

Implementing DIAL Protection

The DIALBYP privilege bypasses DIAL command validation. When this logonid privilege is assigned to a target machine, CA ACF2 for VM does not validate a DIAL when you issue it to access the target virtual machine.

Because the DIALBYP logonid record privilege replaces the DIALSEC list in VMXAOPTS of HCPAC0, you should give all users specified in this list the DIALBYP privilege. For masked DIALSEC entries, use CHANGE LIKE to update all matching logonid records.

The steps involved in implementation are listed below.

  1. Add the DIALBYP privilege (optional)
  2. Modify the resource type code in the TYPES field of the RESTYPE VMO record (optional)
  3. Write DIAL resource rules
  4. Test DIAL resource rules

See the Command and Diagnose Limiting Guide if you need to implement DIAL command limiting. A brief explanation of these steps follows.

Adding the DIALBYP Privilege

To let a virtual machine bypass DIAL validation, add the DIALBYP logonid privilege to the target machine's logonid record. To change an existing logonid to reflect the DIALBYP privilege, use the LIST subcommand, then issue the CHANGE subcommand. An example follows.

  acf
  ACF
  list TLCAMS
  TLCAMS TLCMGRGTLCAMS ANN SMITH EXT 200
     PRIVILEGES ACCOUNT AUDIT SCPLIST(ACCTMGR)
     .
     .

Next, issue the CHANGE subcommand:

  acf
  ACF
  change TLCAMS DIALBYP
  TLCAMS TLCMGRGTLCAMS ANN SMITH EXT 200
     PRIVILEGES ACCOUNT AUDIT DIALBYP SCPLIST(ACCTMGR)
     .
     .

Ann's virtual machine has the DIALBYP logonid privilege. When this virtual machine is the target of a DIAL command, CA ACF2 for VM will not validate the DIAL. To list all virtual machines with the DIALBYP logonid privilege, enter the LIST IF(dialbyp) subcommand.

Modifying the DIAL Resource Type Code

You can use a site-defined resource type code for DIAL resource rules. To define this type code:

  acf
  ACF
  SET CONTROL(VMO)
  CHANGE RESTYPE DIA

The default value is DIAL=(DIA).

When you modify this operand, you must also modify the TYPES field of the RESTYPE VMO record to reflect this change. These resource type codes must be consistent in both the RESCLASS and RESTYPE records.

Modifying the RESTYPE Record

An example of a modified RESTYPE VMO record is RESTYPE TYPES(ABC). The default type code for DIAL is DIA.

Writing DIAL Resource Rules

An example of a DIAL resource rule is shown below.

  ACF
  set resource(dia)
  RESOURCE(DIA)
  compile
  ACFCMP510I ACF compiler entered
  $key(TLCAMS)
  type(dia)
  uid(*****tlc) allow
  uid(*****TLCPJM) prevent
  ACFCMP551I Total record length=168 bytes - 4 percent utilized
  RESOURCE

Testing DIAL Resource Rules

An example of testing a DIAL resource rule follows.

  test *
  .
  uid(*****TLCPJM)
  The following parameters are in effect:
  DATE=12/27/97 TIME=1721 SOURCE=******** UID=*****TLCPJM
  ACCESS WOULD BE PREVENTED
  .
  uid(*****TLCAMS)
  The following parameters are in effect:
  DATE=12/27/97 TIME=1721 SOURCE=******** UID=*****TLCAMS
  ACCESS WOULD BE ALLOWED
  .
  end
  RESOURCE
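
The rule written and tested above can be modelled offline to check that a broad allow entry does not swallow a narrower prevent entry. The following Python sketch is an added example, not CA ACF2 code or output. It assumes that `*` in a UID mask matches any single character, that a mask matches as a prefix, that the most specific entry is tried first (consistent with the test results above), and that a DIAL with no matching entry is prevented.

```python
"""Simplified model of the $key(TLCAMS) DIAL rule (added example)."""

# Rule entries exactly as entered on the page under $key(TLCAMS) type(dia).
RULE_ENTRIES = [
    ("*****tlc", "allow"),
    ("*****TLCPJM", "prevent"),
]


def mask_matches(mask, uid):
    """Assumed semantics: '*' matches any one character, other characters
    must match exactly (case-insensitive), and the mask is a prefix."""
    mask, uid = mask.upper(), uid.upper()
    if len(uid) < len(mask):
        return False
    return all(m == "*" or m == u for m, u in zip(mask, uid))


def specificity(mask):
    """Count of non-wildcard characters; a higher count is more specific."""
    return sum(ch != "*" for ch in mask)


def evaluate_dial(uid, entries=RULE_ENTRIES, target_has_dialbyp=False):
    """Return 'bypassed', 'allow' or 'prevent' for a DIAL issued by uid."""
    if target_has_dialbyp:
        # DIALBYP on the target: the DIAL is not validated at all.
        return "bypassed"
    ordered = sorted(entries, key=lambda e: specificity(e[0]), reverse=True)
    for mask, action in ordered:
        if mask_matches(mask, uid):
            return action
    # Assumption: no matching rule entry means the DIAL is prevented.
    return "prevent"


if __name__ == "__main__":
    # The two UIDs from the TEST session, plus one constructed UID.
    for uid in ("*****TLCPJM", "*****TLCAMS", "*****XYZ"):
        print(f"{uid:<12} -> {evaluate_dial(uid)}")
```

Running it reproduces the two TEST results from the page: the TLCPJM UID is prevented even though the broader `*****tlc` mask also matches it, and the TLCAMS UID is allowed.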