

Recovery and Accountability

The TSSRECVR utility provides security file recovery processing.

When you run TSSRECVR, the TARGET is always local, regardless of the original TARGET destination.

TSS Command Execution

Anyone with MISC2(TARGET) authority can enter a TSS command with a targeted destination. The command is executed at the remote machine under the authority the issuing ACID has on the remote node.

For example, ACID(HARRY) is defined as an SCA on his local machine, but on REMOTEB ACID(HARRY) is only a USER. Any command HARRY sends to REMOTEB is executed with his authority on REMOTEB—as a user.

If the security administrator issuing the command does not exist on the remote node, you will receive the message:

TSS0324E ADMINISTRATOR'S ACID DOES NOT EXIST ON TARGET NODE

Security Files Among Networked Machines

Each command routed by CPF is executed at the remote machine as though it originated there.

Commands that work at one remote may fail at another. Commands executed at a remote node may not have their intended effect.

For example, if the MSCA gave ownership of DSNAME(SYS1) to ACID(HARRY) at his local node (where he is designated as an SCA), that command, if routed to REMOTEB through CPF, can give the same ownership to USER(HARRY).
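
The following is an added example, not part of the original documentation or of CA Top Secret. It is a pre-routing audit for the two situations described above: an issuing ACID that is missing or has a different type on the target node, and an ACID name that is defined with different types on different nodes. The inventory layout, node names, and ACIDs other than HARRY are constructed for illustration, and the check compares ACID type only, not the full administrative scope.

```python
# Constructed inventory: node -> {ACID name: ACID type}. The layout is an
# assumption; in practice it would be assembled from each node's own listings.
INVENTORY = {
    "LOCAL":   {"HARRY": "SCA", "MSCA01": "MSCA", "SECADM2": "SCA"},
    "REMOTEB": {"HARRY": "USER", "MSCA01": "MSCA"},
}


def issuer_outcome(inventory, issuer, home, target):
    """Predict how a command routed from `home` to `target` is treated.

    The command runs under the authority the issuing ACID has on the target,
    so only the target's definition of the issuer matters there.
    """
    home_type = inventory[home][issuer]
    remote_type = inventory.get(target, {}).get(issuer)
    if remote_type is None:
        # Issuer is not defined on the target node: the page's TSS0324E case.
        return ("REJECTED", "TSS0324E")
    if remote_type != home_type:
        # Same name, different ACID type: the command may fail or act differently.
        return ("AUTHORITY_DIFFERS", f"{home_type}->{remote_type}")
    return ("SAME", remote_type)


def type_mismatches(inventory):
    """Return ACID names that are defined with different types across nodes.

    A routed command that names such an ACID (for example as a new owner)
    applies to whatever that name means on the receiving node.
    """
    seen = {}
    for node, acids in inventory.items():
        for name, acid_type in acids.items():
            seen.setdefault(name, {})[node] = acid_type
    return {name: types for name, types in seen.items()
            if len(set(types.values())) > 1}


if __name__ == "__main__":
    for acid in INVENTORY["LOCAL"]:
        print(acid, issuer_outcome(INVENTORY, acid, "LOCAL", "REMOTEB"))
    print("Review before routing commands that name:", type_mismatches(INVENTORY))
```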

System Entry Validation and Password Propagation

When a user is required to update his password as part of system entry validation, CA Top Secret notifies all other CPF-connected nodes of the change. If a matching ACID is found on a remote node, CA Top Secret first compares the password of the "remote" ACID with the old password of the "local" ACID to verify that they are not two different ACIDs with the same ACID name. If the passwords match, the password on the remote node is updated.

For example, USER01 signs on to TSO on Node A. His current password of "remember" has expired and he changes it to "always". Through CPF, that change is sent to Node B, a remote node. When CPF finds a USER01 in the Security File of Node B, it asks "Is the current password ‘remember’?".

When CPF detects that the passwords do not match, the following message is sent to the CPF spool data set on the remote node:

TSS0422E PASSWORD VERIFICATION FAILED ON REMOTE NODE

Installation Exit

The installation exit routine can be called for CPF transmission on both the sending and receiving side, and may block the command at either point. The exit can also make some changes to the command text.

TSSCPR Utility

The TSSCPR utility is run against the CPF recovery file to produce a flat file record. This file can then be filtered through the TSSREPORT3 EARL report option or through another report writer to depict the contents of the CPF recovery file.

For more information, see the Report and Tracking Guide.