psf v4r6 for z/os: security guide - ibm.com · about this publication this publication is designed...

Print Services Facility for z/OS

Security GuideVersion 4, Release 6.0

S550-0434-04

IBM

NoteBefore using this information and the product it supports, read the information in “Notices” on page 37.

This edition applies to the IBM Print Services Facility Version 4 Release 6 Modification 0 for z/OS, ProgramNumber 5655-M32, and to all subsequent releases and modifications until otherwise indicated in new editions.

This edition replaces S550-0434-03.

© Copyright IBM Corporation 1989, 2017.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.

Contents

Figures . . . . . . . . . . . . . . . v

Tables . . . . . . . . . . . . . . . vii

About this publication . . . . . . . . ixWho should read this publication . . . . . . . ixHow this publication is organized . . . . . . . ix

Fast path . . . . . . . . . . . . . . xUnderstanding the syntax notation used in thispublication . . . . . . . . . . . . . . . xRelated information . . . . . . . . . . . . x

How to send your comments to IBM xiiiIf you have a technical problem . . . . . . . xiii

Summary of changes . . . . . . . . xv

Chapter 1. Introducing the print labelingfunction. . . . . . . . . . . . . . . 1Understanding print labeling . . . . . . . . . 1

User-printable area . . . . . . . . . . . 2Distributing secure PSF output . . . . . . . . 3Auditing PSF output for security . . . . . . . 4Introducing trusted computing base components . . 4

Trusted software . . . . . . . . . . . . 5Trusted hardware . . . . . . . . . . . . 6Users . . . . . . . . . . . . . . . . 6

Choosing from a list of security-related PSF tasks . . 7

Chapter 2. Using print labeling . . . . . 9Installing PSF . . . . . . . . . . . . . . 9

Printer support in PSF . . . . . . . . . . 9Designing pages for print labeling . . . . . . . 9

Creating security overlays . . . . . . . . 10Allocating the security definitions library . . . . 10

Security definitions library attributes . . . . . 11Defining a security definitions library. . . . . . 11

Syntax for a security definitions member . . . 11Rules for defining a security definitions member 13Sample security definitions member . . . . . 14

Defining security resource libraries . . . . . . 15Defining a security console . . . . . . . . . 15

Assembling separator pages . . . . . . . . . 16Enabling print labeling . . . . . . . . . . 16

Using RACF with PSF for z/OS . . . . . . 17PSF processing differences with the print labelingfunction . . . . . . . . . . . . . . 17

Updating initialization parameters. . . . . . . 18Updating print labeling parameters . . . . . 20Defining data definition names in the PRINTDEVstatement . . . . . . . . . . . . . . 21

Submitting a print job that includes identificationlabels . . . . . . . . . . . . . . . . 22

Overriding print labeling defaults . . . . . . 23Maintaining PSF for z/OS with print labelingenabled. . . . . . . . . . . . . . . . 23

Auditing PSF printing . . . . . . . . . . 23Interpreting security-related messages . . . . 24Diagnosing print labeling problems . . . . . 24

Appendix A. Security page layout . . . 29

Appendix B. PAPERNAM table forsystem-defined paper names . . . . . 31

Appendix C. Accessibility . . . . . . 33Accessibility features . . . . . . . . . . . 33Consult assistive technologies . . . . . . . . 33Keyboard navigation of the user interface . . . . 33Dotted decimal syntax diagrams . . . . . . . 33

Notices . . . . . . . . . . . . . . 37Terms and conditions for product documentation. . 39IBM Online Privacy Statement . . . . . . . . 40Policy for unsupported hardware . . . . . . . 40Minimum supported hardware . . . . . . . . 40Trademarks . . . . . . . . . . . . . . 41

Glossary . . . . . . . . . . . . . . 43

Bibliography . . . . . . . . . . . . 49Advanced Function Presentation (AFP) . . . . . 49

Index . . . . . . . . . . . . . . . 51

© Copyright IBM Corp. 1989, 2017 iii

iv PSF V4R6 for z/OS: Security Guide

Figures

1. Print labeling . . . . . . . . . . . . 12. Placing identification labels on the physical

page . . . . . . . . . . . . . . . 33. Random numbering of printed output . . . . 44. Typical components of a trusted computing

base . . . . . . . . . . . . . . . 55. Library attributes for the security definitions

library . . . . . . . . . . . . . . 116. Syntax for a security definitions library

member . . . . . . . . . . . . . . 117. Sample coding of a member . . . . . . . 148. Page layout for a cut-sheet page . . . . . 149. Page layout for a continuous form . . . . . 15

10. ROUTCODE option for routing messages 1511. ROUTCODE option for stopping messages 1612. Activating SECLABEL . . . . . . . . . 1713. Using the RACF SETROPTS and RDEFINE

commands . . . . . . . . . . . . . 1714. Adding a user ID to a RACF profile . . . . 1715. Refreshing RACF . . . . . . . . . . 1716. Sample PSF startup procedure with comments

for security-related parameters . . . . . . 1917. Sample JCL job card . . . . . . . . . 2318. Sample JCL output statement . . . . . . 2319. Security page layout . . . . . . . . . 29

© Copyright IBM Corp. 1989, 2017 v

vi PSF V4R6 for z/OS: Security Guide

Tables

1. SYS1.SAMPLIB members for PSFdocumentation updates . . . . . . . . . x

2. Security tasks and the people who do them 73. Library attributes for a security resource

library . . . . . . . . . . . . . . 15

4. PSF exit routines in SYS1.SAMPLIB . . . . 165. Parameters for enabling print labeling . . . 206. Print labeling diagnosis . . . . . . . . 257. PAPERNAM parameter values . . . . . . 31

© Copyright IBM Corp. 1989, 2017 vii

viii PSF V4R6 for z/OS: Security Guide

About this publication

This publication is designed to help programmers, analysts, and administratorswho install, customize, or maintain Print Services Facility™ (PSF) for z/OS®

(referred to as PSF) as a component of a trusted computing base.1

This publication describes the PSF function that is called print labeling. Thisfunction can be used to produce printed output that contains special labels. Theselabels can be used for security purposes or other installation-defined purposes.

Note: Print labeling can be done with PSF even if PSF is not a part of a trustedcomputing base.

Who should read this publicationYou use this publication if you are a system programmer, a system analyst, asecurity administrator, a security auditor, or an application programmer who isresponsible for data security.

You must be familiar with the material that is contained in PSF for z/OS:Customization and PSF for z/OS: User's Guide before you attempt any of theprocedures that are described in this publication.

How this publication is organizedThis publication is intended to help you do the tasks in Table 2 on page 7. Theinformation in this publication must not be used for programming purposes.

This publication is organized so that you can read it sequentially or refer directlyto individual tasks.v Use Chapter 1, “Introducing the print labeling function,” on page 1 for an

overview of the PSF print labeling function and how PSF operates within atrusted computing base.

v Use Chapter 2, “Using print labeling,” on page 9 when you are working with anoperating system that supports print labeling.

v Use Appendix A, “Security page layout,” on page 29 when you are designingpages for printing with the print labeling function of PSF.

v Use Appendix B, “PAPERNAM table for system-defined paper names,” on page31 to find a list of system-defined paper names that are used when you areestablishing a security definitions library.

v Use Appendix C, “Accessibility,” on page 33 to obtain information about theaccessibility features available in z/OS.

A notices section, glossary, bibliography, and index are included. The bibliographylists the publications that contain additional information about the system,hardware, or software used by PSF, or about installation and maintenance.

1. A trusted computing base consists of components that together enforce a unified security policy over a computing environment.For more information, see “Introducing trusted computing base components” on page 4.

© Copyright IBM Corp. 1989, 2017 ix

Fast pathFor a list of security-related tasks, see Table 2 on page 7. This fast path is providedso that you can quickly access task information if you are already familiar with thePSF print labeling function.

Understanding the syntax notation used in this publicationThe following rules apply to syntax examples and coding illustrations throughoutthis publication:v The uppercase letters are to be entered as shown; however, you do not need to

type them in uppercase.v The variable data that you must provide is printed in italics. Enter specific data

to replace the characters in italics; for example, for PRTnnnn you can enter PRT2.v Do not enter any of the following symbols as part of a parameter or an option:

Vertical Bar |Underscore ___Braces { }Brackets [ ]

v A vertical bar between two values means that you are to select only one of thevalues.

v If one value in a set of values is underscored, that value is the default—that is,the value that PSF uses if no option is specified.

v If values are enclosed in braces { }, one or the other of the values in the bracesmust be selected.

v If a value is enclosed in brackets [ ], you do not have to select that value.

Related informationPublications that are referred to in this document or that contain more informationabout AFP and related products are listed in the “Bibliography” on page 49. Forinformation about all z/OS product publications, see z/OS Information Roadmap.

For more information about z/OS and PSF for z/OS, see these web pages:v z/OS home page (www.ibm.com/systems/z/os/zos)v z/OS Print Management Software (www.ibm.com/systems/z/os/zos/

printsoftware)

To obtain the latest documentation updates for z/OS base elements and optionalfeatures that result from DOC APARs and PTFs, go to z/OS APAR book(publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/ZDOCAPAR).

To obtain the latest documentation updates for PSF for z/OS, see the appropriateSYS1.SAMPLIB members in Table 1.

Table 1. SYS1.SAMPLIB members for PSF documentation updates

Member Publication

APSGADP6 PSF for z/OS: AFP Download Plus

APSGCUS6 PSF for z/OS: Customization

APSGDGN6 PSF for z/OS: Diagnosis

APSGDLG6 PSF for z/OS: Download for z/OS

APSGMAC6 PSF for z/OS: Messages and Codes

x PSF V4R6 for z/OS: Security Guide

||

||

||

||

||

http://www.ibm.com/systems/z/os/zos

http://www.ibm.com/systems/z/os/zos/printsoftware

http://www.ibm.com/systems/z/os/zos/printsoftware

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/ZDOCAPAR

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/ZDOCAPAR

Table 1. SYS1.SAMPLIB members for PSF documentation updates (continued)

Member Publication

APSGSEC6 PSF for z/OS: Security Guide

APSGUSR6 PSF for z/OS: User's Guide

About this publication xi

||

||

xii PSF V4R6 for z/OS: Security Guide

How to send your comments to IBM

We appreciate your input on this documentation. Please provide us with anyfeedback that you have, including comments on the clarity, accuracy, orcompleteness of the information.

Use one of the following methods to send your comments:

Important: If your comment regards a technical problem, see instead “If you havea technical problem.”v Send an email to [email protected] Send an email from the Contact z/OS web page (www.ibm.com/systems/z/os/

zos/webqs.html).

Include the following information:v Your name and addressv Your email addressv Your phone or fax numberv The publication title and order number:

PSF V4R6 for z/OS: Security GuideS550-0434-04

v The topic and page number or URL of the specific information to which yourcomment relates

v The text of your comment.

When you send comments to IBM®, you grant IBM a nonexclusive right to use ordistribute the comments in any way appropriate without incurring any obligationto you.

IBM or any other organizations use the personal information that you supply tocontact you only about the issues that you submit.

If you have a technical problemDo not use the feedback methods that are listed for sending comments. Instead,take one or more of the following actions:v Visit the IBM Support Portal (support.ibm.com).v Contact your IBM service representative.v Call IBM technical support.

© Copyright IBM Corp. 1989, 2017 xiii

mailto:[email protected]

http://www.ibm.com/systems/z/os/zos/webqs.html


http://support.ibm.com

xiv PSF V4R6 for z/OS: Security Guide

Summary of changes

This information contains no technical changes for this release.

