The ETJI095x security job simplifies how you meet many of the CA Chorus security requirements. The job is named ETJI095x, where x is A for CA ACF2, T for CA Top Secret, or R for IBM RACF. These jobs reside on the CA Chorus product page under Content Type, Recommended Reading.
This job and section apply only to CA Chorus platform security. The discipline Site Preparation Guides address additional security.
The following list details the security requirements that the job addresses.
Important! Review the following conceptual material before you proceed to the steps at the end of this topic.
(CA Top Secret only) Master Facility
If you are using CA Top Secret, define a master facility and associate it with the CA Chorus started task. Use CAWEBSVR as the master facility. The master facility (MASTFAC keyword) lets users access the CAWEBSVR facility. Before you can use the facility as a master facility, define it to CA Top Secret as a user facility in the system facilities matrix.
Important! Perform this task only once. If you have added CAWEBSVR to the facilities matrix and you have activated the definition, do not repeat this task.
You then authorize every user ACID that accesses CA Chorus to the CA Top Secret facility CAWEBSVR.
Administrator User ID and Group ID
You run CA Chorus using one user ID (CHORADM by default), which has a defined UNIX System Services (USS) segment, so that the following conditions are met:
Note: We recommend that the home directory be the same as the CA Chorus installation path.
The following security user IDs are created when you run the ETJI095x job. If the default values are not used, change all occurrences of CHORADM and CHORGRP in the security job.
Started task user ID that is used to run CA Chorus.
Default group name. This group creates a relationship among all relevant security objects.
User ID for PassTicket requests related to applications.
Note: The CA Chorus started task user IDs must use unique USS UIDs and GIDs (user ID and group ID numbers); do not reuse a UID or GID that is already assigned to another user or group. Selecting a UID and GID with the same number makes them easier to track.
Important! All users, including the installer, must have access to the group specified in this member. The default group is CHORGRP.
Started Tasks
The following started tasks are defined when you run the ETJI095x job. The default values are shown. If you do not use default names for the started tasks, change the names in the security job.
Note: We recommend that all CA Chorus tasks run as a started task with REGION=0M. If your site restricts the REGION=0M parameter, we recommend that you run with the maximum region size permitted.
Started task name that is associated with the CA Datacom/AD MUF for CA Chorus. The name depends on the name that you previously assigned to the MUF.
Started task name that is associated with the Time Series Facility (TSF).
Started task name that is associated with the remote TSF configuration. This started task is created only if TSF data relays are defined.
Started task name that is associated with the JBoss server.
Resource Class
CA Chorus defines security resources in class CAMFC, which you define using your security product. You then assign permissions for users to the discipline-specific resources as applicable. For more information about the required user permissions, see the discipline-specific installation guides.
Note: CAMFC is a resource class specifically for CA Chorus. The name of the class and entries cannot be modified.
PassTickets for General Users
PassTickets are required for users to access the z/OS components and products that CA Chorus and its supported disciplines use. A PassTicket is a temporary, encrypted substitute for the user's password that is valid only for a specific user ID and application. A PassTicket must be used within 10 minutes of the time it is generated.
Using PassTickets lets the z/OS components and products authenticate a user ID without sending z/OS passwords over the network. The user logs in to CA Chorus once with a valid z/OS user ID and password; from then on, a PassTicket stands in for the password. The following process occurs when the user selects a function that accesses a z/OS component:
The component calls the z/OS security product to authenticate the user using the PassTicket as a password substitute before processing the request.
The CA Chorus server generates PassTickets that permit users to access the various back-end products that the CA Chorus disciplines use. As users access components, PassTickets are generated to validate the requests.
The CA Chorus PassTicket configuration includes the following systems:
The CA Chorus server system provides the entry point for CA Chorus users. Users can then access all of the CA Chorus remote systems that they have been authorized to use in your network of z/OS systems.
The PassTicket configuration for the security product must be done on each z/OS system that hosts a component that CA Chorus uses. Configure PassTickets in your z/OS security product so that the PassTickets that the CA Chorus disciplines need for their connections can be generated and validated. If your site meets the following criteria, no additional security setup is required on the remote systems:
If the requisite products and components exist on a remote system that does not share the security database, additional security setup is required on that remote system.
PassTickets for CA CSM Users
CA Chorus uses PassTicket security to let users launch CA Chorus™ Software Manager from the Quick Links module without another user login. The PassTicket application name and the session key must be identical on every node in the network that uses PassTickets; a node whose key or application name differs cannot validate the PassTickets that another node generates. Note the following requirements:
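The following Python model, added here as an illustration and not code from CA Chorus, IBM or the security products, walks through the PassTicket flow described above (one password login at the entry point, then time-limited, application-bound tickets to the back ends) and shows why the session key and application name must match on every node. It uses an HMAC in place of IBM's Secured Signon algorithm; the application name EXAMPLAP, the keys, the user ID and the clock values are constructed for the example.

```python
import hmac
import hashlib
import string

# Constructed constants for this example; the page names no application or key.
LIFETIME_SECONDS = 600                            # a PassTicket must be used within 10 minutes
TICKET_ALPHABET = string.ascii_uppercase + string.digits
APPL = "EXAMPLAP"                                 # hypothetical PassTicket application name
SHARED_KEY = bytes.fromhex("0123456789ABCDEF")    # hypothetical session key held by all nodes
OTHER_KEY = bytes.fromhex("FEDCBA9876543210")     # a node that was set up with a different key


def _ticket(key, userid, appl, t):
    """Derive an 8-character ticket from key, user ID, application name and a
    second-granularity time. HMAC-SHA256 stands in for the real DES-based algorithm."""
    msg = f"{userid.upper():<8}{appl.upper():<8}{t:d}".encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return "".join(TICKET_ALPHABET[b % len(TICKET_ALPHABET)] for b in digest[:8])


class SecurityNode:
    """One z/OS system's security database: the application keys it holds and the
    tickets it has already honoured, so that a replayed ticket is refused."""

    def __init__(self, name, keys):
        self.name = name
        self.keys = dict(keys)          # application name -> session key
        self.used = set()

    def generate_passticket(self, userid, appl, now):
        return _ticket(self.keys[appl], userid, appl, now)

    def validate_passticket(self, userid, appl, ticket, now):
        """Return 'OK' if the ticket is accepted, otherwise a reason.
        The ticket carries no timestamp, so the validator recomputes it for every
        second in the acceptance window and compares in constant time."""
        key = self.keys.get(appl)
        if key is None:
            return "NO-APPL"            # application not defined on this node
        for t in range(now - LIFETIME_SECONDS, now + 1):
            if hmac.compare_digest(_ticket(key, userid, appl, t), ticket):
                if (userid, appl, ticket) in self.used:
                    return "REPLAY"
                self.used.add((userid, appl, ticket))
                return "OK"
        return "INVALID"                # wrong key, wrong user/application, or expired


def run_demo():
    """Walk the flow from the text and return the outcome of each check."""
    home = SecurityNode("CHORUSSYS", {APPL: SHARED_KEY})        # CA Chorus server system
    shared = SecurityNode("REMOTE1", {APPL: SHARED_KEY})        # same key: no extra setup
    mismatched = SecurityNode("REMOTE2", {APPL: OTHER_KEY})     # different key: cannot validate
    now = 1_700_000_000                                         # fixed clock for reproducibility
    results = {}

    # The password was checked once at login on the home system; from here on only
    # PassTickets travel to the back-end components.
    ticket = home.generate_passticket("USER01", APPL, now)
    results["ticket_len"] = len(ticket)
    results["home"] = home.validate_passticket("USER01", APPL, ticket, now + 30)
    results["replay"] = home.validate_passticket("USER01", APPL, ticket, now + 60)
    results["shared_key_node"] = shared.validate_passticket("USER01", APPL, ticket, now + 30)
    results["mismatched_key_node"] = mismatched.validate_passticket("USER01", APPL, ticket, now + 30)
    results["wrong_user"] = shared.validate_passticket("USER02", APPL, ticket, now + 30)

    # A fresh ticket is accepted at exactly the 10-minute limit and refused one second later.
    t2 = home.generate_passticket("USER01", APPL, now + 1000)
    results["at_limit"] = shared.validate_passticket("USER01", APPL, t2, now + 1000 + LIFETIME_SECONDS)
    t3 = home.generate_passticket("USER01", APPL, now + 3000)
    results["expired"] = shared.validate_passticket("USER01", APPL, t3, now + 3000 + LIFETIME_SECONDS + 1)
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check:20s} {outcome}")
```

The mismatched-key node rejects a ticket that the shared-key node accepts, which is the situation the text warns about for remote systems that do not share the security database; the fix there is to define the same application name and session key on that system, not to relax validation.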
Follow these steps:
The noted security requirements are met.
FACILITY(USERxx=NAME=CAWEBSVR)
FACILITY(CAWEBSVR=PGM=********)
FACILITY(CAWEBSVR=ACTIVE,SHRPRF,MULTIUSER,AUTHINIT)
User facility number. Use any available user facility number on your system.
Important! The xx value must match the value that you specified when you ran ETJI095T.
Copyright © 2015 CA Technologies.
All rights reserved.