IBM United States
Software Announcement 203-016
January 28, 2003

IBM Policy Director Authorization Services for z/OS and OS/390 V1.2

At a Glance

IBM Policy Director Authorization Services for z/OS and OS/390:
For ordering, contact: Your IBM representative, an IBM Business Partner, or the Americas Call Centers at 800-IBM-CALL (Reference: ME001).

Overview

Policy Director Authorization Services for z/OS and OS/390® provides a comprehensive open policy management and access control infrastructure for e-business applications. This infrastructure allows z/OS and OS/390 to participate in an IBM Tivoli® Access Manager for e-business secure domain. Policy Director Authorization Services is intended for customer environments that have complex security authorization needs spanning multiple systems and platform technologies including z/OS and OS/390.

New for Policy Director Authorization Services for z/OS and OS/390 V1.2, Secure Sockets Layer (SSL) is supported for highly secure communication between its authorization daemon (pdacld) and the master server.

Policy Director Authorization Services is available at no charge to customers. It is intended for customers who have a license for either:
Key Prerequisites

Refer to the Hardware Requirements and Software Requirements sections for details.
Description

IBM Policy Director Authorization Services for z/OS and OS/390 provides an authorization daemon (pdacld) that allows z/OS and OS/390 to participate in an IBM Tivoli Access Manager for e-business V4.1 secure domain. It also provides support for an enhanced set of z/OS and OS/390 callable services that can be used from an application to provide sophisticated access control processing. These enhanced callable services are patterned after the aznAPI Open Group Standard for cross-platform authorization services.

Policy Director Authorization Services allows custom applications to make detailed application-level authorization decisions. Using the Policy Director Authorization Services callable services, you can build a consistent authorization model into your corporate applications. This leverages the cross-platform services of Policy Director Authorization Services that may help reduce application development time and cost.

New for Policy Director Authorization Services for z/OS and OS/390 V1.2, Secure Sockets Layer (SSL) is supported for highly secure communication between its authorization daemon (pdacld) and the master server. The previous release (V1.1) required or supported IBM Distributed Computing Environment (DCE) and this environment is no longer supported.

The Tivoli Access Manager for e-business function included with Policy Director Authorization Services at no additional charge includes:
Product Positioning

Centralized policy-driven security authorization facilities, such as those provided by IBM Tivoli Access Manager for e-business, will play a critical role in implementing cross-platform e-business solutions on the Web and over extranets. IBM Policy Director Authorization Services provides the infrastructure that enables z/OS and OS/390 to participate in a Tivoli Access Manager secure domain. Policy Director Authorization Services is intended for customer environments that have complex security authorization needs spanning multiple systems and platform technologies including z/OS and OS/390.

Policy Director Authorization Services may be used from typical applications such as z/OS and OS/390 UNIX® System Services applications, started tasks, or batch jobs which execute under a task mode environment. Policy Director Authorization Services allows applications and middleware running on z/OS and OS/390 to make authorization decisions based on policies set in a single place by an administrator. This function will be available on several release levels of z/OS and OS/390 so that you can take advantage of the cross-platform authorization services.

Policy Director Authorization Services contains base authorization infrastructure which builds on the existing security infrastructure provided by the z/OS Security Server and OS/390 SecureWay Security Server. Key to a Policy Director Authorization Services implementation is its usage by applications and middleware. Your cross-platform e-business applications need the services provided by a central security policy manager, along with a level of integration with z/OS and OS/390 native security as provided by z/OS Security Server.

Policy Director Authorization Services for z/OS and OS/390 works cooperatively with Tivoli Access Manager for cross-platform support and also interfaces with z/OS and OS/390 platform security services. Through this cooperation and the set of services provided by Policy Director Authorization Services, you may be able to implement interoperable cross-platform security.

Reference Information

For additional information on IBM Tivoli security management products, refer to:
For additional information on OS/390 V2R10, refer to:
For additional information on z/OS, refer to:
For additional information on z/OS.e, refer to:
Trademarks
Technical Information

Specified Operating Environment

Hardware Requirements

Policy Director Authorization Services for z/OS and OS/390® runs on the same servers supported by OS/390 V2R10 and z/OS V1.1 or later.

The Tivoli® Access Manager function must be installed on a workstation capable of operating AIX®, Windows NT®, Windows® 2000, Solaris, HP-UX or Linux for zSeries. Refer to the Customer Responsibilities section for additional information.
Software Requirements

Policy Director Authorization Services requires the following to operate:
Select the product IBM Tivoli Access Manager for e-business, then select Product Information.

