Addressing Security Requirements › Define Security Authorizations for CIA Real-Time Component (CA ACF2)

Define Security Authorizations for CIA Real-Time Component (CA ACF2)

If you are using CA ACF2, create the CA ACF2 security environment required for the CIA real-time component.

The CIARTACF job does the following:

• Defines an STC logonid for the CIA real-time component address space with the unscoped AUDIT privilege and defines the OMVS and group profiles required for USS capabilities.
• Gives the STC logonid access to the CIA real-time component data sets.
• Defines the CIA real-time GSO CHORUS record.

  When specified, the following fields in the CA ACF2 GSO CHORUS record enable the recording of update requests to the CIA logstream.

  • CIA
  • CIALOG
  • CIASTG(25|nn)
  • CIAHOST(CIA DSI host name)
  • CIAPORT(nn)

  The CA ACF2 Global System Option (GSO) CHORUS record provides the information required by the CIA real-time component to connect to the DSI server and to read and process the update requests from the CIA logstream.

  CIA|NOCIA

  Specifies whether CIA real-time updates are active or inactive. When CIA is specified at CA ACF2 startup, it will be started automatically. The default is NOCIA.

  CIASTART|NOCIASTART

  Specifies whether the CIA real-time component started task is automatically started during CA ACF2 initialization.

  CIALOG

  Specifies the name of the log stream used by the CIA real-time process. This name must match the logstream name in the CIALOGST job that created the logstream.

  CIAPROC(CIARTUPD|CIA started procedure name)

  Specifies the procedure name for the CIA real-time component started task procedure.

  CIASYSID(CIA sysid used in the CIA database)

  Specifies the SYSID parameter value that was used for this security image when its information was loaded into the CIA repository.

  This option allows multiple z/OS images to update a single security image in CIA. When a security product database is shared across multiple z/OS images, each of those images must use the CIASYSID control option to specify the SYSID of the single image that was unloaded.

  CIASTG(25|nn)

  Specifies the maximum amount of above the bar (64 bit) storage in the ACF2 address space that is used to temporarily hold the queue of update requests that are waiting to be written out to the CIA logstream.

  CIAHOST(CIA DSI host name)

  Specifies the 1-to-255 character host name for the CA DSI Server on the z/OS image that hosts the CIA repository. For more information, see the CA DSI Server Installation Guide.

  CIAPORT(nn)

  Specifies the port number for the CA DSI Server on the z/OS image that hosts the CIA repository. For more information, see the CA DSI Server Installation Guide.

Follow these steps:

1. Edit the CIARTACF job in CAI.CAX1JCL0.

   Important! DO NOT activate CIA real-time recording in this job. Activation is done later in this guide.

   Modify the job to conform to your installation standards. Follow the instructions in the Notes and the Customization sections of the job to customize the job for your environment.

2. Submit the CIARTACF job.

   The job runs and completes.

3. Verify the output of the CIARTACF job.

   The CIA real-time component is authorized to access security data and send real-time updates.