© Copyright IBM Corp. 1989, 2017 xv

xvi PSF V4R6 for z/OS: Security Guide

Chapter 1. Introducing the print labeling function

This information introduces the concept of print labeling and explains how PSF forz/OS operates within a secure computing environment.

Understanding print labelingYou can place identification labels on each page of printed output with the PSFfunction called print labeling. An identification label can be composed of text,graphics, or a combination of both. Identification labels can be used for securityinformation, such as a TOP SECRET security level, or for other installation-definedpurposes. Identification labels can be placed on the top, bottom, or sides of allpages within a job. Up to eight labels can be defined to print on every page of thejob.

An identification label is positioned on the page by using a resource that is called asecurity overlay. The overlays and the resources used by the overlays, such as fontsand page segments, are stored in special security libraries.

Print labeling can be applied to data pages and to separator pages. Figure 1 showslabeling applied to a data page from one job and a separator page from anotherjob.

The two types of print labeling are guaranteed print labeling and nonguaranteed printlabeling. Guaranteed print labeling works with a subset of Advanced FunctionPresentation (AFP) printers and ensures the integrity of the identification label bypreventing the user from changing the label. Nonguaranteed print labeling works

Data Page Separator Page

To

p S

ecre

tP

roje

ct

A

Top Secret

Project A

Top Secret

Project ATo

p S

ecre

tP

roje

ct

A

John Q. PublicSIGMA CompanyBoulder, Colorado

TO: All EmployeesBoulder Plant

REF: BookMaster Demo

This demo memo shows BookMaster’s limited desktop capabilities.BookMaster is a WYSIWIG program that is comparable to such typesettingsoftware as PageMaker and Ventura

Pages can be composed and printed on avariety of printers, and the user interfacetakes about 3 hours to learn. Text can beflowed around imported graphics and finaloutput can be viewed without leavingBookMaster. This is comparable to the viewfeature of BookMaster. In BookMaster, younever stray too far from the editor. You can also dolimited editing on your graphic, without leaving the program.

Why am I telling you all this? BookMaster will be available for VM this year,a similar interface will be used. Who knows, maybe ID 2001 will be usinga WYSIWYG writing tool. What ever the future holds, we should beaware of the present state of technology.

If you would like more information on BookMaster,I’ll be glad to help. Do you have experience withanother new program? Perhaps we could all shareinformation as we get it!

Note:This demo shows BookMaster’s limited textand graphic capabilities. BookMaster is a WYSIWIGprogram that is comparable to other typesetting software.Text can be floated around imported graphics. This demomemo shows BookMaster’s limited text and graphic capabilities.

Identification Labels

START

686-208

USER:

JOB NAME: ZZ7PPW02

JOB NUMBER: JOB00021

SYSOUTCLASS: L

SYSTEM ID: SYSA

PRINTER: PRT14

PRINT DATE: 04 DEC 2001

PRINT TIME: 11:19:31

OUTPUT GROUP: 000 000

ROOM:

Figure 1. Print labeling. Identification labels can be placed on the top, bottom, or sides of allpages within a job. This example shows a page from two different jobs.

© Copyright IBM Corp. 1989, 2017 1

on most AFP printers, but the integrity of the identification labels cannot beguaranteed. For a list of printers that support print labeling, see “Printer supportin PSF” on page 9.

The following steps describe how print labeling works:1. The user submits a print request that uses data and resources from host

libraries. A security label is associated to the print request. The label is acombination of both the security level and the security class.

2. Resource Access Control Facility (RACF®), a component of z/OS SecurityServer, checks to ensure that the user’s security label matches the securitylabels of all requested user data or user resources. If the labels match, the datais placed on the spool.

3. PSF formats the data and resources by using the security label of the print jobto apply the appropriate security overlays to all pages of the printed output.

The integrity of the identification label is ensured by the positioning of the label inan area of the page where user data cannot be placed. To enforce this positioning,the valid printable area of a form for user data is reduced by the definition of auser-printable area.

User-printable areaThe user-printable area (UPA) is the area on the page that contains alluser-generated data. If an attempt is made to print user-generated data outside theUPA, an exception condition occurs. Identification labels are placed outside of theUPA, but within the valid printable area of the form. Figure 2 on page 3 shows alayout of where an identification label can be placed.

When guaranteed print labeling is enabled, an appropriate UPA must be definedby the system programmer for each paper size that can be used to print data witha particular identification label. Different UPAs can be defined for the same papersize when different identification labels are used.

2 PSF V4R6 for z/OS: Security Guide

For a template that you can use to lay out your pages and define the UPA, seeAppendix A, “Security page layout,” on page 29.

Distributing secure PSF outputPSF prints a randomly generated number for each job on the header and the trailerpages of the job if guaranteed print labeling is being done. The printer operatormatches the number on the header page to the number on the trailer page beforethe job output is distributed. By ensuring that the numbers match, the printeroperator ensures output security. Figure 3 on page 4 illustrates the printednumbers.

PhysicalPage Boundary

Identification Label

UPA(shaded area)

Identification Label

Figure 2. Placing identification labels on the physical page. Identification labels should beplaced outside the UPA but must be placed within the physical page boundaries.

Chapter 1. Introducing the print labeling function 3

Auditing PSF output for securityPSF and RACF record security exceptions and help the security administrator auditPSF activity. For more information about auditable conditions, see “Auditing PSFprinting” on page 23.

Introducing trusted computing base componentsA trusted computing base consists of components that together enforce a unifiedsecurity policy over a computer environment. Components of a trusted computingbase include hardware and software. PSF is a software component that is usedwith hardware and other software components to provide a trusted computingbase. Figure 4 on page 5 illustrates a sample trusted computing base.

Header Page Trailer Page

Top Secret

Project A

Top Secret

Project A

Random Number

END

686-208

USER:

JOB NAME: ZZ7PPW02


SYSOUTCLASS: L

SYSTEM ID: SYSA

PRINTER: PRT14




ROOM:

Top Secret

Project A

Top Secret

Project A

START

686-208

USER:

JOB NAME: ZZ7PPW02


SYSOUTCLASS: L

SYSTEM ID: SYSA

PRINTER: PRT14




ROOM:

Figure 3. Random numbering of printed output. The printer operator is responsible formatching the random numbers and distributing the printed output.


Trusted softwareTrusted software is the software portion of the trusted computing base. It includes:

Access control softwareAccess control is regulated by RACF, which:v Authorizes user sessions based on user ID.v Authorizes resource access.v Ensures that only users who are identified to RACF can access the

processor or resources.

For more information about how to protect processing with RACF, seez/OS Security Server RACF Security Administrator's Guide.

Trusted spooling softwareIn a trusted computing base, spool files are protected through RACF andyour spooling software. For example, in z/OS, the Job Entry Subsystem(JES) spool is protected by activating the RACF JESSPOOL security classand by defining RACF profiles. For information about defining PSF-relatedRACF profiles, see “Using RACF with PSF for z/OS” on page 17.

Trusted printer-driver softwareIn a trusted computing base, secure printed output is controlled throughPSF (the printer-driver software) and RACF. Output from a trusted printercontains identification labels that are printed on each page.

Trusted communications softwareIn a trusted computing base, communications software is used to connect

TrustedSpooling Software

Trusted Consoles

TrustedResourcesTrusted Processor with

Access Control Software

Trusted Printers End Users

Trusted Printer-Driver Software

(PSF)

TrustedCommunications

Software

Figure 4. Typical components of a trusted computing base. Different components might beinstalled with your installation.


input and output devices to the main processor. For example,Communications Server: IP Services can be used to connect user terminalsto the main processor so users communicate with one another.

In a trusted computing base, communication through networking softwareis controlled through RACF, and communication between users can berestricted or prohibited based on defined security clearances. See yournetworking software documentation for more information aboutcontrolling network access with RACF and for defining security clearancesfor user terminals.

Trusted resourcesIn a trusted computing base, some resources are defined as securityresources and are managed differently from other resources. For example,fonts, overlays, and page segments that are used to print identificationlabels are stored in secure libraries, and only the printer driver can accessthese resources for printing.

Trusted hardwareTrusted hardware is the set of equipment that is protected through RACF in thetrusted computing base. It includes:

Trusted processorIn a trusted computing base, the main processor provides access control foradmittance to all resources and user processing. Communication betweentrusted and nontrusted processors is restricted.

Trusted printersIn a trusted computing base, a trusted printer is one that supportsguaranteed print labeling. For more information about guaranteed printlabeling and printers that support guaranteed print labeling, see “Printersupport in PSF” on page 9.

In addition, a trusted printer is located in a controlled area. Only theprinter operator is allowed to distribute output to the user.

Trusted consoleIn a trusted computing base, a trusted console is a computer terminal thatis defined to RACF with a security label. In addition, a trusted console islocated in a controlled area where only authorized personnel are allowedto access the console.

A trusted console, or security console, can still be restricted from acceptingcertain console operator commands. For example, in z/OS, JES3 commandsare grouped into command authority levels, and consoles can be defined toaccept only certain levels of JES3 commands from the console operator. Formore information about defining a console to RACF, see the RACFdocumentation for your operating system.

For information about diverting PSF messages from a master console to asecurity console, see “Defining a security console” on page 15.

UsersIn a trusted computing base, the user must be defined to RACF by using a securitylevel and a security class. Both the security level and the security class make upthe security label of the user. Only users with a security label that is assigned to theuser terminal can use the trusted computing base.


Choosing from a list of security-related PSF tasksTable 2 matches personnel with security-related tasks that are described here. Youcan use this table as a fast path that directs you to security-related tasks containedin this information.

Note: Your installation might or might not have the unique personnel that arelisted in the table.

Table 2. Security tasks and the people who do them

Security-Related Tasks Personnel See Page:

Install PSF System programmer 9

Determine how your printer supports printlabeling

System programmer and security administrator 9

Allocate security definitions libraries System programmer and security administrator 10

Define security definitions library System programmer and security administrator 11

Define security resource libraries System programmer and security administrator 15

Design page layouts for each size of paper System programmer, security administrator, andapplication programmer

29

Create security overlays System programmer, security administrator, andapplication programmer

10

Define security consoles System programmer and security administrator 15

Update the PSF startup procedure System programmer and security administrator 18

Enable print labeling System programmer and security administrator 16

Activate separator page content (randomnumbering)

System programmer or security administrator 16

Submit a print job that requires identificationlabels

User who is RACF authorized 22

Check PSF output for security Printer operator 3

Diagnose print-labeling problems System programmer and security administrator 24

Interpret security-related error messages Console operator, system programmer, securityadministrator, and application programmers

24

Perform security audits Security administrator and installation auditor 23


Chapter 2. Using print labeling

This information describes how to enable, customize, and maintain the printlabeling function of PSF for z/OS. The procedures, examples, and parametersdescribed here apply only to a z/OS operating system.

You can find more information in these publications:v PSF for z/OS: Customizationv PSF for z/OS: User's Guidev Overlay Generation Language/370 User's Guide and Reference

You must be familiar with PSF customization before you enable the print labelingfunction.

The tasks that are described in this information can be done in the followingsequence. Your installation might not require all tasks.1. “Installing PSF”2. “Designing pages for print labeling”3. “Allocating the security definitions library” on page 104. “Defining a security definitions library” on page 115. “Defining security resource libraries” on page 156. “Defining a security console” on page 157. “Assembling separator pages” on page 168. “Enabling print labeling” on page 169. “Updating initialization parameters” on page 18

10. “Submitting a print job that includes identification labels” on page 2211. “Maintaining PSF for z/OS with print labeling enabled” on page 23

Installing PSFInstall PSF as instructed in the Program Directory for Print Services Facility for z/OS,which is included with the PSF licensed program tapes. This directory containsinformation about the microcode levels for specific printers. You need to make surethat the appropriate level of microcode is installed on your printer before yourprinter can support guaranteed print labeling.