Compatibility: Policy Director Authorization Services V1.2 interoperates with IBM Tivoli Access Manager for e-business V4.1, which is the only version of Tivoli Access Manager for e-business supported at this time.

Limitations: Policy Director Authorization Services for z/OS or OS/390 does not supply all functions available from pdacld daemons that run on other operating systems. The pdacld daemon that runs on z/OS or OS/390 does not support:
The native System Authorization Facility (SAF) programming services
provided by Policy Director Authorization Services are analogous to the
SAF callable services supported by the Security Server (RACF) and have
the same environment restrictions.
Planning Information

Customer Responsibilities: Policy Director Authorization Services for z/OS or OS/390 and Tivoli Access Manager for e-business components use Secure Sockets Layer (SSL) for highly secure communication. At your distributed server, you must install and configure IBM Global Security Toolkit. On z/OS or OS/390, you must make sure that your OS/390 or z/OS System SSL is accessible to Policy Director Authorization Services for z/OS and OS/390.

Any z/OS or OS/390 system that will run a pdacld must be configured into a Tivoli Access Manager for e-business secure domain. All z/OS or OS/390 systems that will run a pdacld and that want to be part of the same Tivoli Access Manager for e-business secure domain must configure into the same Tivoli Access Manager for e-business Management Server daemon (pdmgrd).

Policy Director Authorization Services for z/OS or OS/390 also requires an LDAP directory for the Policy Director User Registry. The registry can be on or off the zSeries 800 (z800) and 900 (z900) or S/390 server. If you are using RACF as your z/OS or OS/390 Security Manager, you must install the LDAP server on the z800, z900, or S/390 server and, at a minimum, configure it to use the Program Call (PC) callable and extended operations backend support with the support supplied with prerequisite APAR OW50971. Configured in this manner, the LDAP Server on the z800, z900, or S/390 server can contact your Policy Director User Registry if it is not on the z800, z900, or S/390 server. To use the LDAP Server on the z800, z900, or S/390 server as the Policy Director User Registry, the TDBM backend must be configured in addition to the above requirements.

Policy Director Authorization Services for z/OS and OS/390 also requires that the Tivoli Access Manager for e-business Management Server function be installed on one or more workstations or servers capable of operating AIX, Windows NT, Windows 2000, Solaris, HP-UX, or zSeries for Linux at the release levels specified in the Software Requirements section. This workstation or server must be accessible via a TCP/IP connection to the z800, z900, or S/390 server where Policy Director Authorization Services function is running.

Tivoli Access Manager for e-business Management Server V4.1 is packaged with Policy Director Authorization Services for z/OS and OS/390, on the CD-ROMs labeled IBM Tivoli Access Manager Base, and is the only version of the Tivoli Access Manager management server supported at this time. If you are deploying the Tivoli Access Manager for e-business management server at a different version for other purposes, you must also install V4.1 on a separate workstation or server and create a separate secure domain if you intend to use Policy Director Authorization Services for z/OS and OS/390.

The Policy Director Authorization Services product package is distributed with the following:
Document                                                  Language   Form Number
Licensed Program Specifications                           English    GC24-6029
Program Directory                                         English    GI10-4730
Memo to New Licensees                                     English    GI10-4738
Installation Road Map for IBM Tivoli Access Manager       English    GI10-4739
  for e-business (Base Services), V4.1
System Integrity
IBM and Tivoli will accept APARs where the installation of Policy
Director Authorization Services for z/OS and OS/390 or Tivoli Access
Manager for Business Integration Host Edition on z/OS and OS/390
introduces an exposure to system integrity.
Security, Auditability, and Control

IBM Policy Director Authorization Services for z/OS and OS/390 provides a comprehensive open policy management and access control infrastructure for cross-platform e-business applications. This infrastructure enables granular access to information required by your employees, partners, and customers to do business more securely. Policy Director Authorization Services, at its core, provides an authorization service that will result in the approval or denial of client requests to perform operations on application level protected resources in a secure domain.

The suite of security services offered by the z/OS environment is enhanced by the functions available in the optional Security Server for z/OS feature.

The customer is responsible for evaluation, selection, and implementation of security features, administrative procedures, and appropriate controls in application systems and communication facilities.

Ordering Information

Order Policy Director Authorization Services through the Internet

ShopzSeries (formerly SHOPS390) provides an easy way to plan and order your z/OS products (including Policy Director Authorization Services) with your z/OS ServerPac or CBPDO. It will analyze your current installation, determine the correct product migration, and present your new configuration based on z/OS. Additional products can also be added to your order (including determination of whether all product requisites are satisfied).

