This article describes the need for identity and resource access management on the mainframe to mitigate inappropriate use of applications and data. It will compare and contrast how such management is implemented by the three top security servers: IBM RACF, CA-Top Secret, and CA-ACF2. It points to the System z mainframe as the most secure platform, making it the best choice for hosting highly sensitive data, including electronic keys required to access encryption-protected data and to sign and authenticate sensitive data exchanges. Finally, it considers how the three security servers are evolving to manage such keys as well as their role in an enterprise Public Key Infrastructure (PKI).

History

New IT professionals now supporting the mainframe may not be aware of the history of the security servers. The use of security servers on z/OS evolved from a need to consolidate the separate authentication systems that existed in the individual subsystems on MVS, such as Time Sharing Option (TSO), Information Management System (IMS), and CICS. On z/OS today, you must have one of the three security servers: RACF, CA-Top Secret, or CA-ACF2.

RACF was introduced in 1976 for use with the Multiprogramming with Variable number of Tasks (MVT) operating system, introducing automated authentication and authorization. RACF didn’t provide “security by default,” meaning that it didn’t protect all system resources (e.g., data sets and commands). Instead, it had to be configured to protect specific resources. The fundamental design followed a philosophy that if access isn’t expressly prohibited, it’s allowed by default.

Two years later, Barry Schrager, Scott Krueger, and Eberhard Klemens (SKK) created ACF2. At the time, the biggest advertised difference between RACF and ACF2 was that when ACF2 was installed, it provided “security by default,” meaning that every resource was protected and ACF2 had to be configured to allow access to resources. Unlike RACF, ACF2 was designed so access was prohibited by default unless expressly allowed. ACF2 was sold to UCCEL in 1986, and a year later, UCCEL was acquired by CA, which continues to sell CA-ACF2.

In 1980, CGA created another security server called Top Secret Security (TSS). It tried to combine what users liked about RACF and ACF2; it had an architecture that was less resource-centric and more business-oriented (like RACF), but also provided “security by default” (like ACF2). In 1985, Top Secret was sold to CA.

RACF can now provide “security by default” by activating PROTECTALL processing. When PROTECTALL is active, resources can be accessed only if the user has been expressly granted permission.
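The access decision described above, as an added toy model written for this article (it is not RACF, ACF2 or Top Secret code, nor taken from IBM or CA documentation): a SAF-style check that picks the most specific data set profile, falls back to the profile's universal access (UACC) when the user is not on the access list, and, when no profile covers the resource at all, decides between default-allow (PROTECTALL off) and default-deny (PROTECTALL active). The generic-profile wildcard rules are simplified, and the profile names, user IDs and access lists are constructed sample data.

```python
import re

# RACF access levels in increasing order; a granted level covers every lower one.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

def racf_pattern(profile):
    """Translate simplified RACF generic-profile syntax into a regex:
    '**' spans qualifiers, '*' matches within one qualifier, '%' one character."""
    out, i = "", 0
    while i < len(profile):
        if profile.startswith("**", i):
            out, i = out + ".*", i + 2
        elif profile[i] == "*":
            out, i = out + "[^.]*", i + 1
        elif profile[i] == "%":
            out, i = out + "[^.]", i + 1
        else:
            out, i = out + re.escape(profile[i]), i + 1
    return re.compile("^" + out + "$")

def best_profile(profiles, dsname):
    """Most specific matching profile (fewest wildcards), or None if unprotected."""
    matches = [p for p in profiles if racf_pattern(p["name"]).match(dsname)]
    if not matches:
        return None
    return min(matches, key=lambda p: sum(p["name"].count(c) for c in "*%"))

def check_access(user, dsname, requested, profiles, protectall=None):
    """SAF-style authorization decision: 'ALLOW', 'DENY' or 'WARN'.
    protectall is None (off), 'WARNING' or 'FAILURES', as in SETROPTS PROTECTALL."""
    profile = best_profile(profiles, dsname)
    if profile is None:
        # No profile covers the resource: this is where "security by default" is decided.
        if protectall is None:
            return "ALLOW"  # classic RACF: not expressly prohibited, so allowed
        return "WARN" if protectall == "WARNING" else "DENY"
    granted = profile["acl"].get(user, profile["uacc"])  # access list entry, else UACC
    return "ALLOW" if LEVELS.index(granted) >= LEVELS.index(requested) else "DENY"

# Constructed sample profiles, not taken from any real RACF database.
PROFILES = [
    {"name": "PAYROLL.**", "uacc": "NONE", "acl": {"HRADM": "ALTER", "PAYCLK": "READ"}},
    {"name": "PAYROLL.PROD.MASTER", "uacc": "NONE", "acl": {"HRADM": "UPDATE"}},
    {"name": "PUBLIC.*.DOCS", "uacc": "READ", "acl": {}},
]

if __name__ == "__main__":
    for setting in (None, "WARNING", "FAILURES"):
        # TEMP.SCRATCH has no profile, so only the PROTECTALL setting decides.
        print("PROTECTALL", setting, "->", check_access("PAYCLK", "TEMP.SCRATCH", "READ", PROFILES, setting))
```

Note that the discrete profile PAYROLL.PROD.MASTER wins over the generic PAYROLL.**, so HRADM's ALTER on the generic profile does not carry over to the master data set.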

z/OS and Security Servers

One and only one security server can be installed on z/OS. Some mistakenly believe that RACF comes free with z/OS, so that there is no choice to make. However, RACF is separately licensed, and customers must choose which security server they’d like to run: RACF, ACF2, or Top Secret.

z/OS communicates with the security servers through one of its own components, the System Authorization Facility (SAF), which provides the interface between products requesting security services and the installed security server.