ISPF client security

The ISPF client must be secure so that only authorized users can access stored files.
The IBM® Engineering Workflow Management (EWM) ISPF client provides mainframe access to source code that is stored in an EWM repository that might or might not be on the z/OS® machine to which the user is already authenticated. Therefore, the ISPF daemon needs to validate connection requests and provide secure communication between the host and the repository.

The security mechanism used by the EWM ISPF daemon relies on the security of the file system where the daemon resides. This means that only trusted system administrators should be able to update the program libraries and configuration files.

To create ISPF client security definitions, customize and submit sample member BLZRACFT, which contains sample RACF and z/OS UNIX commands that create the basic security definitions for EWM. BLZRACFT is located in hlq.SBLZSAMP, unless you have copied it to another library for customization. The user submitting this job must have security administrator privileges, such as being RACF SPECIAL.
Note: The sample BLZRACFT job holds more than just RACF commands. The last step of the security definitions consists of making various z/OS UNIX files program controlled. Depending on the policies at your site, this might be a task for the system programmer and not the security administrator.
Refer to the RACF Command Language Reference (SA22–7687) for more information about RACF commands.
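One way to check both conditions described above (write access limited to administrators, and z/OS UNIX files made program controlled) is to audit a saved `ls -E` listing. This is an added example, not part of the product documentation or of the BLZRACFT sample; the file names, owners and groups in the listing are constructed, and the layout assumed is the z/OS UNIX `ls -E` format, with the four extended-attribute flags (a, p, s, l) in the second column.

```shell
#!/bin/sh
# Audit a saved z/OS UNIX `ls -E` listing for the two conditions described above:
#   1. no group or world write access on program and configuration files
#   2. executables carry the program-controlled extended attribute ("p")
# Assumed columns: mode, extended attributes (a p s l), links, owner, group,
# size, month, day, time, name.

# Constructed sample listing; file names, owners and groups are hypothetical.
sample_listing() {
cat <<'EOF'
total 4
-rwxr-xr-x  -ps-  1 SYSADM1  SYSGRP    40960 Jan 10 09:15 daemon_a
-rwxr-xr-x  --s-  1 SYSADM1  SYSGRP    20480 Jan 10 09:15 daemon_b
-rwxrwxr-x  -ps-  1 SYSADM1  SYSGRP    12288 Jan 10 09:15 helper_c
-rw-r--rw-  --s-  1 SYSADM1  SYSGRP      512 Jan 10 09:15 daemon.conf
EOF
}

# Reads `ls -E` lines on stdin, prints one finding per line,
# and returns 1 if anything was found, 0 if the listing is clean.
audit_listing() {
  awk '
    # Only regular-file entries: mode starts with "-" and has 10+ characters.
    substr($1, 1, 1) != "-" || length($1) < 10 || NF < 10 { next }
    {
      mode = $1; ext = $2; name = $NF   # names with spaces are not handled
      if (substr(mode, 6, 1) == "w") { print "GROUP-WRITABLE " name; n++ }
      if (substr(mode, 9, 1) == "w") { print "WORLD-WRITABLE " name; n++ }
      # Owner execute bit set ("x" or setuid "s") means it is a program,
      # so the second extended-attribute flag must be "p".
      if (index("xs", substr(mode, 4, 1)) > 0 && substr(ext, 2, 1) != "p") {
        print "NOT-PROGRAM-CONTROLLED " name; n++
      }
    }
    END { exit (n > 0 ? 1 : 0) }
  '
}

# Run the audit on the sample; on z/OS, pipe `ls -E <directory>` in instead.
sample_listing | audit_listing || echo "review the findings above"
```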

The user ID under which the ISPF daemon runs (as defined in BLZRACFT) should be added to the SAF group that was given write access to the CCM working directories when sample configuration job BLZCPBTK was submitted.

Through the dialogs of the ISPF client, you provide your EWM user ID and password to the ISPF daemon. The authentication data provided by the client is used only once, during the initial connection login. Once a user ID is authenticated, the user ID and self-generated PassTickets are used for all actions that require authentication. When you log out or exit the ISPF client, the authentication connection is lost and you must authenticate again the next time you use the ISPF client. The topic Using PassTickets provides an explanation of the ISPF daemon security process.

Sample RACF commands for these steps are provided in sample job BLZRACFT, but they are discussed in more detail in the topics included in the following list:
