Command Propagation Facility
This section contains the following topics:
- About CPF
- CPF Features
- CPF Architecture
- O/S START TSS Commands
- O/S STOP Command
- CPF Related Control Options
- CPF Related MODIFY Commands
- Command Keywords Used With CPF
- CPF Recovery File
- CPF Journal Files
- CPF Statistics
- Recovery and Accountability
- Define a Node
- CPF Gateway Support
About CPF
CPF distributed security processing lets you administer security across multiple VTAM nodes, and between CA Top Secret and CA Common Services for z/OS platforms.
For example, with the appropriate authorization, a security administrator on one node can make modifications to the security file on another node. The CPF allows centralized control of the whole network or a smaller portion of that network.
The CPF provides the security environment with:
- Routing of security administration to all or selected nodes within the z/OS or z/VM security network—including CA Common Services.
- Optional synchronous or asynchronous remote command execution. (Synchronous execution waits for the command response to return from the remote node before continuing; asynchronous execution does not wait for a response before resuming processing.)
- TSS command execution with most CA Top Secret commands.
- Automatic update of passwords on all connected systems if changed by the user at logon.
- Propagation of user‑initiated suspensions for exceeding password and violation threshold limits.
- Optional Journal Files (SYSOUT, tape, or disk) to log commands transmitted to, and responses received from, remote nodes.
- Optional collection of asynchronous commands in a recovery file so that they can be retransmitted in case of network outage.
- Support for the CCI generic SYSPLEX node ID.
Synchronizing Information Across Nodes
CPF lets you automatically synchronize security administration on multiple nodes through the propagation of TSS commands, as well as user‑initiated changes—such as suspension and password changes.
Security administration propagation can be:
- Implicit—The CPF control options set system‑wide propagation rules
- Explicit—The CPF command keywords set propagation rules on a command‑by‑command basis
Controlling Access From Remote Nodes
When CPF transmits a command to a remote destination:
- It records the command image on the journal file for that node and associates an ID with that command.
- When a response is received from the remote node, CPF journals the response and the ID number so that the response can be matched to the command that prompted it.
- When the response is sent back, it is journaled with the ID and the remote destination name.
By examining the appropriate journal file, an auditor can see exactly what came in, what went out, and the results of the action taken.
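The journal correlation described above (an outbound command record carrying an ID, and an inbound response record carrying the same ID) is the basis of the audit trail. The following is an added example, not code or a record layout from CA Top Secret: it uses a constructed, pipe-delimited journal format of its own to show how an auditor or a recovery routine would pair each transmitted command with its response by node and ID, and flag commands that never received a response (candidates for retransmission after a network outage) and responses that match no recorded command.

```python
"""Pair outbound commands with inbound responses by (node, command ID).

Illustration only: the record layout below is constructed for this example
and is not the CA Top Secret CPF journal file format.
"""
from dataclasses import dataclass

# Constructed journal lines: direction | node | command ID | text.
# "OUT" = command transmitted to a remote node, "IN" = response received.
SAMPLE_JOURNAL = """\
OUT|NODEB|0001|TSS ADD(USER01) FAC(TSO)
IN |NODEB|0001|ADD FUNCTION SUCCESSFUL
OUT|NODEB|0002|TSS REPLACE(USER02) PASSWORD(********)
OUT|NODEC|0003|TSS REMOVE(USER03) FAC(CICS)
IN |NODEC|0003|REMOVE FUNCTION SUCCESSFUL
IN |NODEC|0009|ADD FUNCTION SUCCESSFUL
"""


@dataclass
class JournalEntry:
    direction: str  # "OUT" or "IN"
    node: str       # remote node name the command went to / came from
    cmd_id: str     # ID assigned when the command was journaled
    text: str       # command image or response text


def parse_journal(raw: str) -> list[JournalEntry]:
    """Parse the constructed pipe-delimited journal into entries."""
    entries = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        direction, node, cmd_id, text = line.split("|", 3)
        entries.append(JournalEntry(direction.strip(), node.strip(),
                                    cmd_id.strip(), text.strip()))
    return entries


def correlate(entries: list[JournalEntry]):
    """Match commands to responses.

    Returns (matched, unanswered, orphan_responses):
      matched          - dict keyed by (node, cmd_id) -> (command, response)
      unanswered       - commands with no response (retransmission candidates)
      orphan_responses - responses whose ID matches no journaled command
    """
    commands = {}
    responses = {}
    for e in entries:
        key = (e.node, e.cmd_id)
        if e.direction == "OUT":
            commands[key] = e
        elif e.direction == "IN":
            responses[key] = e
    matched = {k: (commands[k], responses[k]) for k in commands if k in responses}
    unanswered = [commands[k] for k in commands if k not in responses]
    orphans = [responses[k] for k in responses if k not in commands]
    return matched, unanswered, orphans


def audit_report(raw: str) -> dict:
    """Summarise the journal for an auditor: counts plus the IDs needing attention."""
    matched, unanswered, orphans = correlate(parse_journal(raw))
    return {
        "matched": len(matched),
        "unanswered_ids": [f"{e.node}:{e.cmd_id}" for e in unanswered],
        "orphan_ids": [f"{e.node}:{e.cmd_id}" for e in orphans],
    }


if __name__ == "__main__":
    for k, v in audit_report(SAMPLE_JOURNAL).items():
        print(f"{k}: {v}")
```

In the constructed sample, command 0002 to NODEB has no response and would be the one a recovery file retains for retransmission, while response 0009 from NODEC matches nothing that was sent and is the kind of discrepancy an auditor would want to investigate.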
With support for the CCI SYSPLEX generic resource name, multiple TSS systems within a SYSPLEX that share the same security file can be defined to remote TSS systems outside the SYSPLEX as a single CPF node.
Non‑SYSPLEX systems define only one node, using the CCI generic SYSPLEX name, and commands are transmitted into the SYSPLEX with the generic name as the target node. CCI then forwards the commands to the first available TSS system within the SYSPLEX. If a TSS system within the SYSPLEX becomes unavailable, CCI automatically routes incoming CPF traffic to another available TSS system within the SYSPLEX.
SYSPLEX XES and XCF Security
The coupling facility is a feature of MVS/ESA that allows systems in a sysplex environment to communicate and share data with each other. Security in a sysplex environment is based on:
- The communication function or Cross System Coupling Facility (XCF) that provides a way for each system in the sysplex to send messages or signals to all other systems.
- The data sharing function or Cross System Extended Services (XES) that provides the ability for systems in the sysplex to share common data that would normally be obtained from a database. This function saves system resources by reducing I/O to the database.
CA Top Secret supports the use of both of these functions for all CA Top Secret protected systems running in a sysplex environment. This support allows multiple systems to share one security file.
CPF Features
The CPF lets sites administer multiple Security Files across VTAM‑networked systems by propagating TSS commands and user‑initiated changes to all or selected nodes within that network.
The CPF provides the security environment with:
- Routing of security administration to all or selected nodes within the z/OS security network
- Optional synchronous or asynchronous remote command execution
- TSS command execution with most CA Top Secret commands—except MODIFY, LOCK, UNLOCK, HELP, and WHOAMI
- Automatic update of passwords on all connected systems if changed by the user during logon
- Propagation of user‑initiated suspensions for exceeding password and violation limits
- Optional Journal Files (SYSOUT, tape, or disk) to log commands transmitted to, and responses received from, remote nodes
- Collecting asynchronous commands in an optional Recovery File so that they can be retransmitted in case of network outage
- Support for the CCI generic SYSPLEX node ID
To perform distributed security processing, CA Top Secret relies on the CA Common Services for z/OS components CAIENF and CAICCI.
Copyright © 2014 CA Technologies.
All rights reserved.