The product I'm working on now has a deep stack. We have an assembler back-end server with C++ wrapping it and a Java web server in the mix wrapping the C++ layer. We decided we would use UNIX domain sockets for the communication between the clients and server. This works well for both ISPF and the web UI. The compelling reason was it doesn't need to run authorized.  Our most experienced assembler programmers (and our owners) were dubious about that at first but were won over when they realized that the socket could be protected using UNIX file permissions backed by RACF.

On 4/12/2017 8:55 PM, Peter Relson wrote:
One of the terms bandied about w/r/t B1 security was "covert channels" --
an unauthorized user is not supposed to be able to know anything about
another user.
"Communication" in this case would include, but would not be limited to,
in-memory data.

"Another user" would usually not be the same as "a subsequent step in the
same job" but conceivably could be thought of as such.

You can decide for yourself to what extent (if any) z/OS Unix could be
thought to allow such channels. Maybe Unix (not just on z) brought about
the demise of B1 security, I have no idea; I have not heard B1 security
mentioned in a long time (that doesn't mean its concepts were bad).

Peter Relson
z/OS Core Technology Design


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
