The type of tape volume protection that CA Top Secret provides is specified through the TAPE control option and depends on the tape management system in use.
The TAPE control option settings are:
z/OS will not invoke CA Top Secret to validate a tape access request. This setting is appropriate when an external tape management package, such as TMS or TLMS, is in place.
CA Top Secret validates access requests for defined tape volumes only.
CA Top Secret validates tape data set access requests based on the full data set name specified in the DSN= parameter of the JCL. (z/OS limits the length of a data set name on a tape label to its last 17 characters.) With this option, tape security functions at the data set rather than the volume level.
Any tape management package that issues SAF calls supports CA Top Secret at the tape volume and/or tape data set level. When used with tape management packages, CA Top Secret can manage scratch tapes, synchronize tape inventories, and remove and assign tape ownership.
CA Top Secret interfaces with most vendor tape management packages. If your installation is using BrightStor CA‑DYNAM/TLMS, CA‑Tape, or BrightStor CA‑1, CA Top Secret can provide full tape data set security.
Because of the limitations on tape data set security in the absence of a tape management package, use CA Top Secret to protect tapes at the volume level.
To activate the CA Top Secret interface to the CA‑Tape system, specify CA‑Tape as one of the operands for the PRODUCT control option.
A central security administrator can authorize designated ACIDs to run jobs that use bypass label processing (BLP). Special initiators do not have to be set up to run BLP jobs. An ACID is not allowed to use BLP processing unless explicitly authorized.
Authorization to use BLP can be given for a specific volume, a generically defined group of volumes, or all tape volumes. Authority can be for update‑level access or restricted to read‑only access.
To assign BLP authority, enter the command:
TSS PERMIT(acid) VOLUME(volser) ACCESS(BLP,READ|UPDATE)
Volume permits with ACCESS(BLP,READ|UPDATE) are used only for tape volume access.
Example: securing bypass label processing
This example gives USER01 BLP processing authority to update any tape volume:
TSS PERMIT(USER01) VOLUME(*ALL*(G)) ACCESS(BLP,UPDATE)
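Because BLP authority can range from one volume read-only to every volume with update access, a periodic review of the permits that grant it is useful. The following is an added example, not CA code: a small Python audit helper that parses PERMIT commands in the form shown above and ranks the BLP grants from broadest to narrowest. The sample commands are constructed, and the prefix(G) form for a generic group of volumes is an assumption modelled on the *ALL*(G) entry above.

```python
import re

# PERMIT form as shown on this page; a trailing (G) marks a generic volume entry.
PERMIT_RE = re.compile(
    r"TSS\s+PERMIT\((?P<acid>[^)]+)\)\s+"
    r"VOLUME\((?P<vol>[^()\s]+)(?P<generic>\(G\))?\)\s+"
    r"ACCESS\((?P<access>[^)]+)\)",
    re.IGNORECASE,
)
SCOPE_WEIGHT = {"specific": 0, "generic": 1, "all": 2}

def parse_blp_permit(command):
    """Return a dict describing a BLP volume permit, or None if it is not one."""
    # Collapse line wraps so a command split over two lines still matches.
    m = PERMIT_RE.search(" ".join(command.split()))
    if not m:
        return None
    levels = [a.strip().upper() for a in m.group("access").split(",")]
    if "BLP" not in levels:
        return None  # ordinary volume permit, no bypass label processing
    vol = m.group("vol").upper()
    if vol == "*ALL*":
        scope = "all"
    elif m.group("generic"):
        scope = "generic"
    else:
        scope = "specific"
    mode = next((x for x in ("UPDATE", "READ") if x in levels), "UNSPECIFIED")
    return {"acid": m.group("acid").upper(), "volume": vol,
            "scope": scope, "mode": mode}

def review(commands):
    """Rank BLP grants: wider scope first, update access above read-only."""
    findings = []
    for cmd in commands:
        p = parse_blp_permit(cmd)
        if p:
            p["score"] = SCOPE_WEIGHT[p["scope"]] * 2 + (p["mode"] == "UPDATE")
            findings.append(p)
    return sorted(findings, key=lambda p: p["score"], reverse=True)

# Constructed sample input (ACIDs and volsers are hypothetical).
SAMPLE = [
    "TSS PERMIT(OPER03) VOLUME(T00123) ACCESS(BLP,READ)",
    "TSS PERMIT(USER01) VOLUME(*ALL*(G))\n    ACCESS(BLP,UPDATE)",
    "TSS PERMIT(USER04) VOLUME(T00456) ACCESS(READ)",
    "TSS PERMIT(OPER02) VOLUME(PAY(G)) ACCESS(BLP,READ)",
]

if __name__ == "__main__":
    for f in review(SAMPLE):
        print(f["score"], f["acid"], f["volume"], f["scope"], f["mode"])
```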
CA Top Secret responds to security calls by DFP regarding the requested access of the tapes. The operator must remove the write ring from a tape when these conditions occur together:
To implement this capability, set the TAPE control option to DSNAME or DEF, as appropriate to your environment.
Copyright © 2014 CA Technologies.
All rights reserved.