2.5.2 Security Package Considerations
VCC allocates and opens ICF and VSAM catalogs, VVDSs, and
OS/VTOCs. Enterprise Security packages such as IBM's RACF,
CA Top Secret, and CA ACF2 provide open exits that match the
name of the data set being opened against a list of
restricted names defined by your security officer. Quite
often names of the aforementioned special data sets are in a
list of secured names, which means that normal VSAM password
protection functions are bypassed and handled instead by the
security package.
Note: To avoid security violations, you must thoroughly
research the security in force for VSAM and ICF catalogs and
VTOCs (if applicable) to ensure that the user ID under which
the VCC scan is run has READ access to the names of the
catalogs and VTOCs that VCC will be scanning. The user ID
must also have READ access to all PDSEs from which it will be
collecting data. If HSM=Y is coded in the runtime parameters,
the user ID under which the scan is run must have READ access
to the MCDS and BCDS that the scan job is accessing.
VCC uses the Callable Assembler Interface to UNIX System
Services to scan the Hierarchical File Systems. In order to
access UNIX System Services, the userid assigned to the batch
job must be defined to UNIX System Services security. The
userid must be assigned a UNIX userid (UID), a groupid (GID),
and a home directory. See the appropriate security product's
manuals for additional information.
Prior to scanning the mounted Hierarchical File Systems, VCC
issues the function SETUID(0) (set USERID to SUPERUSER) to
ensure that it has read access to all the files within the
HFS structure. In order to function properly, VCC must have
authority to the BPX.SUPERUSER resource in the FACILITY
class. This allows the SETUID(0) call to complete
successfully.
For the IBM z/OS Security Server RACF, see the IBM manual
"UNIX System Services Planning", Chapter 16 (Establishing
UNIX Security), for additional information. Review the
sections of Chapter 16 on BPX.SUPERUSER, Assigning Superuser
Attributes, Using UNIXPRIV Class Profiles, and Setting Up the
BPX.* FACILITY Class Profiles (BPX.SUPERUSER).
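The following batch job is an added illustration of the RACF
setup described above; it is not part of the VCC
documentation or the product. It gives the scan job's userid
an OMVS segment with a non-zero UID, READ on BPX.SUPERUSER so
that the SETUID(0) call succeeds, and READ on the catalog and
HSM control data set profiles the scan opens. All names
(VCCBATCH, VCCGRP, the UID/GID numbers, the home directory and
the DATASET profile names) are placeholders, and the DATASET
profiles and FACILITY class are assumed to exist and be active.

```jcl
//RACFDEF  JOB (ACCT),'VCC SECURITY SETUP',CLASS=A,MSGCLASS=X
//*  Constructed example: security definitions a VCC scan job
//*  needs under RACF. Every name and number below is a
//*  placeholder; substitute your installation's values.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Group and user need OMVS segments (GID, UID, home dir)  */
  /* so the batch job can use UNIX System Services.          */
  ADDGROUP VCCGRP OMVS(GID(500))
  ADDUSER  VCCBATCH DFLTGRP(VCCGRP) NAME('VCC SCAN JOB') +
           NOPASSWORD +
           OMVS(UID(500) HOME('/u/vccbatch') PROGRAM('/bin/sh'))
  /* UID is deliberately non-zero: superuser is obtained only */
  /* through BPX.SUPERUSER when VCC issues SETUID(0).         */
  RDEFINE  FACILITY BPX.SUPERUSER UACC(NONE)
  PERMIT   BPX.SUPERUSER CLASS(FACILITY) ID(VCCBATCH) ACCESS(READ)
  /* READ on the catalogs the scan opens and, when HSM=Y is   */
  /* coded, on the MCDS and BCDS. DATASET profile names are   */
  /* placeholders and are assumed to already exist.           */
  PERMIT   'CATALOG.MASTER'    ID(VCCBATCH) ACCESS(READ)
  PERMIT   'CATALOG.USER*.**'  ID(VCCBATCH) ACCESS(READ)
  PERMIT   'HSM.MCDS'          ID(VCCBATCH) ACCESS(READ)
  PERMIT   'HSM.BCDS'          ID(VCCBATCH) ACCESS(READ)
  /* FACILITY is assumed active and RACLISTed; refresh so the */
  /* new profile and permission take effect.                  */
  SETROPTS RACLIST(FACILITY) REFRESH
  /* Verify: the OMVS segment is present and the access list  */
  /* on BPX.SUPERUSER shows VCCBATCH with READ.               */
  LISTUSER VCCBATCH OMVS NORACF
  RLIST    FACILITY BPX.SUPERUSER AUTHUSER
/*
```

The PERMIT commands grant READ only; none of the data set
profiles need UPDATE for a scan, and a higher access level
would widen what a compromised batch userid could alter.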
For CA ACF2, the userid that is assigned to the batch job
must be defined to CA ACF2 Unix System Services Security. See
the CA ACF2 Administrator Guide, chapter 21 (z/OS UNIX System
Services Support) for information about defining a
userid and setting up the ability to execute the setuid(0)
function.
For CA Top Secret, the userid that is assigned to the batch
job must be defined to CA Top Secret Unix System Services
Security. See the CA Top Secret documentation for information
about defining a userid and setting up the ability to execute
the setuid(0) function.