Using the NMSAF Security Solution › Implementing NMSAF

Implementing NMSAF

To implement the NMSAF security solution with user groups and modeling enabled, you must perform the following tasks:

1. Defining Your User Groups
2. Modeling Your User Groups
3. Enabling NMSAF

Note: If your UAMS data set is empty, you must log on with the INSTALL user ID before you perform these tasks. For more information, see Installation Guide.

Defining Your User Groups

To define your user groups

1. Define a set of logical user groups. Each group will have specific authority needs in your region. As well as the default user groups, there is also a special group for background user IDs.

   Note: You must manually define users with significant privileges using UAMS.

2. For each group, create a UAMS GROUP user definition with the appropriate set of privileges. These are the only comprehensive UAMS definitions that you must create.

   The following default groups are created automatically when a region starts for the first time:

   • $RMADMIN
   • $RMOPER
   • $RMNOPER
   • $RMMON
   • $RMBUSER

     You can recreate these GROUP definitions at any time by executing the supplied NCL procedure $NMUAINI.

     Note: For CA SOLVE:FTS, CA SOLVE:Access Session Management, CA SOLVE:InfoMaster, and CA SOLVE:NetMail, you must create your groups manually, because no default groups are created.

     To run $NMUAINI:

   1. Enter CMD from the primary menu to display the Command Entry panel.
   2. Enter $NMUAINI at the command prompt (===>).

Modeling Your User Groups

To model your user groups

1. For each defined GROUP user, create a single model user ID.

   The following default MODEL definitions are created automatically when a region starts for the first time:

   • $MDADMIN
   • $MDOPER
   • $MDNOPER
   • $MDMON

     Notes:

   • For CA SOLVE:FTS, CA SOLVE:Access Session Management, CA SOLVE:InfoMaster, and CA SOLVE:NetMail, you must create your model definitions manually, because no default definitions are created.
   • $RMBUSER has no model created, because it is used by background user IDs only.
2. Using your external security package, create resource names for each defined group. These must use the same resource class name as the SXCTL RCLASS setting (default FACILITY); for example:
   • NETMASTR.ADMIN, for an administrator
   • NETMASTR.OPER, for a system operator
   • NETMASTR.NOPER, for a network operator
   • NETMASTR.MON, for a monitor user

     Notes:

   • These resource names are generic. If you have several product regions, and you want users to have different profiles on each, you could use the ACB name or domain name of each region as part of the name (for example, NETMASTR.ADMIN.NM01).
   • If you use a different class name, you must define the class to the security system.
3. Issue commands to define and activate the resources in your external security system. Give PERMIT privileges with (at least) READ access to the appropriate resource, to all users that will access your region.
4. Set up the SXCTL file with the following statements:

   MODEL LIST
   MODELGROUP   resource.name.1   model1
   MODELGROUP   resource.name.2   model2
   MODELGROUP   resource.name.3   model3
   MODELGROUP   resource.name.4   model4
   

   Note: You must list the resource names in the order that you want them to be tested.

   If you want to allow a generic logon for any other users, add an additional line:

   MODELGROUP   *   dfltmodel
   

Enabling NMSAF

To enable the NMSAF security solution

1. Set the JCL parameter SEC to SEC=NMSAF.

   You can set SEC=NMSAF either during initial implementation of your product, or later.

   When you set SEC=NMSAF, you activate the NMSAF partial security exit, and so enable the NMSAF security solution.

   If you require other components of the NMSAF security solution, you must activate them separately.

   Use the procedures described in Customizing the SXCTL Parameter File and Additional Security Exits in this chapter.

   Note: For a full description of the JCL parameter SEC, see the Reference Guide.

   Note: If your Security product is CA Top Secret, you must create a region control definition for signon.

2. Restart your region (to allow the security exit to pick up the definitions).

Remote Background User IDs and NMSAF

When regions are linked, a remote region's background user (nnnnBSYS) may need to log on to the local region. To define the remote background user ID to the local region, perform the following tasks:

• Define the remote nnnnBSYS user ID to the local region's UAMS.

  For products that use the link and synchronize process to link regions, the remote region's user ID is automatically added to UAMS during synchronization. If this process fails or if links are established manually, the nnnnBSYS user must be added manually. Assign the user ID to group $RMBUSER.

• Define the remote nnnnBSYS user ID as a user to the external security package. No password is required:
  • For CA ACF2, use the following commands:

    ACF
    SET LID
    INSERT nnnnBSYS NAME(bsys_user_name) PASSWORD(NOPW)
    

  • For CA Top Secret, use the following command:

    TSS CRE(nnnnBSYS) TYPE(USER) DEPT(dept_acid) NAME('bsys_user_name') PASS(NOPW,0)
    

  • For RACF, use the following command:

    ADDUSER nnnnBSYS NAME('bsys_user_name')
    

    bsys_user_name specifies a text string to identify the user (for example, BSYS User 1).

Signon and Signoff with CA Top Secret

External security includes security for signon and signoff. The CA Top Secret security administrator must create a region control ACID, FACILITY and Started Task definition for the online STC (NETMASTR).

To create this definition

1. Create a region control ACID using the following commands:

   TSS CRE(netmacid) NAME('region_acid NETMASTR') DEPT(netmdept) PASS(NOPW,0) FAC(STC,NETMASTR) MASTFAC(NETMASTR) NOVOLCHK NORESCHK NOLCFCHK NODSNCHK NOSUBCHK
   

2. Create a NETMASTR FACILITY by placing the following statements into the CA Top Secret startup parameter file member:

   FAC(user15=NAME=NETMASTR)
   FAC(NETMASTR=NOABEND,ASUBM)
   FAC(NETMASTR=INSTDATA,KEY=8,LCFCMD,LOCKTIME=0,NOLUMSG)
   FAC(NETMASTR=MULTIUSER,PGM=NM0,NORNDPW,RES,SIGN(M))
   FAC(NETMASTR=SHRPRF,NOSTMSG,NOTSOC,WARNPW,NOXDEF)
   

3. Define the NETMASTR STC to the CA Top Secret STC Table using the following command:

   TSS ADD(STC)  PROCNAME(NETMASTR)  ACID(netmacid)
   

4. For any region control ACID to be used to sign on, authorize it to the NETMASTR FACILITY using the following command:

   TSS ADD(user1) IBMFAC(NETMASTR)