Review the following security information.
The OPSLOG WebView server retrieves a security environment from the System Authorization Facility (such as RACF or CA Top Secret) for each client. The security environment controls, for each user, whether the user can perform certain actions, such as issuing host commands. To obtain the security profile for clients, the server must have UPDATE access to the BPX.SERVER resource. If the server runs on z/OS 1.7 or later, the server must also have access to BPX.CONSOLE. Otherwise, the server must run as UID=0.
In addition, check whether your web server (HTTPD or WebSphere) is secured with the program-controlled attribute of your security package. If so, the OPSLOGV program, which resides in OPS.CCLXPLD, and the OPMFSB program, which resides in OPS.CCLXLOAD, must also be program-controlled. See the documentation for your security package for information on setting this attribute.
Secure the OPSLOG WebView data in transit using the SSL protocol for authentication and encryption.
Note: When you specify the S option, all data communications between the OPSLOG WebView server and the OPSLOG WebView client take place using a secure protocol such as TLS 1.0, TLS 1.1, or TLS 1.2. Because the OPSLOG WebView client code is started through a web server, we recommend that you disable SSLv3 in your Internet browser and on your web server before launching the client.
Enable SSL for the OPSLOG WebView server by specifying the S option for the OPSLOGSV started task.
Transport all data except password data unencrypted by specifying the U option, rather than the S option, for the OPSLOGSV started task.
If neither the S option nor the U option is specified for the OPSLOGSV started task, the OPSLOG WebView server bypasses client and server authentication by default and encrypts data in transit using the XOR encryption scheme.
To enable OPSLOG WebView users to issue commands on a target system when OSFSECURITY is set to CHECKUSERID, a security rule must be enabled on the target system.
If no security rule is enabled on the local system, then default permissions apply on both local and remote systems.
If OSFSECURITY is set to CHECKUSERID and a security rule is written on both the local and the remote system, the OPSLOG WebView user must have permission to issue commands on the local system before the security is checked on the remote system. In other words, the OPSLOG WebView user must have permission on both the local and the remote system to issue commands on the remote system.
Note: If you fail to supply a security rule on the target systems, then commands sent there are not executed and you cannot see any indication of an error unless the DEBUGOSF parameter is set to a value of ON.
You can control access to CA OPS/MVS facilities from OPSLOG WebView through security rules by specifying which users can view OPSLOG messages and which users can issue host commands.
If there are no pre-existing security rules for controlling access to the OPSLOG, then default security permissions apply: from OPSLOG WebView, all users are permitted to view the OPSLOG but are not permitted to issue host commands.
To override the default permissions for displaying OPSLOG messages, create a security rule that permits a user or list of users to view the OPSLOG. This authorization also enables the host command area, through which authorized users enter host commands from OPSLOG WebView.
The following sample rule allows only users in the allow_users list to view OPSLOG messages:
)SEC OPSBRW
)PROC
allow_users = "TSOUSER1 TSOUSER2 TSOUSER3"
user = sec.opauusid
if WORDPOS(user,allow_users) = 0 then
  return "reject"
else
  return "accept"
To override default security restrictions to issue host commands, create a security rule to permit a user or list of users to issue host commands.
The following sample rule allows users that are listed in the allow_users list to issue host commands:
)SEC OPSCMD
)PROC
allow_users = "TSOUSER1 TSOUSER2 TSOUSER3"
user = sec.opauusid
if WORDPOS(user,allow_users) = 0 then
  return "reject"
else
  return "accept"
Members SECWEBV1, SECWEBV2, and SECWEBV3 of the distributed sample rules library provide examples of implementing this security. For more information and a list of the steps that are required for granting security access, see the samples.
If you are currently using CA OPS/MVS security rules to secure these operational functions, then view these samples to determine the logic changes that you need to incorporate into your existing rules.
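The authorization flow described above (default permissions, the WORDPOS allowlist in the OPSBRW and OPSCMD rules, and the local-then-remote check for host commands) as an added Python model; this is illustration code, not CA OPS/MVS or OPS/REXX code, and it assumes OSFSECURITY is set to CHECKUSERID on the target system. The facility names and user IDs are the page's sample values.

```python
# Added illustration: a Python model of the documented OPSLOG WebView
# authorization decisions. It is not OPS/MVS code; it only mimics the
# semantics so the decision tree can be exercised offline.
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Documented defaults when no rule exists: everyone may view the OPSLOG,
# nobody may issue host commands.
DEFAULTS = {"OPSBRW": "accept", "OPSCMD": "reject"}


@dataclass
class SecurityRules:
    """Security rules enabled on one z/OS system, keyed by facility:
    OPSBRW = view OPSLOG messages, OPSCMD = issue host commands.
    Each value is the allow_users string from the sample rule."""
    allow: dict = field(default_factory=dict)

    def decide(self, facility: str, user: str) -> str:
        users = self.allow.get(facility)
        if users is None:
            return DEFAULTS[facility]  # no rule enabled: defaults apply
        # Same test as WORDPOS(user, allow_users) = 0 -> "reject":
        # a whole-word match, so TSOUSER does not match TSOUSER1.
        return "accept" if user in users.split() else "reject"


def can_view(local: SecurityRules, user: str) -> bool:
    return local.decide("OPSBRW", user) == "accept"


def issue_command(local: SecurityRules, user: str,
                  target: Optional[SecurityRules] = None,
                  debugosf: bool = False) -> Tuple[bool, str]:
    """Return (executed, diagnostic) for a host command from OPSLOG WebView.
    OSFSECURITY=CHECKUSERID is assumed, so the target needs its own rule."""
    # Local permission is always checked first, even for a remote target.
    if local.decide("OPSCMD", user) != "accept":
        return False, "rejected on local system"
    if target is None or target is local:
        return True, "executed on local system"
    if "OPSCMD" not in target.allow:
        # Documented failure mode: with no rule on the target, the command
        # is not executed and nothing is reported unless DEBUGOSF is ON.
        return False, "no security rule on target system" if debugosf else ""
    if target.decide("OPSCMD", user) != "accept":
        return False, "rejected on target system"
    return True, "executed on target system"
```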
Before establishing an OPSLOG WebView session, OPSLOG WebView prompts each user to log in using a valid user ID and password for the target z/OS system. You can choose to use existing TSO user IDs or define new user IDs for this purpose. The only requirement is that the user ID be authorized to log on to the target system.
Note: You must define an OMVS segment for each user ID that requires OPSLOG WebView access. These user IDs must be able to log on to the system where the OPSLOGSV STC is running.
Copyright © 2014 CA Technologies.
All rights reserved.