Part of the identification and authentication that takes place at system entry is the extraction and authorization of a subject's security label information. CA Top Secret determines a subject's security label at logon only if MLS is active.
To use a different security label to logon, you must log off first and then logon again with that security label.
Important! You cannot change your session security label by reconnecting to a TSO session with a different security label.
When you log on to a system, you can enter a security label. CA Top Secret verifies that you are authorized to use the label by checking your user ACID record. If you are authorized to use the security label, CA Top Secret maintains the security label in your address space and uses it to make access decisions until you log off.
You cannot alter your security label while logged onto the system. To change your security label, log off and log on using a different security label. This reduces the threat from Trojan horses and prevents inadvertent data disclosure.
To specify a label at logon, you can specify:
The security label must already be defined in the system and it must be added to your user ACID record.
There are two system-defined labels that you may be authorized to use at logon:
This label dominates all other labels in the system. The label must be assigned in your user ACID record.
This label is dominated by all others in the system.
If you have full-screen privileges in your ACID record, the logon panel displays after CA Top Secret validates your ACID and password. The SECLABEL field specifies the user's one- to eight-character security label. MLS must be active on the system before a value is specified in this field.
If the user on the logon command does not specify a label, one may default from the user's previous TSO session or ACID record. The user can override this label by specifying a different authorized one. The label specified must be defined and valid in the system. When the MLMODE control option is:
The user is prompted for a valid label until he specifies one or blanks out the value in the SECLABEL field.
The user is assigned SYSLOW if an invalid or unauthorized seclabel is specified in the SECLABEL field.
If MLS is active on the system, a user may specify a security label on the LOGON command, such as:
LOGON logonid/password SECLABEL(seclabel)
Supplying a security label is not required. CA Top Secret will attempt to default a security label for a user who does not supply a label. If a user does not specify a security label at logon, if there was a previous TSO/E session for the user, the security label from that session will be used (in full-screen mode, only). If there was no security label for the previous TSO/E session, CA Top Secret uses the security label from the TERMINAL or SERVAUTH class MLS resource record, if there is one. If the terminal or server does not have a security label, CA Top Secret uses the default security label from the SECLABEL field in the user acid record, if one exists for the user. If CA Top Secret cannot default a security label from any of these places, the user will be logged on with the system-defined security labels, SYSLOW, the lowest label in the system.
The TSS WHOAMI command is used to display your current active security label in an MLS environment once you are successfully logged onto the system. This security label is the one with which you entered the system and which endures for the duration of your session. It cannot be used to display any user's security label other than your own.
To specify a security label in JCL, specify a SECLABEL logon parameter with JCL JOB statement parameters:
SECLABEL=seclabel
Certain started tasks represent important system components that are required for z/OS to run properly. Security labels cannot be specified when a START or MOUNT command is issued at the console (started task) or when the TSO LISTBC command is issued or when system address spaces are started, such as CATALOG, SMF, DUMPSRV, CONSOLE, SMS, JES2, JES3. In these cases, the operating system generates a RACROUTE REQUEST=VERIFY call and assigns the TRUSTED parm a value of YES, indicating a “trusted” user is entering the system. When MLS is active, although you can assign a default security label to a started task, such as OMVS, by adding a SECLABEL to the acid record for it, if it is considered “trusted”, MAC security label checking will be bypassed, but logged (if the MLS mode is WARN, or FAIL), at system entry and for all requested access to data sets and other resources by the started task. In addition, MAC label checking is bypassed, and logged for BYPASS acids.
To specify a security label on the console at logon, enter:
SECLABEL=seclabel
|
Copyright © 2010 CA Technologies.
All rights reserved.
|
|