390, on the CD-ROMs labeled "Tivoli Policy Director Base Services," and is the only version of the Tivoli Policy Director Management Server supported at this time. Customers deploying the Tivoli Policy Director Management Server V3.8 for other purposes must also install V3.7.1 on a separate workstation if they intend to use Policy Director Authorization Services for z/OS and OS/390.

Packaging: The Policy Director Authorization Services product package is distributed with the following:
System Integrity
IBM and Tivoli will accept APARs where the installation of Policy
Director Authorization Services for z/OS and OS/390 or Tivoli Policy
Director for MQSeries® on z/OS and OS/390 introduces an exposure to
system integrity.

Security, Auditability, and Control
IBM Policy Director Authorization Services for z/OS and OS/390 is designed to provide a comprehensive open policy management and access control infrastructure for cross-platform e-business applications. This infrastructure is designed to enable granular access to information required by your employees, partners, and customers to do business more securely. Policy Director Authorization Services, at its core, is designed to provide an authorization service that will result in the approval or denial of client requests to perform operations on application level protected resources in a secure domain.

The suite of security services offered by the z/OS environment is enhanced by the functions available in the optional SecureWay Security Server for z/OS feature.

The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.

Customer Financing
IBM Global Financing offers attractive financing to credit-qualified commercial and government customers and Business Partners in more than 40 countries around the world. IBM Global Financing is provided by the IBM Credit Corporation in the United States. Offerings, rates, terms, and availability may vary by country. Contact your local IBM Global Financing organization. Country organizations are listed on the Web at:

Ordering Information

New Licensees
Orders for new licenses can be placed now. Shipment will begin on the planned availability date. Unless a later date is specified, an order is scheduled for the week following order entry.

New users of Policy Director Authorization Services for z/OS and OS/390 should specify:
Type Model
5655 F95
Basic License: To order a basic license, specify the Policy Director Authorization Services V1R1 program number 5655-F95 and feature number 9001 for asset registration. Proceed to select the license media feature numbers listed and billing feature (no-charge feature number), which are required, and then select any optional feature numbers. Policy Director Authorization Services is available at no charge to customers. It is intended for customers who have a license for OS/390 V2R10 (5647-A01) or z/OS V1R1 (5694-A01), or later.
                                          Program     No-Charge
Description                               Number      Feature Number
Policy Director Authorization Services    5655-F95    0001

Basic Machine-Readable Material
Policy Director Authorization Services for z/OS and OS/390: To order the base program code for Policy Director Authorization Services, select the feature number of the desired distribution medium.
Policy Director Authorization    Feature    Distribution
Services V1R1                    Number     Medium
Base                             5802       3480 Tape
Base                             6546       4-mm Tape

The optional feature for Policy Director Authorization Services provides the messages translated in Japanese. To order, select the feature number of the desired distribution medium. When ordering the Japanese support, the base product of Policy Director Authorization Services will also be supplied with your order.
Policy Director Authorization    Feature    Distribution
Services V1R1                    Number     Medium
Japanese                         5812       3480 Tape
Japanese                         6547       4-mm Tape

For a list of material received when Policy Director Authorization Services for z/OS and OS/390 is ordered, refer to the Packaging section.

Customization Options: Select the appropriate feature numbers to customize your order to specify the delivery options desired. These features can be specified on the initial or MES orders.

Example: If publications are not desired for the initial order, specify feature number 3470 to ship media only. For future updates, specify feature number 3480 to ship media updates only. If, in the future, publication updates are required, order an MES to remove feature number 3480; then, the publications will ship with the next release of the program.
Description                                                               Feature Number

Initial Shipments
Serial Number Only (suppresses shipment of media and documentation)       3444
Ship Media Only (suppresses initial shipment of documentation)            3470
Ship Documentation Only (suppresses initial shipment of media)            3471

Update Shipments
Ship Media Updates Only (suppresses update shipment of documentation)     3480
Ship Documentation Only (suppresses update shipment of media)             3481
Suppress Updates (suppresses update shipment of media and documentation)  3482

Expedite Shipments
Local IBM Office Expedite (for IBM use only)                              3445
Customer Expedite Process Charge ($30 charge for each product)            3446

Expedite shipments will be processed to receive 72-hour delivery from the time IBM Software Delivery and Fulfillment (SDF) receives the order. SDF will then ship the order via overnight air transportation. Expedite shipments are for items delivered under stand-alone program number (5655-F95) but not for custom-built offering deliverables.

