Hello,

There is a lot of 'mythology' around this subject with BPCS, because in the old days, officially SSA said they did not support level 40 security (around 1993-94). That is no longer true.

Back then, it was BIR, BBM and BEM (referred to as DSS products) - which used MI calls (or direct calls to system objects not using the system provided interfaces). They were originally developed for S/38. The direct calls to system objects generally is/was done to increase performance and software vendors got away with it more often in the early days of the AS/400 when security issues were not as well understood, and level 40 was not very popular. However, SSA never did fully alter this code to correct the problem, and the products are no longer available, and were never RISC enabled. This also caused problems not just with security level, but when users upgraded OS releases from V2R2 to V2R3, there were issues where some of the MI instructions failed at the new release.

There was also discussion in those days that level 40 was not recommended because it was bad for performance since the system uses more resources to perform all the checking of object integrity etc. It is really no longer a big factor on the faster RISC machines, and several systems at SSA are running at 40. BPCS CD itself will run fine on level 40, and was loaded on HelpLine boxes and run at this level during Y2K testing.

As you might guess, AS/SET would not have any idea what to do with an MI instruction if it saw one, so any AS/SET generated code is guaranteed to be fine.

If you don't use those older reporting products there should not be a problem with level 40 security. Any V6.x release is verified to run at level 40, and does so at SSA on our systems.

Here are some recent SCOPE FAQ entries on the subject:

Platform: A400
Product: SYS
Version: 6.004
Program: SYS
Log Date: 04-27-99
Logged By: QUINLAJ
Incident #: 616053- 1 OGS

CAN CUSTOMER CHANGE SYSTEM VALUE FOR QSECURITY FROM 30 TO 40?

Customer was told by IBM Competency Center it was OK to go to security level 40. Informed customer we have put our Helpline system at security level 40 and run with no problems with BPCS 6.0.02, 6.0.02 and 6.1.00. Also, IBM tests BPCS at level 50 with no problems. If any problems were to be found relating to security levels, the Helpline would work with you to resolve those problems. Some older versions of BPCS contained 3rd party products (such as BIR) which did have some problems running at higher security levels.

Platform: A400
Product: SYS
Version: 6.002
Program: SYS650C
Log Date: 06-22-99
Logged By: NOVAKG
Incident #: 627228- 1 OGS

We're trying to implement an object level security strategy (level 40) and having problems with several BPCS programs. Because they are non-observable, I can't change the User Profile option from *USER to *OWNER. I understand that the programs are part of the SSA security & key validation - can you help?

Wants all security programs in BPCS re-compiled with the User Profile parameter set to *OWNER instead of current value of *USER.

Under normal circumstances, user profile SSA should own all objects and we recommend having users set to Group Profile SSA with owner of *GRPPRF. However, for more security, they can not implement this way and want each environment owned by a different profile, with all objects compiled with User Profile *OWNER, so they can adopt the authority of the owning profile. Thus, outside of BPCS, no one can update the database. At security level 40, when a job is submitted to batch, the adopter must have *USE authority to the profile running the job.

Entered 'E'BMR 51582 to request the security programs be recompiled to *OWNER. Note that this BMR 51582 is being completed on 6.1.01.

Thanks
Genyphyr Novak
SSA

-----Original Message-----
From: Mack, Robert M. <Robert.M.Mack@sgcna.com>
To: 'BPCS-L@midrange.com' <BPCS-L@midrange.com>
Date: Thursday, March 23, 2000 5:01 PM
Subject: RE: Security Level 40

The best way to determine if a vendor application will run at Security level 40 is to set the system value for auditing to PGMFAIL. This will create a log of all programs that will fail at level 40. It's a lot safer than just making the change and hoping for the best. Look in the security reference manual for instructions relating to program fail. It will explain how to set up the audit journal and then the journal receivers. If it's too technical, ask your IBM rep for help.

-----Original Message-----
From: Wolf, Roger [mailto:Roger.Wolf@garmin.com]
Sent: Thursday, March 23, 2000 10:06 AM
To: 'BPCS-L@midrange.com'
Subject: RE: Security Level 40

I heard SSA does not support security level 40 on BPCS 405 CD. Think I saw it in a document once.

-----Original Message-----
From: Rob [SMTP:stagis@fansteelvrwesson.com]
Sent: Wednesday, March 22, 2000 1:34 PM
To: BPCS-L@midrange.com
Subject: RE: Security Level 40

I don't think I'm the guy to answer this. I'm running 4.05CD as well, and actually have no interest in running that level of security...you could try it on a day off, I think. I'm sure others will have a definitive answer, but why don't you try setting that level on a Saturday and see what happens?

-----Original Message-----
From: owner-bpcs-l@midrange.com [mailto:owner-bpcs-l@midrange.com] On Behalf Of Bill Robins
Sent: Wednesday, March 22, 2000 2:28 PM
To: BPCS-L@midrange.com
Subject: Security Level 40

Can BPCS V405CD run at Level 40?

Thanks
Bill

+---
| This is the BPCS Users Mailing List!
| To submit a new message, send your mail to BPCS-L@midrange.com.
| To subscribe to this list send email to BPCS-L-SUB@midrange.com.
| To unsubscribe from this list send email to BPCS-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: dasmussen@aol.com
+---
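The audit-first approach suggested in the thread (log program failures while still at level 30, then review the log before changing QSECURITY) can be set up with the CL commands below. This is an added example, not part of any message in the thread and not SSA or IBM supplied code; the library AUDLIB, receiver AUDRCV0001 and output file QTEMP/AFOUT are hypothetical names, and the commands assume a profile with *ALLOBJ and *AUDIT special authority.

```cl
/* Added example. AUDLIB, AUDRCV0001 and QTEMP/AFOUT are           */
/* hypothetical names; substitute your own.                        */

/* 1. Confirm the current security level (expect 30 here).         */
DSPSYSVAL  SYSVAL(QSECURITY)

/* 2. Create a restricted library and the first journal receiver.  */
CRTLIB     LIB(AUDLIB) AUT(*EXCLUDE) +
             TEXT('Security audit journal receivers')
CRTJRNRCV  JRNRCV(AUDLIB/AUDRCV0001) THRESHOLD(100000) +
             AUT(*EXCLUDE) TEXT('Audit journal receiver')

/* 3. Create the security audit journal. It must be QSYS/QAUDJRN.  */
CRTJRN     JRN(QSYS/QAUDJRN) JRNRCV(AUDLIB/AUDRCV0001) +
             MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) +
             TEXT('Security audit journal')

/* 4. Audit program failures. CHGSYSVAL replaces the whole list,   */
/*    so include any values QAUDLVL already holds.                 */
CHGSYSVAL  SYSVAL(QAUDLVL) VALUE('*PGMFAIL')

/* 5. Switch auditing on for the levels listed in QAUDLVL.         */
CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL')

/* 6. Run the application through a full business cycle            */
/*    (month end, batch jobs, reports), then extract the           */
/*    authority-failure (AF) entries for review.                   */
DSPJRN     JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(AF) +
             OUTPUT(*OUTFILE) OUTFILE(QTEMP/AFOUT)

/* 7. Only when the AF entries are explained or fixed, raise the   */
/*    level. The new value takes effect at the next IPL.           */
CHGSYSVAL  SYSVAL(QSECURITY) VALUE('40')
```

Each AF entry names the program and the job that triggered it, which is what identifies the vendor objects that would stop working at level 40.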
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].