Backup and Restore › Recovery › How to Recover from a Security File Failure › Recover Data for a Non-Shared Security File (SHRFILE=NO)

Recover Data for a Non-Shared Security File (SHRFILE=NO)

Security file recovery occurs in two phases:

• TSSRECVR generates TSS commands from the recovery file.
• The batch Terminal Monitor Program executes the TSS commands and applies them to the backup security file.

Important! If the security file is compromised and the CA Top Secret address space stays up, ensure that your backup started task JCL is current prior to shutting down the address space.

Summary of steps:

1. Back up the damaged security file and VSAM file.
2. Run VSAMDEF7.
3. Edit and start TSSB.
4. Execute the recovery procedure.

Important! This procedure assumes you have implemented automatic backup (control option BACKUP) with command recovery (control option RECOVER(ON)). Additionally, this procedure is for environments that use a non-shared security file (SHRFILE=NO); a separate procedure exists to recover data for a shared security file.

The goal of this recovery scenario is to forward recover security files, ending up with the same data set names, which enables you to recover without changing the live TSS started task.

Follow these steps:

1. Back up the damaged security file and VSAM file (using DFSMS, FDR, or similar software).

   The backup information might be needed by CA Support to determine what occurred that led to security file problems.

2. Run CAIJCL member VSAMDEF7 (using the VSAM backup file as input) to create a new VSAM file.

   When running VSAMDEF7, steps 4 and 5 are skipped because we do not use AIX or PATH in a non-shared environment.

3. Edit the TSSB backup started task procedure, then restart the product with TSSB:
   1. Edit TSSB so that it has the following characteristics:
      • The SECFILE DD statement points to the backup security file of the security file that failed.

        Important! If you are using your only copy of the backup security file and suspect that a command function update damaged the security file, make a copy of the backup security file by running the TSSBCKUP or SMSBCKUP procedure JCL.

      • The VSAMFILE DD statement points to the VSAM file created by VSAMDEF7.
      • Automatic backup is turned OFF (no BACKUP or VSAMBKUP DD statements).

   Example of TSSB Started Task Procedure

   //TSSB  PROC PARMS='SYS1.PARMLIB',
   //           HL='CAI.TSSC0',
   //           PRINT='*'
   //*
   //*
   //* CA Top Secret SECURITY (TSS) STARTED TASK FOR USE
   //* DURING RECOVERY PROCEDURE ONLY
   //*
   //*
   //TSSB       EXEC   PGM=TSSMNGR4,DPRTY=(15,14),
   //                  TIME=1440,REGION=500K
   //SECFILE    DD     DISP=SHR,DSN=&HL..BACKUP
   //VSAMFILE   DD     DISP=SHR,DSN=&HL..VSAMCOPY - VSAMDEF7
   //RECFILE    DD     DISP=SHR,DSN=&HL..RECFILE
   //AUDIT      DD     DISP=SHR,DSN=&HL..AUDIT
   //PARMFILE   DD     DISP=SHR,FREE=CLOSE,DSN=&PARMS(TSSPARM0)
   

   1. Stop CA Top Secret:

      P TSS
      

   2. Start the product with TSSB:

      S TSSB
      

   Running TSSB ensures that your security environment is no more than 24 hours out of date. This should let most operations continue normally without an outage while you continue the recovery process.

4. Execute the recovery procedure:
   1. Turn off recovery (to avoid duplication of TSS command functions on the recovery file resulting from the recovery process):

      F TSS,RECOVER(OFF)
      

   2. Retrieve recovery file changes:

      START TSSRCVR1,DTE=DATE(yyddd)[,TME=TIME(hhmm)]
      

      hhmm

      Specifies the hour and minute for selecting recovery records. This value should be the time of the last security file backup.

      yyddd

      Specifies the earliest date for selecting recovery records.

      TSSRCVR1 retrieves the changes.

      A TSS command can contain the keyword TARGET. When placed in the recovery file on the system where it was entered, the TARGET keyword is commented out and replaced with TARGET(=). This change prevents duplicate permits on remote nodes when recovery is done on one system.

      Example: Replacing the TARGET Keyword

      In this example, you specify the following command:

      TSS TARGET(=,NODE2) PERMIT(USER1) DSNAME(ABC.) ACCESS(READ)
      

      In the TSSRCVR1 output, the command appears as follows:

      TSS TARGET(=) PERMIT(USER1) DSN(ABC.) ACCESS(READ)
      

   3. Add the TSSRCVR2 procedure to the product started task table:

      TSS ADDTO(STC) PROCNAME(TSSRCVR2) ACID(msca) STCACT
      

      To ensure that commands do not fail due to insufficient authority, TSSRCVR2 runs under Master Security Control ACID (MSCA) authority. The optional STCACT keyword prompts the operator console for a user ID and password when the procedure is started. The ID is written to the audit file.

   4. Start TSSRCVR2:

      S TSSRCVR2
      

   The changes that TSSRCVR1 collected are applied to the backup security file. You have recovered data.