Use the global command to define to TBESAF99 the default security profiles for all BES subsystems or to specify data sets eligible for encryption by using security profiles and rules.
This statement has the following format:
BES TYPE=GLOBAL,
SECURITY=your_security_system,
ENABLED={YES|NO},
COMMANDS=permissions,
UTILITIES=permissions,
CAEKMAPI=permissions,
KEYS=permissions,
TSSACID=accessor_ID,
TSSSTCACID=STC accessor_ID,
OWNER=userid,
DEFAULT=(BESn=(default_encryption_key))
Note: If you are generating GLOBAL control statements for CA ACF2, the COMMANDS=, UTILITIES=, and KEYS= statements are not supported. If you use these statements, a warning message is issued and the erroneous statement is discarded.
BES
Indicates that this command applies to all BES subsystems. A global command must begin with BES, with no subsystem identifier.
TYPE=GLOBAL
Specifies that this is a global command that applies to all BES subsystems.
SECURITY=your_security_system
Defines the external security system to use. Options for this parameter are as follows:
RACF: Specifies IBM Security Server RACF.
ACF2: Specifies CA ACF2.
TSS: Specifies CA Top Secret.
ENABLED={YES|NO}
Indicates whether CA Tape Encryption should enable the CA Tape Encryption SAF Interface to the security system. Options for this parameter are as follows:
YES: Specifies that the SAF interface component will be loaded.
NO: Specifies that the SAF interface component is not loaded. No security processing will be performed.
COMMANDS=permissions
(Optional for RACF and CA Top Secret, not supported on CA ACF2.) Defines the default protection profile for all commands on all BES subsystems. If you do not specify a value for this parameter, a default of PERMIT is used. Options for this parameter are as follows:
PERMIT: Specifies that all the commands are permitted.
PROTECT: Specifies that all the commands are protected.
UTILITIES=permissions
(Optional for RACF and CA Top Secret, not supported on CA ACF2.) Defines the default protection profile for CA Tape Encryption utilities on all BES subsystems. If you do not specify a value for this parameter, a default of PERMIT is used. Options for this parameter are as follows:
PERMIT: Specifies that all the utilities are permitted.
PROTECT: Specifies that all the utilities are protected.
CAEKMAPI=permissions
(Optional for RACF and CA Top Secret, not supported on CA ACF2.) Defines the default protection profile for the Option for Application Management on all BES subsystems. Options for this parameter are as follows:
PERMIT: Specifies that any user can use the Option for Application Management in any BES subsystem.
PROTECT: Specifies that no user can use the Option for Application Management unless explicitly permitted to do so.
Default: PERMIT
KEYS=permissions
(Optional for RACF and CA Top Secret, not supported on CA ACF2.) Defines the default protection profile for all keys on all BES subsystems. If you do not specify a value for this parameter, a default of PERMIT is used. Options for this parameter are as follows:
PERMIT: Specifies that all keys are permitted.
PROTECT: Specifies that all keys are protected.
TSSACID=accessor_ID
Required for CA Top Secret only. Specifies the accessor ID (ACID) that is used on the PERMIT statements with accompanying APPLDATA. This ACID allows the CA Tape Encryption SAF interface to extract CA@BES entities and their associated APPLDATA.
TSSSTCACID=STC accessor_ID
Required for CA Top Secret only. Specifies the accessor ID (ACID) that is assigned to the BESn started task(s).
OWNER=userid
Indicates the owner of the resource. This userid is different for each security system. Options for this parameter are as follows:
(Optional.) For IBM Security Server RACF only. Specifies the RACF user ID of the resource owner. If the owner of the resource is not specified, TBESAF99 uses a default user of CA@BES.
Note: The TBESAF99 utility generates the appropriate ADDUSER command. If you are creating your own control statements for RACF and you want to use a default owner name that has not been defined to your site, you must issue a RACF ADDUSER command before importing the remaining definitions into the security system.
Limits: 1-8 alphanumeric characters.
Default: CA@BES
(Optional.) For CA ACF2 only. Specifies a name to be generated as part of the $OWNER field on the key-set. If the owner of the resource is not specified, TBESAF99 uses BES-OWNER. In ACF2, this is a comment-only field within the rule set.
Default: BES-OWNER
(Optional.) For CA Top Secret only. Specifies the name of the department that owns each CA Tape Encryption resource class (CA@BES) and CA Tape Encryption operator command definitions (OPERCMDS). If the owner of the resource is not specified, TBESAF99 uses BESDEPT.
Default: BESDEPT
DEFAULT=(BESn=(default_encryption_key))
(Optional.) Specifies the name of the encryption key to use as a default for the specified BES subsystem. Everything to the right of DEFAULT= is enclosed in parentheses, and the name of the encryption parameter is also enclosed in parentheses. If the default encryption key is not specified, all eligible data sets selected from the security system must be defined to the CA@BES resource class; otherwise, CA Tape Encryption will default to using the DFSMS data class definition for data set selection.
BESn: Indicates the BES subsystem. If no subsystem number is specified here, the default for the key applies to BES1.
default_encryption_key: Specifies the name of the default encryption key.
Example: Sample global default command for RACF
This example shows a sample global default command for IBM Security Server RACF.
BES TYPE=GLOBAL,
SECURITY=RACF,
ENABLED=YES,
COMMANDS=PROTECT,
CAEKMAPI=PROTECT,
UTILITIES=PROTECT,
KEYS=PERMIT,
OWNER=RACFUSER,
DEFAULT=(BES2=(AES192_KEY))
Example: Sample global default command for CA ACF2
This example shows a sample global default command for CA ACF2.
BES TYPE=GLOBAL,
SECURITY=ACF2,
ENABLED=NO,
OWNER=BES,
DEFAULT=(BES2=(AES128_KEY))
Example: Sample global default command for CA Top Secret
This example shows a sample global default command for CA Top Secret.
BES TYPE=GLOBAL,
SECURITY=TSS,
ENABLED=YES,
COMMANDS=PROTECT,
CAEKMAPI=PROTECT,
UTILITIES=PERMIT,
KEYS=PERMIT,
TSSACID=SECADMIN,
TSSSTCACID=STCACID,
OWNER=PRODDEPT,
DEFAULT=(BES2=(AES128_KEY))
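Example: Reviewing a GLOBAL statement before running TBESAF99
The following Python script is an added example, not part of the CA documentation or of TBESAF99. It parses a GLOBAL statement and lists the settings described above that a reviewer should confirm are intended: ENABLED=NO, profiles left at PERMIT, parameters discarded on CA ACF2, missing CA Top Secret ACIDs, and an omitted DEFAULT=. The function names are hypothetical, and the parsing assumes comma-separated KEY=value pairs as shown in the statement format.

```python
import re

PROFILES = ("COMMANDS", "UTILITIES", "CAEKMAPI", "KEYS")
# KEY=value, where value is a parenthesised group (one nesting level) or a bare token
PAIR = re.compile(r"(\w+)=\s*(\((?:[^()]|\([^()]*\))*\)|[^,\s]+)")

# The page's RACF and CA ACF2 examples, copied here as sample input
RACF_EXAMPLE = """BES TYPE=GLOBAL,
SECURITY=RACF, ENABLED=YES, COMMANDS=PROTECT, CAEKMAPI=PROTECT,
UTILITIES=PROTECT, KEYS=PERMIT, OWNER=RACFUSER, DEFAULT=(BES2=(AES192_KEY))"""
ACF2_EXAMPLE = """BES TYPE=GLOBAL,
SECURITY=ACF2, ENABLED=NO, OWNER=BES, DEFAULT=(BES2=(AES128_KEY))"""

def parse_global(statement):
    """Return the parameters of a BES TYPE=GLOBAL statement as an upper-cased dict."""
    text = " ".join(statement.split())
    if not text.upper().startswith("BES "):
        raise ValueError("a global command must begin with BES")
    params = {k.upper(): v.upper() for k, v in PAIR.findall(text[4:])}
    if params.get("TYPE") != "GLOBAL":
        raise ValueError("not a TYPE=GLOBAL statement")
    return params

def review_global(statement):
    """List the settings a reviewer should confirm are intended."""
    p = parse_global(statement)
    sec, notes = p.get("SECURITY", ""), []
    if p.get("ENABLED") == "NO":
        notes.append("ENABLED=NO: SAF interface not loaded, no security processing")
    if sec == "ACF2":
        # The page's note names these three as discarded with a warning on CA ACF2
        notes += [f"{k}= is not supported on CA ACF2 and is discarded"
                  for k in ("COMMANDS", "UTILITIES", "KEYS") if k in p]
    elif sec in ("RACF", "TSS"):
        # An omitted profile parameter defaults to PERMIT
        notes += [f"{k}=PERMIT in effect (not PROTECT)"
                  for k in PROFILES if p.get(k, "PERMIT") == "PERMIT"]
    if sec == "TSS":
        notes += [f"{k}= is required for CA Top Secret"
                  for k in ("TSSACID", "TSSSTCACID") if k not in p]
    if "DEFAULT" not in p:
        notes.append("DEFAULT= omitted: eligible data sets must be defined to CA@BES")
    return notes

if __name__ == "__main__":
    for name, stmt in (("RACF", RACF_EXAMPLE), ("ACF2", ACF2_EXAMPLE)):
        print(name, review_global(stmt))
```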