ShopzSeries is available in the U.S. and several countries in Europe. In countries where ShopzSeries is not available yet, contact your IBM representative to handle your order via the traditional IBM ordering process. For more details and availability, visit the ShopzSeries Web site at:

Current Licensees of Policy Director Authorization Services

Will be sent a program reorder form that can be returned directly to IBM Software Delivery and Fulfillment. Reorder forms are scheduled to be mailed by February 14, 2003. Reorder forms should be returned to IBM Software Delivery and Fulfillment and will be processed within 10 workdays of receipt.

When Policy Director Authorization Services Release 2 is available, Release 1 will no longer be available.

Program Services Discontinuance: Effective April 4, 2004, Central Service, including the IBM Support Center, will be discontinued for Policy Director Authorization Services for z/OS and OS/390 V1.1. APARs will be accepted up to date of service discontinuance or program services. At IBM's discretion, a final release may be sent to users of record that incorporates corrections for valid APARs received up to the date of discontinuance. APARs may be submitted after the date of discontinuance under the following conditions:
Following announcement of Policy Director Authorization Services V1.2,
current licensees of the affected programs will receive notification of
the program services discontinuance directly from IBM Software Delivery
and Fulfillment.
New Licensees of Policy Director Authorization Services

Policy Director Authorization Services can be ordered as a no-charge stand-alone product or as an optional feature within the Customized Offerings (CBPDO, ServerPac, SystemPac®). Non-customized items (for example, CD-ROMs, Memos, Hardcopy Publications) will continue to be shipped via the stand-alone product.

Policy Director Authorization Services V1.2 will not be available in the Customized Offerings on the planned availability date, January 31, 2003. Policy Director Authorization Services V1.2 will be available in the Customized Offerings soon.

Orders for new licenses can be placed now. Registered customers can access IBMLink for Ordering Information and Charges. Shipment will begin on the planned availability date.
New users of Policy Director Authorization Services should specify:
Type Model
5655 F95
Basic License: To order a basic license, specify the Policy Director Authorization Services V1.2 program number 5655-F95 and feature number 9001 for asset registration. Proceed to select the license media feature numbers listed and billing feature (no charge feature number), which are required, and then select any optional feature numbers. Policy Director Authorization Services is available at no charge to customers. It is intended for customers who have a license for OS/390 V2R10 (5647-A01) or z/OS V1R1 (5694-A01) or later.
Description                              Program Number   No Charge Feature Number
Policy Director Authorization Services   5655-F95         0001
When Policy Director Authorization Services V1.2 is available, V1.1 will no longer be available.

Basic Machine-Readable Material: Policy Director Authorization Services for z/OS and OS/390

To order the base program code for Policy Director Authorization Services, select the feature number of the desired distribution medium.

Policy Director Authorization   Feature   Distribution
Services V1.2                   Number    Medium
Base                            5802      3480 Tape
Base                            6546      4-mm Tape

The optional feature for Policy Director Authorization Services provides the messages translated in Japanese. To order, select the feature number of the desired distribution medium. When ordering the Japanese support, you will also receive the base product of Policy Director Authorization Services with your order.

Policy Director Authorization   Feature   Distribution
Services V1.2                   Number    Medium
Japanese                        5812      3480 Tape
Japanese                        6547      4-mm Tape

For a list of material received when Policy Director Authorization Services for z/OS and OS/390 is ordered, refer to the Packaging section.

Customization Options: Select the appropriate feature numbers to customize your order to specify the delivery options desired. These features can be specified on the initial or MES orders.

Example: If publications are not desired for the initial order, specify feature number 3470 to ship media only. For future updates, specify feature number 3480 to ship media updates only. If, in the future, publication updates are required, order an MES to remove feature number 3480; then, the publications will ship with the next release of the program.
Description                                                                  Feature Number
Initial Shipments
  Serial Number Only (suppresses shipment of media and documentation)        3444
  Ship Media Only (suppresses initial shipment of documentation)             3470
  Ship Documentation Only (suppresses initial shipment of media)             3471
Update Shipments
  Ship Media Updates Only (suppresses update shipment of documentation)      3480
  Ship Documentation Only (suppresses update shipment of media)              3481
  Suppress Updates (suppresses update shipment of media and documentation)   3482
Expedite Shipments
  Local IBM Office Expedite (for IBM use only)                               3445
  Customer Expedite Process Charge ($30 charge for each product)             3446
Expedite shipments will be processed to receive 72-hour delivery from the time IBM Software Delivery and Fulfillment (SDF) receives the order. SDF will then ship the order via overnight air transportation. Expedite shipments are for items delivered under stand-alone program number (5655-F95) but not for custom built offering deliverables.

