When you have installed the MVS Tur(n)key system, there is no real security available. (There may be in a later incarnation of the Tur(n)key CD.) The only thing you can use for security right out of the box is password protection of datasets. Password protection is different for VSAM and for non-VSAM datasets. This little document refers to non-VSAM dataset protection only.
Information on password protection is recorded in two places. One of them is the dataset PASSWORD, which contains the passwords for the protected datasets, in plain text: just a little bit out of sight, but easily accessible. Take a look at job pwdprint in dataset SYS2.JCLLIB. This simple IDCAMS job will print all protected datasets with their corresponding passwords. (Good bye security....) You want it more comfortable? I have written a simple TSO command processor that works on/with the PASSWORD dataset. Just go to a TSO session and enter

    password all

and the names of all password protected datasets together with the protection level and the password will be displayed. Using

    password password(AAA BBBB)

will change all dataset passwords from AAA to BBBB. Also, anybody can access the PASSWORD dataset. It would be a very good idea to protect the PASSWORD dataset with a password ......
The PASSWORD dataset in the distributed system has already been protected with the following command

    PROTECT 'PASSWORD' ADD(GEHEIM) PWREAD PWWRITE

which assigns the control password GEHEIM to the dataset. One needs a password for read access and for write access. The provided password GEHEIM allows both, read and write. You should change the control password as soon as possible by issuing a command like

    PROTECT 'PASSWORD' REPLACE(GEHEIM newpassword)

where you will have to provide a new password (up to 8 alphanumeric characters, not case sensitive), of course. Instead of writing the passwords, for everybody to see, as part of the command, you can use prompt mode as well:

    PROTECT 'PASSWORD' REPLACE

and you will be prompted for the current password, and then the new password. You get the full syntax of the PROTECT command by entering

    HELP PROTECT

in a TSO session. Instead of using the TSO PROTECT command for maintaining the password protection status, you can also use IEHPROGM. Sample jobs are available in members of SYS2.JCLLIB.

To see how this works on a dataset of your own, protect it with the command

    PROTECT 'HERC01.SECRET.FILE' ADD(ALPHA) PWREAD PWWRITE

Displaying the password information now shows:
    password all
    ENTER PASSWORD FOR DATA SET PASSWORD
    HERC01.SECRET.FILE  ALPHA     C  RW     0
    PASSWORD            GEHEIM    C  RW     8
    READY
This shows that ALPHA is the control password (the C in the display), and can be used for READ and WRITE access. Now issue the command

    PROTECT 'HERC01.SECRET.FILE' ADD(BAKER) PWREAD NOWRITE

The system will ask for the control password (ALPHA) and then process your request. A display of the password info shows
    password all
    ENTER PASSWORD FOR DATA SET PASSWORD
    HERC01.SECRET.FILE  BAKER        R      0
    HERC01.SECRET.FILE  ALPHA     C  RW     0
    PASSWORD            GEHEIM    C  RW     9
    READY
Later you can add more passwords for the file, like

    PROTECT 'HERC01.SECRET.FILE' ADD(CHARLIE) PWWRITE

which will result in
    password all
    ENTER PASSWORD FOR DATA SET PASSWORD
    HERC01.SECRET.FILE  BAKER        R      0
    HERC01.SECRET.FILE  CHARLIE      RW     0
    HERC01.SECRET.FILE  ALPHA     C  RW     0
    PASSWORD            GEHEIM    C  RW     9
    READY
In other words, CHARLIE is now a secondary password, and can be used to update the file. But CHARLIE cannot be used to modify passwords etc.; you still need the control password (ALPHA) for that.

A password entry can be easily deleted from the PASSWORD dataset by

    PROTECT 'HERC01.SECRET.FILE' DELETE(CHARLIE)

Again, you will be prompted for the control password, and then the password entry for CHARLIE is gone.
    password all
    ENTER PASSWORD FOR DATA SET PASSWORD
    HERC01.SECRET.FILE  BAKER        R      0
    HERC01.SECRET.FILE  ALPHA     C  RW     0
    PASSWORD            GEHEIM    C  RW     9
    READY
If you delete the entry for the control password, all password entries for the dataset are deleted, and the dataset becomes unprotected.

    PROTECT 'HERC01.SECRET.FILE' DELETE(ALPHA)

You noticed something? No? Well, you should have noticed that something did not happen: there was no prompt for the control password. Well, you just deleted it...
    password all
    ENTER PASSWORD FOR DATA SET PASSWORD
    PASSWORD            GEHEIM    C  RW     9
    READY
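The same sequence of steps for HERC01.SECRET.FILE, carried out with IEHPROGM (mentioned above as the alternative to the TSO PROTECT command) instead of PROTECT. This is an added example, not one of the SYS2.JCLLIB sample jobs and not the author's code. The job card, the device type 3350 and the volume serial PUB001 are placeholders for your own system, and the IEHPROGM TYPE codes are assumed here to map as TYPE=1 for read and write (PWREAD PWWRITE) and TYPE=3 for read only (PWREAD NOWRITE):

```jcl
//PWMAINT  JOB (ACCT),'DATASET PASSWORDS',CLASS=A,MSGCLASS=X
//*
//* Added example, not one of the SYS2.JCLLIB sample jobs: the PROTECT
//* sequence for HERC01.SECRET.FILE, done with IEHPROGM instead.
//* Job card, device type (3350) and volume serial (PUB001) are
//* placeholders for your own system.
//*
//STEP1    EXEC PGM=IEHPROGM
//SYSPRINT DD  SYSOUT=*
//* The volume holding the dataset must be allocated so that IEHPROGM
//* can set the protection indicator in the dataset's DSCB.
//DD1      DD  UNIT=3350,VOL=SER=PUB001,DISP=OLD
//SYSIN    DD  *
  ADD DSNAME=HERC01.SECRET.FILE,PASWORD2=ALPHA,TYPE=1
  ADD DSNAME=HERC01.SECRET.FILE,PASWORD1=ALPHA,PASWORD2=BAKER,TYPE=3
  ADD DSNAME=HERC01.SECRET.FILE,PASWORD1=ALPHA,PASWORD2=CHARLIE,TYPE=1
  DELETEP DSNAME=HERC01.SECRET.FILE,PASWORD1=ALPHA,PASWORD2=CHARLIE
/*
```

The first ADD carries no PASWORD1 because the dataset is not yet protected, so ALPHA becomes the control password. The following statements must supply the control password in PASWORD1, exactly like the prompt for ALPHA in the PROTECT session above: BAKER is added as a read-only secondary password, CHARLIE as a read/write secondary password, and DELETEP removes CHARLIE's entry again. A VOL=device=serial operand on the ADD statement is only needed when the dataset is not cataloged. Note that the passwords sit in the job stream in plain text, so the same caution as for the PROTECT command line applies: the SYSIN member, and the job's spool output, are worth protecting as carefully as the PASSWORD dataset itself.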