Converting SMU Control Statements to CA Top Secret › Type 1 AOI Command Security Conversion › The TSSISMU3 Utility

The TSSISMU3 Utility

Use the TSSISMU3 utility to convert the transaction-based SMU security to a user-based security policy for the commands.

The TSSISMU3 utility processes the SMU statements. For each transaction in the SMU statements that can issue AOI type 1 commands, the utility determines who has access to the transaction. For each command the transaction can issue, the utility generates PERMIT statements to permit access to the command for every user that has access to the transaction. If the command specified in a TCOMMAND statement is * TSS PERMIT statements are generated for each IMS command eligible for AOI.

The TSS PERMIT statements generated by this utility require that AOI=YES be specified in the IMS system definition (IMS stage 1) in the TRANSACT macro for any transaction that issues AOI type 1 commands.

The utility optionally issues a report listing the transactions require AOI=YES in the IMS system definition (IMS stage 1).

The utility can optionally take as input a data set with the IMS system definition (IMS stage 1) statements containing the transaction definitions, and generate an updated set of statements that includes the AOI=YES parameter for the transactions that require it. The AOI=YES parameter is unconditionally added to the TRANSACT macro definition for any transactions that issue AOI type 1 commands, even if the TRANSACT macro already contains an AOI parameter specification. If two AOI parameters are specified on a TRANSACT macro, an error is generated during the IMS stage 1 process, allowing you to determine the correct specification.

Note: The utility processes a TSSCFILE data set containing the IMS transaction security policy defined in the OTRAN and TIMS resource classes, and uses it to create the security policy for the corresponding type 1 AOI commands. The utility does not support transaction security policy in the LCF resource class. If transaction security policy is defined in the LCF resource class, this utility cannot be used as a migration aid in the SMU conversion.

Examples: TSSISMU3 conversion

In this example, the SMU input is one of the following:

)( TCOMMAND DISPLAY
 CTRANS TRANAOI

)( CTRANS TRANAOI
 TCOMMAND DISPLAY

The users USER01 and USER02 have access to the TRANAOI transaction. The utility generates:

TSS PERMIT(USER01) CIMS(DIS)
                   FAC(imsfac)
TSS PERMIT(USER02) CIMS(DIS)
                   FAC(imsfac)

In this example, the SMU input is one of:

)( TCOMMAND *
 CTRANS TRANAOI

)( CTRANS TRANAOI
 TCOMMAND *

The users USER01 and USER02 have access to the TRANAOI transaction. The utility generates PERMIT statements for each user for every IMS command eligible for AOI:

TSS PERMIT(USER01) CIMS(ACT) FAC(imsfac)
TSS PERMIT(USER01) CIMS(ALL) FAC(imsfac)
TSS PERMIT(USER01) CIMS(ASS) FAC(imsfac)
. . .
TSS PERMIT(USER02) CIMS(ACT) FAC(imsfac)
TSS PERMIT(USER02) CIMS(ALL) FAC(imsfac)
TSS PERMIT(USER02) CIMS(ASS) FAC(imsfac)
. . .

TSSISMU3 Authorization Requirements

There are two steps to the TSSISMU3 utility process.

• Execute the TSSCFILE utility to obtain the current security policy for IMS transactions. This step should be executed by the MSCA to ensure that all policy information is obtained.
• Execute the TSSISMU3 utility. There are no authorization requirements for the TSSISMU3 utility.

TSSCFILE Sample JCL

The following sample JCL executes the TSSCFILE utility:

//    JOB …
//TSSCFILE     EXEC PGM=TSSCFILE
//OUT          DD   DSN=tsscfile.output,
//             DISP=(NEW,CATLG,DELETE),
//             UNIT=SYSDA,
//             VOL=SER=vvvvvv,
//             SPACE=(CYL,(10,10),RLSE),
//             DCB=(RECFM=FB,LRECL=300)
//PRINT        DD   SYSOUT=*
//IN           DD   *
TSS WHOHAS OTRAN(*) DATA(MASK)
TSS WHOHAS TIMS(*) DATA(MASK)
//

OUT

This DD statement specifies the output data set created by the TSSCFILE utility containing the output of the TSS WHOHAS commands. This data set is used as input to the TSSISMU3 utility.

This must be a sequential data set with a record length of 300.

PRINT

This DD statement specifies the utility report data set created by the TSSCFILE utility.

IN

This DD statement specifies the data set containing the TSS WHOHAS commands. These commands are required and must be entered exactly as shown.

TSSISMU3 Sample JCL

This example JCL executes the TSSISMU3 conversion utility:

//    JOB …
//TSSISMU3   EXEC PGM=TSSISMU3,PARM=imsfac                
//TSSCFILE   DD  DSN=tsscfile.input,DISP=SHR              
//SMU        DD  DSN=smu.input,DISP=SHR                    
//TSSCMDS    DD  DSN=tsscmds.output,DISP=SHR              
//REPORT	     DD  SYSOUT=*                   
//STG1IN	     DD  DSN=ims.stage1.input,DISP=SHR            
//STG1OUT    DD  DSN=updated.ims.stage1,DISP=SHR    
//                                                        

Imsfac

Specifies the facility name of the IMS control region whose SMU input is being converted. This value is used in the TSS PERMIT statements generated to give access to the command in the IMS region.