Unlicensed Documentation: Publications and documents for Policy Director Authorization Services are available as Adobe PDF files, BookManager® files, or printed material. This material includes:
Order Format
Title Number PDF BKM Print
Licensed Program GC24-6029 X X
Specifications
Program Directory GI10-4730 X X X
Customization and Use SC24-6040 X X
Memo to New Licensees GI10-4738 X
Installation Road Map for GI10-4739 X X X
IBM Tivoli Access
Manager for e-business
(Base Services), V4.1
BKM = BookManager

Note: An "X" in one of the columns indicates available formats.

Adobe PDF Files: Publications that are available in PDF format are provided on the IBM z/OS Internet Library at:

These publications are also available from the Publications Center Web site at:

The Publications Center is a worldwide central repository for IBM product publications and marketing material with a catalog of 70,000 items. Extensive search facilities are provided, as well as payment options via credit card. Furthermore, a large number of publications are available online in various file formats, which can currently be downloaded free of charge.

You can view a PDF file using the Adobe Acrobat Reader, which is available free from the Adobe Web site at:

You can also print the entire publication or just the section in which you are interested.

BookManager Files: Publications that are available in BookManager format are provided on the IBM z/OS Internet Library at:

These publications are also available from the Publications Center Web site at:

You can view a BookManager file using BookManager READ for z/OS (an element of z/OS), IBM Softcopy Reader, or any of the other BookManager READ products. IBM SoftCopy Librarian, which runs under Windows 95 or later and Windows NT 4.0 or later, can be used to manage BookManager files in a repository.

The Publication Notification System (PNS), which replaced the System Library Subscription Service (SLSS), is a World Wide Web notification system for IBM publications. You can register and create your own profile of publications by order number or product number. PNS will send you an e-mail note about new or revised publications based on your profile, and you can order the updates using any IBM publication ordering channel, typically the IBM Publications Center. Updated publications are only sent and billed if you respond to the electronic notification. Customers can register for PNS at:

Note: PNS subscribers most often order their publications via the Publications Center.

Printed Books: One copy of the Policy Director Authorization Services printed publications is supplied automatically with the basic machine-readable material. All printed Policy Director Authorization Services books are also available from the z/OS Internet Library and the IBM Publications Center. The Tivoli Policy Director License Information document is supplied automatically with the basic machine-readable material and is also available from the Publications Center Web site.
Subsequent updates (technical newsletters or revisions between releases)
to the publications shipped with the product will be distributed to the
user of record for as long as a license for this software remains in
effect. A separate publication order or subscription is not needed.
Customized Offerings

Most product media is shipped only via Customized Offerings (that is, CBPDO, ServerPac, SystemPac). Non-customized items (CDs, diskettes, source media, media kits) will continue to be shipped via the stand-alone product.

Terms and Conditions

The terms for Policy Director Authorization Services V1.2, as previously announced in Software Announcement 201-342, dated November 27, 2001, licensed under the IBM Customer Agreement are unaffected by this announcement.

Prices

The prices provided in this announcement are suggested retail prices for the U.S. only and are provided for your information only. Dealer prices may vary, and prices may also vary by country. Prices are subject to change without notice. For additional information and current prices, contact your local IBM representative.

Policy Director Authorization Services is available at no charge to customers. It is intended for customers who have a license for OS/390 V2.10 (5647-A01), z/OS V1.1 or later (5694-A01), or z/OS.e V1.3 or later (5655-G52).
Description                                   Program Number   Feature Number   Charges
Policy Director Authorization Services Base   5655-F95         0001             $0.00
For additional product information, refer to Software Announcement 201-342, dated November 27, 2001.
Global Financing

IBM Global Financing offers competitive financing to credit-qualified customers to assist them in acquiring IT solutions. Our offerings include financing for IT acquisition, including hardware, software, and services, both from IBM and other manufacturers or vendors. Offerings (for all customer segments: small, medium, and large enterprise), rates, terms, and availability can vary by country. Contact your local IBM Global Financing organization or visit the Web at:

Order Now

To order, contact the Americas Call Centers, your local IBM representative, or your IBM Business Partner.

To identify your local IBM representative or IBM Business Partner, call 800-IBM-4YOU (426-4968).
Phone: 800-IBM-CALL (426-2255)
Fax: 800-2IBM-FAX (242-6329)
Internet: ibm_direct@vnet.ibm.com
Mail: The Americas Call Centers
Dept. ME001
P.O. Box 2690
Atlanta, GA 30301-2690
Reference: ME001
The Americas Call Centers, our national direct marketing organization, can add your name to the mailing list for catalogs of IBM products.
Note: Shipments will begin after the planned availability date.
