

Run the CA Chorus Platform Security Job

The ETJI095x, ETJ2540T, and ETJ3040x security jobs simplify how you meet many security requirements. You run one of these jobs depending on your installation type and external security manager.

Note: In these security jobs, x equals A for CA ACF2, T for CA Top Secret, or R for IBM RACF. These jobs reside on the CA Chorus product page under Content Type, Recommended Reading.

Important! These jobs and this section apply only to CA Chorus Platform security. The discipline Site Preparation Guides address additional security requirements. Before proceeding with this topic, determine if your discipline offers a security job. To do so, check the discipline product page under Content Type, Recommended Reading. To simplify security administration, we recommend that you run these jobs at the same time.

The following list details the security requirements that the job addresses.

Important! Review the following conceptual material before you proceed to the steps at the end of this topic.

(CA Top Secret only) Master Facility

If you are using CA Top Secret, define a master facility and associate it with the CA Chorus started task. Use CAWEBSVR as the master facility. The master facility (MASTFAC keyword) lets users access the CAWEBSVR facility. Before you can use the facility as a master facility, define it to CA Top Secret as a user facility in the system facilities matrix.

Important! Perform this task only once. If you have added CAWEBSVR to the facilities matrix and you have activated the definition, do not repeat this task.

You then give permission to the CA Top Secret facility CAWEBSVR for every user ACID accessing CA Chorus.

Administrator User ID and Group ID

You run CA Chorus using one user ID (CHORADM by default), which has a defined UNIX System Services (USS) segment, so that the following conditions are met:

Note: We recommend that the home directory be the same as the CA Chorus installation path.

The following security user IDs are created when you run the ETJI095x job. If the default values are not used, change all occurrences of CHORADM, CHORGRP, and CHORTHD in the security job.

CHORADM

Started task user ID that is used to run CA Chorus.

CHORGRP

Default group name. This group creates a relationship among all relevant security objects.

CHORTHD

User ID for PassTicket requests related to applications.

Note: Unique USS UIDs and GIDs (user ID and group ID numbers) must be used for the CA Chorus started task user IDs. Select a UID and GID that match numerically so that they are easier to track.

Important! All users, including the installer, must have access to the group specified in this member. The default group is CHORGRP.

Started Tasks

The following started tasks are defined when you run the ETJI095xx job. The default values are shown. If you do not use default names for the started tasks, change the names in the security job.

Note: We recommend that all CA Chorus tasks run as a started task with REGION=0M. If your site restricts the REGION=0M parameter, we recommend that you run with the maximum region size permitted.

Important! In the following content, CHORTSFB indicates the TSF Bridge started task; CHORNTSF indicates the TSF Server started task.

CHORTSFB

Started task name that is associated with the TSF Bridge.

CHORNTSF

Started task name that is associated with the Time Series Facility (TSF) Server.

CHORTSFR

Started task name that is associated with the TSF Relay for a remote TSF configuration. This started task is created only if TSF data relays are defined.

CHORJBOS

Started task name that is associated with the CA Chorus Application Server.

Resource Class

CA Chorus defines security resources in class CAMFC, which you define using your security product. You then assign permissions for users to the discipline-specific resources as applicable. For more information about the required user permissions, see the discipline-specific installation guides.

Note: CAMFC is a resource class specifically for CA Chorus. The name of the class and entries cannot be modified.

PassTickets for General Users

The CA Chorus server generates PassTickets that permit users to access the various back-end products that the CA Chorus disciplines use. As users access components, PassTickets are generated to validate the requests.

The CA Chorus PassTicket configuration includes the following systems:

The CA Chorus server system provides the entry point for CA Chorus users. Users can then access all of the CA Chorus remote systems that they have been authorized to use in your network of z/OS systems.

The PassTicket configuration for the security product must be done on each z/OS system that is hosting a component that CA Chorus uses. Configure PassTickets in your z/OS security products to enable the generation and validation of connections that are required for CA Chorus disciplines. If your site meets the following criteria, no additional security setup is required on the remote systems:

PassTickets for CA CSM Users

CA Chorus uses PassTicket security to let users launch CA Chorus™ Software Manager from the Quick Links module without requiring another user login. All systems using PassTickets must have identical application names and session keys for all nodes on the network. Note the following requirements:

Follow these steps:

  1. Retrieve the security job that applies to your installation type and external security manager:
    1. For new installations, or for upgrades where you use a unique CA Chorus Administrator ID (CHORADM) for the Version 4.0 region:

      Note: On CA Support Online, the links to the Version 4.0 security jobs are appended with two letters instead of one to differentiate these jobs from the Version 3.0 security jobs: ETJI095AC for CA ACF2, ETJI095TS for CA Top Secret, and ETJI095RA for IBM RACF.

    2. For Release 2.5 to Version 4.0 upgrades where you use the same CHORADM for the Release 2.5 and Version 4.0 regions and are using CA Top Secret:
      • CA Top Secret: ETJ2540T
      • If you are using CA ACF2 or IBM RACF, use the ETJI095x security job.
    3. For Version 3.0 to Version 4.0 upgrades where you use the same CHORADM for the Version 3.0 and Version 4.0 regions:
  2. Review the entire job.
  3. Edit the job according to the comments.
  4. Submit the job.

    The noted security requirements are met.

  5. (CA Top Secret only) Complete the following steps:
    1. Add the following lines to the applicable CA Top Secret parameter file (PARMFILE):
      FACILITY(USERxx=NAME=CAWEBSVR)
      FACILITY(CAWEBSVR=PGM=********)
      FACILITY(CAWEBSVR=ACTIVE,SHRPRF,MULTIUSER,AUTHINIT)
      
      xx

      User facility number. Use any available user facility number on your system.

      Important! The xx value must match the value that you specified when you ran the security job.

    2. Restart CA Top Secret.
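A check you can run on a copy of the PARMFILE before restarting CA Top Secret in step 5, to confirm that the three CAWEBSVR lines are present, that the facility is defined only once, and that the USERxx slot matches the security job. This is an added example, not part of the CA documentation or the security job; the function name, the sample extracts, and the assumption that options are processed top to bottom are illustrative.

```python
import re

# Attributes the page's PARMFILE lines set on the CAWEBSVR facility.
REQUIRED_ATTRS = {"ACTIVE", "SHRPRF", "MULTIUSER", "AUTHINIT"}
# Only FACILITY(...) lines match; comments and other control options are ignored.
FACILITY_RE = re.compile(r"^\s*FACILITY\((\w+)=(.*)\)\s*$", re.IGNORECASE)

def check_cawebsvr(parmfile_text, expected_slot=None):
    """Return a list of problems; an empty list means the definition is complete."""
    renames, attrs, has_pgm, problems = [], set(), False, []
    for lineno, line in enumerate(parmfile_text.splitlines(), 1):
        m = FACILITY_RE.match(line)
        if not m:
            continue
        target, value = m.group(1).upper(), m.group(2).upper()
        if value == "NAME=CAWEBSVR":
            renames.append(target)
        elif target == "CAWEBSVR":
            if not renames:  # assumption: options are processed top to bottom
                problems.append(f"line {lineno}: CAWEBSVR used before it is named")
            items = value.split(",")
            has_pgm = has_pgm or any(i.startswith("PGM=") for i in items)
            attrs.update(i.strip() for i in items if "=" not in i)
    if not renames:
        problems.append("no FACILITY(USERxx=NAME=CAWEBSVR) line")
    elif len(renames) > 1:  # the page says to define the facility only once
        problems.append("CAWEBSVR named more than once: " + ", ".join(renames))
    for slot in renames:
        if not re.fullmatch(r"USER\d+", slot):
            problems.append(f"{slot} is not a USERxx facility")
        elif expected_slot and slot != expected_slot.upper():
            problems.append(f"{slot} does not match security job value {expected_slot}")
    if not has_pgm:
        problems.append("no FACILITY(CAWEBSVR=PGM=...) line")
    if REQUIRED_ATTRS - attrs:
        problems.append("missing: " + ", ".join(sorted(REQUIRED_ATTRS - attrs)))
    return problems

# Constructed PARMFILE extracts; USER12 and USER15 are arbitrary sample slots.
GOOD = """FACILITY(USER12=NAME=CAWEBSVR)
FACILITY(CAWEBSVR=PGM=********)
FACILITY(CAWEBSVR=ACTIVE,SHRPRF,MULTIUSER,AUTHINIT)
"""
BAD = """FACILITY(CAWEBSVR=ACTIVE,SHRPRF,MULTIUSER)
FACILITY(USER12=NAME=CAWEBSVR)
FACILITY(USER15=NAME=CAWEBSVR)
"""

if __name__ == "__main__":
    print(check_cawebsvr(GOOD, "USER12"), check_cawebsvr(BAD), sep="\n")
```

Pass the USERxx value you used in the security job as expected_slot so that a mismatch is reported before the restart rather than after it.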