The security administrator or VM systems programmer should now log on using the default CA ACF2 for z/VM logonid of MAINT. CA ACF2 for z/VM prompts for a password the first time this logonid accesses the system.
If you are installing a new release of CA ACF2 for z/VM, reassemble any SRF applications on your system and regenerate any modules for those applications, as necessary.
The ACFLIDGN utility created logonids for you during the installation. If there are additional logonids you need to add to the Logonid database, follow the information shown below.
Use the ACF INSERT command to create additional logonids for VM/CMS users. Do this as soon as possible. When you move the CA ACF2 for z/VM service machine to the first level, any user not defined to CA ACF2 for z/VM cannot log onto VM.
The following are ACF INSERT commands:
insert tlcjss name(joan s. simmons) phone(x233) security
insert tlcmsb name(mark s. baker) phone(x234) account
In the first sample logonid record above, we gave user TLCJSS the SECURITY privilege that lets her write and store CA ACF2 for z/VM access rules for z/OS data sets, minidisks, VSE files, diagnose execution, CP command limiting, and CMS files. The second sample logonid, TLCMSB, has the ACCOUNT privilege, letting him insert, change, and delete CA ACF2 for z/VM logonid records.
To display logonid records, enter the following command:
ACF
Wait for the response indicating you are in ACF mode, and enter the following command with the logonid that you want to display:
LIST logonid
The command LIST TLCAMR displays the logonid record named TLCAMR. When you are finished displaying logonid records, enter the following subcommand:
END
See the Administrator Guide for detailed information about privileges and logonid records.
Compile and store access rules as soon as possible to avoid excessive loggings. The sample rule compile sequences below are for both minidisk and CMS file access rules. You can find complete information about rule writing in the Administrator Guide.
acf
ACF compile
$key(logonid1)
A allow all users to link to 191 minidisk owned by logonid1
V0191.volume uid(-) read(allow) write(allow)
A allow user logonid2 to read/write the cms file named
A "employee list" owned by logonid1 on the 191 minidisk
V0191.employee.list uid(logonid2) read(a) write(a)
A allow all users to read the cms file named
A "employee list" owned by logonid1
V0191.employee.list uid(-) read(a)
A (or enter a null line)
store
end
If you are using CA ACF2 for z/VM command limiting support or performing CA ACF2 for z/VM syntax checking, compile the appropriate set of command syntax models. These models describe the syntax of all standard CP commands. CA ACF2 for z/VM provides the following sets of syntax models.
Use the file appropriate for your site.
ZVMnnn MODEL
Where nnn is the version and release of VM.
To compile the syntax models, enter the following commands:
acf
ACF set model
compile fn
The value of fn is the filename of the model file in the previous list. The default MDLTYPE from the CMDLIM VMO record is used unless the MDLTYPE is specified on each model in the file being compiled or the MDLTYPE parameter is included on the COMPILE command. For complete information on compiling command syntax models, see the Command and Diagnose Limiting Guide.
You must create command limiting rules for the commands specified in the COMMANDS operand of the CMDLIM VMO record.
You must create diagnose limiting rules for the diagnoses specified in the DIAGS operand of the DIAGLIM VMO record. If you have selected the CA ACF2 for z/VM Diagnose Limiting feature, be sure to write a rule for the 0ACF diagnose that CA ACF2 for z/VM uses. At a minimum, allow the MAINT user to use the 0ACF diagnose. This lets MAINT IPL a modified CMS system through an IPL command, but prevents other users from IPLing a nonshared secured CMS system.
Write resource rules for account validation, AUTOLOG and XAUTOLOG, DIAL, group logon, dataspaces, IUCV, APPC/VM, and VMCF.
Brief samples for each type of resource rule follow. For complete details on how CA ACF2 for z/VM supports each of these facilities (specifically, on related rules, logonid privileges, and validation flow), see the Administrator Guide.
Each rule key identifies an account number and the rule entries specify user access permissions for that account.
acf
ACF set resource(act)
RESOURCE compile
$key(act001) type(act) uid(rscs1) allow
RESOURCE store
The default three‑character resource type code is ACT. However, you can change this locally through the ACCOUNT operand of the RESCLASS VMO record.
A utility named ACFCVACT EXEC is provided to let you create account resource rules from the CP directory. This utility also prepares a file of ACF CHANGE subcommands to create VMACCT field values for logonids in the directory. This VMACCT logonid attribute indicates the default account number for a virtual machine that is account validated.
Each rule key names the target of a machine you can autolog. Rule entries specify which users can autolog that machine.
acf
ACF set resource(alg)
RESOURCE compile
$key(maint) type(alg) uid(syspgr*) allow
RESOURCE store
The default three‑character resource type code is ALG. However, you can change this locally through the AUTOLOG operand of the RESCLASS VMO record.
We provide a utility named ACFCVALG EXEC to create AUTOLOG and XAUTOLOG resource rules from the CP directory.
The following information applies to execution of the AUTOLOG and XAUTOLOG commands:
When EXECIO or DIAG x'08' does not buffer an AUTOLOG or XAUTOLOG response, the autologging virtual machine can hang, particularly when the target machine is forced into a CP read, such as during a password expired condition. To prevent these machines from ever hanging, use EXECIO and DIAG x'08' with message buffering.
Whenever AUTOLOG or XAUTOLOG ends with a nonzero return code and message buffering is in effect, CA ACF2 for z/VM cancels any CP read, displaying an appropriate message. In such cases, the exec or program that issued the XAUTOLOG or AUTOLOG command must take the appropriate action, such as notifying the operator and displaying all messages. The autologging machine should then continue with its next function. With message buffering, it is the exec or program's responsibility to display the associated messages.
If you set PSWDSUP=NO and CA ACF2 for z/VM requires you to enter a password, you must supply the password on the command line if you issued the SET PASSWORD AUTOLOG INCLUDE command since the last IPL. If SET PASSWORD AUTOLOG SEPARATE is in effect (the system default), you cannot enter the password on the command line (CA ACF2 for z/VM considers it as console input data).
There is one more password consideration for XAUTOLOG, when the SET PASSWORD XAUTOLOG INCLUDE mode is in effect. Under this mode, if you turn off password suppression (PSWDSUP=NO) and execute the AUTOLOG command where no password is required, you must issue a dummy password of at least one character with the AUTOLOG command.
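The buffered autolog pattern described above, written as an added CMS REXX exec; this is example code, not from the CA ACF2 for z/VM manual. The exec name XAUTOBUF and the operator notification are assumptions, and it assumes SET PASSWORD XAUTOLOG SEPARATE is in effect (the default), so no password is passed on the command line.

```rexx
/* XAUTOBUF EXEC: autolog a target machine with buffered CP responses.  */
/* Added example, not from the CA ACF2 for z/VM manual. Assumes CMS     */
/* REXX with EXECIO and SET PASSWORD XAUTOLOG SEPARATE in effect, so    */
/* no password is supplied on the XAUTOLOG command line.                */
arg target .
if target = '' then do
  say 'Usage: XAUTOBUF userid'
  exit 4
end

/* EXECIO ... CP (STRING issues the command through DIAG x'08' with    */
/* message buffering: every CP response line is placed on the program  */
/* stack instead of the console, so a CP read forced on the target     */
/* (for example by an expired password) cannot hang this machine.      */
'EXECIO * CP (STRING XAUTOLOG' target
cprc = rc            /* EXECIO passes back the CP return code */

/* With buffering, displaying the buffered messages is the exec's job. */
do while queued() > 0
  parse pull line
  say line
end

if cprc <> 0 then do
  /* Nonzero rc: CA ACF2 cancelled any pending CP read on the target.  */
  /* Notify the operator and let the caller continue with its next     */
  /* function rather than waiting on the target.                       */
  'CP MSG OP XAUTOLOG of' target 'failed, rc =' cprc
  exit cprc
end

say target 'autologged.'
exit 0
```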
Each rule key names the target of a machine that a user can access using the DIAL command. Rule entries specify who can dial that machine.
acf
ACF set resource(dia)
RESOURCE compile
$key(testvm) type(dia) uid(musr-) allow
RESOURCE store
The default three‑character resource type code is DIA. However, you can change this locally through the DIAL operand of the RESCLASS VMO record.
You must also define the names of the virtual machines that bypass CA ACF2 for z/VM DIAL command validation, such as VTAM and VTERM. Define these machines with the DIALBYP logonid attribute. All machines without the DIALBYP logonid attribute undergo CA ACF2 for z/VM DIAL resource validation. CA ACF2 for z/VM logs the dials and drops of dialed devices.
A group machine is any machine that has the CA ACF2 for z/VM logonid attribute of GRPLOGON. Each rule key names the target of a group machine. Rule entries specify who can log onto that machine.
acf
ACF set resource(grp)
RESOURCE compile
$key(maint) type(grp) uid(sys-) allow
RESOURCE store
The default three‑character resource type code is GRP. However, you can change this locally through the GRPLOGON operand of the RESCLASS VMO record.
CA ACF2 for z/VM validates all VM dataspace accesses. This validation occurs at PERMIT time, not at actual access time.
Dataspace protection is activated by default at installation time. The resource rule type for dataspace validation is the DSPACE(xxx) keyword of the RESCLASS VMO record. The default DSPACE resource rule type for dataspaces is DSP.
As with IUCV validation, the owner of a dataspace must be defined in the COMSEC list before dataspace validation can occur. Unlike IUCV validation rules, dataspace rules must distinguish between READ and WRITE access to the dataspace. Therefore, dataspace rules use the SERVICE keyword of resource rules to distinguish between READ access (which is read-only) and UPDATE access (both READ and WRITE).
Below is a sample dataspace access rule that permits TLCAMS read access to any dataspaces TLCJAM created, and lets TLCMEG have write access:
acf
ACF set resource(dsp)
RESOURCE compile
$key(tlcjam) type(dsp)
uid(tlcams) service(read) allow
uid(tlcmeg) service(update) allow
RESOURCE store
Each rule key names the target of a machine that you can access through an IUCV CONNECT function. The rule entries specify who can CONNECT to that machine.
acf
ACF set resource(iuc)
RESOURCE compile
$key(%msg) type(iuc) uid(-) allow
RESOURCE store
The default three‑character resource type code is IUC. However, you can change this locally through the IUCV operand of the RESCLASS VMO record. We used the percent sign (%) instead of an asterisk (*) in the rules for CP system services.
You must define the names of the virtual machines and CP system services that CA ACF2 for z/VM controls. Define these machines in the COMSEC operand of the VMXAOPTS macro. The default is COMSEC=(INCLUDE,-). This lets CA ACF2 for z/VM control CONNECTs to all machines. For more information about IUCV support, see the Systems Programmer Guide.
Each rule key names the target of a resource ID that you can access through an APPC/VM CONNECT function. The rule entries specify who can connect to that resource ID.
acf
ACF set resource(iuc)
RESOURCE compile
$key(applsrv) type(iuc) uid(-) allow
RESOURCE store
The default three‑character resource type code is IUC. It is the same as the default for IUCV support. See the Inter‑User Communication Vehicle (IUCV) Support section for information about changing the default at your site.
You must define the names of the resource IDs that CA ACF2 for z/VM is to control. The COMSEC operand of the VMXAOPTS macro defines these resource IDs. The default is COMSEC=(INCLUDE,-). This lets CA ACF2 for z/VM control CONNECTs to all resource IDs. See the Administrator Guide for additional information on APPC/VM support.
Each rule key names the target of a machine that you can access through a VMCF AUTHORIZE and UNAUTHORIZE function. The rule entries specify who can use VMCF to communicate with that machine.
acf
ACF set resource(vmc)
RESOURCE compile
$key(dirmaint) type(vmc) uid(dasdmgr) allow
RESOURCE store
The default three-character resource type code is VMC. However, you can change this locally through the VMCF operand of the RESCLASS VMO record. You must define the names of the virtual machines that CA ACF2 for z/VM controls. Define these machines in the COMSEC operand of the VMXAOPTS macro. The default is COMSEC=(INCLUDE,-). This lets CA ACF2 for z/VM control VMCF communications to all machines. For more information about VMCF support, see the Systems Programmer Guide.
CA ACF2 for z/VM autologs the postbackup service machine after any backup, whether automatic or the ACFSERVE BACKUP command invoked it. This service machine
You can set up this service machine any way you like. CA ACF2 for z/VM only autologs the postbackup service machine. See the Administrator Guide for sample procedures.
To activate the postbackup service machine option, modify the AUTOLOG operand of the BACKUP VMO record. This operand specifies the name of the postbackup service machine.
set control(vmo)
VMO change backup autolog(acf2pbsm)
ACF2PBSM is the CA ACF2 for z/VM postbackup service machine. Add a directory entry for the service machine:
USER ACF2PBSM DUMMYPWD 4M 8M
.
MDISK 191 . . . (a one-cylinder minidisk)
Add a logonid record for the postbackup service machine. For example, you can enter the following command:
INSERT ACF2PBSM PASSWORD(secret) NOPSWD-EXP VM AUTONOPW AUDIT
Modify or create the rule for the CA ACF2 for z/VM service machine to let the postbackup service machine access its disks. Assuming the name of your service machine is ACF2VM, here is a sample rule:
$key(acf2vm)
v0195.- uid(acf2pbsm) r(a)
v03a-.- uid(acf2pbsm) r(a) w(a)
Create an autolog resource rule to let the service machine autolog the postbackup service machine, as shown below:
$key(acf2pbsm) type(alg) uid(acf2vm) allow
Format the postbackup service machine 191 disk, if necessary, and create a profile exec to do the necessary processing. For details on the processing the postbackup service machine performs after CA ACF2 for z/VM autologs it and the sample execs available for configuring this machine to restore the databases, see the Administrator Guide.
There might be times when you want to restart the CA ACF2 for z/VM service machine or you might want to dump the service machine storage and then restart it. To restart the CA ACF2 for z/VM service machine, enter the following command:
ACFSERVE RESTART
To restart the service machine and take a dump, enter the following command:
ACFSERVE RESTART DUMP
The default privilege for these commands is SECURITY. The system operator can also issue these commands.
Copyright © 2013 CA Technologies.
All rights reserved.