CA 1 Passwords and Security › CA Top Secret Security Setup

CA Top Secret Security Setup

The following steps are required for implementation of the CA 1 external security system in a CA Top Secret Security environment:

1. Assign ownership of all entities to be protected. The following commands are used to perform this step:

   TSS ADD(acid) CACMD(L0CLEAN)
   TSS ADD(acid) CACMD(L0EXTEND)
   TSS ADD(acid) CACMD(L0EXPIRE)
   TSS ADD(acid) CACMD(L0RETAIN)
   TSS ADD(acid) CACMD(L0DELETE)
   TSS ADD(acid) CACMD(L0ADD)
   TSS ADD(acid) CACMD(L0CHECKI)
   TSS ADD(acid) CACMD(L0CHECKO)
   TSS ADD(acid) CACMD(L0ERASE)
   TSS ADD(acid) CACMD(L0SCRATC)
   TSS ADD(acid) CACMD(L0PTRS)
   TSS ADD(acid) CACMD(L0UPDTE)
   TSS ADD(acid) CATAPE(YSVCCOND)
   TSS ADD(acid) CATAPE(YSVCUNCD)
   TSS ADD(acid) CATAPE(NLRES)
   TSS ADD(acid) CATAPE(NLNORES)
   TSS ADD(acid) CATAPE(NSLRES)
   TSS ADD(acid) CATAPE(NSLNORES)
   TSS ADD(acid) CATAPE(BLPRES)
   TSS ADD(acid) CATAPE(BLPNORES)
   TSS ADD(acid) CATAPE(FORRES)
   TSS ADD(acid) CATAPE(FORNORES)
   TSS ADD(acid) CATAPE(ACCESSPROFILE)
   TSS ADD(acid) CATAPE(REINIT)
   TSS ADD(acid) CATAPE(BATCH)
   TSS ADD(acid) CATAPE(DEACT)
   

2. Permit users access as desired. The following commands are used to perform this step:

                                         {NONE       }
   TSS PERMIT(user1) CATAPE(NLRES) ACCESS{READ       }
                                         {READ,UPDATE}
                                         {ALL        }
   -or-
   TSS PERMIT(user1) CACMD(L0EXTEND)
   

   Notes:

   • The control option TAPE should be set to OFF in the CA Top Secret Security parameter file. This prevents CA Top Secret Security from being invoked by MVS.
   • A started task definition for the TMSINIT procedure must be defined and given update access to either YSVCCOND or YSVCUNCD to allow CA 1 to become active.
   • Activation of CA 1 external security requires that proper authorization for resources being checked is established within CA Top Secret Security prior to activation of the CA 1 external security options. It is not possible to deactivate CA 1 external security options without changing the TMOOPTxx member of hlq.CTAPOPTN, and then either performing a TMSINIT reinitialization, or an IPL of the entire operating system. A TMSINIT reinitialization is much easier than a system IPL. However, if TMSINIT is not authorized to use either the YSVCCOND or YSVCUNCD resource with a service of UPDATE, TMSINIT will abend. Should this occur, specify the appropriate rules to the security system before attempting to restart TMSINIT. Optionally, you can code and install the TMSXITS exit to ACCEPT the resource access to the YSVC and the TMSINIT resources (see the labels YSVC and INIT in the TMSXITS source) without making a security call.
   • If the CREATE option is set to CREATE (the default value is UPDATE), a generic volume profile must be created to allow tape data sets to be created. This can be done by adding a rule to the ALL record for create access to tape volumes:
     1. TSS ADD (acid) VOLUME (T0(G))
     2. TSS PERMIT (ALL) VOLUME (T0(G)) ACCESS (CREATE)
   • The T0 must be 2-6 characters.
   • This assumes all tape volumes begin with T0. If all tape volumes begin with zero, the volume statement would be VOLUME (00 (G)).
3. When a CA 1 region runs as a started task, a CA Top Secret Security ACID must be associated with each CA 1 region. This ACID must be able to access the STC facility, and must be authorized to all MVS data sets used within the region, since these data sets are opened by CA 1 itself. This ACID is referred to as the CA 1 region control ACID. The ACID is associated with the region via the CA Top Secret Security STC table.

   CA 1 can be defined to CA Top Secret Security as a started task with an entry like the following:

   TSS ADD(STC)  PROC(TMSINIT)  ACID(CA1ACID)
   

   Defining a started task to CA Top Secret Security results in the association of that STC with a specified ACID. See the CA Top Secret Security MVS Implementation: BATCH and STC Guide for more information regarding CA Top Secret Security and started task definition.

   Below is an example of how the facility for CA 1 should look:

   FACILITY DISPLAY FOR CA1
   INITPGM=TMS      id=C1 TYPE=099
   ATTRIBUTES=SHRPRF,NOASUBM,NOABEND,MULTIUSER,NOXDEF
   ATTRIBUTES=NOLUMSG,NOSTMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
   ATTRIBUTES=NOPROMPT,NOAUDIT,RES,NOWARNPW,NOTSOC,LCFCMD
   ATTRIBUTES=MSGLC,NOTRACE,NOEODINIT,IJU,NODORMPW,NONPWR,NOIMSXTND
   MODE=FAIL  DOWN=GLOBAL  LOGGING=INIT,SMF,MSG,SEC9
   UIDACID=8 LOCKTIME=000 DEFACID=*NONE*   KEY=8
   

   In the above example, CA 1 is the name of the facility you have defined in CA Top Secret Security. The acidname you use to start this CA 1 application should then have a MASTER FACILITY of CA 1. If the acidname is CA1ACID, then a TSS ADD(CA1ACID) MASTFAC(CA1) should be issued. This will give acid CA1ACID a MASTER FACILITY of CA 1.

   Users who will execute TMSINIT as a Started Task will require access to the CA 1 facility. This can be done as follows:

   TSS ADD(TMSUSR)  FACILITY(CA1)