Detailed Command Protection Profile Definitions for TBESAF99

Use command control statements to define each console command that you want to protect. Use these control statements as input to TBESAF99 to generate control statements for your security system.

You have the option to control each eligible CA Tape Encryption console command at the global level for all BES subsystems or at the local level for each BES subsystem. The following guidelines apply to this command:

This command has the following format:

BESn TYPE=COMMAND,
 NAME=command_name.qualified_name

n

Indicates the BES subsystem. To specify a global command protection profile for a specified console command for all BES systems, start the command with BES and do not specify a BES subsystem.

Note: For CA ACF2, you must specify the BES subsystem number.

TYPE=COMMAND

Indicates that this control statement defines a protection profile for a console command.

NAME=command_name.qualified_name

Specifies the name of the CA Tape Encryption console command and its qualified name, if any. Only the commands listed here are eligible to be controlled by this feature. Some of these commands have qualifying command parameters and some do not. If a command that has qualifying parameters appears on this list without a qualifying parameter, the command protection profile governs all forms of the command, unless otherwise noted. If a command appears on this list with a qualifying parameter, the profile governs only that form of the command. Options for this parameter are as follows:

COMPROMISE

Specifies the COMPROMISE= command.

DISPLAY

Specifies all forms of the DISPLAY command.

DUMP

Specifies the DUMP command.

MIGRATE

Specifies all forms of the MIGRATE= command.

PASSPHRASE

Specifies the RELOAD=PASSPHRASE command.

REFRESH.CAEKMAPI

Specifies the REFRESH=CAEKM_API_OPTIONS command.

REFRESH.CODEBOOKS

Specifies the REFRESH=CODEBOOKS command.

REFRESH.KEYRINGS

Specifies the REFRESH=KEYRINGS command.

REFRESH.NKMPARMS

Specifies the REFRESH=NKMPARMS command.

REFRESH.OPTIONS

Specifies the REFRESH=OPTIONS command.

REFRESH.SYMKEYS

Specifies the REFRESH=SYMKEYS command.

RELOAD

Specifies all forms of the RELOAD= command, except for the RELOAD=PASSPHRASE command.

SET.CONSOLE

Specifies the SET CONSOLE command.

SHUTDOWN

Specifies the SHUTDOWN command.

START.NKM

Specifies the START NKM command.

STOP.NKM

Specifies the STOP NKM command.

Example: Global command definition for REFRESH=SYMKEYS command

This example defines to all BES subsystems the REFRESH=SYMKEYS command.

BES TYPE=COMMAND,NAME=REFRESH.SYMKEYS

Example: Local command definition for DISPLAY commands

This example defines to BES1 all commands that begin with DISPLAY. This includes any form of the DISPLAY command, for example, DISPLAY ACTIVE, DISPLAY BUFFER, DISPLAY SECURITY, and so on.

BES1  TYPE=COMMAND,NAME=DISPLAY

Example: Local command definition for RELOAD=PASSPHRASE command

This example defines to BES2 the RELOAD=PASSPHRASE command.

BES2 TYPE=COMMAND,NAME=PASSPHRASE
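
The following Python check is an added example, not CA code or part of the product documentation. It parses COMMAND control statements in the format shown above and reports, for each BES subsystem, which eligible commands have no protection profile. The digits-only subsystem suffix, the trailing-comma continuation handling, the treatment of global statements under CA ACF2, and all function names are assumptions.

```python
import re

# NAME= values this page lists as eligible for command protection profiles.
ELIGIBLE = set("""
COMPROMISE DISPLAY DUMP MIGRATE PASSPHRASE RELOAD SET.CONSOLE SHUTDOWN
REFRESH.CAEKMAPI REFRESH.CODEBOOKS REFRESH.KEYRINGS REFRESH.NKMPARMS
REFRESH.OPTIONS REFRESH.SYMKEYS START.NKM STOP.NKM""".split())
# Assumption: the subsystem suffix n is decimal digits, as in BES1 and BES2.
STMT = re.compile(r"^BES(\d*)\s+TYPE=COMMAND,\s*NAME=(\S+)$")

def parse(text):
    """Return (profiles, errors); a profile is (subsystem or None, NAME)."""
    profiles, errors, pending = [], [], ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line:
            continue
        if line.endswith(","):        # statement continues on the next line
            pending = line
            continue
        m = STMT.match(line)
        if not m:
            errors.append(f"not a COMMAND statement: {line}")
        elif m.group(2) not in ELIGIBLE:
            errors.append(f"NAME not on the eligible list: {m.group(2)}")
        else:
            profiles.append((m.group(1) or None, m.group(2)))
    if pending:
        errors.append(f"unterminated statement: {pending}")
    return profiles, errors

def audit(text, subsystems, acf2=False):
    """Map each subsystem to the eligible NAMEs that have no profile."""
    profiles, errors = parse(text)
    if acf2:  # page note: CA ACF2 requires the BES subsystem number
        errors += [f"CA ACF2 needs a subsystem number: {n}"
                   for s, n in profiles if s is None]
        profiles = [p for p in profiles if p[0] is not None]  # assumption
    gaps = {}
    for sub in subsystems:
        covered = {n for s, n in profiles if s in (None, sub)}
        gaps[sub] = sorted(ELIGIBLE - covered)
    return gaps, errors

# Constructed sample input, built from the page's three examples plus one
# statement whose NAME (bare REFRESH) is not on the eligible list.
SAMPLE = """BES TYPE=COMMAND,
 NAME=REFRESH.SYMKEYS
BES1  TYPE=COMMAND,NAME=DISPLAY
BES2 TYPE=COMMAND,NAME=PASSPHRASE
BES2 TYPE=COMMAND,NAME=REFRESH"""
```

Calling `audit(SAMPLE, ["1", "2"])` shows that a PASSPHRASE profile on BES2 leaves RELOAD uncovered there, because the two are separate entries in the list above.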