The TSSISMU2 Utility

Converting SMU Control Statements to CA Top Secret › AGN Security to RAS Conversion › The TSSISMU2 Utility

The TSSISMU2 Utility

Use the TSSISMU2 utility to simplify the conversion from AGN security to RAS. The utility:

Processes the SMU control statements for the IMS region being converted.
Determines what ACIDs have access to the AGN for each AGN defined in the SMU input.
Generates an ADDTO statement to give ownership of the resource for each element assigned to the AGN in the SMU input, if the resource is not currently owned in CA Top Secret.
Generates PERMIT statements to give access to the element to the same set of users that have access to the AGN. This allows the same access to the AGN element that was held on the AGN.

If the element for the AGN is ALL, the utility generates an ADDTO statement giving ownership of the *ALL* resource to the MSCA, and generates a PERMIT statement with a resource entity of *ALL*.

For information on the use of the *ALL* value in a PERMIT statement , see the Command Functions Guide.

Examples: TSSISMU2 conversion

In this example, the TSSISMU2 utility is executed with PARM='MASTER,IMSDEPT,IMSPROD', and the SMU input is:

)( AGN BMP1
  AGPSB PGMBMP1

The users USER01 and USER02 have access to the BMP1 AGN. The utility generates:

TSS ADDTO(IMSDEPT) IIMS(PGMBMP)
TSS PERMIT(USER01) IIMS(PGMBMP)
                   FAC(IMSPROD)
TSS PERMIT(USER02) IIMS(PGMBMP)
                   FAC(IMSPROD)

In this example, the TSSISMU2 utility is executed with PARM='MASTER,IMSDEPT,IMSPROD', and the SMU input is:

)( AGN MSG1
  AGPSB ALL

The users USER01 and USER02, have access to the MSG1 AGN. The utility generates:

TSS ADDTO(MASTER) IIMS(*ALL*)
TSS PERMIT(USER01) IIMS(*ALL*)
                   FAC(IMSPROD)
TSS PERMIT(USER02) IIMS(*ALL*)
                   FAC(IMSPROD)

Authorization requirements for the TSSISMU2 utility

There are two steps to the TSSISMU2 utility process.

Execute the TSSCFILE utility to obtain the current resource ownership information for IMS PSBs, transactions, and LTERMs and the current security policy for AGNs. This step should be executed by the MSCA to ensure that all security information is obtained.
Executes the TSSISMU2 utility. There are no authorization requirements for the TSISMU2 utility.

TSSCFILE Sample JCL

This sample JCL executes the TSSCFILE utility:

//    JOB …
//TSSCFILE       EXEC PGM=TSSCFILE
//OUT            DD   DSN=tsscfile.output,
//               DISP=(NEW,CATLG,DELETE),
//               UNIT=SYSDA,
//               VOL=SER=vvvvvv,
//               SPACE=(CYL,(10,10),RLSE),
//               DCB=(RECFM=FB,LRECL=300) 
//PRINT    DD    SYSOUT=*
//IN       DD    *
TSS WHOOWNS IIMS(*)
TSS WHOOWNS TIMS(*)
TSS WHOOWNS LIMS(*)
TSS WHOHAS APPL(*) DATA(MASK)
//

OUT

This DD statement specifies the output data set created by the TSSCFILE utility containing the output of the TSS WHOOWNS and WHOHAS commands. This data set is used as input to the TSSISMU3 utility.

This must be a sequential data set with a record length of 300.

PRINT

This DD statement specifies the utility report data set created by the TSSCFILE utility.

IN

This DD statement specifies the data set containing the TSS CFILE input commands. These commands are required and must be entered exactly as shown.

