Every console command goes through console facility security checking. The console facility lets you define individual consoles to CA Top Secret and customize user access to commands issued from the console.
For example, you could allow one user to issue any z/OS command from the console while restricting another user to a particular command or subset of commands. To issue protected console commands, the operator must complete the signon process.
The console facility is delivered in WARN mode. Stay in WARN until you have verified that all users who need to issue console commands can do so without receiving error messages.
The console facility default control options stored in the Facility Matrix Table are:
TSS MODIFY(FACILITY(CONSOLE))
TSS9550I FACILITY DISPLAY FOR CONSOLE
TSS9551I INITPGM=*** id=CN TYPE=02
TSS9552I ATTRIBUTES=IN-USE,ACTIVE,NOSHRPRF,NOASUBM,MULTIUSER,NOXDEF
TSS9552I ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
TSS9552I ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
TSS9552I ATTRIBUTES=MSGLC,NOTRACE,EODINIT,DORMPW,NONPWR,
TSS9553I MODE=FAIL DOWN=BYPASS LOGGING=ACCESS,INIT,SMF,MSG,SEC9
TSS9554I UIDACID=8 LOCKTIME=000 DEFACID=*NONE* KEY=8
TSS9566I MAXUSER=03000 PRFT=003
The EODINIT attribute specifies that a RACINIT can be performed on the Console facility after a CA Top Secret ZEOD is issued. Without EODINIT, if the console has not been logged on prior to end-of-day shutdown, sign on fails and no commands are processed.
To define your consoles to CA Top Secret:
TSS CREATE(CONSDEPT) NAME('Console Dept')
TYPE(DEPARTMENT)
TSS CREATE(CONSPROF) NAME('Console Prof')
TYPE(PROFILE)
FACILITY(CONSOLE)
DEPARTMENT(CONSDEPT)
This consolidates all consoles and console permits and attributes in one place.
This example assigns the console's ACID name as the console number, the CONSDEPT department, the CONSPROF profile, a password that does not expire, and access limited to the Console facility:
TSS CREATE(01) NAME('Console 01')
TYPE(USER)
DEPARTMENT(CONSDEPT)
PROFILE(CONSPROF)
PASSWORD(SHSH,0)
FACILITY(CONSOLE)
[NORESCHK]
You can name each console in the CONSOLxx member in SYS1.PARMLIB. In that case you would use the given name as the ACID.
TSS ADDTO(CONSDEPT) OPERCMDS(MVS.,JES2.,JES3.)
TSS PERMIT(CONSPROF) OPERCMDS(MVS.,JES2.,JES3.)
ACCESS(ALL)
TSS PERMIT(ALL) OPERCMDS(MVS.,JES2.,JES3.)
ACCESS(ALL)
You can permit only certain console commands to certain users. For information, see the IBM System Commands Manual for ESA 3.1.3 and above.
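As an added example (not from the original documentation), the following restricts one operator ACID to the DISPLAY family of z/OS commands while the CONSPROF profile defined above keeps ACCESS(ALL); the ACID name OPER01, the MVS.DISPLAY. resource prefix and the READ access level are assumptions about the installation's OPERCMDS resource names, which follow IBM's OPERCMDS profile naming.

```text
TSS CREATE(OPER01) NAME('Operator 01')
    TYPE(USER)
    DEPARTMENT(CONSDEPT)
    FACILITY(CONSOLE)
    PASSWORD(SHSH,0)
TSS PERMIT(OPER01) OPERCMDS(MVS.DISPLAY.) ACCESS(READ)
TSS WHOHAS OPERCMDS(MVS.DISPLAY.)
TSS LIST(OPER01) DATA(ALL)
```

OPER01 is deliberately not attached to CONSPROF, so it holds only its own OPERCMDS permit; the WHOHAS and LIST commands confirm the effective permits before the facility is moved out of WARN mode.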
CA Top Secret supports the TSO/E Extended MCS Console Facility. The Multiple Console System (MCS) lets you define multiple consoles, enter console commands, and receive console messages from various terminals which are defined as remote consoles. Security administrators must have MISC8 authority to issue the MCS commands. CA Top Secret supports the MCS fields:
Assign an alternate group
Authorize command usage
Assign an AUTO keyword
Specify system to receive commands
Assign Delete Operator Messages (DOM) to a console
Assign a Key to a console
Specify level of messages for a console to receive
Log commands to the log file
Specify display format for messages
Assign a migration ID to a console
Specify how events are monitored
Specify routing codes
Define storage for message queuing
Assign delivery of undelivered action messages.
For more information, see the Command Functions Guide.
IBM documentation refers to the MCS fields as the OPERPARM segment. CA Top Secret also defines these fields as the OPERPARM segment.
This table lists the MCS fields supported by CA Top Secret and their equivalent names in IBM literature:
| IBM | TSS | Usage |
|---|---|---|
| ALTG | MCSALTG | Assigns an alternate group |
| AUTH | MCSAUTH | Authorizes command usage |
| AUTO | MCSAUTO | Assigns an auto keyword |
| CMDSYS | MCSCMDS | Specifies system to receive commands |
| DOM | MCSDOM | Assigns Delete Operator Messages (DOM) to a console |
| KEY | MCSKEY | Assigns a key to a console |
| LEVEL | MCSLEVEL | Specifies level of messages for a console to receive |
| LOGCMDRESP | MCSLOGC | Logs commands to the log file |
| MFORM | MCSFRM | Specifies display format for messages |
| MIGID | MCSMGID | Assigns a migration ID to a console |
| MONITOR | MCSMON | Specifies how events are monitored |
| ROUTCODE | MCSROUT | Specifies routing codes |
| STORAGE | MCSSTOR | Specifies storage for message queuing |
| OPERUD | MCSUD | Assigns delivery of undelivered action messages |

Copyright © 2014 CA Technologies. All rights reserved.