

JES2

JES2 uses the system authorization facility (SAF) to pass security information about jobs and resources to CA Top Secret. CA Top Secret makes access decisions based on information in its databases and passes its decision back to JES2.

Support for MLS

The following is supported when MLS is active on a CA Top Secret system:

In addition, CA Top Secret provides additional support beyond MLS requirements. You can control what data is output to a particular device and restrict certain users to specific output devices.

Restrictions

Certain JES2 functions should not be permitted in an MLS system when certain MLS options have been activated. The following restrictions apply when MLS is active on a CA Top Secret system:

Configuration Checklist

This checklist describes the software configuration requirements when MLS is active on a CA Top Secret system.

Requirement

Complete

Control the use of JES2 operator commands

Protect JES2 Spool Data Sets

Define acid for JES2 started task

Assign security label SYSMULTI to the JES2 started task ID

Define access rules for JES2 started task

Control job input

Configure Network Job Entry (NJE) and Remote Job Processing (RJP)

Restrict jobs to specific systems

Controlling the Use of JES2 Commands

The security administrator must be able to audit all JES2 commands in an MLS system. It is also necessary to control who can issue commands, since it is possible to issue commands not only from an operator console, but also from batch JCL. In either case, access is validated based on the acid associated with the job.

To control JES2 commands and provide an audit trail for all JES2 commands:

JES2 Command Resource Names

JES2 commands have resource names in the following format:

jesname.command[.qualifier]

jesname

The name of the JES2 system requesting the command validation

command

The name of the JES2 command

qualifier

The type of object the command specifies, such as JOB or SYS.

See the IBM z/OS JES2 Initialization and Tuning Guide to determine the resource name of the JES2 command. It provides a list of JES2 commands, their resource names, and the SAF access level required to issue the command.

Examples

The $C'jobname' command has the following resource name:

jesx.CANCEL.JOB.

A user requires UPDATE access to issue the command.

Protecting JES2 Spool Data Sets

JES2 maintains data sets in the JES2 spool. Some of these data sets are JES2 system and user data sets. Others contain SYSIN and SYSOUT data for jobs in the system. This section describes how to protect the following types of JES2 spool data sets:

In order for any users to read or update classified JES2 spool data sets in an MLS system, their security labels must dominate the security labels of the spool data sets they are trying to access.

Protection for SYSIN and SYSOUT Data Sets

MLS protection mechanisms for JES2 SYSIN (for the job's input) and SYSOUT (for the job's output) data sets allow access to them only by the user who created the data sets. The user can also allow other users access.

When the MLS option to protect write-down is active, the system assigns the SYSIN and SYSOUT data sets the same label as the job. The subject that submits the job can access these data sets if their security label dominates the job's security label.

While a job executes, JES2 creates SYSIN and SYSOUT data sets using the following naming conventions:

nodeid.userid.jobname.jobid.dsnumber.name

nodeid

The name of the node where the data sets reside. In an MLS system, this is always the local node. The ID of the local node appears in the job log of each job. Note: The variable, nodeid, is not part of the data set name. Rather, it is added to the front of the data set name for the SAF call.

userid

The ID of the user associated with the job. This is the acid specified in the USER= keyword on the JCL JOB statement or the acid of the user who submits the job.

jobname

The name of the job as it appears in the NAME field of the JOB statement.

jobid

The job number JES2 assigns to the job. JES2 displays the job ID in messages sent to the submitter and in the job log of every job.

dsnumber

The unique data set number assigned by JES2 to the spool data set. D is the first character of the number.

name

The name of the data set as it is specified in the DSN= parameter of the DD statement in the job. The name cannot be JESYSMSG, JESJCLIN, JESJCL, or JESMSGLG. If the DSN= parameter is not specified in the DD statement that creates the spool data set in the JCL, JES2 uses a question mark (?) for the name.

Examples

USER01 submits a job named JOB01 to run on the local node HOME. JES2 assigns a job ID of JOB0001 and the value of the DSN= parameter for a SYSOUT data set is OUTPUT. The name of the spool data set for this job is HOME.USER01.JOB01.JOB0001.DOQ000003.OUTPUT.

To allow other users access to this data set, enter:

JESNEWS Data Set

The JESNEWS data set contains information for all JES2 users. All users should be able to read this data set. JESNEWS information prints after the header separator page of a job. The name of the JESNEWS data set takes the following form:

nodeid.jesid.$JESNEWS.STCtaskid.Dnewslvl.JESNEWS

nodeid

The ID of the node where the JESNEWS data set was created. In an MLS system, this is always the ID of the local JES2 node.

Note: The variable, nodeid, is not part of the data set name. Rather, it is added to the front of the data set name for the SAF call.

jesid

The user ID associated with the JES2 system at your site.

taskid

The name of the task that created the JESNEWS data set.

newslvl

The level of this copy of JESNEWS. The value can vary from 0000101 to 0065535.

Examples

The resource name for JESNEWS on HOME that is created by STC05998 is:

HOME.JES2.$JESNEWS.STC05998.D0000101.JESNEWS

The job that updates the JESNEWS data set should be assigned the security label SYSLOW, and the security administrator must create a resource rule in the OPERCMDS resource class to permit that job to update JESNEWS. The resource name for the update job is 'jesname.UPDATE.JESNEWS'.
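The naming rules from the SYSIN/SYSOUT and JESNEWS sections above, as an added Python example that is not part of the CA Top Secret documentation: it builds and parses the name passed on the SAF call and flags accesses made by an acid other than the owning userid. The function names, the (acid, resource) event tuples and the sample values are constructed for illustration and are not a CA Top Secret log format.

```python
from collections import namedtuple

# DSN= values the page says a job may not use for a spool data set.
RESERVED = {"JESYSMSG", "JESJCLIN", "JESJCL", "JESMSGLG"}

# nodeid.userid.jobname.jobid.dsnumber.name (nodeid is prefixed for the SAF call)
SpoolName = namedtuple("SpoolName", "nodeid userid jobname jobid dsnumber name")

def parse(resource):
    """Split a six-qualifier spool resource name into its fields."""
    parts = resource.upper().split(".")
    if len(parts) != 6 or not all(parts):
        raise ValueError(f"expected 6 qualifiers: {resource!r}")
    if not parts[4].startswith("D"):
        raise ValueError(f"dsnumber must begin with D: {parts[4]!r}")
    return SpoolName(*parts)

def build(nodeid, userid, jobname, jobid, dsnumber, dsn=None):
    """Compose the resource name for a job's SYSIN/SYSOUT data set."""
    name = (dsn or "?").upper()          # '?' when the DD statement has no DSN=
    if name in RESERVED:
        raise ValueError(f"DSN={name} is not allowed for a job's spool data set")
    resource = ".".join([nodeid, userid, jobname, jobid, dsnumber, name]).upper()
    parse(resource)                      # reuse the structural checks
    return resource

def is_jesnews(r):
    # nodeid.jesid.$JESNEWS.STCtaskid.Dnewslvl.JESNEWS
    return r.jobname == "$JESNEWS" and r.jobid.startswith("STC") and r.name == "JESNEWS"

def cross_user_accesses(events):
    """Return (acid, resource) pairs where the accessor is not the owning userid.
    JESNEWS is skipped because every user is expected to read it."""
    return [(acid, res) for acid, res in events
            if not is_jesnews(parse(res)) and acid.upper() != parse(res).userid]

# Constructed sample events (accessor acid, resource name); not a real log format.
SAMPLE = [
    ("USER01", "HOME.USER01.JOB01.JOB0001.D0000003.OUTPUT"),
    ("USER02", "HOME.USER01.JOB01.JOB0001.D0000003.OUTPUT"),
    ("USER02", "HOME.JES2.$JESNEWS.STC05998.D0000101.JESNEWS"),
    ("USER03", "HOME.USER03.PAYROLL.JOB0002.D0000004.?"),
]

if __name__ == "__main__":
    for acid, res in cross_user_accesses(SAMPLE):
        print(f"review: {acid} accessed {res}")
```

A flagged pair is not necessarily a violation, since the owner can allow other users access; it is the set of accesses to reconcile against the access rules that have been written.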

SYSLOG Data Set

The SYSLOG data set contains a record of a system's daily activities. To prevent unauthorized access to SYSLOG in an MLS system, the SYSLOG data set should be assigned the security label SYSHIGH. This means that only trusted programs and processes that are part of or defined to the system can access the SYSLOG.

To allow an operator DAC access to the SYSLOG data set, a security administrator must create a resource rule for the JESSPOOL resource class and a resource name such as:

home.+MASTER+.-.-.-.SYSLOG.

Note: The variable, home, is not part of the data set name. Rather, it is added to the front of the data set name for the SAF call.

Control Access to JES2 System Data Sets

The JES2 spool space data sets hold JES2 sysin and sysout files for jobs that are waiting for execution or printing. The JES2 checkpoint data sets provide an index into the spool space, and allow communication between JES2 address spaces running on different members of a multi-access spool complex. JES2 issues SAF calls to protect individual sysin and sysout data sets. To prevent other jobs from circumventing JES2 security, only JES2 may be given access to the spool space and checkpoint data sets. Since the JES2 acid does not have any special privileges, JES2 must be explicitly granted access to these data sets. The following is an example of an access rule to give JES2 access to its spool and checkpoint data sets.

To prevent unauthorized access to JES2 checkpoint data sets in an MLS system, these data sets should also be assigned the security label SYSHIGH, since they may contain data labeled with any label up to SYSHIGH.

Other JES2 data sets, such as the data set containing JES2 initialization parameters, and the SYS1.HASPSRC and SYS1.AOSH3 libraries, which contain JES2 source and object modules, must be protected from modification by unauthorized users. Access rules should allow access only by system programmers, and these data sets should be labeled SYSLOW. (Since ordinary users use security labels that dominate SYSLOW, MAC dominance checks prevent them from writing to these data sets.) JES2 must be given explicit read access to the data set containing its initialization parameters.

Important! Do not use the JES2 Spool Offload Facility. Use of the JES2 spool offload facility should not be permitted in an MLS system. No OFFLOADx statements should be included in the JES2 initialization deck.

Defining Acid for JES2 Started Task

You must define an acid for the JES2 started task. This acid must have the STC attribute. No other attributes need be specified.

Assigning Security Label SYSMULTI to the JES2 Started Task ID

You should also assign a default security label of SYSMULTI to the JES2 started task. This will allow ACEEs with different security labels to be anchored in TCBs in the JES2 address space.

Controlling Job Input

A security administrator can create resource rules to control which users can submit or cancel specific jobs and which input devices users can submit jobs from.

Controlling Job Submission and Cancellation

A site can optionally control which users can submit or cancel specific jobs, such as those that offload spool data sets. To do this the security administrator must activate the JESJOBS resource class and write resource rules for the SUBMIT and CANCEL resources.

Examples

The following rule allows OPER1 to submit the NEWSJOB job that updates the JESNEWS data set:

$KEY(SUBMIT) TYPE(JES)
TSS PER(oper1) JESJOBS(submit.home.newsjob) ACCESS(read)

home

The name of the local JES2 node

newsjob

The name of the job that updates the JESNEWS data sets.

ACCESS(READ) is sufficient to submit a job.