Unlicensed Documentation: Publications and documents for Policy Director Authorization Services are available as Adobe PDF files, BookManager® files, or printed material. This material includes:
Order Format
Title Number PDF BKM Print
Licensed Program GC24-6029 X X X
Specifications
Program Directory GI10-4730 X X X
Customization SC24-6040 X X
and Use
Memo to New GI10-4738 X
Licensees
Read Me First GI10-4739 X X X
BKM = BookManager

Note: An "X" in one of the columns indicates available formats.

Adobe PDF Files: Publications that are available in PDF format are provided on the IBM z/OS Internet Library at: These publications are also available from the Publications Center Web site at:

The Publications Center is a worldwide central repository for IBM product publications and marketing material with a catalog of 70,000 items. Extensive search facilities are provided, as well as payment options via credit card. Furthermore, a large number of publications are available online in various file formats, which can currently be downloaded free of charge.

You can view a PDF file using the Adobe Acrobat Reader, which is available free from the Adobe Web site at: You can also print the entire publication or just the section in which you are interested.

BookManager Files: Publications that are available in BookManager format are provided on the IBM z/OS Internet Library at: These publications are also available from the Publications Center Web site at:

You can view a BookManager file using BookManager READ for z/OS (an element of z/OS), IBM Softcopy Reader, or any of the other BookManager READ products. IBM SoftCopy Librarian, which runs under Windows 95 or later and Windows NT 4.0 or later, can be used to manage BookManager files in a repository.

The Publication Notification System (PNS), which replaced the System Library Subscription Service (SLSS), is a World Wide Web notification system for IBM publications. You can register and create your own profile of publications by order number or product number. PNS will send you an e-mail note about new or revised publications based on your profile, and you can order the updates using any IBM publication ordering channel, typically the IBM Publications Center. Updated publications are only sent and billed if you respond to the electronic notification.

Customers can register for PNS at:

Note: PNS subscribers most often order their publications via the Publications Center.

Printed Books: One copy of the Policy Director Authorization Services printed publications is supplied automatically with the basic machine-readable material. All printed Policy Director Authorization Services books are also available from the z/OS Internet Library and the IBM Publications Center.

The Tivoli Policy Director License Information document is supplied automatically with the basic machine-readable material and is also available from the Publications Center Web site.

Subsequent updates (technical newsletters or revisions between releases) to the publications shipped with the product will be distributed to the user of record for as long as a license for this software remains in effect. A separate publication order or subscription is not needed.

Terms and Conditions
Agreement: IBM Customer Agreement
Indexed Monthly License Charge (IMLC) Applies: No
Educational Allowance Available: Not applicable
Licensed Program Materials Availability
Testing Period: Not applicable Policy Director Authorization Services
For a suspected defect-related problem with Tivoli Policy Director function, call 800-237-5511. To submit a problem electronically for Tivoli Policy Director function, refer to: If you are not registered, you must obtain a user ID and password by selecting "registration form." After registering and receiving a user ID and password or if you are already a Tivoli customer and are a registered user, select "Tivoli Customers," then submit your problem electronically.

IBM Operational Support Services Support Line: Yes

Unique Terms and Conditions: The IBM HTTP Server component of the Web Portal Manager within Tivoli Policy Director includes software developed by the Apache Group for use in the Apache HTTP Server project: Refer to the Policy Director Authorization Services for z/OS and OS/390 Licensed Program Specifications (GC24-6029) for more detailed information on the terms and conditions for the use of Policy Director Authorization Services.

Prices
The prices provided in this announcement are suggested retail prices for the U.S. only and are provided for your information only. Dealer prices may vary, and prices may also vary by country. Prices are subject to change without notice. For additional information and current prices, contact your local IBM representative.

Policy Director Authorization Services is available at no charge to customers. It is intended for customers who have a license for OS/390 V2R10 (5647-A01) or z/OS V1R1 (5694-A01), or later.
                                               Program     Feature
Description                                    Number      Number    Charge
Policy Director Authorization Services Base    5655-F95    0001      $0.00

Order Now
Use Priority/Reference Code: LE001
Phone: 800-IBM-CALL
Fax: 800-2IBM-FAX
Internet: ibm_direct@vnet.ibm.com
Mail: IBM Atlanta Sales Center
Dept. LE001
P.O. Box 2690
Atlanta, GA 30301-2690
You can also contact your local IBM Business Partner or IBM representative. To identify them, call 800-IBM-4YOU.
Note: Shipments will begin after the planned availability date.