The DB2FAC control option in the CA Top Secret Parameter File is used to associate a DB2 subsystem with a CA Top Secret facility. This association is used by CA Top Secret Option for DB2 to determine whether to protect the DB2 subsystem when it is started and whether to restrict access to a resource in the DB2 subsystem. DB2TEST and DB2PROD are the two predefined facilities in CA Top Secret that can be used for this purpose. You can group multiple DB2 subsystems under a single facility, or you can assign each DB2 subsystem to its own facility. In the latter case, we recommend that you define a new facility for the DB2 subsystem and give the facility the same name as the DB2 subsystem.
There are three steps to identifying the DB2 subsystems. They are:
The following is a description of the DB2FAC control option. For a more detailed explanation of how control options operate in general, see the eTrust CA‑Top Secret for z/OS Control Options Guide.
DB2FAC logically groups DB2 subsystems under different facility names. This controls, via MODE, whether the resources in a DB2 subsystem are protected. The facility chosen further determines the settings of the other facility control options (LOG, ABEND, NOABEND, etc.).
| Format | Default | Entry Method |
|---|---|---|
| DB2FAC(ssid=facility) | None | All |
where:
ssid
Identifies the name of the DB2 subsystem.
facility
Indicates the facility name to which the DB2 subsystem is associated.
The mode on the facility defined for the DB2 subsystem controls the protection of the DB2 subsystem resources. Specifying a non‑DORMANT mode for the facility associated with the DB2 subsystem protects its resources. A mode of DORMANT, or no DB2FAC control option specification for a DB2 subsystem, indicates that CA Top Secret Option for DB2 will not protect the resources in the DB2 subsystem. The facility mode also determines the default mode for all CA Top Secret Option for DB2 resource checks against the DB2 subsystem.
The entry shown next indicates that DB2 subsystems DB2A and DB2B are grouped under DB2PROD, while DB2 subsystems DB2C and DB2D are under DB2TEST:
DB2FAC(DB2A=DB2PROD) DB2FAC(DB2B=DB2PROD) DB2FAC(DB2C=DB2TEST) DB2FAC(DB2D=DB2TEST)
The entry shown next indicates that the subsystems identified to the DB2PROD facility are protected by CA Top Secret Option for DB2, while the subsystems identified to the DB2TEST facility are not protected by CA Top Secret Option for DB2:
FAC(DB2PROD=MODE=FAIL) FAC(DB2TEST=MODE=DORMANT)
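As an added illustration that is not part of the original documentation or of CA's own tooling, the following Python script applies the protection rule above (a subsystem is protected only when it has a DB2FAC entry and its facility's MODE is not DORMANT) to a constructed set of parameter-file entries and reports which DB2 subsystems would be left unprotected. The sample entries, the regular expressions and the choice to report a facility with no MODE entry as "unknown" rather than guessing a default are assumptions.

```python
import re

# Constructed sample of CA Top Secret parameter-file entries (not from a real site).
# DB2G has a DB2FAC entry but its facility has no MODE entry in this text.
SAMPLE_PARMS = """
DB2FAC(DB2A=DB2PROD) DB2FAC(DB2B=DB2PROD)
DB2FAC(DB2C=DB2TEST) DB2FAC(DB2D=DB2TEST)
DB2FAC(DB2E=DB2E) DB2FAC(DB2G=DB2G)
FAC(DB2PROD=MODE=FAIL) FAC(DB2TEST=MODE=DORMANT)
FAC(DB2E=MODE=WARN)
"""

DB2FAC_RE = re.compile(r"DB2FAC\((\w+)=(\w+)\)")
# Negative lookbehind so "DB2FAC(" is not mistaken for a FAC( entry.
FACMODE_RE = re.compile(r"(?<!DB2)FAC\((\w+)=MODE=(\w+)\)")

def parse_db2fac(text):
    """Map each DB2 subsystem id to the facility named in its DB2FAC entry."""
    return {ssid.upper(): fac.upper() for ssid, fac in DB2FAC_RE.findall(text)}

def parse_fac_modes(text):
    """Map each facility name to the MODE given in its FAC entry."""
    return {fac.upper(): mode.upper() for fac, mode in FACMODE_RE.findall(text)}

def protection_status(text, known_ssids=()):
    """Return {ssid: (facility, mode, protected)} for every subsystem seen.

    protected is True/False per the DB2FAC rule, or None when the facility has
    no MODE entry in the scanned text (assumption: do not guess the default).
    Subsystems listed in known_ssids but absent from DB2FAC are unprotected.
    """
    facs, modes = parse_db2fac(text), parse_fac_modes(text)
    result = {}
    for ssid in set(facs) | {s.upper() for s in known_ssids}:
        fac = facs.get(ssid)
        mode = modes.get(fac) if fac else None
        if fac is None:
            protected = False            # no DB2FAC entry: not protected
        elif mode is None:
            protected = None             # facility MODE unknown from this text
        else:
            protected = mode != "DORMANT"
        result[ssid] = (fac, mode, protected)
    return result

def unprotected_subsystems(text, known_ssids=()):
    """Sorted list of subsystems CA Top Secret Option for DB2 will not protect."""
    status = protection_status(text, known_ssids)
    return sorted(s for s, (_, _, p) in status.items() if p is False)

if __name__ == "__main__":
    for ssid, row in sorted(protection_status(SAMPLE_PARMS, ["DB2F"]).items()):
        print(ssid, *row)
```

Pass the list of subsystem ids actually defined on the system as `known_ssids` so that a subsystem with no DB2FAC entry at all is still reported.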
Each DB2 region begins its execution as a started task. Therefore, a CA Top Secret ACID must be associated with each DB2 region. This ACID must be able to access the STC facility and must be authorized to all data sets used within the region, since these data sets are opened by DB2 itself. This ACID is referred to as the DB2 region control ACID. The ACID is associated with the region via the STC table.
After setting the DB2FAC control option, you must define the following DB2 started tasks to the CA Top Secret STC Record:
(where xxxx = the four-character subsystem ID).
In addition, DB2 uses IMS Resource Lock Manager (IRLM) to manage the locking of DB2 resources. You specify the name of this started task during the DB2 install process.
For example, to secure the DSNXMSTR DB2 started task for the DSNX DB2 subsystem you would first create an ACID for that task:
TSS CREATE(DB2STC1) TYPE(USER) NAME('DB2 MSTR STC') DEPT(DB2DEPT)
PASSWORD(NOPW,0) FAC(STC) NOVOLCHK NODSNCHK NORESCHK NOLCFCHK
NOSUBCHK
Note: You can specify the NODSNCHK, NORESCHK, and NOLCFCHK attributes for the region control ACID. If you do not specify these attributes every resource and/or LCF‑protected transaction ID will have to be permitted to the region control ACID.
After each region is associated with a particular ACID, the next step is to define the actual started task to the CA Top Secret STC table. This is done via the following syntax:
TSS ADD(STC) PROC(procname) ACID(regionacid)
For example, the command shown next will add the DSNXMSTR STC to the STC Record and associate it with the DB2STC1 ACID.
TSS ADD(STC) PROC(DSNXMSTR) ACID(DB2STC1)
Access to specific DB2 subsystems is controlled outside of DB2. You do not sign on to DB2; instead, DB2 calls the System Authorization Facility (SAF) when you connect to DB2.
The ACID associated with the DB2 connection request must be given the appropriate connection authorization via the DB2 resource class keyword. The syntax is as follows:
DB2(DSNR.ssss.BATCH) for BATCH and TSO connections
DB2(DSNR.ssss.DIST) for Distributed Data Facility (DDF) connections
DB2(DSNR.ssss.MASS) for IMS connections
DB2(DSNR.ssss.SASS) for CICS connections
ssss
Represents the subsystem name your site is using for DB2.
The ACID associated with a job is used to validate the connection for TSO and BATCH.
Individual user checking is not performed for IMS and CICS connections. Instead, the ACID associated with the IMS and CICS STCs or the associated MASTFAC ACID is used.
Copyright © 2011 CA Technologies. All rights reserved.