Printer support in PSFAFP printers can support guaranteed print labeling or nonguaranteed printlabeling. To determine the type of print labeling your printer supports in PSF forz/OS, use the display printer information function. If the Define User Area is listedin the DEVICE CONTROL COMMAND Set Vector of the Sense Type and Model(STM), the printer supports guaranteed print labeling; if it is not, the printersupports nonguaranteed print labeling. For more information about the displayprinter information function, see PSF for z/OS: Customization.

For more information about guaranteed print labeling and nonguaranteed printlabeling, see “Enabling print labeling” on page 16.

Designing pages for print labelingThese steps are required to design pages for print labeling:


1. Identify any fonts or page segments that you want to use in the identificationlabel. For information about identifying fonts and page segments, see “Definingsecurity resource libraries” on page 15 and “Defining data definition names inthe PRINTDEV statement” on page 21.

2. Construct a page layout. See Appendix A, “Security page layout,” on page 29for a page layout tool.

3. Create security overlays as needed. See “Creating security overlays.”4. Create a security definitions library (allocate and define members). Each

combination of security label, paper size, and page top must be defined to PSFin a member of a security definitions library. To define members in a securitydefinitions library, see “Defining a security definitions library” on page 11.

Creating security overlaysYou must create at least one security overlay for each security label that you areusing on your system. The same overlay can be used on different paper sizes andorientations but the overlay must be carefully designed, considerating the mediaorigin and the printable area differences. If you want, more than one securityoverlay can be created for each combination of security label, paper size, andorientation.

Security overlays are created as you would create other overlays, but RACF is usedto protect overlays that are in a secure library from any unauthorized modification.For example, a user of Overlay Generation Language (OGL) needs to beRACF-authorized to access an overlay in a secure library. See your RACFdocumentation for more information about how users are authorized to accesssecure libraries. For more information about creating overlays, see OverlayGeneration Language/370 User's Guide and Reference.

Printing with security overlaysPrinting security overlays is not specified with a form definition but with theSECOVLY option. This option is coded in a member of the security definitionslibrary. For more information, see “Defining a security definitions library” on page11.

Allocating the security definitions libraryThe security definitions library is a partitioned data set or a series of concatenatedpartitioned data sets. A security definitions library contains separate definitions foreach type of security label available on the system. A single member contains thedefinitions for one security label that is used with all paper sizes and pageorientations. For example, a security definitions library that is calledSECURE.SECDEFS contains two members, named TOPSEC and UNCL. Themember SECURE.SECDEFS(TOPSEC) contains definitions for printing a top secretidentification label. The member SECURE.SECDEFS(UNCL) contains definitions forprinting an unclassified identification label.

A member of a security definitions library contains the size and origin of theuser-printable area (UPA) for each paper size and page orientation that is used bythe printer. The security definitions library can optionally contain the names of anysecurity overlays.

You need to define the minimum number of paper sizes that are required for eachsecurity label. This definition reduces PSF search time. For example, you can createa security definitions library for all of your printers that use cut-sheet paper andanother library for all of your printers that use continuous-forms paper.


Names that are used to identify the security definitions library are defined in a PSFstartup procedure. The DD statement is used to associate a security definitionslibrary name to the printer that uses that library. See Figure 16 on page 19 for anexample of how a DD statement is used to refer to a security library name.

Security definitions library attributesYou allocate a security definitions library with the attributes that are listed inFigure 5.

Note: The security definitions library cannot have records that contain machine orAmerican National Standards Institute (ANSI) control characters and cannot usethe track overflow feature.

Defining a security definitions libraryYou define a member in the security definitions library for each security label.

Syntax for a security definitions memberFigure 6 illustrates the syntax for a security definitions library member.

The parameters and values for a security definitions library member are:

{PAPERNAM papername | PAPERSIZ width_value height_value}Specifies the size of the paper. You must use either PAPERNAM or PAPERSIZ.

PAPERNAM specifies the system-defined paper names for each paper size. SeeAppendix B, “PAPERNAM table for system-defined paper names,” on page 31for a list of valid names and the dimensions for each system-defined papername.

PAPERSIZ specifies the width and height of the paper and the units ofmeasurement, either in inches (IN) or in millimeters (MM). The PAPERSIZparameter is used if the size of the paper that is loaded in the printer does notcorrespond to one of the PSF system-defined paper names.

The valid values for inches can be from 0 to 22.75. The valid values formillimeters can be from 0 to 577.97. The values do not need to be in the sameunits and are entered as follows (the decimal point is optional for integervalues):nnn.nn {IN | MM}

See Figure 7 on page 14 for an example of this parameter.

DSORG=POLRECL=80BLKSIZE=multiple_of_80RECFM={FB | F}

Figure 5. Library attributes for the security definitions library

{PAPERNAM papername | PAPERSIZ width_value height_value }[ TOP { NARROW | WIDE } ][ UPAORG xorg_value yorg_value ][ UPADIM xlength_value ylength_value ][ SECOVLY name1 name2...name8 ]

Figure 6. Syntax for a security definitions library member

Chapter 2. Using print labeling 11

Note: Make sure that you have a paper definition for every size of paper thatmight be installed on a printer.

[ TOP { NARROW | WIDE } ]Specifies which edge of the paper is the top by identifying whether the mediaorigin2 is at the upper-left corner of a narrow or wide edge of the paper. TheTOP parameter has two options:v NARROW is the default and specifies that the security overlays and UPA in

this security definition entry use the upper-left corner of a narrow edge ofthe paper as the media origin.

v WIDE specifies that the security overlays and UPA in this security definitionentry use the upper-left corner of a wide edge of the paper as the mediaorigin.

For continuous-forms printers, a security definitions member can contain botha NARROW and WIDE entry if:v Both narrow and wide forms are used for the security label.3

v The form definition contains page-presentation and print-direction controlsthat change the default media origin.

For cut-sheet printers, only one entry (NARROW) is needed. Because themedia origin for cut sheets is always the upper-left corner of a narrow edge,the WIDE option is ignored for cut-sheet forms.

Determine whether to use the WIDE or NARROW entry for continuous-formsprinters:v WIDE for wide forms if the form definition contains LANDSCAPE ACROSS

or PORTRAIT DOWN controls.v WIDE for narrow forms if the form definition contains PORTRAIT ACROSS

or LANDSCAPE DOWN controls.v NARROW for narrow forms if the form definition contains PORTRAIT

ACROSS or LANDSCAPE DOWN controls.v NARROW for wide forms if the form definition contains LANDSCAPE

ACROSS or PORTRAIT DOWN controls.

For more information about the page-presentation and print-direction controlsin a form definition, see Page Printer Formatting Aid: User's Guide. See Figure 7on page 14 for an example of this parameter.

[ UPAORG xorg_value yorg_value ]Specifies the origin, in inches (IN) or millimeters (MM), of the UPA.

The origin is expressed as horizontal offsets (xorg) and vertical offsets (yorg)from the media origin for a particular page size and origin.

The valid values for inches can be from 0 to 22.75. The valid values formillimeters can be from 0 to 577.97. The values do not need to be in the sameunits and are entered as follows (the decimal point is optional for integervalues):nnn.nn {IN | MM}


2. Media origin that is used by any security overlays or the media origin that is used by the UPA. For more information aboutmedia origins and the coordinate system that is used by AFP printers, see Intelligent Printer Data Stream Reference.

3. Narrow forms have perforations on the shorter edge of the paper and tractor holes on the longer edge. Wide forms haveperforations on the longer edge of the paper and tractor holes on the shorter edge.


Note: This parameter is required if Restrict printable area=YES is specified (oris a default) in the Infoprint Server Printer Inventory, SYSAREA=YES isspecified (or is a default) in the PRINTDEV statement for the data set, orUPADIM is specified.

[ UPADIM xlength_value ylength_value ]Specifies the size, in inches (IN) or millimeters (MM), of the UPA.

The size of the UPA is expressed as horizontal (xlength) and vertical (ylength)dimensions of the UPA for a particular page size and origin.

The valid values for inches can be from 0 to 22.75. The valid values formillimeters can be from 0.1 to 577.97. The values do not need to be in the sameunits and are entered as follows (the decimal point is optional for integervalues):nnn.nn {IN | MM}


Note: This parameter is required if Restrict printable area=YES is specified (oris a default) in the Infoprint Server Printer Inventory, SYSAREA=YES isspecified (or is a default) in the PRINTDEV statement for the data set, orUPAORG is specified.

[ SECOVLY name1 name2...name8 ]Specifies the names of the overlays to be used for this security label on boththe separator pages and the data pages.

One to eight overlays can be specified. These overlays must be in a securityoverlay library.


Notes:

1. Overlay names are restricted to 6 characters; PSF appends a two-characterprefix (O1).

2. If fonts or page segments are used in any of these overlays, the fonts mustbe in a security font library and the page segments must be in a securitypage-segment library.

3. This parameter is required if Label data pages=YES or Label separatorpages=YES is specified in the Infoprint Server Printer Inventory, orDPAGELBL=YES or SPAGELBL=YES is specified in the PRINTDEVstatement.

Rules for defining a security definitions memberThis list describes the rules for defining a single member in a security definitionslibrary:v For each PAPERNAM or PAPERSIZ parameter, up to two sets of TOP, UPAORG,

UPADIM, and SECOVLY parameters can be specified, one for the TOP WIDEparameter and one for the TOP NARROW parameter. If duplicate parameterswithin a set are specified, the last option for that parameter is used.

v The TOP parameter, if present, must be specified before the SECOVLY,UPAORG, and UPADIM parameters that correspond to the TOP parameter.

v The UPAORG, UPADIM, and SECOVLY parameters can be specified in anyorder. Either SECOVLY or both the UPAORG and the UPADIM parameter mustbe specified. All three can be used together.

v Multiple parameters and options can be specified in a single record.


v The delimiters that separate the parameters and options are one or moreconsecutive blanks, or the end of the line.

v Comments can be entered in the security member by entering an asterisk (*) asthe first nonblank character in a line. The rest of the record is ignored.Comments cannot appear on the same line as the parameters or options.

Note: When the paper is to be cut after printing (for example, 2-up printing), youmust take care to create secure overlays that appropriately label each of thesubsheets.

Sample security definitions memberThe member definition in Figure 7 is used when a SECLABEL of TOPSEC isspecified in the print job JCL and can be used for two paper types.

The coding for PAPERSIZ in Figure 7 produces a layout shown in Figure 8.

* SECURE.SECDEFS(TOPSEC)*** DEFINITION FOR CUT SHEET PAPER

PAPERSIZ 216 MM 11.00 INTOP NARROWUPAORG 0 IN 1 INUPADIM 8.5 IN 10.00 INSECOVLY TOPSEC

*** DEFINITION FOR CONTINUOUS FORMSPAPERNAM LISTING1TOP WIDEUPAORG 0 IN 1 INUPADIM 13.88 IN 10.00 INSECOVLY TOPSEC

* END SECURE.SECDEFS(TOPSEC)

Figure 7. Sample coding of a member. This member contains two entries, one for cut sheetand one for continuous forms.

UPAORG(0, 1)

UPA(shaded area)

UPADIM(8.5, 10)

Area for Identification Label

Figure 8. Page layout for a cut-sheet page


The coding for PAPERNAM LISTING1 in Figure 7 on page 14 produces a layout asillustrated in Figure 9.

