

Interactive System Productivity Facility (ISPF)

ISPF/Program Development Facility (PDF) is an optional component in an MLS system configuration. In particular, CA Examine uses ISPF services to display and control its dialogs. If you are using CA Examine in an MLS system, you must also install ISPF/PDF.

Executed under a TSO/E subsystem session as an unauthorized program, ISPF is a dialog manager. A dialog is a “conversation” between a person using an interactive display terminal and a computer executing a program for a particular application.

Support for MLS ISPF

The following is supported when MLS is active on a CA Top Secret system:

Restricting Jobs to Specific Systems

A security administrator can restrict a security label to specific systems in a sysplex, so that the label can be used only on the systems on which it has been defined. To do this, specify one or more system IDs in the SYSID field of the SECLABEL Record and activate the MLSECBYS control option.

Note: If the SYSID field is excluded from the record, then the security label can be used on all systems.

When a security label is restricted to one or more systems, JES2 will ensure that a job that is using the security label is executed only on a system on which that security label is defined and active. This allows sharing of the CA Top Secret databases in a sysplex while keeping work segregated to different systems. If the security label of a job is not defined and active on any system, the job will remain in the conversion phase.

For more information about how to define and use “system-specific” security labels, see the “Implementing and Administering a Multilevel-Secure System” chapter. See also the manual, IBM JES2 Introduction, for more information about the conversion phase in JES2 processing.

Restrictions

If ISPF/PDF is used, the following restrictions apply when MLS is active on a CA Top Secret system:

Configuration Checklist ISPF

This checklist describes the software configuration requirements when MLS is active on a CA Top Secret system.

| Requirement | Complete |
| --- | --- |
| Do not make ISPF APF authorized | |
| Protect ISPF administration libraries | |
| Do not install ISPF session manager exits | |

Protecting ISPF Administration Libraries

Users typically concatenate their own ISPF CLIST, panel, skeleton, and message libraries to tailor the way ISPF works to meet their needs. In most cases, this is perfectly acceptable in an MLS configuration. There is, however, one case when it is not acceptable: when a security administrator is using the CA Top Secret ISPF panels to administer security. In this case, the ISPF libraries and the CA Top Secret ISPF libraries must be concatenated in front of any user libraries, so that a member of the same name in a user library cannot be found ahead of the one in the system or CA Top Secret library.

Example

This example shows how the concatenation of the ISPF libraries and CA Top Secret ISPF libraries would look in the JCL of a TSO LOGON procedure:

//ISPPLIB  DD DSN=ISP.V3R5M0.ISPPENU,DISP=SHR  ISPF panels
//         DD DSN=ISP.V3R5M0.ISRPENU,DISP=SHR  PDF panels
//         DD DSN=CAI.CAISPP,DISP=SHR          CA Top Secret panels
//         DD ...                              User panels
//*
//ISPMLIB  DD DSN=ISP.V3R5M0.ISPMENU,DISP=SHR  ISPF messages
//         DD DSN=ISR.V3R5M0.ISRMENU,DISP=SHR  PDF messages
//         DD DSN=CAI.CAISPM,DISP=SHR          CA Top Secret messages
//         DD ...                              User messages
//*
//ISPSLIB  DD DSN=ISP.V3R5M0.ISPSENU,DISP=SHR  ISPF skeletons
//         DD DSN=ISR.V3R5M0.ISRSENU,DISP=SHR  PDF skeletons
//         DD DSN=CAI.CAISPS,DISP=SHR          CA Top Secret skeletons
//         DD ...                              User skeletons
//*
//ISPTLIB  DD DSN=ISP.V3R5M0.ISPTENU,DISP=SHR  ISPF tables
//         DD DSN=ISP.V3R5M0.ISRTENU,DISP=SHR  PDF tables
//         DD ...                              User tables
//*
//SYSPROC  DD DSN=ISR.V3R5M0.ISRCLIB,DISP=SHR  PDF CLISTs
//         DD DSN=CAI.CAICLIB,DISP=SHR         CA Top Secret CLISTs
//         DD ...                              User CLISTs
//*

These libraries must be protected with CA Top Secret access rules so that only system maintenance personnel can update them. In an MLS system, if the option to require security labels is activated, they should be labeled SYSLOW so that they are accessible to all users.

Note: If CA Examine is included in the configuration, the CA Examine libraries must also be concatenated before any user libraries. See the Protect CA-Examine Libraries section for an example of the library concatenations with CA-Examine.
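One way to audit a LOGON procedure for the ordering rule described above, as an added example that is not part of the original documentation or of CA Top Secret: it parses the DD concatenations and reports any system or CA Top Secret library that is searched after a user library. The trusted qualifiers (ISP., ISR., CAI., taken from the example), the function names, and the sample JCL with USER01 data sets are assumptions constructed for illustration; JCL continuation lines are not handled.

```python
import re

# Assumption: qualifiers of system-maintained libraries, from the example above.
TRUSTED_HLQS = ("ISP.", "ISR.", "CAI.")
# DD names whose search order the administration dialogs depend on.
WATCHED_DDS = ("ISPPLIB", "ISPMLIB", "ISPSLIB", "ISPTLIB", "SYSPROC")
DD_RE = re.compile(r"^//(\S*)\s+DD\s+(\S+)")
DSN_RE = re.compile(r"(?:DSN|DSNAME)=([^,\s]+)")

def parse_concatenations(jcl):
    """Return {ddname: [dsn, ...]} in search order (no continuation lines)."""
    concats, current = {}, None
    # Comment statements (//*) do not break a concatenation, so drop them first.
    for line in [l for l in jcl.splitlines() if not l.startswith("//*")]:
        m = DD_RE.match(line)
        if not m:
            current = None  # any other statement ends the concatenation
            continue
        name, operands = m.groups()
        current = name.upper() or current  # blank name continues the previous DD
        if current:
            d = DSN_RE.search(operands)
            dsn = d.group(1).strip("'").upper() if d else "(no DSN)"
            concats.setdefault(current, []).append(dsn)
    return concats

def find_override_risks(jcl):
    """Return (ddname, trusted_dsn, earlier_untrusted_dsn) for each violation."""
    findings = []
    for dd, dsns in parse_concatenations(jcl).items():
        first_untrusted = None
        for dsn in dsns if dd in WATCHED_DDS else ():
            if not dsn.startswith(TRUSTED_HLQS):
                first_untrusted = first_untrusted or dsn
            elif first_untrusted:
                findings.append((dd, dsn, first_untrusted))
    return findings

# Constructed sample: a user panel library sits ahead of the CA Top Secret panels.
SAMPLE = """\
//ISPPLIB  DD DSN=ISP.V3R5M0.ISPPENU,DISP=SHR
//         DD DSN=USER01.PANELS,DISP=SHR
//         DD DSN=CAI.CAISPP,DISP=SHR
//SYSPROC  DD DSN=CAI.CAICLIB,DISP=SHR
//         DD DSN=USER01.CLIST,DISP=SHR
"""

if __name__ == "__main__":
    for dd, trusted, user in find_override_risks(SAMPLE):
        print(f"{dd}: {user} is searched before {trusted}")
```

A DD statement without a DSN operand, such as the `DD ...` placeholders in the example, is treated as a user library.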

Note: Do Not Install ISPF Session Manager Exits. ISPF includes exit routines for SVC 93 (TGET/TPUT/TPG) and SVC 94 (STCC) to allow the session manager to be invoked under ISPF, instead of the more usual case of invoking ISPF under the session manager. These exits should not be installed in an MLS environment. For more information about these exits, see the IBM z/OS TSO/E Customization manual.

Configuring Network Job Entry (NJE) and Remote Job Processing (RJP)

If you want to successfully use NJE and RJP in a CA Top Secret MLS system, configure them as follows: