Defining Platform Server to the z/OS Security System

TIBCO MFT Platform Server for z/OS supports different security approaches so that it can fit the different security architectures you might implement in your environment.

TIBCO MFT Platform Server for z/OS is a multi-user application. From a security perspective, it must be defined to your security system as a multi-user address space, and every data set access must be authorized on the basis of the individual user who requests the function, not on the basis of the started task. TIBCO MFT Platform Server for z/OS uses the z/OS System Authorization Facility (SAF) to build and check the security environment for each user at the time that user initiates a request.

Because the platform server performs functions on behalf of multiple users, it must call the installed z/OS security system to create an individual security environment (an accessor environment element, or ACEE) for each user and to verify that the correct password was supplied for that user. Every request by that user for a resource, such as a data set, is then checked against that user's environment rather than under the authority of the started task itself.

The type of security processing that the platform server performs depends on where the request originates. If the local z/OS system starts the request, the platform server for z/OS acts as the initiator; if it is processing a request started by a remote computer, the platform server for z/OS acts as the responder.

  • Initiator security processing: when a user invokes the client subtask to request that a file be transferred to or from a remote computer, the client software verifies that the user has access to the local data set. When transmitting to the remote system, the initiator sends the security information that the remote node needs, including the remote user ID, the type of access, and an encrypted password.
  • Responder security processing: when acting as a responder, the platform server extracts the necessary security information from the protocol data received from the remote system: the name of the data set, the user ID, the password, and the type of access. The platform server then asks the z/OS security manager whether that user has sufficient authority to perform the requested activity. TIBCO MFT Platform Server for z/OS is subject to the same security checks as any other z/OS application, so the user on whose behalf a transfer runs must be permitted, through a security profile, to every data set that is to be transferred or managed. If the required access is not defined, the data set open fails with a system 913 (S913) abend.

The platform server identifies the user on whose behalf a request runs differently depending on whether the file transfer is started by the local z/OS system or by a remote computer such as a Windows server.
  • When the platform server started task is acting as an initiator, it retrieves the initiator's user ID from the z/OS control blocks and places that user ID in the platform server's work queue data space. The request runs only under that user ID; the platform server does not support running a local request under the authority of any other user.
  • When the platform server started task is acting as a responder, it receives the user ID and encrypted password over the data communications link and then issues RACROUTE REQUEST=VERIFY to confirm that the user ID is defined and that the user ID and password match.
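
The responder flow described above (extract the request fields, RACROUTE REQUEST=VERIFY to build the requester's environment, then a DATASET-class access check under that environment) can be modelled off-host. The following is an added example written for this page, not TIBCO code and not a real SAF call: a small in-memory stand-in for the security database and for the VERIFY and AUTH requests, with a constructed user table, constructed DATASET profiles, and a constructed record layout (`dsn|userid|password|access`) that is not the real wire format. It shows the point the text makes: authentication and authorization are separate steps, and the access decision is taken under the requesting user's environment, so a user with READ on a profile is refused UPDATE even though the started task itself processed the request.

```python
from dataclasses import dataclass
import hashlib
import hmac

# Access levels in the order RACF uses: a higher level implies the lower ones.
ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def _pwhash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stand-in for the security database: user ID -> (salt, password hash).
USERS = {
    "PAYADM": ("s1", _pwhash("payroll#1", "s1")),
    "AUDIT1": ("s2", _pwhash("audit!2", "s2")),
    "DEV1": ("s3", _pwhash("devpass3", "s3")),
}

# Constructed DATASET-class profiles: (generic profile name, UACC, access list).
PROFILES = [
    ("PROD.PAYROLL.**", "NONE", {"PAYADM": "UPDATE", "AUDIT1": "READ"}),
    ("TEST.**", "READ", {"DEV1": "ALTER"}),
]


@dataclass(frozen=True)
class ACEE:
    """Per-user security environment, the result of RACROUTE REQUEST=VERIFY,ENVIR=CREATE."""
    userid: str


class SAFError(Exception):
    pass


def verify(userid: str, password: str) -> ACEE:
    """Model of RACROUTE REQUEST=VERIFY,ENVIR=CREATE: authenticate and return an ACEE."""
    if userid not in USERS:
        raise SAFError(f"user {userid} not defined")
    salt, stored = USERS[userid]
    if not hmac.compare_digest(stored, _pwhash(password, salt)):
        raise SAFError(f"password check failed for {userid}")
    return ACEE(userid)


def _qualifiers_match(pattern, name):
    """Simplified generic matching: '**' spans zero or more qualifiers, '*' exactly one."""
    if not pattern:
        return not name
    head, rest = pattern[0], pattern[1:]
    if head == "**":
        return any(_qualifiers_match(rest, name[i:]) for i in range(len(name) + 1))
    if not name:
        return False
    return (head == "*" or head == name[0]) and _qualifiers_match(rest, name[1:])


def _best_profile(dsn: str):
    matches = [p for p in PROFILES if _qualifiers_match(p[0].split("."), dsn.split("."))]
    if not matches:
        return None
    # Prefer the most specific profile: fewest wildcards, then longest name (approximation
    # of RACF's selection rule, assumed here for the example).
    return min(matches, key=lambda p: (p[0].count("*"), -len(p[0])))


def auth(acee: ACEE, dsn: str, access: str) -> bool:
    """Model of RACROUTE REQUEST=AUTH,CLASS='DATASET': decide under the user's ACEE."""
    profile = _best_profile(dsn)
    if profile is None:
        return False  # assumption: an unprotected data set is denied (PROTECTALL-style)
    _, uacc, acl = profile
    granted = acl.get(acee.userid, uacc)
    return ACCESS_LEVELS[granted] >= ACCESS_LEVELS[access]


def parse_request(record: str) -> dict:
    """Responder step 1: pull data set name, user ID, password and access type from the
    protocol data. The 'dsn|userid|password|access' layout is constructed for this example."""
    dsn, userid, password, access = record.split("|")
    return {"dsn": dsn, "userid": userid, "password": password, "access": access.upper()}


def responder(record: str) -> dict:
    """Responder steps 2 and 3: build the requester's environment, then check access under it."""
    req = parse_request(record)
    try:
        acee = verify(req["userid"], req["password"])
    except SAFError as e:
        return {"ok": False, "reason": f"VERIFY failed: {e}"}
    try:
        if auth(acee, req["dsn"], req["access"]):
            return {"ok": True, "reason": f"{req['access']} granted to {acee.userid}"}
        # Without this check the open would fail inside the started task with an S913 abend.
        return {"ok": False, "reason": f"insufficient authority for {acee.userid} (S913)"}
    finally:
        del acee  # the environment lives only for this request (RACROUTE REQUEST=VERIFY,ENVIR=DELETE)


if __name__ == "__main__":
    for rec in ("PROD.PAYROLL.JAN|PAYADM|payroll#1|UPDATE",
                "PROD.PAYROLL.JAN|AUDIT1|audit!2|UPDATE",
                "PROD.PAYROLL.JAN|PAYADM|wrong|READ"):
        print(rec.split("|")[1], "->", responder(rec)["reason"])
```

Running the module prints one decision per constructed request: PAYADM is granted UPDATE, AUDIT1 is refused UPDATE because the profile's access list gives that user READ only, and a wrong password fails at the VERIFY step before any access check is made.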