Defining security resource librariesThe three types of security resources are overlays, page segments, and fonts. Thesetypes of resources are stored in a secure library, and they are managed differentlyfrom other resources that are stored on the system. You allocate a security resourcelibrary with the attributes that are listed in Table 3.

Table 3. Library attributes for a security resource library

Overlays and Page Segments Fonts

DSORG=POLRECL=8205BLKSIZE=8209RECFM=VBM

DSORG=POLRECL=12284BLKSIZE=12288RECFM=VBM

Security overlays are produced for each security label defined. One or moresecurity overlays can be defined for each size paper and page orientation that isused. Security fonts and security page segments are used within the securityoverlay. Security resource libraries are named in the PRINTDEV statement of thePSF startup procedure. See “Defining data definition names in the PRINTDEVstatement” on page 21 for the syntax that is used in the PRINTDEV statement.

Defining a security consoleYou can optionally receive security-related PSF messages at a security console, andyou can optionally elect not to receive PSF security-related messages at the masterconsole.

To route messages to a security console, change the ROUTCODE in theSYS1.PARMLIB(CONSOLxx) as illustrated in Figure 10.

Area for Identification Label

UPAORG(0, 1)

UPA(shaded area)

UPADIM13.88, 10)

Figure 9. Page layout for a continuous form

ROUTCODE(9)

Figure 10. ROUTCODE option for routing messages


To stop security-related PSF messages from reaching the master console, changethe ROUTCODE in SYS1.PARMLIB(CONSOLxx) as shown in Figure 11. With thisoption, all messages except security-related messages reach the master console.

Assembling separator pagesOptional exits are provided if random numbering of separator pages is needed. Forinformation about the exits that PSF provides, see PSF for z/OS: Customization.

The installation exits in Table 4 must be modified, assembled, installed, orlink-edited with the REPLACE option to print random numbers on job separatorpages.

Table 4. PSF exit routines in SYS1.SAMPLIB

Sample Routine Description

APSUX01S Source routine for security job headers.

APSUX02S Source routine for security job trailers.

Either use the supplied source or modify the source to meet your needs. Figure 3on page 4 illustrates the IBM-supplied security header and trailer pages in aprinted format.

Notes:

1. If APSUX01S and APSUX02S are used, they must replace APSUX01 andAPSUX02. Ensure that APSUC01 and APSUC02 are not used. If they are, deletethem because they override APSUX01 and APSUX02.

2. Separator pages do not have a UPA.

Enabling print labelingPSF supports print labeling in two ways:

Guaranteed print labelingGuaranteed print labeling ensures the integrity of the identification labelby preventing the user from changing the label. (See “Printer support inPSF” on page 9 for information about determining whether a printersupports guaranteed print labeling.) Ensure that the RACF option PSFMPLis set according to Figure 13 on page 17.

Nonguaranteed print labelingPrinters that do not support guaranteed print labeling can still printidentification labels, but the integrity of the labels cannot be guaranteed.For nonguaranteed print labeling, you must:1. Define the valid security labels to RACF as described in z/OS Security

Server RACF Security Administrator's Guide.2. Activate security label checking through TSO commands as in Figure 12

on page 17.

ROUTCODE(1-8,10-128)

Figure 11. ROUTCODE option for stopping messages


In addition, the RACF parameters that are shown in Figure 13 are optionalfor nonguaranteed print labeling. Other parameters in the PSF startupprocedure are used to enable nonguaranteed print labeling. For moreinformation, see “Updating initialization parameters” on page 18.

Note: PSF processing is different if print labeling is enabled. See “PSF processingdifferences with the print labeling function” for a list of differences.

Using RACF with PSF for z/OSUse RACF to activate PSFMPL and create RACF profiles.

Note: RACF CLASS PSFMPL must be refreshed after you activate PSFMPL orcreate new profiles.v To activate print labeling, use SETROPTS. To set print labeling defaults to YES,

use the RDEFINE command. RDEFINE creates RACF profiles. See Figure 13 forexamples of using SETROPTS and RDEFINE.

v If you want to authorize a print job submitter to override printer defaults, issuethe PERMIT commands in Figure 14 to add the user ID to the RACF profile.

v Whenever any of the commands that are shown in Figure 13 or Figure 14 areused, issue the REFRESH command that is illustrated in Figure 15 to refreshRACF.

For more information about RACF commands, see z/OS Security Server RACFSecurity Administrator's Guide.

PSF processing differences with the print labeling functionWhen you are using the print labeling function, PSF processing is different. Thedifferences include:v Security resources are accessed only from security libraries. A resource that is

loaded in the printer from a security library cannot be used to print user data.

SETROPTS CLASSACT(SECLABEL)SETROPTS RACLIST(SECLABEL) REFRESH

Figure 12. Activating SECLABEL

SETROPTS CLASSACT(PSFMPL)RDEFINE PSFMPL PSF.DPAGELBL UACC(NONE)RDEFINE PSFMPL PSF.SYSAREA UACC(NONE)

Figure 13. Using the RACF SETROPTS and RDEFINE commands

PERMIT PSF.DPAGELBL CLASS(PSFMPL) ID(userid) ACCESS(READ)PERMIT PSF.SYSAREA CLASS(PSFMPL) ID(userid) ACCESS(READ)

Figure 14. Adding a user ID to a RACF profile

SETROPTS RACLIST(PSFMPL) REFRESH

Figure 15. Refreshing RACF


v User resources are accessed only from user resource libraries. A resource that isloaded in the printer from a user library cannot be used to print identificationlabels.

v Security resources are loaded into the printer as required by the print data set.They typically are not deleted at the end of a data set, except when:– The resource deletion exit is used to delete the resources.– A job-trailer page is printed.

For more information about resource loading, deleting, and using installationexits, see PSF for z/OS: Customization.

v Suppression of trailer pages by using JES operator commands can impact printerperformance because printer storage can be exceeded.

v An audit is done whenever a data set is printed on a nonguaranteed printer.

Printable area considerationsIf PSFMPL is active, the Restrict printable area parameter in the InfoprintServer Printer Inventory or the SYSAREA parameter in the PRINTDEV statementdefaults to YES.

If PSFMPL is not active, the Restrict printable area parameter in the PrinterInventory or the SYSAREA parameter in the PRINTDEV statement defaults to NO.

If you are using a nonguaranteed printer, these parameters must be set to NO oran abend occurs. For more information, see “Updating print labeling parameters”on page 20.

Updating initialization parametersBefore you start a PSF functional subsystem (FSS), you must have a cataloged PSFstartup procedure in SYS1.PROCLIB or in a procedure library that is concatenatedto the JES startup procedure. The PSF startup procedure specifies PSF initializationparameters that tell PSF where security resources and security definitions arelocated. Figure 16 on page 19 lists a sample PSF startup procedure that includesparameters that are modified for print labeling.


//J2PSF00 PROC//STEP01 EXEC PGM=APSPPIEP,REGION=4M,PARM=(,FULL)//SYSABEND DD SYSOUT=A//SYSUDUMP DD SYSOUT=A//JOBHDR OUTPUT PAGEDEF=A06462,// FORMDEF=A10110//JOBTLR OUTPUT PAGEDEF=A06462,// FORMDEF=A10110//DSHDR OUTPUT PAGEDEF=A06462,// FORMDEF=A10110//MSGDS OUTPUT PAGEDEF=A06462,// FORMDEF=A10110//FONT01 DD DSN=TEST.FONTLIBB,DISP=SHR// DD DSN=SYS1.FONTLIBB,DISP=SHR//PSEG01 DD DSN=TEST.SEGMENT,DISP=SHR// DD DSN=SYS1.SEGMENT,DISP=SHR//OLAY01 DD DSN=TEST.OVERLAY,DISP=SHR// DD DSN=SYS1.OVERLAY,DISP=SHR//FDEF01 DD DSN=TEST.FORMDEF,DISP=SHR// DD DSN=SYS1.FORMDEF,DISP=SHR//PDEF01 DD DSN=TEST.PAGEDEF,DISP=SHR// DD DSN=SYS1.PAGEDEF.DISP=SHR//SFONT1 DD DSN=SECURE.FONTLIBB,DISP=SHR /* DD statements used for print labeling. *///SFONT2 DD DSN=SECURE.FONTL240,DISP=SHR /* *///SFONT3 DD DSN=SECURE.FONTL300,DISP=SHR /* *///SOLAY1 DD DSN=SECURE.OVERLAY,DISP=SHR /* *///SPSEG1 DD DSN=SECURE.SEGMENT,DISP=SHR /* *///SPSEG2 DD DSN=SECURE.SEGMT240,DISP=SHR /* *///SPSEG3 DD DSN=SECURE.SEGMT300,DISP=SHR /* *///SDEF1 DD DSN=SECURE.SECDEFS,DISP=SHR /* A member in SDEF1, SDEF2, or SDEF3 *///SDEF2 DD DSN=SECURE.SECDF240,DISP=SHR /* matches the SECLABEL on the job card. *///SDEF3 DD DSN=SECURE.SECDF300,DISP=SHR /* *///PRT10 CNTL//PRT10 PRINTDEV FONTDD=*.FONT01,// OVLYDD=*.OLAY01,// PSEGDD=*.PSEG01,// PDEFDD=*.PDEF01,// FDEFDD=*.FDEF01,// JOBHDR=*.JOBHDR,// JOBTRLR=*.JOBTLR,// DSHDR=*.DSHDR,// MESSAGE=*.MSGDS,// SFONTDD=*.SFONT1, /* These PRINTDEV statements correspond to */// SFONT240=*.SFONT2, /* the DD statements used for print labeling. */// SFONT300=*.SFONT3, /* */// SOVLY=*.SOLAY1, /* */// SPSEGDD=*.SPSEG1, /* */// SPSEG240=*.SPSEG2, /* */// SPSEG300=*.SPSEG3, /* */// SDEFDD=*.SDEF1, /* */// SDEF240=*SDEF2, /* */// SDEF300=*.SDEF3, /* */// PAGEDEF=A06462,// FORMDEF=A10110,// CHARS=(60DB),// TRACE=YES,// DATACK=BLOCK,// BUFNO=5,// SPAGELBL=YES, /* These parameters enable print labeling if */// DPAGELBL=YES, /* PSFMPL is not active. */// SYSAREA=YES, /* */// PIMSG=YES//PRT10 ENDCNTL

Figure 16. Sample PSF startup procedure with comments for security-related parameters. A sample startup procedureis provided in SYS1.PROCLIB.


For more information about PSF initialization parameters, see PSF for z/OS:Customization.

Updating print labeling parametersYou can use the Infoprint Server Printer Inventory, the PRINTDEV statement in thePSF startup procedure, or the OUTPUT JCL statement to enable print labeling.Table 5 lists the parameters that you can use.

Using the Printer Inventory is more efficient than using the PSF startup procedurebecause it avoids the need to restart all the printers in a startup procedure whenyou change parameters. Only the printer for which parameters are changed needsto be restarted.

Keep in mind:

1. Parameters available in the Printer Inventory are ignored in the PSF startupprocedure when the Printer Inventory is used. Therefore, if you use the PrinterInventory, you must specify the parameters in the Printer Inventory instead ofthe startup procedure.

2. You can use the Printer Inventory component of Infoprint Server withoutlicensing the Infoprint Server feature of z/OS. For more information, see z/OSInfoprint Server Printer Inventory for PSF.

To use the Printer Inventory, you must specify the Printer Inventory name on theINV parameter in the PARM field of the EXEC statement for the startup procedure:// EXEC PGM=APSPPIEP,PARM=(’INV=piname’)

where piname is the four-character name of the Printer Inventory that is specifiedin the Infoprint Server configuration file. For example, // EXECPGM=APSPPIEP,PARM=(’INV=AOPI’) specifies the default name of the PrinterInventory.

