

Console Protection

Every console command goes through console facility security checking. The console facility lets you define individual consoles to CA Top Secret and customize user access to commands issued from the console.

For example, you could allow one user to issue any z/OS command from the console while restricting another user to a particular command or subset of commands. To issue protected console commands the operator must complete the signon process.

The console facility is delivered in WARN mode. Stay in WARN until you have verified that every user who needs to issue console commands can do so without receiving violation messages; confirm the current setting from the MODE= value in the TSS MODIFY(FACILITY(CONSOLE)) display before switching the facility to FAIL.

Default Attributes for the Console Facility

The console facility default control options stored in the Facility Matrix Table are:

TSS MODIFY(FACILITY(CONSOLE))
TSS9550I FACILITY DISPLAY FOR CONSOLE
TSS9551I INITPGM=***     id=CN  TYPE=02
TSS9552I ATTRIBUTES=IN-USE,ACTIVE,NOSHRPRF,NOASUBM,MULTIUSER,NOXDEF
TSS9552I ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,NORNDPW,AUTHINIT
TSS9552I ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD
TSS9552I ATTRIBUTES=MSGLC,NOTRACE,EODINIT,DORMPW,NONPWR,
TSS9553I MODE=FAIL  DOWN=BYPASS  LOGGING=ACCESS,INIT,SMF,MSG,SEC9
TSS9554I UIDACID=8  LOCKTIME=000  DEFACID=*NONE*  KEY=8
TSS9566I MAXUSER=03000  PRFT=003

The EODINIT attribute specifies that a RACINIT (sign-on) can be performed for the Console facility after a CA Top Secret ZEOD (end-of-day) has been issued. Without EODINIT, a console that was not signed on before the end-of-day shutdown cannot sign on afterwards, and none of its commands are processed.

Define Consoles to CA Top Secret

To define your consoles to CA Top Secret

  1. Specify DEFAULT LOGON(AUTO) in the CONSOLxx member of SYS1.PARMLIB.
  2. Create a specific Department and Profile for the consoles. Assign the FACILITY(CONSOLE) attribute to the profile. For example:
    TSS CREATE(CONSDEPT) NAME('Console Dept')
                         TYPE(DEPARTMENT)
    
    TSS CREATE(CONSPROF) NAME('Console Prof')
                         TYPE(PROFILE) 
                         FACILITY(CONSOLE)
                         DEPARTMENT(CONSDEPT)
    

    This consolidates all consoles and console permits and attributes in one place.

  3. Create an ACID for each console. Each ACID should have a type of USER and be assigned to the Console facility.
  4. Assign the ACIDs to the Console department and profile created in Step 2.
  5. To ease administration, specify a non-expiring password for the console ACIDs. Consider adding the NORESCHK bypass attribute if the ACID uses JES resources; NORESCHK bypasses resource checking for that ACID, so grant it only where it is actually needed.

    This example assigns the console's ACID name as the console number, the CONSDEPT department, the CONSPROF profile, a password that does not expire, and access limited to the Console facility:

    TSS CREATE(01) NAME('Console 01') 
                   TYPE(USER)
                   DEPARTMENT(CONSDEPT)
                   PROFILE(CONSPROF) 
                   PASSWORD(SHSH,0) 
                   FACILITY(CONSOLE) 
                   [NORESCHK]
    

    You can name each console in the CONSOLxx member in SYS1.PARMLIB. In that case you would use the given name as the ACID.

  6. Give the Console department and profile access to the appropriate resources: add the MVS., JES2., and JES3. OPERCMDS prefixes to the Console department (which makes it their owner) and permit them to the Console profile, using the OPERCMDS resource class keyword. For example:
    TSS ADDTO(CONSDEPT) OPERCMDS(MVS.,JES2.,JES3.)
    
    TSS PERMIT(CONSPROF) OPERCMDS(MVS.,JES2.,JES3.) 
                         ACCESS(ALL)
    
  7. Add the same MVS., JES2., and JES3. prefixes to the ALL record using the OPERCMDS keyword. The ALL record applies to every ACID, so this permit lets any signed-on user issue the commands it covers (CA Top Secret checks the user's own permits first, then its profiles, then the ALL record). Once the facility leaves WARN, narrow this permit to what your site needs. For example:
    TSS PERMIT(ALL) OPERCMDS(MVS.,JES2.,JES3.) 
                    ACCESS(ALL)
    

You can permit only certain console commands to certain users by permitting the OPERCMDS resource name of the individual command (for example, MVS.DISPLAY.) at the access level that command requires. For the resource names and access levels of each command, see the IBM System Commands manual for MVS/ESA 3.1.3 and above.
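The following batch job is an added example and is not part of the CA Top Secret documentation. It runs the definitions of steps 2 through 6 above through the TSO batch TMP (IKJEFT01) and then adds a second console ACID and one human operator, OPER2, who may sign on to the console facility but issue only MVS DISPLAY commands. The job card, the ACID names 02 and OPER2, and the passwords are assumptions; the resource name MVS.DISPLAY. and the READ access level follow IBM's OPERCMDS naming, so check them against the IBM System Commands manual. Step 7 (the ALL-record permit) is deliberately left out, because a PERMIT(ALL) with ACCESS(ALL) would let OPER2 fall through to it and defeat the restriction.

```jcl
//TSSCONS  JOB (ACCT),'DEFINE CONSOLES',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the CA Top Secret documentation.
//* Job card, ACIDs 02 and OPER2, and passwords are assumptions.
//* OPER2 is NOT attached to CONSPROF, because CONSPROF carries
//* ACCESS(ALL) to MVS.; it gets its own narrow permit instead.
//* The step 7 PERMIT(ALL) is omitted on purpose: CA Top Secret
//* searches the ACID, then its profiles, then the ALL record, so an
//* ALL-record ACCESS(ALL) would hand OPER2 every command anyway.
//* A trailing '-' continues a TSO command on the next line.
//*
//TSSCMD   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 TSS CREATE(CONSDEPT) NAME('Console Dept') TYPE(DEPARTMENT)
 TSS CREATE(CONSPROF) NAME('Console Prof') TYPE(PROFILE) -
     FACILITY(CONSOLE) DEPARTMENT(CONSDEPT)
 TSS CREATE(01) NAME('Console 01') TYPE(USER) -
     DEPARTMENT(CONSDEPT) PROFILE(CONSPROF) -
     PASSWORD(SHSH,0) FACILITY(CONSOLE)
 TSS CREATE(02) NAME('Console 02') TYPE(USER) -
     DEPARTMENT(CONSDEPT) PROFILE(CONSPROF) -
     PASSWORD(SHSH,0) FACILITY(CONSOLE)
 TSS ADDTO(CONSDEPT) OPERCMDS(MVS.,JES2.,JES3.)
 TSS PERMIT(CONSPROF) OPERCMDS(MVS.,JES2.,JES3.) ACCESS(ALL)
 TSS CREATE(OPER2) NAME('Display-only operator') TYPE(USER) -
     DEPARTMENT(CONSDEPT) PASSWORD(TEMP1234,30) FACILITY(CONSOLE)
 TSS PERMIT(OPER2) OPERCMDS(MVS.DISPLAY.) ACCESS(READ)
 TSS LIST(OPER2) DATA(ALL)
 TSS WHOHAS OPERCMDS(MVS.)
/*
```

The closing TSS LIST and TSS WHOHAS commands are the check: LIST shows the permits OPER2 actually holds, and WHOHAS lists every ACID, profile, and the ALL record that can reach the MVS. prefix, which is where an over-broad permit from step 7 would show up.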

MCS Console Facility Support

CA Top Secret supports the TSO/E Extended MCS Console Facility. Multiple Console Support (MCS) lets you define multiple consoles, enter console commands, and receive console messages from terminals that are defined as extended (remote) consoles. Security administrators must have MISC8 authority to issue the MCS commands. CA Top Secret supports these MCS fields:

MCSALTG   Assign an alternate group
MCSAUTH   Authorize command usage
MCSAUTO   Assign an AUTO keyword
MCSCMDS   Specify the system to receive commands
MCSDOM    Assign Delete Operator Messages (DOM) to a console
MCSKEY    Assign a key to a console
MCSLEVL   Specify the level of messages a console receives
MCSLOGC   Log commands to the log file
MCSMFRM   Specify the display format for messages
MCSMGID   Assign a migration ID to a console
MCSMON    Specify how events are monitored
MCSROUT   Specify routing codes
MCSSTOR   Define storage for message queuing
MCSUD     Assign delivery of undelivered action messages

For more information, see the Command Functions Guide.
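The following batch job is an added example and is not part of the CA Top Secret documentation. It sets MCS (OPERPARM) fields on two console ACIDs defined as in the previous section: console 01 becomes a monitoring console with informational command authority and a small set of routing codes, console 02 an operations console with system, I/O, and console authority. The ACID names and the chosen values are assumptions; the values themselves (INFO, SYS, IO, CONS, ALL, the LEVEL names, and routing codes) are IBM's OPERPARM values, so check them against the Command Functions Guide before use.

```jcl
//TSSMCS   JOB (ACCT),'MCS OPERPARM',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the CA Top Secret documentation.
//* ACIDs 01 and 02 and all field values are assumptions.
//* MCSAUTH(INFO) allows informational commands only; MASTER would
//* grant master-console authority and should be treated as a
//* privileged attribute, so it is not used here.
//*
//TSSCMD   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 TSS ADDTO(01) MCSAUTH(INFO) MCSROUT(1,2,9,10) -
     MCSLEVL(R,I,CE,E) MCSLOGC(YES) MCSCMDS(*) -
     MCSDOM(NORMAL) MCSSTOR(1024)
 TSS ADDTO(02) MCSAUTH(SYS,IO,CONS) MCSROUT(ALL) -
     MCSLEVL(ALL) MCSLOGC(YES) MCSCMDS(*) -
     MCSDOM(NORMAL) MCSUD(YES)
 TSS LIST(01) DATA(ALL)
 TSS LIST(02) DATA(ALL)
/*
```

Routing codes 9 (system security) and 10 (system error) are included for the monitoring console so that security and error messages reach it even though it cannot act on them; the TSS LIST commands at the end confirm the fields were stored as intended.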

MCS Fields

IBM documentation refers to the MCS fields as the OPERPARM segment. CA Top Secret also defines these fields as the OPERPARM segment.

This table lists the MCS fields supported by CA Top Secret and their equivalent names in IBM literature:

IBM          TSS        Usage
ALTG         MCSALTG    Assigns an alternate group
AUTH         MCSAUTH    Authorizes command usage
AUTO         MCSAUTO    Assigns an auto keyword
CMDSYS       MCSCMDS    Specifies the system to receive commands
DOM          MCSDOM     Assigns Delete Operator Messages (DOM) to a console
KEY          MCSKEY     Assigns a key to a console
LEVEL        MCSLEVL    Specifies the level of messages a console receives
LOGCMDRESP   MCSLOGC    Logs commands to the log file
MFORM        MCSMFRM    Specifies the display format for messages
MIGID        MCSMGID    Assigns a migration ID to a console
MONITOR      MCSMON     Specifies how events are monitored
ROUTCODE     MCSROUT    Specifies routing codes
STORAGE      MCSSTOR    Specifies storage for message queuing
OPERUD       MCSUD      Assigns delivery of undelivered action messages