CA 1 Passwords and Security › Security Recommendations

Security Recommendations

When setting up security, we recommend the following options and settings

• OCEOV—Use of this option depends on the environment. In a CA Top Secret Security environment, specify YES. In a CA ACF2 environment, specify YES if you want CA 1 to control security checking for foreign tape data set names (see the discussion on FORNDSN.) In a RACF environment below 1.9 specify YES; however, RACF 1.9 or higher with TAPEDSN set to YES you can have OCEOV specified as NO. However, if you specify TAPEDSN as NO in RACF and OCEOV as YES in CA 1, you can control security checking for foreign tape data set names (see FORNDSN). Check with your RACF security vendor for the ramifications of setting TAPEDSN to NO.
• DSNB set to YES—This prevents stacking unsecured data sets behind secured data sets on the same tape. This option should not be set to YES unless some security check has been performed on the primary data set. If you set this option to YES and use a tape stacking product to stack unlike data sets it may cause security errors.
• YSVC set to YES—Strictly controls who has access to the YSVCUNCD (unconditional) with UPDATE access. This should be strictly limited to the Librarian(s).
• PSWD set to YES—Is used to control which user IDs have the authority to use CA 1 ISPF and TIQ passwords assigned in the CA 1 internal security table and the use of the CA 1 system password for online access as well.
• CMD—(Optional) Used to further restrict which online commands may be used.
• FUNC set to YES—Especially important to limit the uses of BLPRES and FORRES. There should be no reason to allow BLP usage for in-house tapes or bypass CA 1 control for CA 1 tapes.
• SCRTCH—(Optional) Needed only if RACF is keeping discrete profiles.
• UNDEF set to FAIL - Ensure that all resources (YSVC, commands and functions) are defined.
• CREATE—Allow the same level of access to create a tape file that is required to create (and catalog) a DASD file.
• FORNDSN—(Optional) Used to control when calls are made for nonresident data set access.
• DSEALL set to NO—Determines whether data set erase (DSE) is required for tapes being processed as scratch tapes by TMSCLEAN.
• SECWTO set to YES—Controls if WTORs should be issued when TMSINIT is executed as a started task to ensure the operator is authorized to perform the desired function.
• WRKFLS set to NO—Determines whether work files may be created.
• LOGSVC set to UPDATE—Indicates only successful update access to the TMC is logged.
• AUDB4 set to BATCH—Indicates that a "Before" image of the updated TMC should be logged to the AUDIT file.
• TMC and Audit Data Sets—READ access to the TMC and Audit data sets should be allowed if all users have the authority to read data set names, block size and counts, and information about the creating job (name, stepname, ddname, and so on).

  UPDATE to the TMC and Audit data sets should be limited to a few programs (TMSCOPY, TMSINIT, TMSLBLPR, TMSFORMT, TMSUDSNB), and only by operations (TMSCOPY and TMSLBLPR) or the CA 1 systems programmer (TMSFORMT, TMSUDSNB). If you are using program protection, you must authorize the user IDs running the CA 1 batch jobs to have READ access to all modules beginning with TMS and CTS.

  ALTER, CREATE and ALLOCATE authority should not be given to anyone. Movement of the TMC and Audit data sets should not be performed without special checks made to ensure all tape activity is halted.

• TMSINIT Status Changes—Status changes to CA 1 are performed automatically, and are not controlled by a CA 1 security option. If status changes are requested via TMSINIT, the submitter of the started task or batch JCL should be given access to the REINIT, BATCH, and/or DEACT entities. If a started task is submitted, console messages are issued to request the submitter's user ID and password.

  TMSTPNIT requires the user ID of the person submitting the job to have UPDATE access to BLP. In addition, TMSTPNIT uses 98000 processing and must have the proper access if FUNC is set to YES. UPDATE access is needed for FORRES or FORNORES depending if the tape volser is in the TMC.