You can use either the Printer Inventory Definition Utility (PIDU) or the PrinterInventory ISPF panels to enable print labeling in the Printer Inventory (for moreinformation, see PSF for z/OS: Customization). When you are defining parameters onthe ISPF panels, see the online help for information about each parameter.

Table 5. Parameters for enabling print labeling

Printer Inventory PRINTDEV OUTPUT Description

ISPF Panel PIDU

Label data pagesValues:

1 = Yes2 = No

label-data-pagesValues:

yesno

DPAGELBLValues:

YESNO

DPAGELBLValues:

YESNO

Indicates whether a label isprinted on each data page.

Label separatorpagesValues:

1 = Yes2 = No

label-separator-pagesValues:

yesno

SPAGELBLValues:

YESNO

Indicates whether a label isprinted on a separator page.


Table 5. Parameters for enabling print labeling (continued)

Printer Inventory PRINTDEV OUTPUT Description

ISPF Panel PIDU

Restrict printableareaValues:

1 = Yes2 = No

restrict-printable-areaValues:

yesno

SYSAREAValues:

YESNO

SYSAREAValues:

YESNO

Indicates whether the printablearea is restricted to thesystem-defined UPA. If theprintable area is restricted, thearea outside the UPA is reservedfor a security label and anyattempt to print in the reservedarea results in error messages. Ifyour printer does not supportguaranteed print labeling, thisparameter must be set to NO.

Note: In these parameters, the default is YES if PSFMPL is active; NO if PSFMPL is not active.

Defining data definition names in the PRINTDEV statementThese parameters are used to define security-related data definition names in thePRINTDEV statement:

SFONTDD=*.ddnameDefines the default secure font library. This ddname is required if a securityoverlay references a font.

SFONT240=*.ddnameDefines the secure font library for 240-pel fonts. This ddname is optional if allreferenced 240-pel fonts are found in the default secure font library.

SFONT300=*.ddnameDefines the secure font library for 300-pel fonts. This ddname is optional if allreferenced 300-pel fonts are found in the default secure font library.

SOVLYDD=*.ddnameDefines the default secure overlay library. This ddname is required if a securityoverlay is used to print identification labels.

SOVLY240=*.ddnameDefines the secure overlay library for overlays that print best at 240-pelresolution. This ddname is optional if all such overlays are found in the defaultsecure overlay library.

SOVLY300=*.ddnameDefines the secure overlay library for overlays that print best at 300-pelresolution. This ddname is optional if all such overlays are found in the defaultsecure overlay library.

SPSEGDD=*.ddnameDefines the default secure page segment library. This ddname is required if asecurity overlay references a page segment.

SPSEG240=*.ddnameDefines the secure page segment library for page segments that print best at240-pel resolution. This ddname is optional if all such page segments are foundin the default secure page segment library.

SPSEG300=*.ddnameDefines the secure page segment library for page segments that print best at


300-pel resolution. This ddname is optional if all such page segments are foundin the default secure page segment library.

SDEFDD=*.ddnameDefines the default security definitions library. This ddname is required forprint labeling.

SDEF240=*.ddnameDefines the security definitions library for printing at 240-pel resolution. Thisddname is optional if all such page segments are found in the default securitydefinitions library.

SDEF300=*.ddnameDefines the security definitions library for printing at 300-pel resolution. Thisddname is optional if all such page segments are found in the default securitydefinitions library.

These parameters refer to the libraries named in the startup procedure; seeFigure 16 on page 19.

Note: Even if you used the Printer Inventory to enable print labeling, you muststill specify these parameters in the PRINTDEV statement.

Submitting a print job that includes identification labelsAfter you define a security definitions library, update PSF initialization parameters,and create security resources, you are ready to submit a print job. To submit aprint job and have that job print with the correct identification label, follow thisprocedure to ensure that a member exists in the security definitions library withthe same name as each SECLABEL that is defined to RACF by the securityadministrator:1. The security administrator defines a set of security labels to be used by the

installation.2. The security administrator associates SECLABELs with every user on the

system.3. The print administrator creates a member in the security definitions library to

match the name of every SECLABEL defined to the system.4. The user submits the job, the user's SECLABEL is matched and the appropriate

security labeling is printed on the user's output.

For example, if you want to print the identification label that is associated with thesecurity label of TOPSEC, specify SECLABEL=TOPSEC in the job card. PSF usesthe member that is named SECURE.SECDEFS(TOPSEC) to find the security overlaythat is identified for the TOPSEC security label.

Figure 17 on page 23 shows an example of using the SECLABEL parameter in thejob card. Figure 7 on page 14 shows an example of the definitions that are used inSECURE.SECDEF(TOPSEC).


Overriding print labeling defaultsIf authorized by RACF, you can use these JCL keywords in the OUTPUT statementto change the definition of print labeling:

DPAGELBL=YES|NOIndicates whether a label is printed on each data page.

SYSAREA=YES|NOIndicates whether the printable area is restricted to the system-defined UPA.

If SYSAREA=YES is specified, any attempt to print outside the UPA results inerror messages.

If your printer does not support guaranteed print labeling, use SYSAREA=NO.To determine whether your printer supports guaranteed print labeling, see“Printer support in PSF” on page 9.

Figure 18 shows an example of the OUTPUT statement that is used to override PSFdefaults.

Maintaining PSF for z/OS with print labeling enabledThe following information is used to maintain PSF when print labeling is enabled.

Auditing PSF printingPSF uses the SMF type 6 record to audit certain events that can indicate a securityexception. Only one record is written per data set, but the record can containnumerous conditions.

The following information is included in the SMF type 6 record to support printlabeling:v Indicator that flags JCL keywords that are in effect during printing.v Indicator that flags a successful print operation.v Indicator that flags an error that occurred during overlay processing.

//TESTER1 JOB (SYS10000),USER=TESTER1,// CLASS=A,MSGCLASS=T,MSGLEVEL=(1,1),REGION=4M,// SECLABEL=TOPSEC...

Figure 17. Sample JCL job card. The SECLABEL=TOPSEC points to a member namedTOPSEC in a security definitions library.

.

.

.//OUTPUT1 OUTPUT FORMDEF=IPGP00,DATACK=UNBLOCK,// DPAGELBL=YES,SYSAREA=NO//SYSUT1 DD SYSOUT=L,DCB=(RECL=VBA,BLKSIZE=8192),// OUTPUT=*.OUTPUT1

Figure 18. Sample JCL output statement. The statement shows an override that activatesdata page labeling without UPA enforcement.


v Indicator that flags a hardware error that occurred.v Indicator that flags printed job-trailer pages.v Indicator that flags printed job-header pages.v Indicator that flags that the user suppressed data-page labeling.v Indicator that flags that the user suppressed UPA enforcement.v Identifier for the job or group identifier for the data set.v Identifier for the page definition name.v Identifier for the form definition name.v Identifier for the number of security overlays that are used.v Identifier for the number of security fonts that are used.v Identifier for the number of security page segments that are used.

For more information about the SMF type 6 record that PSF generates, see PSF forz/OS: Customization.

Interpreting security-related messagesIf you receive a PSF error message that relates to print labeling, see PSF for z/OS:Messages and Codes for more information.

PSF security-related messages are received at these locations:v Within a print jobv At the security consolev At the master console

A PSF message number can be placed in these JES messages:v HASP704v IAT706I

Diagnosing print labeling problemsThe problems in Table 6 on page 25 can occur when you are using the printlabeling function.


Table 6. Print labeling diagnosis

Problem Possible Causes

No identification label isprinted on any page.

v Security definitions library member does not name a security overlay or names anoverlay that does not contain any labeling information.

v PSFMPL is not active and:

– Label data pages and Label separator pages are not specified in the PrinterInventory or DPAGELBL and SPAGELBL are not specified in the PRINTDEVstatement for the printer that printed the file.

– Label data pages=NO and Label separator pages=NO are specified in the PrinterInventory or DPAGELBL=NO and SPAGELBL=NO are specified in thePRINTDEV statement for the printer that printed the file.

– Label data pages=YES and Label separator pages=NO are specified in the PrinterInventory or DPAGELBL=YES and SPAGELBL=NO are specified in thePRINTDEV statement for the printer that printed the file, but the print-jobsubmitter specified DPAGELBL=NO on the OUTPUT statement for the file.

– Label data pages=NO and Label separator pages=YES are specified in the PrinterInventory or DPAGELBL=NO and SPAGELBL=YES are specified in thePRINTDEV statement for the printer that printed the file, but separator pageswere suppressed by an operator command.

– Label data pages=YES and Label separator pages=YES are specified in thePrinter Inventory or DPAGELBL=YES and SPAGELBL=YES are specified in thePRINTDEV statement for the printer that printed the file, but separator pageswere suppressed by an operator command and the print-job submitter specifiedDPAGELBL=NO on the OUTPUT statement for the file.

v PSFMPL is active and:

– Label data pages=NO and Label separator pages=NO are specified in the PrinterInventory or DPAGELBL=NO and SPAGELBL=NO are specified in thePRINTDEV statement for the printer that printed the file.

– Label data pages=YES and Label separator pages=NO are specified in the PrinterInventory or DPAGELBL=YES and SPAGELBL=NO are specified in thePRINTDEV statement for the printer that printed the file, but the print-jobsubmitter specified DPAGELBL=NO on the OUTPUT statement for the file andis RACF-authorized to override data page labeling.

– Label data pages=NO and Label separator pages=YES are specified in the PrinterInventory or DPAGELBL=NO and SPAGELBL=YES are specified in thePRINTDEV statement for the printer that printed the file, but separator pageswere suppressed by an operator command.

– Label data pages=YES and Label separator pages=YES are specified in thePrinter Inventory or DPAGELBL=YES and SPAGELBL=YES are specified in thePRINTDEV statement for the printer that printed the file, but separator pageswere suppressed by an operator command and the print-job submitter specifiedDPAGELBL=NO on the OUTPUT statement for the file and is RACF-authorizedto override data page labeling.


Table 6. Print labeling diagnosis (continued)


Identification label isprinted on separator pages,but is not printed on datapages.


– Label separator pages=YES but Label data pages is not specified in the PrinterInventory, or SPAGELBL=YES but DPAGELBL is not specified in the PRINTDEVstatement for the printer that printed the file.

– Label data pages=NO and Label separator pages=YES are specified in the PrinterInventory or DPAGELBL=NO and SPAGELBL=YES are specified in thePRINTDEV statement for the printer that printed the file.

– Label data pages=YES and Label separator pages=YES are specified in thePrinter Inventory or DPAGELBL=YES and SPAGELBL=YES are specified in thePRINTDEV statement for the printer that printed the file, but the print-jobsubmitter specified DPAGELBL=NO on the OUTPUT statement for the file.


– Label data pages=NO but Label separator pages is not specified in the PrinterInventory, or DPAGELBL=NO but SPAGELBL is not specified in the PRINTDEVstatement for the printer that printed the file.

– Label data pages=NO and Label separator pages=YES are specified in the PrinterInventory or DPAGELBL=NO and SPAGELBL=YES are specified in thePRINTDEV statement for the printer that printed the file.

– Label data pages=YES and Label separator pages=YES are specified in thePrinter Inventory or DPAGELBL=YES and SPAGELBL=YES are specified in thePRINTDEV statement for the printer that printed the file, but the print-jobsubmitter specified DPAGELBL=NO on the OUTPUT statement for the file andis RACF-authorized to override data page labeling.


Table 6. Print labeling diagnosis (continued)


Identification label isprinted on data pages, but isnot printed on separatorpages.


