

2.5.2 Security Package Considerations


 VCC allocates and opens ICF and VSAM catalogs, VVDSs, and
 OS/VTOCs. Enterprise Security packages such as IBM's RACF,
 CA Top Secret, and CA ACF2 provide open exits that match the
 name of the data set being opened against a list of
 restricted names defined by your security officer. Quite
 often names of the aforementioned special data sets are in a
 list of secured names, which means that normal VSAM password
 protection functions are bypassed and handled instead by the
 security package.

 Note: To avoid security violations, you must thoroughly
 research the security in force for VSAM and ICF catalogs and
 VTOCs (if applicable) to ensure that the user ID under which
 the VCC scan is run has READ access to the names of the
 catalogs and VTOCs that VCC will be scanning. The user ID
 must also have read access to all PDSEs on which it will be
 collecting data. If HSM=Y is coded in the runtime parameters,
 the user ID under which the scan is run must have read access
 to the MCDS and BCDS that the scan job is accessing.

 VCC uses the Callable Assembler Interface to UNIX System
 Services to scan the Hierarchical File Systems. In order to
 access UNIX System Services, the userid assigned to the batch
 job must be defined to UNIX System Services security. The
 userid must be assigned a UNIX userid, a groupid, and a home
 directory. See the appropriate security product's manuals for
 additional information.

 Prior to scanning the mounted Hierarchical File Systems, VCC
 issues the function SETUID(0) (set USERID to SUPERUSER) in
 order to ensure having read access to all the files within
 the HFS structure. In order to function properly, VCC must
 have authority to the BPX.SUPERUSER resource in the FACILITY
 class. This will allow the SETUID(0) to function
 successfully.

 For the IBM z/OS Security Server RACF, see the IBM manual
 "UNIX System Services Planning", Chapter 16 (Establishing
 UNIX Security) for additional information. Review the
 sections of chapter 16 relating to BPX.SUPERUSER, Assigning
 Superuser Attributes, Using UNIXPRIV Class Profiles, and
 Setting up The BPX.* FACILITY Class Profiles BPX.SUPERUSER.

 For CA ACF2, the userid that is assigned to the batch job
 must be defined to CA ACF2 Unix System Services Security. See
 the CA ACF2 Administrator Guide, chapter 21 (z/OS UNIX System
 Services Support) for information about defining a
 userid and setting up the ability to execute the setuid(0)
 function.

 For CA Top Secret, the userid that is assigned to the batch
 job must be defined to CA Top Secret Unix System Services
 Security. See the CA Top Secret documentation for information
 about defining a userid and setting up the ability to execute
 the setuid(0) function.
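
 For RACF, the requirements in this section (a UNIX identity for the batch userid, READ access to BPX.SUPERUSER, and READ access to the catalogs being scanned) can be set up with TSO commands along the following lines. This is an added example, not taken from the VCC or IBM documentation. The names VCCBATCH and VCCGRP, the UID/GID values, the home directory, and the catalog data set name are placeholders, and the example assumes that the FACILITY class is RACLISTed and that a discrete data set profile already protects the catalog.

```racf
/* Constructed example: VCCBATCH, VCCGRP, 9001, /u/vccbatch and     */
/* CATALOG.PLACEHOLDER.UCAT are placeholders, not product values.   */

/* 1. Give the batch userid a UNIX identity: groupid, userid, home. */
ALTGROUP VCCGRP OMVS(GID(9001))
ALTUSER VCCBATCH DFLTGRP(VCCGRP) +
  OMVS(UID(9001) HOME('/u/vccbatch') PROGRAM('/bin/sh'))

/* 2. Protect BPX.SUPERUSER with UACC(NONE) and permit only the     */
/*    scan userid. Skip RDEFINE if the profile already exists.      */
RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)
PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(VCCBATCH) ACCESS(READ)

/* 3. Log every successful and failed use of the profile so that    */
/*    each switch to superuser is recorded for review.              */
RALTER FACILITY BPX.SUPERUSER AUDIT(ALL(READ))
SETROPTS RACLIST(FACILITY) REFRESH

/* 4. READ access to each catalog the scan opens. Repeat per        */
/*    catalog; add GENERIC if the covering profile is generic.      */
PERMIT 'CATALOG.PLACEHOLDER.UCAT' ID(VCCBATCH) ACCESS(READ)

/* 5. Verify the OMVS segment and the BPX.SUPERUSER access list.    */
LISTUSER VCCBATCH OMVS NORACF
RLIST FACILITY BPX.SUPERUSER AUTHUSER
```

 READ access to BPX.SUPERUSER lets the permitted userid switch to superuser, so keep the access list limited to the userid that runs the scan and review it with the RLIST output.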