TSSISMU2 Sample JCL

This sample JCL executes the TSSISMU2 conversion utility:

//    JOB …
//TSSISMU2   EXEC PGM=TSSISMU2,PARM='msca,owner,imsfac'    
//TSSCFILE   DD  DSN=tsscfile.input,DISP=SHR              
//SMU        DD  DSN=smu.input,DISP=SHR                   
//TSSCMDS    DD  DSN=tsscmds.output,DISP=SHR              
//

msca

Specifies the ACID of the CA Top Secret MSCA. When an AGN element of ALL is processed, this value is used in the ADDTO statement giving ownership of the *ALL* resource to the MSCA.

owner

Specifies the ACID used in the ADDTO statement giving ownership of any AGN element resources not already owned. If different owning ACIDs are desired for different AGN element resources, a placeholder literal such as ???????? can be specified. The TSSCMDS data set can then be edited, and the correct values for the owning ACIDs substituted before the commands are executed.

imsfac

Specifies the facility name of the IMS control region whose SMU input is being converted. This value is used in the TSS PERMIT statements generated to give access to the AGN elements in the IMS region.

TSSCFILE

This DD statement specifies the input data set containing the TSSCFILE input for AGN access and AGN element ownership.

This must be a sequential data set with a record length of 300.

SMU

This DD statement specifies the input data set containing the SMU statements for the IMS region being processed.

This must be a sequential data set, with a record length of 80.

TSSCMDS

This DD statement specifies the output data set created by the TSSISMU2 utility, containing the TSS statements generated by the conversion utility.

This must be a sequential data set with a record length of 80.

How TSSISMU2 Processing Works

The TSSISMU2 conversion utility:

Parses the MCSA, owner, and facility values from the PARM= execution parameter in the TSSISMU2 job stream
Processes the information from the TSSCFILE input data set to create storage tables of AGN access and AGN element resource ownership
Processes the SMU information from the data set specified in the SMU DD statement in the execution JCL.
Identifies AGN control statements and extracts the AGN name from the control statement
Processes the AGPSB, AGTRAN, and AGLTERM data statements that follow the AGN control statement
- Extracts the AGN element name from the data statement for each AGN element
- Scans the resource ownership tables created in the TSSCFILE process to determine if the AGN element resource is owned.
- Generates an ADDTO statement to give resource ownership to unowned resources
  If the AGN element is ALL, the ACID in the ADDTO statement is the value of the MCSA operand in the PARM= execution parameters. If the AGN element is a specific resource, the ACID in the ADDTO statement is the value of the owner operand in the PARM= execution parameters.
Processes the AGN access table to generate the security policy for the AGN element.
Generates a PERMIT statement giving the ACID access to the AGN element from the facility of the IMS region for each ACID that has access to the AGN.
If the AGN element is ALL, the PERMIT statement is for the resource entity *ALL*, giving access to all resources

Executing the TSS Commands

Review the TSS commands generated by the TSSISMU2 utility for accuracy before you execute them.

This sample JCL executes the TSS statements in a batch TSO job:

//    JOB …
//IKJEFT01     EXEC PGM=IKJEFT01,REGION=0M            
//SYSTSPRT     DD  SYSOUT=*                           
//SYSPRINT     DD  SYSOUT=*   
//SYSTSIN      DD  DSN=tsscmds.input,DISP=SHR         
//

The user must have an ACID with sufficient authority to perform the command PERMITs.

Migrating AGN Security to RAS Security

To migrate from AGN security to RAS security:

Determine whether you want to perform RAS security. If the existing CA Top Secret PSB security is sufficient for your security requirements, a complete AGN to RAS conversion may not be necessary.
Decide if you want to assign resource ownership to a single ID, or use a substitution literal in the owner value of the PARM= execution parameters.
Determine the facility of the IMS region whose SMU security is being converted.
Run the TSSCFILE utility to obtain the security policy for access to AGNs, and the resource ownership information for the AGN element resource classes.
Run the TSSISMU2 conversion utility program using the TSSCFILE input and the SMU statements for the IMS region being converted.
Review the TSS command statements created by the TSSISMU2 utility for accuracy.
Execute the TSS commands to update CA Top Secret.
Change the IMS system definition (IMS stage 1) parameters to stop performing AGN security and start performing RAS security.
Run the IMS system definition.
Change the IMS execution parameter to ISIS=R.
Restart IMS.