– Label data pages=YES but Label separator pages is not specified in the PrinterInventory, or DPAGELBL=YES but SPAGELBL is not specified in the PRINTDEVstatement for the printer that printed the file.

– Label data pages=YES and Label separator pages=NO are specified in the PrinterInventory or DPAGELBL=YES and SPAGELBL=NO are specified in thePRINTDEV statement for the printer that printed the file.

– Label data pages=NO and Label separator pages=NO are specified in the PrinterInventory or DPAGELBL=NO and SPAGELBL=NO are specified in thePRINTDEV statement for the printer that printed the file, but the print-jobsubmitter specified DPAGELBL=YES on the OUTPUT statement for the file.

– Label data pages=NO and Label separator pages=YES are specified in the PrinterInventory or DPAGELBL=NO and SPAGELBL=YES are specified in thePRINTDEV statement for the printer that printed the file, but the print-jobsubmitter specified DPAGELBL=YES on the OUTPUT statement for the file andseparator pages were suppressed by an operator command.


– Label separator pages=NO but Label data pages is not specified in the PrinterInventory, or SPAGELBL=NO but DPAGELBL is not specified in the PRINTDEVstatement for the printer that printed the file.

– Label data pages=YES and Label separator pages=NO are specified in the PrinterInventory or DPAGELBL=YES and SPAGELBL=NO are specified in thePRINTDEV statement for the printer that printed the file.

– Label data pages=NO and Label separator pages=NO are specified in the PrinterInventory or DPAGELBL=NO and SPAGELBL=NO are specified in thePRINTDEV statement for the printer that printed the file, but the print-jobsubmitter specified DPAGELBL=YES on the OUTPUT statement for the file.

– Label data pages=NO and Label separator pages=YES are specified in the PrinterInventory or DPAGELBL=NO and SPAGELBL=YES are specified in thePRINTDEV statement for the printer that printed the file, but the print-jobsubmitter specified DPAGELBL=YES on the OUTPUT statement for the file andseparator pages were suppressed by an operator command.

Wrong data in identificationlabel.

v Print-job submitter specified wrong SECLABEL on job card.

v Wrong security overlay is specified in the security definitions library member forthe SECLABEL on the job card and the size of paper in the printer that printed thefile.

v Security definitions library member names an overlay that contains the wronglabeling information.

v Overlay names were changed in the security overlay library.

Wrong page segment inidentification label.

v Security overlay is named the wrong page segment.

v Page segment names were changed in the security page segment library.

Wrong overlay is used foridentification label.

v Print-job submitter specified wrong SECLABEL on job card.

v Wrong security overlay is specified in the security definitions library member forthe SECLABEL on the job card and the size of paper in the printer that printed thefile.

v Overlay names were changed in the security overlay library.


Appendix A. Security page layout

The template in Figure 19 is provided to help you determine the dimensions thatyou need when you design pages for the print labeling function. This template canbe used to help define where identification label placement occurs and to helpdetermine the dimensions of the user-printable area (UPA). For information aboutusing these measurements to code a security definition, see “Defining a securitydefinitions library” on page 11. To determine the printable area dimensions yourprinter supports, see the documentation that is provided with the printer.

Page Length

UPA

(shaded a

rea)

UPA

OR

G P

oin

t(x

org

valu

e, yorg

valu

e)

Page

Wid

th

UPA

DIM

Dim

ensio

n(x

length

valu

e, yle

ngth

valu

e)

Are

a for

Identification L

abel

xle

ngth

ylength

Figure 19. Security page layout. This template is for a page that is defined as TOP=NARROW.


Appendix B. PAPERNAM table for system-defined papernames

Table 7 lists the paper names that you can select for the PAPERNAM parameter.

Table 7. PAPERNAM parameter values

Paper NamePaper Size: Width by Heightin Millimeters

Paper Size: Width by Heightin Inches

A4 210 x 297 8.27 x 11.69

B4 257 x 364 10.12 x 14.33

B5 182 x 257 7.17 x 10.12

EXEC1 178 x 267 7.00 x 10.50

EXEC2 184 x 267 7.25 x 10.50

EXEC3 190 x 267 7.50 x 10.50

LEGAL 216 x 356 8.50 x 14.00

LETTER 216 x 279 8.50 x 11.00

LISTING1 378 x 279 14.88 x 11.00

LISTING2 305 x 216 12.00 x 8.50


Appendix C. Accessibility

Accessible publications for this product are offered through IBM KnowledgeCenter (www.ibm.com/support/knowledgecenter/SSLTBW/welcome).

If you experience difficulty with the accessibility of any z/OS information, send adetailed message to the Contact z/OS web page (www.ibm.com/systems/z/os/zos/webqs.html) or use the following mailing address.

IBM CorporationAttention: MHVRCFS Reader CommentsDepartment H6MA, Building 7072455 South RoadPoughkeepsie, NY 12601-5400United States

Accessibility features

Accessibility features help users who have physical disabilities such as restrictedmobility or limited vision use software products successfully. The accessibilityfeatures in z/OS can help users do the following tasks:v Run assistive technology such as screen readers and screen magnifier software.v Operate specific or equivalent features by using the keyboard.v Customize display attributes such as color, contrast, and font size.

Consult assistive technologiesAssistive technology products such as screen readers function with the userinterfaces found in z/OS. Consult the product information for the specific assistivetechnology product that is used to access z/OS interfaces.

Keyboard navigation of the user interfaceYou can access z/OS user interfaces with TSO/E or ISPF. The followinginformation describes how to use TSO/E and ISPF, including the use of keyboardshortcuts and function keys (PF keys). Each guide includes the default settings forthe PF keys.v z/OS TSO/E Primer

v z/OS TSO/E User's Guide

v z/OS ISPF User's Guide Vol I

Dotted decimal syntax diagramsSyntax diagrams are provided in dotted decimal format for users who access IBMKnowledge Center with a screen reader. In dotted decimal format, each syntaxelement is written on a separate line. If two or more syntax elements are alwayspresent together (or always absent together), they can appear on the same linebecause they are considered a single compound syntax element.

Each line starts with a dotted decimal number; for example, 3 or 3.1 or 3.1.1. Tohear these numbers correctly, make sure that the screen reader is set to read out


http://www.ibm.com/support/knowledgecenter/SSLTBW/welcome

http://www.ibm.com/support/knowledgecenter/SSLTBW/welcome



punctuation. All the syntax elements that have the same dotted decimal number(for example, all the syntax elements that have the number 3.1) are mutuallyexclusive alternatives. If you hear the lines 3.1 USERID and 3.1 SYSTEMID, yoursyntax can include either USERID or SYSTEMID, but not both.

The dotted decimal numbering level denotes the level of nesting. For example, if asyntax element with dotted decimal number 3 is followed by a series of syntaxelements with dotted decimal number 3.1, all the syntax elements numbered 3.1are subordinate to the syntax element numbered 3.

Certain words and symbols are used next to the dotted decimal numbers to addinformation about the syntax elements. Occasionally, these words and symbolsmight occur at the beginning of the element itself. For ease of identification, if theword or symbol is a part of the syntax element, it is preceded by the backslash (\)character. The * symbol is placed next to a dotted decimal number to indicate thatthe syntax element repeats. For example, syntax element *FILE with dotted decimalnumber 3 is given the format 3 \* FILE. Format 3* FILE indicates that syntaxelement FILE repeats. Format 3* \* FILE indicates that syntax element * FILErepeats.

Characters such as commas, which are used to separate a string of syntaxelements, are shown in the syntax just before the items they separate. Thesecharacters can appear on the same line as each item, or on a separate line with thesame dotted decimal number as the relevant items. The line can also show anothersymbol to provide information about the syntax elements. For example, the lines5.1*, 5.1 LASTRUN, and 5.1 DELETE mean that if you use more than one of theLASTRUN and DELETE syntax elements, the elements must be separated by a comma.If no separator is given, assume that you use a blank to separate each syntaxelement.

If a syntax element is preceded by the % symbol, it indicates a reference that isdefined elsewhere. The string that follows the % symbol is the name of a syntaxfragment rather than a literal. For example, the line 2.1 %OP1 means that you mustrefer to separate syntax fragment OP1.

The following symbols are used next to the dotted decimal numbers.

? indicates an optional syntax elementThe question mark (?) symbol indicates an optional syntax element. A dotteddecimal number followed by the question mark symbol (?) indicates that allthe syntax elements with a corresponding dotted decimal number, and anysubordinate syntax elements, are optional. If there is only one syntax elementwith a dotted decimal number, the ? symbol is displayed on the same line asthe syntax element, (for example 5? NOTIFY). If there is more than one syntaxelement with a dotted decimal number, the ? symbol is displayed on a line byitself, followed by the syntax elements that are optional. For example, if youhear the lines 5 ?, 5 NOTIFY, and 5 UPDATE, you know that the syntax elementsNOTIFY and UPDATE are optional. That is, you can choose one or none of them.The ? symbol is equivalent to a bypass line in a railroad diagram.

! indicates a default syntax elementThe exclamation mark (!) symbol indicates a default syntax element. A dotteddecimal number followed by the ! symbol and a syntax element indicate thatthe syntax element is the default option for all syntax elements that share thesame dotted decimal number. Only one of the syntax elements that share thedotted decimal number can specify the ! symbol. For example, if you hear thelines 2? FILE, 2.1! (KEEP), and 2.1 (DELETE), you know that (KEEP) is the


default option for the FILE keyword. In the example, if you include the FILEkeyword, but do not specify an option, the default option KEEP is applied. Adefault option also applies to the next higher dotted decimal number. In thisexample, if the FILE keyword is omitted, the default FILE(KEEP) is used.However, if you hear the lines 2? FILE, 2.1, 2.1.1! (KEEP), and 2.1.1(DELETE), the default option KEEP applies only to the next higher dotteddecimal number, 2.1 (which does not have an associated keyword), and doesnot apply to 2? FILE. Nothing is used if the keyword FILE is omitted.

* indicates an optional syntax element that is repeatableThe asterisk or glyph (*) symbol indicates a syntax element that can berepeated zero or more times. A dotted decimal number followed by the *symbol indicates that this syntax element can be used zero or more times; thatis, it is optional and can be repeated. For example, if you hear the line 5.1*data area, you know that you can include one data area, more than one dataarea, or no data area. If you hear the lines 3* , 3 HOST, 3 STATE, you knowthat you can include HOST, STATE, both together, or nothing.

Notes:

1. If a dotted decimal number has an asterisk (*) next to it and there is onlyone item with that dotted decimal number, you can repeat that same itemmore than once.

2. If a dotted decimal number has an asterisk next to it and several itemshave that dotted decimal number, you can use more than one item from thelist, but you cannot use the items more than once each. In the previousexample, you can write HOST STATE, but you cannot write HOST HOST.

3. The * symbol is equivalent to a loopback line in a railroad syntax diagram.

+ indicates a syntax element that must be includedThe plus (+) symbol indicates a syntax element that must be included at leastonce. A dotted decimal number followed by the + symbol indicates that thesyntax element must be included one or more times. That is, it must beincluded at least once and can be repeated. For example, if you hear the line6.1+ data area, you must include at least one data area. If you hear the lines2+, 2 HOST, and 2 STATE, you know that you must include HOST, STATE, orboth. Similar to the * symbol, the + symbol can repeat a particular item if it isthe only item with that dotted decimal number. The + symbol, like the *symbol, is equivalent to a loopback line in a railroad syntax diagram.

Appendix C. Accessibility 35

Notices

This information was developed for products and services that are offered in theUSA or elsewhere.

IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user's responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not grant youany license to these patents. You can send license inquiries, in writing, to:

IBM Director of LicensingIBM CorporationNorth Castle Drive, MD-NC119Armonk, NY 10504-1785United States of America

For license inquiries regarding double-byte character set (DBCS) information,contact the IBM Intellectual Property Department in your country or sendinquiries, in writing, to:

Intellectual Property LicensingLegal and Intellectual Property LawIBM Japan Ltd.19-21, Nihonbashi-Hakozakicho, Chuo-kuTokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law:INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express orimplied warranties in certain transactions, therefore, this statement may not applyto you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.


This information could include missing, incorrect, or broken hyperlinks.Hyperlinks are maintained in only the HTML plug-in output for the KnowledgeCenters. Use of hyperlinks in other output formats of this information is at yourown risk.

Any references in this information to non-IBM websites are provided forconvenience only and do not in any manner serve as an endorsement of thosewebsites. The materials at those websites are not part of the materials for this IBMproduct and use of those websites is at your own risk.

IBM may use or distribute any of the information you supply in any way itbelieves appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:

IBM CorporationSite Counsel2455 South RoadPoughkeepsie, NY 12601-5400USA

Such information may be available, subject to appropriate terms and conditions,including in some cases, payment of a fee.

The licensed program described in this document and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement or any equivalent agreementbetween us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurements may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.

All statements regarding IBM's future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.


COPYRIGHT LICENSE:

This information contains sample application programs in source language, whichillustrate programming techniques on various operating platforms. You may copy,modify, and distribute these sample programs in any form without payment toIBM, for the purposes of developing, using, marketing or distributing applicationprograms conforming to the application programming interface for the operatingplatform for which the sample programs are written. These examples have notbeen thoroughly tested under all conditions. IBM, therefore, cannot guarantee orimply reliability, serviceability, or function of these programs. The sampleprograms are provided "AS IS", without warranty of any kind. IBM shall not beliable for any damages arising out of your use of the sample programs.

Terms and conditions for product documentationPermissions for the use of these publications are granted subject to the followingterms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBMwebsite.

Personal use

You may reproduce these publications for your personal, noncommercial useprovided that all proprietary notices are preserved. You may not distribute, displayor make derivative work of these publications, or any portion thereof, without theexpress consent of IBM.

Commercial use

You may reproduce, distribute and display these publications solely within yourenterprise provided that all proprietary notices are preserved. You may not makederivative works of these publications, or reproduce, distribute or display thesepublications or any portion thereof outside your enterprise, without the expressconsent of IBM.

Rights

Except as expressly granted in this permission, no other permissions, licenses orrights are granted, either express or implied, to the publications or anyinformation, data, software or other intellectual property contained therein.

IBM reserves the right to withdraw the permissions granted herein whenever, in itsdiscretion, the use of the publications is detrimental to its interest or, asdetermined by IBM, the above instructions are not being properly followed.

You may not download, export or re-export this information except in fullcompliance with all applicable laws and regulations, including all United Statesexport laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESEPUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUTWARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDINGBUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY,

Notices 39

NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.

IBM Online Privacy StatementIBM Software products, including software as a service solutions, (“SoftwareOfferings”) may use cookies or other technologies to collect product usageinformation, to help improve the end user experience, to tailor interactions withthe end user, or for other purposes. In many cases no personally identifiableinformation is collected by the Software Offerings. Some of our Software Offeringscan help enable you to collect personally identifiable information. If this SoftwareOffering uses cookies to collect personally identifiable information, specificinformation about this offering’s use of cookies is set forth below.

Depending upon the configurations deployed, this Software Offering may usesession cookies that collect each user’s name, email address, phone number, orother personally identifiable information for purposes of enhanced user usabilityand single sign-on configuration. These cookies can be disabled, but disablingthem will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customerthe ability to collect personally identifiable information from end users via cookiesand other technologies, you should seek your own legal advice about any lawsapplicable to such data collection, including any requirements for notice andconsent.

For more information about the use of various technologies, including cookies, forthese purposes, see IBM’s Privacy Policy at ibm.com/privacy and IBM’s OnlinePrivacy Statement at ibm.com/privacy/details in the section entitled “Cookies,Web Beacons and Other Technologies,” and the “IBM Software Products andSoftware-as-a-Service Privacy Statement” at ibm.com/software/info/product-privacy.

Policy for unsupported hardwareVarious z/OS elements, such as DFSMS, JES2, JES3, and MVS™, contain code thatsupports specific hardware servers or devices. In some cases, this device-relatedelement support remains in the product even after the hardware devices pass theirannounced End of Service date. z/OS may continue to service element code;however, it will not provide service related to unsupported hardware devices.Software problems related to these devices will not be accepted for service, andcurrent service activity will cease if a problem is determined to be associated without-of-support devices. In such cases, fixes will not be issued.

Minimum supported hardwareThe minimum supported hardware for z/OS releases identified in z/OSannouncements can subsequently change when service for particular servers ordevices is withdrawn. Likewise, the levels of other software products supported ona particular release of z/OS are subject to the service support lifecycle of thoseproducts. Therefore, z/OS and its product publications (for example, panels,samples, messages, and product documentation) can include references tohardware and software that is no longer supported.v For information about software support lifecycle, see: IBM Lifecycle Support for

z/OS (www.ibm.com/software/support/systemsz/lifecycle)


http://www.ibm.com/privacy

http://www.ibm.com/privacy/details

http://www.ibm.com/software/info/product-privacy

http://www.ibm.com/software/info/product-privacy

http://www.ibm.com/software/support/systemsz/lifecycle

http://www.ibm.com/software/support/systemsz/lifecycle

v For information about currently-supported IBM hardware, contact your IBMrepresentative.

TrademarksIBM, the IBM logo, and ibm.com are trademarks or registered trademarks ofInternational Business Machines Corp., registered in many jurisdictions worldwide.Other product and service names might be trademarks of IBM or other companies.A current list of IBM trademarks is available at Copyright and Trademarkinformation (www.ibm.com/legal/copytrade.shtml).

UNIX is a registered trademark of The Open Group in the United States and othercountries.

Notices 41

http://www.ibm.com/legal/copytrade.shtml

http://www.ibm.com/legal/copytrade.shtml

Glossary

This glossary defines technical terms andabbreviations used in PSF for z/OSdocumentation. If you do not find the term youare looking for, see IBM Glossary of ComputingTerms (www.ibm.com/software/globalization/terminology).

These cross-references are used in this glossary:

See Refers to preferred synonyms or todefined terms for acronyms andabbreviations.

See alsoRefers to related terms that have similar,but not synonymous, meanings, or tocontrasted terms that have opposite orsubstantively different meanings.

A

access controlThe process of ensuring that users canaccess only those resources of a computersystem for which they are authorized.

C

concatenated data setA group of logically connected data setsthat are treated as one data set for theduration of a job step. See also data set,partitioned data set, and library.

consoleA display station from which an operatorcan control and observe the systemoperation.

D

data setThe major unit of data storage andretrieval, consisting of a collection of datain one of several prescribed arrangementsand described by control information towhich the system has access. See also file,concatenated data set, partitioned dataset, and sequential data set.

data set headerA page in printed output that separatesmultiple data sets or multiple copies of adata set within a print job. See also jobheader.

F

file

1. A collection of related data that isstored and retrieved by an assignedname. A file can include informationthat starts a program (program-fileobject), contains text or graphics(data-file object), or processes a seriesof commands (batch file).

2. See also data set, partitioned data set,sequential data set, and library.

font

1. A family or assortment of charactersof a given size and style, for example,9-point Bodoni modern. A font has aunique name and might have aregistry number.

2. A particular type style (for example,Bodoni or Times Roman) that containsdefinitions of character sets, markersets, and pattern sets.

form definitionAn AFP resource object used by PSF thatdefines the characteristics of the form orprinted media, including: overlays to beused, duplex printing, text suppression,the position of composed-text data on theform, and the number and modificationsof a page.

FSA See functional subsystem application.

FSS See functional subsystem.

functional subsystem (FSS)An extension of JES that runs in anaddress space separate from the JESaddress space. An FSS provides supportfor an auxiliary function to JESprocessing, such as a peripheral device orother component.

functional subsystem application (FSA)

1. An area within the functionalsubsystem (FSS) that drives andmanages a single printer. FSAs areidentified with JES printer definitions.

2. An application that uses the supportfacilities of the functional subsystem(FSS) to communicate with JES.


http://www.ibm.com/software/globalization/terminology



G

guaranteed print labelingA method of print labeling that ensuresthe integrity of the identification label bypreventing the user from changing thelabel. If attempts are made to overrideprint labeling, printing is stopped, and anaudit record is written. See alsononguaranteed print labeling andidentification label.

I

identification labelIn PSF, a protected set of resources (fonts,overlays, and page segments) that areused to label PSF output for securitypurposes. See also security label.

Infoprint ServerAn element of z/OS that supportsprinting on local printers and remoteprinters in an Internet Protocol or SNAnetwork. With Infoprint Server, users cansubmit print requests from remoteworkstations in an Internet Protocolnetwork, from z/OS UNIX SystemServices applications, from batchapplications, from VTAM® applications(such as CICS® or IMS™), and from SAPR/3.

J

JCL See job control language.

JES See Job Entry Subsystem.

JES2 An MVS subsystem that receives jobs intothe system, converts them to internalformat, selects them for processing,processes their output, and purges themfrom the system. In an installation withmore than one processor, each JES2processor independently controls its jobinput, scheduling, and output processing.See also Job Entry Subsystem and JES3.

JES3 An MVS subsystem that receives jobs intothe system, converts them to internalformat, selects them for processing,processes their output, and purges themfrom the system. In complexes that haveseveral loosely coupled processing units,the JES3 program manages processors sothat the global processor exercisescentralized control over the localprocessors and distributes jobs to them by

using a common job queue. See also JobEntry Subsystem and JES2.

job A separately executable unit of work.

job control language (JCL)A command language that identifies a jobto an operating system and describes thejob's requirements.

Job Entry Subsystem (JES)An IBM licensed program that receivesjobs into the system and processes alloutput data that is produced by jobs. Seealso JES2 and JES3.

job headerA page in printed output that indicatesthe beginning of a user job. A user job cancontain one or more data sets, or one ormore copies of a print job. See also dataset header.

job separationThe ability to identify job boundaries byplacing marks or sheets of paper betweensuccessive jobs.

job trailerA page in the printed output thatindicates the end of a user job.

L

library

1. A system object that serves as adirectory to other objects. A librarygroups related objects, and allows theuser to find objects by name.

2. A data file that contains copies of anumber of individual files and controlinformation that allows them to beaccessed individually.

3. A partitioned data set or a series ofconcatenated partitioned data sets.

licensed programA separately priced program and itsassociated materials that bear a copyrightand are offered to customers under theterms and conditions of a licensingagreement.

M

media originThe reference point from which thelogical page origin is positioned by themedium map. This point is representedby Xm=0, Ym=0 in the Xm, Ym


coordinate system. The media origin isdefined relative to the upper-left corner ofthe form. See also logical page origin. Seealso .

Multiple Virtual Storage (MVS)An IBM operating system that accessesmultiple address spaces in virtual storage.

N

nonguaranteed print labelingSome printers that do not supportguaranteed print labeling can still printidentification labels, but the integrity ofthe labels cannot be guaranteed by usingPSF. See also guaranteed print labeling.

O

OGL See Overlay Generation Language.

operating system (OS)A collection of system programs thatcontrol the overall operation of acomputer system.

OS See operating system.

overlay

1. A resource object that containspredefined presentation data, such astext, image, graphics, and bar codedata, that can be merged with variabledata on a page or form while printing.

