

OPTS Record-CA ACF2 for VM Options Specification

Record ID: OPTS

Fields:

ACCTVLD(NO|FULL|LID)
ATTKEY(SYSTEM,key value)
CPUTIME(LOCAL|GMT)
DATE(MDY|DMY|YMD)
DFTLNXG(default_linux_group)
DFTLNXU(default_linux_user)
DIAG84|NODIAG84
DIRIPL|NODIRIPL
DSPVLD|NODSPVLD
IDLEMN(60|nnn)
IDLEOP(OFF|ALLOFF|DISC|LOGOFF|REPROMPT|NOLOGOFF)
INFOLIST(SECURITY,AUDIT|privilege list)
IUCVVLD|NOIUCVVLD
MAXLID(512|nnnn)
MAXPGRPS(32|nnn|125)
MAXVIO(10|nnn)
MODE(ABORT|WARN|LOG|QUIET|RULE,no‑rule,no‑$mode)
NOTIFY|NONOTIFY
POSIXDB|NOPOSIXDB
TAPEDSN|NOTAPEDSN
VMCFVLD|NOVMCFVLD
VMCHK(NULL|bitfld)

The OPTS VMO record defines many CA ACF2 for VM system‑wide options.

Fields

ACCTVLD(NO|FULL|LID)

Specifies account validation for VM operating systems. Account validation is optional. The values for this operand are defined below.

NO

Indicates CA ACF2 for VM account support is disabled. Directory account validations are performed the same as VM native.

FULL

Indicates full account support is in effect. We recommend this value for CA ACF2 for VM account validation. CA ACF2 for VM does not use the CP directory for accounting purposes except at system initialization time. This is the default.

  • The default account number that is automatically selected for a virtual machine during system entry is kept in the new VMACCT logonid field. Virtual machines whose VMACCT field contains blanks must have an account number specified for them during system entry. Use the ACCOUNT operand of the LOGON and AUTOLOG commands for this purpose.
  • CA ACF2 for VM validates account resource rules for all virtual machines.
  • If you use a virtual machine, issue the CP SET ACCOUNT command to change your account number during a session.

LID

This is the alternative to full account support. With this value, CA ACF2 for VM account support is in effect only for machines specified with the VLDVMACT attribute. CA ACF2 for VM does not use the CP directory for accounting purposes except at system initialization time.

ATTKEY(SYSTEM,key value)

Defines the $KEY value for your dedicated and attached DASD volumes for access validation. The values for this operand are defined below.

SYSTEM

Specifies the default ATTKEY value.

key‑value

Specifies an ATTKEY value that you can define.

CPUTIME(LOCAL|GMT)

Specifies the time mode of the CPU. This specification determines how CA ACF2 for VM calculates a user's access time when processing zone records. If you specify GMT (Greenwich Mean Time), CA ACF2 for VM bases all time zone calculations on the time‑of‑day (TOD) clock. In LOCAL mode, CA ACF2 for VM first adjusts the TOD clock by the value stored in the CVTTZ field of the Communications Vector Table (CVT) and then bases all time zone calculations on the adjusted TOD clock. The default is LOCAL.

DATE(MDY|DMY|YMD)

Specifies whether the dates used are in month‑day‑year (mm/dd/yy), day‑month‑year (dd/mm/yy), or year‑month‑day (yy/mm/dd) format. You must specify these formats in the DATE field as MDY, DMY, or YMD, respectively. Because dates are stored internally in Julian (YYDDD) format, there is no incompatibility in changing this option after some rule sets already exist. The default is month‑day‑year (mm/dd/yy).

DFTLNXG(default_linux_group)

Specifies the name of the default Linux group profile record. It is used when a user accesses Linux and does not have a valid group defined in the Linux user profile record.

DFTLNXU(default_linux_user)

Specifies the name of the default Linux user profile record. It is used when a user accesses Linux and does not have a valid Linux user profile record.

DIAG84|NODIAG84

Indicates whether a user with the CP class B privilege (as IBM defines it) can dynamically update fields in a VM directory entry. The update applies to the online VM directory and lasts until the next system IPL. You must provide the VM directory password of the entry. This operand lets you use either the VM directory password or your CA ACF2 for VM password. The values for this field are defined below.

DIAG84

Means that your CA ACF2 for VM password is required unless you have the DG84DIR attribute in your logonid record. If you have this attribute, you must use the directory password when you issue the DIAG84 diagnose instruction. This is the default.

You must supply your CA ACF2 for VM password for all diagnose x'84' operations except LOGPASS and MDISK. These operations require the directory password.

NODIAG84

Specifies that you must use the VM directory password to update in place a VM directory entry.

DIRIPL|NODIRIPL

Controls command limiting of the IPL statement in the VM directory. DIRIPL causes command limiting to validate the directory IPL statement, which prevents users from bypassing command limiting by changing the IPL statement. You should define the CMDLIM VMO record so that the IPL command is limited. If the IPL command is not limited, this option has no effect.

NODIRIPL bypasses command limiting for the directory IPL statement. If you limit the IPL command, only IPL commands are limited and the directory IPL statement is always allowed.

DSPVLD|NODSPVLD

Activates or deactivates dataspace protection. CA ACF2 for VM activates dataspace protection at installation. CA ACF2 for VM uses ESA dataspaces in CP on all releases of VM running on ESA‑capable hardware.

IDLEMN(60|nnn)

Specifies the number of minutes (from 1 to 240) that the terminal a user is logged onto can be idle before idle terminal processing begins. You can override this value at the individual logonid level using the VMIDLEMN logonid restriction. The default is 60.

IDLEOP(OFF|ALLOFF|DISC|LOGOFF|NOLOGOFF|REPROMPT)

Specifies the type of idle terminal processing performed when a user exceeds the idle time limit. You can override this value at the individual logonid level using the VMIDLEOP logonid restriction, except when IDLEOP is set to ALLOFF. The values for this parameter are:

OFF

Disables system‑wide idle terminal processing. However, you can enable idle terminal processing at the individual logonid level using the VMIDLEOP logonid restriction. This is the default.

ALLOFF

Disables system‑wide idle terminal processing, regardless of the VMIDLEOP restrictions defined at the individual logonid level.

DISC

Forces disconnection from the system when the user exceeds the idle terminal limit.

LOGOFF

Forces the user off the system when the user exceeds the idle terminal limit.

NOLOGOFF

Prompts the user to enter the logon password when the idle terminal limit is exceeded. Incorrect passwords are counted as password violations, so the user can be suspended after entering too many incorrect passwords. The user can also disconnect from the system at this prompt. This is similar to REPROMPT, but the option to log off is not allowed.

REPROMPT

Prompts the user to enter the logon password when the idle terminal limit is exceeded. Incorrect passwords are counted as password violations, so the user can be suspended after entering too many incorrect passwords. The user can also log off or disconnect from the system at this prompt.
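The following is an added illustration, not CA ACF2 for VM code, of how the system-wide IDLEMN and IDLEOP options combine with the per-logonid VMIDLEMN and VMIDLEOP restrictions described above: a VMIDLEOP value replaces the system IDLEOP (so a logonid can enable idle processing even when the system default is OFF), while ALLOFF at the system level overrides every logonid setting. The option and value names follow this page; the record classes, the policy-resolution functions, and the sample logonids are assumptions made for the example.

```python
# Added example (not CA ACF2 for VM code): model of IDLEMN/IDLEOP precedence.
# Option names follow the OPTS record documentation; the dataclasses, the
# function names and the sample logonids are constructed for this illustration.

from dataclasses import dataclass
from typing import Optional, Tuple

IDLEOP_VALUES = {"OFF", "ALLOFF", "DISC", "LOGOFF", "NOLOGOFF", "REPROMPT"}


@dataclass
class OptsRecord:
    """The idle-terminal fields of the OPTS VMO record (assumed layout)."""
    idlemn: int = 60        # 1..240 minutes, default 60
    idleop: str = "OFF"     # default OFF

    def __post_init__(self) -> None:
        if not 1 <= self.idlemn <= 240:
            raise ValueError("IDLEMN must be between 1 and 240")
        if self.idleop not in IDLEOP_VALUES:
            raise ValueError(f"unknown IDLEOP value {self.idleop!r}")


@dataclass
class Logonid:
    """The per-logonid overrides (assumed layout); None means 'not set'."""
    name: str
    vmidlemn: Optional[int] = None   # overrides IDLEMN for this logonid
    vmidleop: Optional[str] = None   # overrides IDLEOP for this logonid


def effective_idle_policy(opts: OptsRecord, lid: Logonid) -> Tuple[Optional[int], str]:
    """Return (idle limit in minutes, action) that apply to this logonid.

    ALLOFF at the system level wins over any VMIDLEOP restriction.  Otherwise
    a VMIDLEOP value replaces the system IDLEOP, and a VMIDLEMN value replaces
    the system IDLEMN.  A limit of None means no idle processing takes place.
    """
    if opts.idleop == "ALLOFF":
        return None, "ALLOFF"
    action = lid.vmidleop if lid.vmidleop is not None else opts.idleop
    if action not in IDLEOP_VALUES:
        raise ValueError(f"unknown VMIDLEOP value {action!r}")
    if action == "OFF":
        return None, "OFF"
    minutes = lid.vmidlemn if lid.vmidlemn is not None else opts.idlemn
    return minutes, action


def idle_check(opts: OptsRecord, lid: Logonid, idle_minutes: int) -> Optional[str]:
    """Return the action to take once the terminal has been idle for
    idle_minutes, or None if the limit has not been exceeded (or idle
    processing is off for this logonid)."""
    limit, action = effective_idle_policy(opts, lid)
    if limit is None or idle_minutes <= limit:
        return None
    return action


if __name__ == "__main__":
    # Constructed sample: system default OFF, one logonid that opts in.
    opts = OptsRecord(idlemn=30, idleop="OFF")
    for lid in (Logonid("USER1"), Logonid("USER2", vmidlemn=10, vmidleop="REPROMPT")):
        print(lid.name, effective_idle_policy(opts, lid), idle_check(opts, lid, 45))
```

Running the module prints the resolved policy for each constructed logonid; the point of the model is that only ALLOFF removes the per-logonid escape hatch, so an administrator who wants idle processing to be unconditional must choose ALLOFF rather than OFF.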

INFOLIST(SECURITY,AUDIT|privilege list)

Specifies which logonid attributes are necessary to list Infostorage records (such as entry lists, scope, and shift and zone records). The user does not have the authority to change these records. It does not convey the authority to compile and store resource rules or access rules. The default is SECURITY,AUDIT, indicating that users with either attribute are authorized. Scopes do not affect logonids with the privileges listed in the INFOLIST record. You should also refer to the SELAUTH field of the APPLDEF VMO record described earlier in this chapter.

IUCVVLD|NOIUCVVLD

Implements CA ACF2 for VM validation of a one way IUCV and APPC/VM path connection. This validation takes place through resource rules. The values for this field are defined below.

IUCVVLD

Specifies standard CA ACF2 for VM validation through resource rules. This is the default.

NOIUCVVLD

Specifies that CA ACF2 for VM does not validate IUCV and APPC/VM path connections through resource rules.

MAXPGRPS(32|nnn|125)

For POSIX environments only. Defines the maximum number of POSIX groups allowed. Be conservative in your estimate: CP allocates storage based on this number for every user that logs onto VM. The minimum value is 32; the maximum is 125.

MAXLID(512|nnnn)

Specifies the maximum number of active CA ACF2 for VM logonids. Active logonids include virtual machines logged onto VM, users logged onto SRF applications, users logged onto CA ACF2 for VM VSE, and users executing batch jobs. You can use the same CA ACF2 for VM logonid in two or more of the preceding situations and it will still be counted as one active logonid. MAXLID calculates the amount of virtual storage that the CA ACF2 for VM service machine needs to reserve for active logonids during startup. It is not intended to restrict the number of VM user IDs logged onto a system. The minimum value is eight and the maximum value is 524,288. The default is 512. You must adjust the storage size of the service machine VM directory entry to accommodate this value. The default MAXLID value of 512 is normally inadequate for large VM systems. For large systems, you must change the default value to reflect the maximum number of users that are logged onto the system simultaneously.

MAXVIO(10|nnn)

Specifies the maximum number of security violations in a single job (or CMS session) before CA ACF2 for VM terminates the job or CMS session rather than just the task. The default value is ten. The maximum value is 32,767.

MODE(ABORT|WARN|LOG|QUIET|RULE,no‑rule,no‑$mode)

Defines the mode of CA ACF2 for VM as it relates to data access. The MODE value determines what action CA ACF2 for VM takes when a data access request violates security.

Set MODE to one of the following:

ABORT

Logs attempted violations, issues violation messages, and denies accesses. This is the default value.

WARN

Logs access violations and issues warning messages, but lets accesses continue.

LOG

Logs access violations, but lets accesses continue.

QUIET

Disables CA ACF2 for VM data access rule validations.

CA ACF2 for VM logonid record validations and similar user and system access validations still occur.

RULE

Specifies that CA ACF2 for VM checks the $MODE control statement in the appropriate access rule set to determine what action to take if the access request violates security. The value of the $MODE statement can be QUIET, LOG, WARN, or ABORT, as defined above. CA ACF2 for VM only uses the $MODE control statement when the (RULE,no‑rule,no‑$mode) option is in effect and it determines that a data access request violates security. The two positional parameters, no‑rule and no‑$mode, are defined as follows:

no‑rule

Specifies the action CA ACF2 for VM takes if no access rule is found when RULE mode is in effect. The value for this parameter can be QUIET, LOG, WARN, or ABORT, as defined above.

no‑$mode

Specifies the action CA ACF2 for VM takes if no $MODE control statement is found in the applicable access rule set when RULE mode is in effect. The value for this parameter may be QUIET, LOG, WARN, or ABORT, as defined above.

For example, if TLCAMS tries to link to TLCPJM's 0191 minidisk for write access but the rule does not grant TLCAMS access, CA ACF2 for VM checks the $MODE control statement in the access rule and bases the access on the $MODE value. If $MODE(LOG) is specified in the access rule set, TLCAMS can link to TLCPJM's 0191 minidisk and CA ACF2 for VM creates a logging record. If $MODE(ABORT) is specified, TLCAMS cannot access and CA ACF2 for VM creates a logging record detailing the access violation attempt.

Note: If an I/O error occurs reading a rule, CA ACF2 for VM treats it as a RULE NOT FOUND condition. If you are in RULE mode, CA ACF2 for VM ignores any $MODE control statement in that rule. If the no‑rule setting of RULE mode is set to QUIET, access is allowed and CA ACF2 for VM does not create any SMF loggings. Because of this potential security exposure, we recommend that you do not use QUIET for the no‑rule or no‑$mode settings of RULE mode if you are protecting sensitive data.
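The decision described above for the MODE field, as an added model that is not CA ACF2 for VM code: a violating request is resolved by the system MODE, or in RULE mode by the rule set's $MODE statement, falling back to the no‑rule and no‑$mode settings, with a rule read error treated as RULE NOT FOUND. The mode names, the $MODE statement, the TLCAMS/TLCPJM 0191 minidisk scenario and the QUIET recommendation come from this page; the rule-set representation, the function names and the sample rule sets are assumptions made for the example. The `rule_mode_warnings` helper is also added here, and flags the QUIET settings the note advises against.

```python
# Added example (not CA ACF2 for VM code): a model of the MODE decision for a
# data access request that violates the rules.  Mode names and the RULE NOT
# FOUND handling follow the OPTS documentation; the classes, function names
# and the sample rule sets below are constructed for this illustration.

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ACTIONS = ("QUIET", "LOG", "WARN", "ABORT")


@dataclass
class RuleSet:
    key: str                              # $KEY, here the minidisk owner (assumed)
    mode: Optional[str] = None            # value of the $MODE control statement, if any
    permits: Set[Tuple[str, str, str]] = field(default_factory=set)  # (requester, vaddr, access)


@dataclass
class ModeOption:
    """The MODE field of the OPTS record (assumed representation)."""
    mode: str                  # ABORT | WARN | LOG | QUIET | RULE
    no_rule: str = "ABORT"     # RULE mode only: action when no rule set is found
    no_mode: str = "ABORT"     # RULE mode only: action when the set has no $MODE

    def __post_init__(self) -> None:
        if self.mode not in ACTIONS + ("RULE",):
            raise ValueError(f"unknown MODE value {self.mode!r}")
        for value in (self.no_rule, self.no_mode):
            if value not in ACTIONS:
                raise ValueError(f"unknown RULE sub-setting {value!r}")


@dataclass
class Decision:
    allowed: bool
    logged: bool               # an SMF logging record is created
    message: Optional[str]     # violation/warning message issued to the user, if any


def apply_action(action: str) -> Decision:
    """Map one of QUIET/LOG/WARN/ABORT onto its documented effect."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    messages = {"ABORT": "violation", "WARN": "warning", "LOG": None, "QUIET": None}
    return Decision(allowed=action != "ABORT", logged=action != "QUIET", message=messages[action])


def validate(opt: ModeOption, rulesets: Dict[str, RuleSet], requester: str,
             resource: Tuple[str, str], access: str, io_error: bool = False) -> Decision:
    """Decide a data access request under the given MODE setting.

    `resource` is (owner, virtual address); the rule set is looked up by owner.
    `io_error` simulates a read failure on the rule, which the documentation
    says is treated as RULE NOT FOUND (so any $MODE in that set is ignored).
    """
    if opt.mode == "QUIET":
        return Decision(True, False, None)          # rule validation disabled entirely
    owner, vaddr = resource
    ruleset = None if io_error else rulesets.get(owner)
    if ruleset is not None and (requester, vaddr, access) in ruleset.permits:
        return Decision(True, False, None)          # granted by rule: no violation
    # The request violates security; pick the action for this mode.
    if opt.mode != "RULE":
        return apply_action(opt.mode)
    if ruleset is None:
        return apply_action(opt.no_rule)            # RULE NOT FOUND (also on I/O error)
    if ruleset.mode is None:
        return apply_action(opt.no_mode)            # rule set carries no $MODE
    return apply_action(ruleset.mode)


def rule_mode_warnings(opt: ModeOption) -> List[str]:
    """Flag the RULE-mode settings the documentation recommends against."""
    warnings = []
    if opt.mode == "RULE":
        if opt.no_rule == "QUIET":
            warnings.append("no-rule=QUIET: unreadable or missing rules allow access unlogged")
        if opt.no_mode == "QUIET":
            warnings.append("no-$mode=QUIET: rule sets without $MODE allow access unlogged")
    return warnings


# Constructed sample: TLCPJM's rule set lets TLCAMS read (not write) its 0191
# minidisk and carries $MODE(LOG).
SAMPLE_RULES = {"TLCPJM": RuleSet("TLCPJM", mode="LOG", permits={("TLCAMS", "0191", "R")})}

if __name__ == "__main__":
    opt = ModeOption("RULE", no_rule="QUIET")
    print(validate(opt, SAMPLE_RULES, "TLCAMS", ("TLCPJM", "0191"), "W"))
    print(validate(opt, SAMPLE_RULES, "TLCAMS", ("TLCPJM", "0191"), "W", io_error=True))
    print(rule_mode_warnings(opt))
```

Run as a script, the module shows the page's own scenario (a write request that the rule does not grant, resolved by $MODE(LOG)) and then the exposure from the note: with no‑rule set to QUIET, the same request during a rule read error is allowed with no logging record, which is exactly why the documentation advises against QUIET there.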

NOTAPEDSN|TAPEDSN

Specifies whether the VMTAPE interface performs validation at the data set name (DSN) level. With NOTAPEDSN (the default), the interface does not perform DSN validation. DSN validation occurs if TAPEDSN is specified. There is no ACF subcommand for displaying the TAPEDSN setting of the OPTS VMO record.

NOTIFY|NONOTIFY

Specifies whether CA ACF2 for VM sends a message to the user at logon time (giving the date, time, and source of the user's last successful system access). This message warns you if someone used your logonid and password to access CA ACF2 for VM. Teach your users about this message and show them how to report possible misuse of their logonids. Specify NONOTIFY to suppress the message. The default is NOTIFY, which displays the message.

POSIXDB|NOPOSIXDB

For POSIX environments only. Defines who owns the POSIX database.

POSIXDB

CA ACF2 for VM informs VM that it is maintaining the POSIX databases. CA ACF2 for VM responds to the DIAGA0 subcode X'08' and takes over POSIX Database management.

NOPOSIXDB

CA ACF2 for VM does not maintain POSIX databases. CA ACF2 for VM responds negatively to the DIAGA0 subcode X'08'. This is the default.

VMCFVLD|NOVMCFVLD

Implements CA ACF2 for VM validation of a one‑way VMCF path connection. This validation takes place through resource rules. The values for this operand are defined below.

VMCFVLD

Specifies standard CA ACF2 for VM validation through resource rules. This is the default.

NOVMCFVLD

Specifies that CA ACF2 for VM does not validate through resource rules.

VMCHK(null|VM|VMXA|bit‑fld)

Defines the logonid record privilege you need to access the system. If you do not have the appropriate privilege turned on in your logonid record, the logon is denied. Before you modify this operand to reflect VM or a locally defined bit‑field, ensure that users have the appropriate value turned on in their logonid record. The values for this operand are listed below.

null

If you do not specify a value for VMCHK, standard CA ACF2 for VM logon validation is done but does not require a specific privilege to log on. We recommend that you only use VMCHK in environments with shared CA ACF2 for VM databases. To remove a privilege from VMCHK if one exists, use the null value instead of a field name. For example, specify CHANGE OPTS VMCHK(). The null setting is the default.

bit‑field

You can specify CA ACF2 for VM‑defined VM and VMXA logonid privileges to be checked at logon. If you specify a locally‑defined field, add an @CFDE macro defining your bit‑field and add the field to your USERID or USERXLID COPY files.

SHOW Subcommand

The SHOW STATE subcommand displays the values specified in the OPTS VMO record for the ATTKEY, CPUTIME, DATE, MAXLID, MAXVIO, MODE, and VMCHK fields. The SHOW ACTIVE subcommand displays the ACCTVLD, DIAG84, IUCVVLD, and VMCFVLD fields.

POSIX Support

You can maintain POSIX Database information in the VM directory or with an External Security Manager (ESM) such as CA ACF2 for VM. See the “OpenExtensions VM Support” chapter for additional information.