TSSCFILE

This DD statement specifies the input data set containing the TSSCFILE input for transaction access.

This must be a sequential data set with a record length of 300.

SMU

This DD statement specifies the input data set containing the SMU statements for the IMS region being processed.

This must be a sequential data set with a record length of 80.

TSSCMDS

This DD statement specifies the output data set created by the TSSISMU3 utility containing the TSS statements generated by the conversion utility.

This must be a sequential data set with a record length of 80.

REPORT

(Optional) This DD statement specifies the output data set created by the TSSISMU3 utility containing a report listing the transactions in the IMS system definition (IMS stage 1) that require the AOI=YES parameter.

If the DD statement specifies a data set rather than SYSOUT, the data set must be sequential with a record length of 80.

If the DD statement is not specified the report is not generated.

STG1IN

(Optional) This DD statement specifies the input data set containing the IMS system definition (IMS stage 1) statements that include the TRANSACT macro statements for all transactions.

This must be a sequential data set with a record length of 80.

If the DD statement is not specified, the IMS system definition update processing is not performed. If this DD statement is specified, the STG1OUT DD statement is required.

Note: The utility does not expand COPY statements or require the entire IMS system definition. The STG1IN input data set must contain the IMS system definition TRANSACT macro statements for all transactions.

STG1OUT

(Optional) This DD statement specifies the output data set created by the TSSISMU3 utility containing the updated IMS system definition (IMS stage 1) statements. The AOI=YES parameter is added to the TRANSACT macro definition for any transactions that issue AOI type 1 commands.

This must be a sequential data set with a record length of 80.

This DD statement is only required if the STG1IN DD statement is specified.

Notes:

• The STG1OUT DD statement should not point to the same data set as the STG1IN DD statement.
• The AOI=YES parameter is unconditionally added to the TRANSACT macro definition for any transactions that issue AOI type 1 commands, even if the TRANSACT macro already contains an AOI parameter specification. If two AOI parameters are specified on a TRANSACT macro, an error is generated during the IMS stage 1 process, allowing you to determine the correct specification.

How TSSISMU3 Processing Works

The TSSISMU3 conversion utility:

• Parses the facility value from the PARM= execution parameter in the TSSISMU3 job stream
• Processes the information from the TSSCFILE input data set containing the transaction access information.
• Uses the TSSCFILE information to create an in-storage table of all transactions and who has access to them.
• Processes the SMU information from the data set specified in the SMU DD statement in the execution JCL.
• Identifies )( TCOMMAND control statements and extracts the command name from the control statement .

  If the command name in the TCOMMAND statement is longer than three characters, the utility replaces it with the first three characters of the command verb.

  • Processes the CTRANS data statements that follow the )( TCOMMAND control statement.
  • Searches the in-storage TSSCFILE table to determine who has access to the transaction for each transaction identified in a CTRANS data statement.
  • Generates a PERMIT statement giving the ACID access to the command from the facility for the IMS region for each ACID with access to the transaction.

    If the command specified in the TCOMMAND statement is * TSS PERMIT statements are generated for each IMS command eligible for AOI.

• Identifies )(CTRANS control statements and extracts the transaction name from the control statement.
• Processes the TCOMMAND data statements that follow the )( CTRANS control statement.
• Extracts the command name for each TCOMMAND data statement.

  If the command name in the TCOMMAND statement is longer than three characters, the utility replaces it with the first three characters of the command verb.

• Searches the in-storage TSSCFILE table to determine who has access to the transaction.
• Generates a PERMIT statement giving the ACID access to the command from the facility for the IMS region for each ACID with access to the transaction.
• (If the command specified in a TCOMMAND statement is *) generates TSS PERMIT statements for each IMS command eligible for AOI.
• If the REPORT DD statement is specified in the utility JCL, generates a report listing all transactions identified in the SMU conversion process as issuing type 1 AOI commands.

  These transactions require the AOI=YES parameter in the TRANSACT macro transaction definitions in the IMS system definition (IMS stage 1) statements.

  Use this report to ensure that the appropriate transaction definitions are updated.

• Provide an updated IMS system definition if the STG1IN and STG1OUT DD statements are specified in the utility JCL.

  The utility copies the IMS system definition statements from the STG1IN data set to the STG1OUT data set. When it identifies a TRANSACT macro for a transaction identified in the SMU conversion process as issuing AOI type 1 commands, it adds an AOI=YES parameter to the end of the TRANSACT macro definition.

TSS Command Execution

Review the TSS commands generated by the TSSISMU3 utility for accuracy before you execute them.

This sample JCL executes the TSS statements in a batch TSO job.

//    JOB …
//IKJEFT01   EXEC PGM=IKJEFT01,REGION=0M    
//SYSTSPRT   DD  SYSOUT=*                  
//SYSPRINT   DD  SYSOUT=*   
//SYSTSIN    DD  DSN=tsscmds.input,DISP=SHR 
//                                          

To execute the TSS statements, the user must have an ACID with sufficient authority to perform the command PERMITs.