2. The final representation of a collectionof predefined presentation data on aphysical medium.

Overlay Generation Language (OGL)An IBM licensed program used fordesigning objects (such as lines, boxes,shadings, and irregular shapes) forelectronic overlays.

P

page definitionAn AFP resource object used by PSF thatdefines the rules for transforming linedata and XML data into MO:DCA dataand text controls, such as width ofmargins and text orientation.

Page Printer Formatting Aid (PPFA)An IBM licensed program with which tocreate and store form definitions and pagedefinitions, which are resource objects

used for print-job management. Thesestored objects are used to format printedoutput.

page segmentAn AFP resource object containing text,image, graphics, or bar code data that canbe positioned on any addressable pointon a page or an electronic overlay.

parameterA value or reference passed to a function,command, or program that serves asinput or controls actions. The value issupplied by a user or by another programor process.

partitioned data set (PDS)A data set in direct-access storage that isdivided into partitions, called members,each of which can contain a program, partof a program, or data. See also sequentialdata set.

PDS See partitioned data set.

physical pageA single surface (front or back) of a form.

PPFA See Page Printer Formatting Aid.

Printer Control Language (PCL)The Hewlett Packard page descriptionlanguage that is used in laser and ink-jetprinters.

Printer InventoryIn Infoprint Server, a set of files thatcontain information about printers. ThePrinter Inventory includes such objects asprinter definitions, functional subsystem(FSS) definitions, and job selection rulesfor IP PrintWay™.

print jobOne or more documents submitted in thesame job to be printed on the sameprinter.

print labelingA controlled method of placingidentification labels on each page of PSFprinted output.

Print Services Facility (PSF)An IBM licensed program that managesand controls the input data stream andoutput data stream required by supportedpage printers.

processorIn a computer, the part that interprets and

Glossary 45

processes instructions. Two typicalcomponents of a processor are a controlunit and an arithmetic logic unit.

PSF See Print Services Facility.

R

RACF See Resource Access Control Facility.

record

1. In programming languages, anaggregate that consists of data objects,possibly with different attributes, thattypically have identifiers attached tothem. In some programminglanguages, records are calledstructures.

2. A group of related data, words, orfields treated as a unit, such as onename, address, and telephone number.

resourceA collection of printing instructions used,in addition to the print data set, toproduce the printed output. Resourcesinclude coded fonts, font character sets,code pages, page segments, overlays,form definitions, and page definitions.

Resource Access Control Facility (RACF)An IBM licensed program that providesfor access control by identifying users tothe system, verifying users of the system,authorizing access to protected resources,logging unauthorized attempts to enterthe system, and logging accesses toprotected resources.

S

security definitionA member containing the definitions forone identification label. These definitionsinclude instructions for the overlay name,and the size and origin of paper to beused.

security definitions libraryA partitioned data set or a series ofconcatenated partitioned data sets thatcontain the security definitions for anentire system.

security labelIn a trusted computing base, a label usedto maintain multiple levels of security ona system. This label is a combination of a

security class and a security level. Seealso identification label.

security overlayAn overlay, such as one created by use ofOverlay Generation Language, thatresides in a secure library and is used toplace security resources on a page.

separator pageAn identifying sheet of paper betweensuccessive jobs. See also job header andjob trailer.

sequential data setA data set whose records are organizedon the basis of their successive physicalpositions, such as on magnetic tape. Seealso partitioned data set.

SMF See System Management Facilities.

SMF type 6 recordA record that PSF uses to record data foreach print data set.

spool The system function of putting files orjobs into disk storage for later processingor printing. An abbreviation forsimultaneous peripheral operations online.

spool file

1. A file containing output that has beensaved for later processing.

2. A file that is used in the transmissionof data among devices.

spoolingThe sending of data to auxiliary storagefor later processing. The most commonspooling application is print spooling.

statement

1. In programming languages, alanguage construct that represents astep in a sequence of actions or a setof declarations.

2. An instruction in a program orprocedure.

System Management Facilities (SMF)A component of z/OS that collects andrecords a variety of system andjob-related information. Examples ofinformation collected by SMF arestatistics, accounting information, andperformance data.


T

terminalIn data communication, a device, typicallyequipped with a keyboard and displaydevice, capable of sending and receivinginformation.

trusted computing baseThe part of the system that contains allthe elements that support the securitypolicy of the system. The trustedcomputing base includes all hardware,microcode, and software that protectinformation on the system.

U

UPA See user printable area.

user IDSee user identifier.

user identifierA string of characters that uniquelyidentifies a user to a system.

user printable area (UPA)The area within the valid printable area(VPA) where user-generated data canprint without causing an exceptioncondition. See also valid printable area.

V

valid printable area (VPA)The intersection of the current logicalpage or current overlay with the physicalpage in which printing is allowed. Seealso user printable area.

VPA See valid printable area.

X

Xm, Ym coordinate systemThe media coordinate system.

Z

z/OS An IBM mainframe operating system thatuses 64-bit real storage.

Glossary 47

Bibliography

This bibliography lists the titles of publications containing additional informationabout PSF, AFP, the z/OS operating system, and related products.

The titles and order numbers might change from time to time. To verify the currenttitle or order number, consult your IBM marketing representative.

You can obtain many of the publications listed in this bibliography from the AFPConsortium Publications (afpcinc.org/publications) and the z/OS Internet Library(www.ibm.com/systems/z/os/zos/library/bkserv).

Advanced Function Presentation (AFP)

Publication Order Number

Advanced Function Presentation: Programming Guide and Line Data Reference S544-3884

AFP Consortium: AFP Color Management Architecture (ACMA) AFPCC

AFP Toolbox User's Guide S544-5292

Bar Code Object Content Architecture Reference AFPC-0005

Color Management Object Content Architecture Reference AFPC-0006

Font Object Content Architecture Reference AFPC-0007

Graphics Object Content Architecture for AFP Reference AFPC-0008

Guide to Advanced Function Presentation G544-3876

Image Object Content Architecture Reference AFPC-0003

Intelligent Printer Data Stream Reference AFPC-0001

Mixed Object Document Content Architecture Reference AFPC-0004

Overlay Generation Language/370 User's Guide and Reference S544-3702

Presentation Text Object Content Architecture Reference AFPC-0009


http://afpcinc.org/publications

http://afpcinc.org/publications

http://www.ibm.com/systems/z/os/zos/library/bkserv

http://www.ibm.com/systems/z/os/zos/library/bkserv

Index

Aaccessibility 33

contact IBM 33features 33

activating print labeling with RACF 17activating security labeling checking 17adding user IDs to RACF profiles 17allocating security resource libraries 15allocating the security definitions library 10areas, physical page 2assembling separator pages 16assistive technologies 33attributes for security definitions library 11auditing printing 23auditing PSF output for security 4

Ccommands, RACF

PERMIT 17RDEFINE 17REFRESH 17SETROPTS 17

computing base, trusted 4consoles, defining security 15contact

z/OS 33creating RACF profiles 17creating security overlays 10

Ddata definition names, defining 21DD statements

SDEF240SDEF300 21SFONT300 21SOVLY300 21SPSEG300 21

SDEFDD 21SFONT240 21SFONTDD 21SOVLY240 21SOVLYDD 21SPSEG240 21SPSEGDD 21

defaults, overriding print labeling 23defining

security consoles 15security definitions library 11security resources 15security-related data definition names 21

deleting security resources 18designing pages for print labeling 9diagnosing print labeling problems 24distributing secure PSF output 3DPAGELBL parameter 20

Eenabling print labeling 16error messages, interpreting 24exits for assembling separator pages 16

Gguaranteed print labeling 16

Hhardware, trusted 6

Iidentification labels

description of 1layout for 2, 29printing correct 22

Infoprint Server Printer Inventory, specifying 20initialization parameters, updating 18installation exits for separator pages 16installing PSF 9interpreting error messages 24

JJES messages, interpreting 24

Kkeyboard

navigation 33PF keys 33shortcut keys 33

LLabel data pages parameter 20Label separator pages parameter 20label, security 2, 6layout, security page 29libraries

attributes for 11defining security definitions 11defining security resource 15

loading security resources 17

Mmaintaining PSF with print labeling enabled 23messages, interpreting 24

Nnames, system-defined paper 31


navigationkeyboard 33

nonguaranteed print labeling 16numbering, random job 3

OOUTPUT statement for overriding defaults 23overlays, creating security 10overriding print labeling defaults 23

Ppage layout template 29pages, designing for print labeling 9paper names, system-defined 31PAPERNAM parameter 31parameters and options

DD statement 21PAPERNAM 31PRINTDEV statement 20, 21Printer Inventory 20PSFMPL 17SECLABEL 22SECLABEL in RACF 17security definitions library 11

PERMIT command 17physical page, printable area 2print job, submitting secure 22print labeling function

activating with PSFMPL 17allocating the security definitions library 10assembling separator pages 16defining

security consoles 15security definitions library 11security resource libraries 15

designing pages 9diagnosing problems 24enabling 16guaranteed 16installing PSF 9maintaining PSF with print labeling enabled 23nonguaranteed 16overriding defaults 23page template 29printer support for 9PSF processing differences 17random numbering of printed output 3security auditing of output 4security-related PSF tasks 7submitting secure print jobs 22trusted computing base components 4understanding 1updating initialization parameters 18using 9

Print Services Facility (PSF)auditing printing 23distributing secure output 3error messages, interpreting 24installing 9maintaining with print labeling enabled 23, 24printer support in 9processing differences with print labeling 17security auditing of output 4security-related tasks 7

Print Services Facility (PSF) (continued)using print labeling 9

printable area considerations 18printable areas on a physical page

print labeling functionUPA 2

PRINTDEV statement parameters 20, 21Printer Inventory parameters 20printer support for print labeling 9problems, diagnosing print labeling 24processing differences with print labeling 17profiles, creating RACF 17PSFMPL option 17publications, related 49

RRACF

adding user IDs to profiles 17profiles, creating 17refreshing 17

random numbering for print labeling 3RDEFINE command 17refreshing RACF 17related publications 49resources

defining security 15loading and deleting security 17

Restrict printable area parameter 20rules for defining a security definitions member 13

Ssample security definitions member 14SDEF240 parameter 21SDEF300 parameter 21SDEFDD parameter 21SECLABEL option in RACF 17SECLABEL parameter 22secure print jobs, submitting 22secure PSF output, distributing 3security auditing of PSF output 4security consoles, defining 15security definitions library

allocating 10attributes 11defining 11rules for defining a member 13sample member 14syntax for members 11

security label 2, 6security overlays, creating 10security page layout 29security resource library, allocating and defining 15security resources, loading and deleting 17security-related messages, interpreting 24security-related tasks 7sending comments to IBM xiiiseparator pages, assembling 16SETROPTS command 17SFONT240 parameter 21SFONT300 parameter 21SFONTDD parameter 21shortcut keys 33SMF type 6 record auditing 23software, trusted 5


SOVLY240 parameter 21SOVLY300 parameter 21SOVLYDD parameter 21SPAGELBL parameter 20SPSEG240 parameter 21SPSEG300 parameter 21SPSEGDD parameter 21submitting secure print jobs 22syntax for security definitions member 11SYSAREA parameter 20system-defined paper names 31

Ttasks, security-related 7trusted computing base 4

hardware 6software 5users 6

UUPA 2updating initialization parameters 18user IDs, adding to RACF profiles 17user interface

ISPF 33TSO/E 33

user security label 6user-printable area 2

Index 53

IBM®

Product Number: 5655-M32

Printed in USA

S550-0434-04

psf v4r6 for z/os: security guide - ibm.com · about this publication this publication is designed...

Documents