

Use CA Top Secret to Secure CA Spool

The following procedure shows how to configure CA Top Secret to secure CA Spool. This procedure includes steps for defining users and groups to both products and for defining the CA Spool started task to CA Top Secret. This procedure provides guidelines but is not necessarily comprehensive. See your CA Top Secret administrator to determine whether to perform more customizations for your site.

Important! Before you perform these steps, shut down CA Spool. After you complete these steps, start CA Spool.

To secure CA Spool with Top Secret, follow this process in CA Top Secret:

  1. Perform one-time system setup tasks.
  2. Define a default group for the userid and assign access rights to the userid.

Perform One-Time System Setup Tasks

Typically, you perform these steps once when you configure CA Spool to work with CA Top Secret.

  1. Enter the following commands to define CA Spool (ESF) as a facility to CA Top Secret:
    TSS MODI FAC(USERnn=NAME=ESF)
    TSS MODI FAC(ESF=RES)
    TSS MODI FAC(ESF=MODE=mode)
    
    USERnn

    Specifies a user-defined facility in CA Top Secret that is not in use.

    mode

    Typically specifies FAIL in a production environment.

  2. Enter the following commands to create the CA Spool started task ACID as a Master Facility:
    TSS CREATE(CASPOOL) TYPE(USER) NAME('CA SPOOL REGION ACID')
    DEPT(dept) MASTFAC(ESF) FAC(STC) PASS(xxxx,0)
    

    Note: The ACID associated with the CA Spool address space runs as a Top Secret Facility. We recommend that you give all started task ACIDs a password and OPTIONS(4) in the CA Top Secret parameter file.

  3. Enter the following commands to define CA Spool to OMVS:
    TSS ADD(CASPOOL) UID(n) HOME(/) OMVSPGM(/bin/sh)
    TSS ADD(CASPOOL) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)
    TSS MODIFY OMVSTABS
    
  4. Enter the following command to define CA Spool to the started task table in CA Top Secret:
    TSS ADD(STC) PROCNAME(CASPOOL) ACID(CASPOOL)
    
  5. Enter the following command to secure the ESFSECU high-level data set. This command adds ESFSECU as a department in the CA Top Secret DSN resource:
    TSS ADD(dept) DSN(ESFSECU.)
    

Define a Default Group and Assign Access Rights

Define a default group for the userid and assign the userid access rights to CA Spool resources. Repeat these steps each time that you grant a user access to CA Spool.

To log in to CA Spool, users require the following access:

To meet these requirements, first define a default group for the userid in its installation data. Next, assign the userid access rights to the ESFSECU resources in the DSN resource class. Use the following steps as models:

  1. Grant the userid access to the CA Spool facility (ESF) by entering the following commands:
    TSS ADD(USER001) FAC(ESF)
    TSS ADD(USER002) FAC(ESF)

    USER001 and USER002 are sample userids.

  2. Associate the GROUP G0000001 with userids USER001 and USER002 by entering the following commands:
    TSS ADD(USER001) INSTDATA('ESFDGRP(1)')
    TSS ADD(USER002) INSTDATA('ESFDGRP(1)')

    The INSTDATA parameter ESFDGRP(1) specifies the default group of G0000001.

  3. Grant users the required access rights to log in to CA Spool. Use one of the following options:
  4. Define users according to role. Assign access rights to the users to meet the requirements of the SAFTYPE statement that you want. Use the following sample commands as models.

Sample Commands for Defining Users According to Role

The following sample Top Secret commands illustrate how to define users with the appropriate authorizations for their type and access rights. Use the following examples as models.

Verify that the resource to which you grant access matches its appropriate SAFTYPE external entry. For a detailed explanation, see the example for the ORDINA user ORDINA01.

To define the SUPER user SUPER01, use the following commands as a model:

TSS ADD(SUPER01) FAC(ESF)
TSS ADD(SUPER01) INSTDATA('ESFDGRP(1)')
TSS PERMIT(SUPER01) DSN(ESFSECU.)             ACCESS(UPDATE)

To define the OPER user OPER01, use the following commands as a model:

TSS ADD(OPER01) FAC(ESF)
TSS ADD(OPER01) INSTDATA('ESFDGRP(1)')
TSS PERMIT(OPER01) DSN(ESFSECU.)              ACCESS(UPDATE)
TSS PERMIT(OPER01) DSN(ESFSECU.CMND.REINIT)   ACCESS(NONE)
TSS PERMIT(OPER01) DSN(ESFSECU.CMND.SHUTDOWN) ACCESS(NONE)

To define the JUNIOR user JUNIOR01, use the following commands as a model:

TSS ADD(JUNIOR01) FAC(ESF)
TSS ADD(JUNIOR01) INSTDATA('ESFDGRP(1)')
TSS PERMIT(JUNIOR01) DSN(ESFSECU.AUTH.GLACC)              ACCESS(READ)
TSS PERMIT(JUNIOR01) DSN(ESFSECU.AUTH.ALLGR)              ACCESS(READ)
TSS PERMIT(JUNIOR01) DSN(ESFSECU.NOGR++.G0000001)         ACCESS(UPDATE)
TSS PERMIT(JUNIOR01) DSN(ESFSECU.NOGR++.G0000002)         ACCESS(UPDATE)
TSS PERMIT(JUNIOR01) DSN(ESFSECU.FIGR++.G0000001.JUNIOR.) ACCESS(UPDATE)
TSS PERMIT(JUNIOR01) DSN(ESFSECU.FIGR++.G0000002.JUNIOR.) ACCESS(UPDATE)
TSS PERMIT(JUNIOR01) DSN(ESFSECU.CMND.)                   ACCESS(READ)

To define the ORDINA user ORDINA01, use the following commands as a model:

TSS ADD(ORDINA01) FAC(ESF)
TSS ADD(ORDINA01) INSTDATA('ESFDGRP(1)')
TSS PERMIT(ORDINA01) DSN(ESFSECU.NOGR++.G0000001)         ACCESS(UPDATE)
TSS PERMIT(ORDINA01) DSN(ESFSECU.FIGR++.G0000001.)        ACCESS(READ)
TSS PERMIT(ORDINA01) DSN(ESFSECU.FIGR++.G0000001.ORDINA.) ACCESS(UPDATE)
TSS PERMIT(ORDINA01) DSN(ESFSECU.CMND.)                   ACCESS(READ)

To define the TINY user TINY01, use the following commands as a model:

TSS ADD(TINY01) FAC(ESF)
TSS ADD(TINY01) INSTDATA('ESFDGRP(1)')
TSS PERMIT(TINY01) DSN(ESFSECU.NONO++.PRT1A)        ACCESS(UPDATE)
TSS PERMIT(TINY01) DSN(ESFSECU.FINO++.PRT1A.TINY.)  ACCESS(UPDATE)
TSS PERMIT(TINY01) DSN(ESFSECU.CMND.)               ACCESS(READ)
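
A pre-run check for a command deck built from the models above, as an added example that is not part of the CA documentation: it parses TSS ADD and TSS PERMIT lines and reports userids that are missing the facility or default-group step, plus any userid that holds UPDATE on ESFSECU. without the ACCESS(NONE) entries for REINIT and SHUTDOWN shown in the OPER01 model. The sample deck, the USER003 and USER004 userids, and the finding texts are constructed for illustration.

```python
import re

# Constructed sample deck for illustration; USER003 and USER004 are made-up userids.
SAMPLE_DECK = """\
TSS ADD(OPER01) FAC(ESF)
TSS ADD(OPER01) INSTDATA('ESFDGRP(1)')
TSS PERMIT(OPER01) DSN(ESFSECU.)              ACCESS(UPDATE)
TSS PERMIT(OPER01) DSN(ESFSECU.CMND.REINIT)   ACCESS(NONE)
TSS PERMIT(OPER01) DSN(ESFSECU.CMND.SHUTDOWN) ACCESS(NONE)
TSS ADD(USER003) FAC(ESF)
TSS PERMIT(USER003) DSN(ESFSECU.CMND.) ACCESS(READ)
TSS ADD(USER004) FAC(ESF)
TSS ADD(USER004) INSTDATA('ESFDGRP(1)')
TSS PERMIT(USER004) DSN(ESFSECU.) ACCESS(UPDATE)
"""

CMD = re.compile(r"^\s*TSS\s+(ADD|PERMIT)\((\w+)\)\s+(.*)$", re.I)
# KEYWORD(value); a quoted value may itself contain parentheses, e.g. 'ESFDGRP(1)'.
OPERAND = re.compile(r"(\w+)\(('[^']*'|[^()]*)\)")
RESTRICTED = ("ESFSECU.CMND.REINIT", "ESFSECU.CMND.SHUTDOWN")

def audit(deck):
    """Return (userid, finding) pairs, sorted by userid, for incomplete or broad setups."""
    users = {}
    for m in filter(None, map(CMD.match, deck.splitlines())):
        verb, acid = m.group(1).upper(), m.group(2).upper()
        ops = {k.upper(): v.strip("'") for k, v in OPERAND.findall(m.group(3))}
        fac = verb == "ADD" and ops.get("FAC") == "ESF"
        dgrp = verb == "ADD" and ops.get("INSTDATA", "").startswith("ESFDGRP(")
        dsn = ops.get("DSN", "") if verb == "PERMIT" else ""
        if not (fac or dgrp or dsn.startswith("ESFSECU.")):
            continue  # one-time setup commands such as TSS ADD(STC) are out of scope
        u = users.setdefault(acid, {"fac": False, "dgrp": False, "permits": {}})
        u["fac"] |= fac
        u["dgrp"] |= dgrp
        if dsn:
            u["permits"][dsn] = ops.get("ACCESS", "").upper()
    findings = []
    for acid, u in sorted(users.items()):
        p = u["permits"]
        if not u["fac"]:
            findings.append((acid, "missing FAC(ESF)"))
        if not u["dgrp"]:
            findings.append((acid, "missing INSTDATA ESFDGRP default group"))
        if not p:
            findings.append((acid, "no ESFSECU permits"))
        if p.get("ESFSECU.") == "UPDATE" and any(p.get(r) != "NONE" for r in RESTRICTED):
            findings.append((acid, "SUPER-level access: REINIT/SHUTDOWN not set to NONE"))
    return findings
```

Calling `audit(SAMPLE_DECK)` flags USER003 for the missing default group and USER004 for SUPER-level access; the last finding is a prompt to confirm that the userid is meant to follow the SUPER01 model rather than the OPER01 model.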