The following steps can be used as a guide to enable external security for online signons to CA IPC-based products and facilities such as CA Datacom Datadictionary online and CA Ideal. Sites that use external security to validate signons must use the SC00OPTS SECRTY=Y option instead of the traditional method, used when SC00OPTS SECRTY=N, which extracts the user ID from the value present in the TCTTEOI of the CICS TCTTE.
Note: For information about coding SC00OPTS, see Step 6 and the CA IPC Implementation Guide.
Step 1
Ensure that CAISSF has been installed.
In z/OS sites, CAISSF is a subservice of CAIRIM, a component of CA Common Services for z/OS. Additionally, RACF users must follow the instructions for customizing CAISSF for RACF and RACF-compatible products in the CA Common Services for z/OS installation guide. CAS9SAFC must be assembled with CICS-YES if RACF is installed.
In z/VSE sites, CAISSF is a separate service of the CA CIS. See the CA CIS installation guide.
Step 2
Define the CA Command resource class in the security product. For CA ACF2 and CA Top Secret, the resource class should already be present.
| Product | CA Command Resource Class Name |
|---|---|
| CA ACF2 | CAC |
| CA Top Secret | CACMD |
| RACF | CA@MD (by default) (see the CA Common Services for z/OS Installation Guide) |
Step 3
Authorize users for access to the CA Command resource for the SCF-based product or component of the product they need to access.
| Product or Component | Value of CA Command Resource |
|---|---|
| CA Datacom Datadictionary | DDSIGNON |
| CA Ideal | spSIGNON, where sp is the 2-character SECPRFX assigned in IDOPTS. |
| CA IPC | IPSIGNON |
For more information, see Sample CA Command Resource Definitions.
Step 4
Define the "partition job card user" in the external security product if job submits take place. This has nothing to do with the SC00OPTS security option being set to yes, but with what the security package puts into the job statement when a job is submitted through the TP monitor. For example, under CICS, CA Top Secret can be set to put the CICS user name and password into the job statement parameters.
At this point, establish the user access for each CA Datacom Datadictionary user. For more information, see User Access.
Step 5
For CA Ideal, establish a link between the security ID and user ID using one of the following methods. For other products, however, if you want to return to internal product security, we recommend that you keep the users in CA Datacom Datadictionary in synch with the external users you have enabled with CA Datacom Datadictionary authority using one of these methods.
To change the person names, you can simply run the following transactions in a single DDUPDATE batch job. Use a set of these transactions for each PERSON entity-occurrence name you want to change. If you have a file of the old and new names, you could write a quick program to generate the transactions for you.
-UPD PERSON,old-name(PROD,,ovrd)
1000 NEWNAME,newname
-END
Note: This method modifies the CA Datacom Datadictionary user signon definition, but not the CA Dataquery user in its entirety.
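A generator for the rename transactions described above, as an added example that is not CA's code. It assumes an input file of whitespace-separated old and new names, a 32-character name limit, upper-case names and 80-column input lines, and it leaves `ovrd` as the page's placeholder for the override code. It rejects mappings that would give two users the same signon name or that depend on the order in which the transactions run.

```python
import re

MAX_NAME = 32                     # assumption: name length limit; set to your site's rule
DELIMS = re.compile(r"[,()]")     # characters that are syntax in the transactions above

# Constructed sample input: old PERSON name, then the external security ID.
SAMPLE = """\
# old-name   new-name
JSMITH-DD    JSMITH01
MARY.JONES   MJONES02
"""

def parse_pairs(text):
    """Return [(old, new)] from 'old new' lines; raise ValueError on unsafe input."""
    pairs, olds, news = [], set(), set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.upper().split()   # assumption: names are upper case
        if len(fields) != 2:
            raise ValueError(f"line {n}: expected 'old-name new-name'")
        old, new = fields
        for name in fields:
            if len(name) > MAX_NAME or DELIMS.search(name):
                raise ValueError(f"line {n}: name {name!r} is too long or contains , ( )")
        if old == new:
            continue                    # nothing to rename
        if old in olds:
            raise ValueError(f"line {n}: {old} is renamed twice")
        if new in news:
            raise ValueError(f"line {n}: {new} would be shared by two users")
        olds.add(old); news.add(new)
        pairs.append((old, new))
    if olds & news:
        # A -> B plus B -> C depends on run order; make the operator resolve it.
        raise ValueError(f"chained renames: {sorted(olds & news)}")
    return pairs

def build_transactions(pairs, override="ovrd"):
    """Emit one -UPD / 1000 NEWNAME / -END set per pair, in the page's layout."""
    cards = []
    for old, new in pairs:
        cards += [f"-UPD PERSON,{old}(PROD,,{override})", f"1000 NEWNAME,{new}", "-END"]
    if any(len(c) > 80 for c in cards):  # assumption: 80-column card images
        raise ValueError("a generated line exceeds 80 columns")
    return "\n".join(cards) + "\n"

if __name__ == "__main__":
    print(build_transactions(parse_pairs(SAMPLE)), end="")
```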
For CA Ideal, consider the impact the option you choose is going to have on the $USER-NAME or $USER-ID functions that may exist in CA Ideal programs. The values may be different depending on the method of implementation. In some cases, the new value may be the desired result, while others may require modification to existing CA Ideal applications or other applications that are accessing data CA Ideal may be updating. The most important fact to realize is that the values returned for $USER functions reflect the CA Ideal user definition used for signon and not the security ID or alias.
For CA Datacom Datadictionary, when a new online user (who has authorization for the facility) attempts access to the Interactive SQL Service Facility, CA Datacom Datadictionary automatically places a PERSON entity-occurrence in CA Datacom Datadictionary that matches the security ID to tie the SQL default AUTHID to it.
Step 6
Reassemble SC00OPTS with SECRTY=Y. (For more information about coding SC00OPTS, see the CA IPC Implementation Guide.)
Step 7
For CA Ideal, reassemble IDOPTS for each region where a different SECPRFX is desired (UIDCHK and PSWCHK options in IDOPTSCB should be no as they are ignored when the security ID is extracted).
Step 8
Optionally in CICS, remove the user ID from SNT.
Step 9
CICS tables may need to be modified depending on the security product.
Step 10
To ensure unique signons, secure through the external security product. Optionally, you can use the CA IPC SET SITE option to check for duplicates. See the CA IPC documentation for details.
Step 11
Optionally, issue SET SITE ASYNCMSG for the region to suppress network print and compile messages that may not belong to the user if the CA IPC Print SubSystem (PSS) is active or CA Ideal is installed.
Step 12
If the CA Datacom Datadictionary or CA Ideal users are defined with passwords, you must set the System Resource Table (DDSYSTBL macro) parameter EXPBYPP=YES.
Copyright © 2014 CA. All rights reserved.