Implementing Security for Non-CA Products › Omegamon › Define Command-level Security Using CA Top Secret

Define Command-level Security Using CA Top Secret

To implement command‑level security:

1. Create a facility entry for OMEGAMON with the following facility options: MULTIUSER, PGM=KOB.
2. Add the OMEGAMON facility to users, as shown below.

   TSS ADDTO(acid) FACILITY(OMEGAMON)
   

   Acid is the user's ACID.

3. Define a resource class to the RDT for Omegamon as shown below.

   TSS ADDTO(RDT) RESCLASS(KOMCANDL) RESCODE(nn)
   

   nn is any hexadecimal code between 01 and 3F that is not currently being used for another user‑defined resource.

   Note: The resource class name does not have to be KOMCANDL. However, the name chosen must be consistent with the resource in the command for steps 4 through 7 which follow.

4. Give ownership of the resource class using INITIAL as a prefix.

   TSS ADDTO(acid) KOMCANDL(INITIAL)
   

   acid is the department ACID.

   Omegamon issues resource checks using four different levels of authority: INITIAL0, INITIAL1, INITIAL2, and INITIAL3. These levels are associated with Omegamon commands in the Command Table (see Step 8).

5. PERMIT an Omegamon command level to users as shown below.

   TSS PERMIT(acid) KOMCANDL(INITIAL0)    For issuing level 0 commands
   TSS PERMIT(acid) KOMCANDL(INITIAL1)    For issuing level 1 commands
   TSS PERMIT(acid) KOMCANDL(INITIAL2)    For issuing level 2 commands
   TSS PERMIT(acid) KOMCANDL(INITIAL3)    For issuing level 3 commands
   TSS PERMIT(acid) KOMCANDL('INITIAL')   To change security levels acid is the user's ACID.
   

   The first four authorizations lock the user into one command level and disables the /PWD command (even if the user knows the password). The last PERMIT allows a user to change security levels using the /PWD password if the password is known; the trailing blank is required.

   The commands that a user can issue are the ones defined, through an Omegamon table, to be in his command level. Immediately after the RACINIT, a RACHECK is called to assign the user a command level. This is validated internally by Omegamon.

6. Set up rules for each command to be protected by CA Top Secret:

   TSS ADDTO(dept) KOMCANDL(PEEK)
   TSS PERMIT(acid) KOMCANDL(PEEK)
   

   Each command you protect requires that EXTERNAL=YES be specified in the Omegamon Security Table (see Step 8).

   Note: If you are securing a command that begins with a slash (/) or a period (.), you must change the command to begin with a dollar sign ($) instead of a slash (/) and an at sign (@) instead of a period (.).

7. Change the Omegamon RACF exit source as described below.
   • Remove the APPLICATION= parameter on the RACIMDL RACINIT MF=L and RACCMDL RACHECK MF=L macros near the end of the routine.
   • Replace the instructions at the beginning of the interface with:

       	MVI U#CHCLS,X'08'
     

       	MVC U#CHCLSD,=CL8'KOMCANDLE'
     

   • Put the instructions shown above after this instruction:

     	OI  U#CHAUT1,U@CH1RAC
     

   • Link the exit as instructed by Omegamon.
8. Set up the Omegamon Security Table by modifying the control statements in member KOMSUPDI in hlq.ROMDATA as follows:
   • Uncomment the MODULE command statement and enter the name of the exit KOMRACFX on the MODULE statement as shown below.

       	MODULE=KOMRACFX
     

   • Indicate which commands are to be validated by CA Top Secret rules by setting EXTERNAL=YES on the COMMAND control statements. Also indicate which level the command is to be checked to by setting LEVEL=n, where n is 0, 1, 2, or 3. A sample appears below.

       	COMMAND=APFU,LEVEL=3,EXERNAL=YES
     

   • Commands that are to be validated by Omegamon internal security are defined by setting EXTERNAL=NO. In addition, indicate which level the command is to be checked at by setting LEVEL=n, where n is 1, 2, or 3. A sample appears below.

       	COMMAND=XMLS,LEVEL=1,EXTERNAL=NO
     

   Note: The LEVEL associated with the COMMAND control statement corresponds to the suffix associated with the INITIAL resource PERMITted to users.

   The default for EXTERNAL is NO.

   • Modify and submit job KOMSUPD to update the Security Table (the JCL is provided by Omegamon).