Universal Suboptions

The following suboptions are available for facilities of all types:

ABEND

Resets the NOABEND suboption.

NOABEND

A multiuser address space facility (CICS, IMS, CA‑Roscoe) will not abend if one user in the region causes a violation. This does not imply that the ACID used to define the Facility itself is immune from security abends during startup.

If NOABEND is set, CA Top Secret will not cancel the user's activity even if the violations exceed the violation's threshold (VTHRESH). CA Top Secret locks the user's terminal.

ACTIVE

Reactivates a facility that was deactivated via the FACILITY(facility=INACT) command.

CA Top Secret Status/Diagnostic Log listings display “IN-USE” to indicate that a facility is active.

For example, to allow signons to the IMSPROD facility, enter:

FACILITY(IMSPROD=ACTIVE)

ASUBM

Indicates that CA Top Secret‑authorized job submission is being used for the given facility.

NOASUBM

Resets the ASUBM suboption.

AUDIT

Audits all activity for users who subsequently logon to the specified facility.

For example, to audit all user activity of a newly activated facility, enter:

FACILITY(IMSPROD=AUDIT)

NOAUDIT

Deactivates auditing of users who subsequently logon to the facility.

AUTHINIT

Requires an application to execute APF authorized in order to execute a RACINIT or RACROUTE REQUEST=VERIFY. See the User Guide for more information.

NOAUTHINIT

(Not recommended) Allows an application which is not APF authorized to execute a RACINIT or RACROUTE REQUEST=VERIFY. NOAUTHINIT still requires that the program issuing the request come from an APF authorized library, whether or not it is running with APF authorization. Another requirement for NOAUTHINIT is that the request cannot include the PASSCHK=NO parameter.

DEFACID(acid)

Assigns a default ACID used for access to the specified facility by users who do not have defined ACIDs but require access to the facility. The TSS CREATE function must be used to define this default ACID. For example, a production CICS default ACID can be defined so that users who do not require specific security requirements are governed by the blanket requirements that are defined by the default ACID.

The DEFACID under CICS is used to satisfy an ATS signon only. In CICS 3.2.1 or above, a DEFACID is not recommended; using the CICS DFLTUSR is preferred. For example:

FACILITY(TSO=DEFACID(TSODEF))

Note: DEFACID is not needed for CICS 3.2 and above.

DEFACID(RDR*TERM)

Indicates that CA Top Secret derives the default ACID from the terminal or batch reader name, if the userid entered at signon is not defined as an ACID, or if the batch ACID is not supplied.

A default ACID for BATCH can be defined to handle RJE (Remote Job Entry) or NJE (Network Job Entry) job submission. If so defined, all jobs that are submitted derive a default ACID associated with the NJE or RJE node. This eliminates required JCL changes or possible viewing of passwords over the NJE or RJE lines.

A BATCH default ACID can also be defined for jobs submitted through a card reader. This will eliminate required JCL changes that include coding of passwords on the job card.

To establish a default ACID for RJE remotes 1, 2, and 3, the security administrator would specify the following in the Parameter File:

FACILITY(BATCH=DEFACID(RDR*TERM))

The security administrator would then create and define ACIDS for remote readers 1, 2, and 3. CA Top Secret will use these ACIDS to derive the default ACIDS.

TSS CREATE(RM1) DEPARTMENT(XXX)
                FACILITY(BATCH)
                SOURCE(RM1)
                NAME('DEFAULT‑FOR‑SHOP‑1')

The security administrator would continue to create ACIDS for readers 2 and 3. When a default ACID is assigned, the user receives message TSS7053I.

DEFACID(*NONE*)

Removes the default ACID for the facility specified. For example:

FACILITY(BATCH=DEFACID(*NONE*))

Note: DEFACID should never be used with facility TSO.

DORMPW

Honors password validation in DORMANT mode when specified for a facility. A DORMANT mode user must give the correct password to log on. For details, see the WARNPW sub‑option.

Note: Message TSS7102E will only be issued for control type ACIDs.

NODORMPW

Does not honor CA Top Secret password validation in DORMANT mode.

DOWN=suboption

Controls how jobs are initiated and passwords changed for a facility when CA Top Secret's address space is inactive. There are six suboptions associated with the DOWN option:

EODINIT

Indicates that a RACINIT can be performed for the facility after a TSS ZEOD has been issued. Required for JES and Console facilities.

NOEODINIT

Indicates that a RACINIT cannot be performed for the facility after a TSS ZEOD has been issued.

ID=

One or two alphanumeric characters that represent the facility for reporting purposes. This value is predefined in the Facilities Matrix Table and should not be changed unless defining or renaming a facility.

IJU

CA Top Secret inserts USER= and PASSWORD= into the JCL.

NOIJU

CA Top Secret will not insert USER= or PASSWORD= into the JCL. Under the FTP facility, specify NOIJU to ensure that the FTP userid ACID is propagated.

INACT

Deactivates ability to sign on to the facility specified. Active users will continue normally. For example, FACILITY(IMS=INACT) prevents users from signing on to IMS.

INSTDATA

Allows installation data to be stored within a region of the specified facility. See the User Guide for a description of INSTDATA.

For example:

FACILITY(TSO=INSTDATA)

NOINSTDATA

Prohibits storing of installation data in a facility region. Usually done to conserve space in large user regions.

IN‑USE

Indicates that the facility definition has been updated. It is used to determine if the facility should be displayed as a result of a TSS MODIFY, FACILITY(ALL) or a TSS MODIFY, STATUS command. FACILITIES are marked as IN‑USE as soon as a user signs on to them. Although it cannot be set directly, it is set by changing any option of the facility, through the PARMFILE or via a TSS MODIFY command. IN‑USE is turned on even if the option is set to its default value.

KEY=n

Can be set to equal the TCB protect key that the facility uses for storage.

Default: 8

LCFCMD

Specifies that all LCF (Limited Command Facility) associated messages will refer to “Commands” in their text.

LCFTRANS

Specifies that all LCF‑associated messages will refer to “Transactions” in their text.

LOCKTIME=n

Assigns the amount of time after which a terminal connected to a specific facility will lock if CA Top Secret does not detect activity. Facility-specific locktimes are overridden by a user's or profile's locktime.

The following example indicates that terminals logged on to CICSPROD will lock if CA Top Secret detects no activity for five minutes.

FACILITY(CICSPROD=LOCKTIME=5)

LOG(log,log...)

LOG indicates what types of security events CA Top Secret will record, and where it will record them.

The LOG option allows this to be done for all facilities (global) while the LOG suboption allows LOG options to be specified for each facility. Facility‑specific LOG options entered after any global LOG option will override the global option.

The security administrator might use the LOG suboption in one of three ways:

FACILITY(fac=LOG(ACTIVITY,ACCESS,SMF,INIT,MSG))
FACILITY(fac=LOG(NONE))
FACILITY(fac=LOG(ALL))

For example, to indicate that all events should be logged for CICS, enter:

FACILITY(CICSPROD=LOG(ALL))

LTLOGOFF=NO|YES

YES

CA Top Secret logs the user's terminal off when his locktime has expired for a second interval. Locktime transactions must be correctly installed. See the Implementation: CICS Guide for details.

NO

(Default) CA Top Secret will not log the user off.

LUMSG

Requests that the system display the “last‑used” message when a user signs on to the specified facility. This operand only applies to USER type ACIDs running in other than DORMANT mode. USER type ACIDs will not display the “last‑used” message in DORMANT mode in any case. Administrator type ACIDs will always display the “last‑used” message.

For example:

FACILITY(CICSPROD=LUMSG)

NOLUMSG

Terminates the last‑used message display. This operand does not apply to administrator type ACIDs that will always display the “last‑used” message.

LUUPD

Activates the update of last used statistics for most successful signons. Automatic Terminal Signon (ATS) and preset terminal security normally do not update last used statistics. Last used statistics can be activated for these signons using OPTIONS(30) at TSS startup. This setting is the default for all facilities and should typically remain so.

NOLUUPD

Prevents updating of the last-used statistics for all successful signon events within this facility, regardless of the setting of the RACROUTE macro specification of the STAT=ASIS/NO parameter. Use NOLUUPD to reduce the amount of I/O to the security file when experiencing severe I/O performance problems.

This sub-option does not prevent the display of the last used messages. Use the NOLUMSG option for this.

With this sub-option set, the last used statistics are only updated when a user incurs a password violation in this facility. This event updates the password violation count and the last used statistics.

MAXSIGN=(nnn,RETRY|KILL)

nnn

Specifies the maximum number of queued signon/signoff requests that are processed.

Default: 10

Range: 5 to 100.

For example, to manually set the threshold at 15, enter:

	TSS MODIFY FACILITY(CICSPROD=MAXSIGN=(15))

Note: The parentheses around the value are required.

RETRY

Signon/signoff requests that exceed the threshold are requeued. For example, in the sample command shown next, additional attempts to sign on are requeued to CICS.

	TSS MODIFY FACILITY(CICSPROD=MAXSIGN=(100,RETRY))

KILL

Abends the signon/signoff transaction. When KILL is set and the number of users attempting to sign on equals the threshold, additional attempts to sign on are failed. For example, you can restrict the number of concurrent signons to a CICS facility called CICSPAY to a threshold of 15 by using the TSS MODIFY command like this:

	TSS MODIFY FACILITY(CICSPAY=MAXSIGN=(15,KILL))

When coding MAXSIGN and MAXUSER in the CA Top Secret PARM field, the MAXUSER option must be coded before MAXSIGN. If MAXUSER is not coded first, an invalid data error will occur during CA Top Secret initialization.

MAXUSER=nnnn

Specifies the size of the ACID cross‑reference table in any multi‑user address space system. In order to increase the size of the cross‑reference table, you must recycle the address space. In CICS, the MAXUSER value specified is also used to calculate necessary USCB allocation at startup.

Default: 3000

Minimum: 256

MODE=mode

Specifies a specific security mode for the facility:

Modes specified by facility must be entered after global or system‑wide mode selections in the PARMFILE. Thus, if the global mode is FAIL, but WARN is specified for the IMS facility, then all users initiating from IMS will operate in the WARN mode.

If the global mode is changed via an O/S Modify command:

F TSS,MODE(D|W|I|F)

MSGLC

Indicates that user violation messages are issued in mixed case.

NOMSGLC

Indicates that user violation messages are issued in upper case only.

MULTIUSER

Used to indicate a multiuser address space.

A multiuser address space supports multiple users. Security is generally not handled by z/OS. The following facilities are examples of multiuser address space facilities: CICS, IMS, CA‑Roscoe, and CA‑IDMS.

An example of a multiuser address space appears next.

FACILITY(IMS1=MULTIUSER)

NAME=fffff

Changes the base name of a facility in the Facility matrix table. Once changed, the new facility name must always be used. To change a facility name from CICSPROD to CICSPAY, enter:

FAC(CICSPROD=NAME=CICSPAY)

NPWR

Specifies whether a TSO or CICS facility supports password reverification. By default, a new password may be verified in two attempts before the complete logon sequence must be restarted. To set the threshold value for TSO and CICS, see NPWRTHRESH for details. When a user logs on to a facility that has activated the NPWR sub-option of the FACILITY control option, and enters a new password, the following message is issued:

TSS7016A ENTER NEW PASSWORD AGAIN FOR REVERIFICATION

The user then enters the new password a second time for reverification. This ensures that the user correctly enters and remembers the new password. If the user enters an incorrect reverified password, he is prompted again. After the second attempt, if the reverified new password is still incorrect, the following message is issued and an accompanying DRC(015) is returned.

TSS7111E NEW PASSWORD CHANGE INVALID - REVERIFICATION FAILED

NONPWR

Does not force password reverification.

PGM=xxx or xxxxxxxx

Supplies all eight or just the first three characters of the program name issuing RACINIT SVCs. Online systems use RACINIT to support signon validation for individual users. This is the key to determining the (generic) facility. See the User Guide for details on RACINIT.

PRFT=nnnn

Specifies the size of the shared profile table in increments of 256 entries. A single shared profile table is allocated at the start of a region if its facility has SHRPRF set.

A region's shared profile table must have enough entries to hold the highest number of unique profiles that can be allocated for use within the region at any time.

For example, a region supporting 250 users, each sharing 3 common profiles, where each user also has 1 unique profile, must have a shared profile table with no less than 253 entries, which PRFT=1 (256 entries) provides. The default, PRFT=3 (768 entries), supports profile sharing of up to 768 unique, active profiles within a region. If this value is changed via the TSS MODIFY command, the region must be recycled for the change to take effect.

Default: 3
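The following Python script is an added example, not CA Top Secret code or its PARMFILE syntax checker. It reads FACILITY statements written in the form shown on this page and applies several of the page's rules in one pass: the ordering rule for LOG and MODE (a facility-specific value only takes effect when it is entered after the global one, so a later global value is treated as replacing any earlier facility-specific one), the note that DEFACID is never to be used with the TSO facility, the "not recommended" status of NOAUTHINIT, the requirement that MAXUSER be coded before MAXSIGN (here checked on statement order), and the PRFT sizing arithmetic in 256-entry increments. The accepted statement syntax, the comment convention, the global MODE(...) spelling, the facility names and the sample PARMFILE text are all constructed for illustration.

```python
"""Audit FACILITY statements written in the form shown on this page.

Added example, not CA Top Secret's own code.  The statement syntax accepted
here, the sample PARMFILE text below and the facility names are constructed
for illustration; a real PARMFILE must be checked against the product's
own syntax rules.
"""
import math
import re

# Constructed sample PARMFILE (not from any real installation).
SAMPLE_PARMFILE = """\
* global options first, then facility-specific overrides (constructed)
LOG(SMF,INIT)
MODE(FAIL)
FACILITY(CICSPROD=LOG(ALL))
FACILITY(IMSPROD=MODE=WARN)
FACILITY(TSO=DEFACID(TSODEF))
FACILITY(BATCH=NOAUTHINIT)
FACILITY(CICSPAY=MAXSIGN=(15,KILL))
FACILITY(CICSPAY=MAXUSER=500)
FACILITY(CICSPROD=PRFT=1)
"""

FACILITY_RE = re.compile(r"^FACILITY\((\w+)=(.+)\)$")
GLOBAL_RE = re.compile(r"^([A-Z]+)\(([^()]*)\)$")
# Accepts KEYWORD, KEYWORD=value, KEYWORD=(a,b) and KEYWORD(args).
SUBOPT_RE = re.compile(r"^([A-Z]+)(?:=\(?([^()]*)\)?|\(([^()]*)\))?$")


def parse_parmfile(text):
    """Yield (facility, keyword, value) in statement order.

    facility is None for a global option; value is None when the keyword
    carries no operand.  Lines starting with '*' are skipped as comments
    (an assumption made for this example, not a documented rule)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        m = FACILITY_RE.match(line)
        if m:
            s = SUBOPT_RE.match(m.group(2))
            if not s:
                raise ValueError("unparsed suboption: " + line)
            value = s.group(2) if s.group(2) is not None else s.group(3)
            yield m.group(1), s.group(1), value
            continue
        g = GLOBAL_RE.match(line)
        if g:
            yield None, g.group(1), g.group(2)
            continue
        raise ValueError("unparsed statement: " + line)


def effective_settings(text):
    """Resolve LOG and MODE per facility in statement order.

    A global LOG or MODE applies to every facility seen so far and is the
    starting value for facilities that appear later, so a facility-specific
    value survives only if it is entered after the global one.  Other
    suboptions are recorded as given, with their order of appearance."""
    current_global = {"LOG": None, "MODE": None}
    facilities = {}
    for fac, keyword, value in parse_parmfile(text):
        if fac is None:
            if keyword in current_global:
                current_global[keyword] = value
                for entry in facilities.values():
                    entry[keyword] = value
            continue
        entry = facilities.setdefault(
            fac, {"LOG": current_global["LOG"],
                  "MODE": current_global["MODE"], "_order": []})
        entry[keyword] = value
        entry["_order"].append(keyword)
    return facilities


def audit(text):
    """Return (facility, finding) pairs for settings this page warns about."""
    findings = []
    for fac, entry in effective_settings(text).items():
        if fac == "TSO" and "DEFACID" in entry:
            findings.append((fac, "DEFACID must never be used with facility TSO"))
        if "NOAUTHINIT" in entry:
            findings.append((fac, "NOAUTHINIT is not recommended"))
        order = entry["_order"]
        if ("MAXSIGN" in order and "MAXUSER" in order
                and order.index("MAXUSER") > order.index("MAXSIGN")):
            findings.append((fac, "MAXUSER must be coded before MAXSIGN"))
    return findings


def prft_needed(users, shared_profiles, unique_per_user=1):
    """Smallest PRFT value (256-entry increments) for a region where all users
    share `shared_profiles` profiles and each also holds `unique_per_user`."""
    entries = shared_profiles + users * unique_per_user
    return math.ceil(entries / 256)


if __name__ == "__main__":
    for fac, entry in effective_settings(SAMPLE_PARMFILE).items():
        print(f"{fac:9} LOG={str(entry['LOG']):10} MODE={entry['MODE']}")
    for fac, finding in audit(SAMPLE_PARMFILE):
        print(f"WARNING {fac}: {finding}")
    print("PRFT for 250 users sharing 3 profiles:", prft_needed(250, 3))
```

Run it as is and the sample shows CICSPROD logging ALL under FAIL mode, IMSPROD inheriting the global LOG but running in WARN, and three warnings (the TSO DEFACID, the BATCH NOAUTHINIT, and CICSPAY coding MAXSIGN ahead of MAXUSER). The PRFT helper reproduces the page's worked case: 3 shared plus 250 unique profiles is 253 entries, so PRFT=1.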

PROMPT

FOR TSO ONLY: Makes entering the password together with the userid at logon ineffective, which helps prevent CA Top Secret from displaying passwords on the terminal. If a user enters the password and user ID at the same time, CA Top Secret issues a warning message, locks the user's terminal for 10 seconds (the default), and then prompts for the password.

NOPROMPT

Deactivates the PROMPT suboption.

RES

Provides for the interpretation and recognition of maskable resources within the facility. Some examples of maskable resource classes are DATASET, JESSPOOL, DB2DBASE and DB2COLL. Without RES on the facility, security checks against these resource classes will fail. To identify a maskable resource class, see the Command Functions Guide.

RXLTLIST

Lists all the resource class translate entries defined to the translate table.

RXLTADD(oldclass:newclass)

Specifies a resource class translate entry to be added to the translate table.

oldclass

Specifies the source resource class.

newclass

Specifies the target resource class for the translation that occurs during the resource validation process.

Both old and new resource classes must exist in the RDT. An old class defined to the RDT as a type PIE or MRIE cannot be translated to a new class type RIE.

RXLTREM(oldclass)

Specifies a resource class translate entry to be removed from the translate table.

NORES

Prevents the interpretation and recognition of maskable resources within a facility. In high performance transaction managers that do not normally make use of maskable resource classes, this can improve performance. However, security features, which do involve maskable resources, cannot be used.

RNDPW

Enables random password generation in a facility. Two methods are supported:

RNDPW is set by default for TSO, CICS, and IMS. Some facilities might not display new, randomly generated passwords. Each facility, therefore, should test RNDPW before placing it into production.

Note: When neither the RNDPW facility suboption nor the NEWPW(RN) option is set and a user enters RANDOM as a new password, RANDOM is evaluated literally and sets the user's password to RANDOM. The NEWPW(RN) global option must not be set if user-initiated random password generation is required.

NORNDPW

Cancels the RNDPW suboption.

SHRPRF

Allows profile sharing in multiuser address space environments such as Advantage™ CA‑Roscoe®, IMS, and CICS where it is important to conserve storage. SHRPRF allows a copy of the profile to be shared by all users in the multiuser facility. Thus, storage is used efficiently.

After a profile has been updated, users must have their profile refreshed by the security administrator, or sign on again to access the new profile. If not, the user will continue to access the version with which he signed on.

NOSHRPRF

Prohibits profile sharing for the specified facility.

SIGN(M)

Allows simultaneous logons with the same ACID for the specified facility.

SIGN(S)

Sets CA Top Secret to disallow simultaneous signon for an address space by the same ACID from different sources (e.g. network terminals). When a duplicate signon is sensed, CA Top Secret issues message TSS7172E and disallows the second session. In IMPL and FAIL mode, this restriction is strictly enforced. In WARN mode, only a message is issued: signon by the same ACID from multiple terminals is logged and the user is warned, but the restriction is not enforced.

Note: Keyword SIGNMULTI allows specific user ACIDs to sign on multiple times when the facility sub-option is SIGN(S) and you have specified TYPE=CICS as the FACILITY option. For more information, see the Command Functions Guide.

STMSG

Requests that the system display the status message when a user signs on to the specified facility. This operand only applies to USER type ACIDs running in other than DORMANT mode. USER type ACIDs will not display the status message in DORMANT mode in any case. Administrator type ACIDs will always display the status message.

NOSTMSG

Terminates the status message display. This operand does not apply to administrator type ACIDs that will always display the status message.

SUAS

Used to indicate a single‑user address space. For the purposes of CA Top Secret, a single‑user address space requests data sets directly from z/OS. These facilities are single‑user address spaces: TSO, BATCH, and STC.

TRACE

Allows entire facility to be traced. See SECTRACE for more information.

NOTRACE

Deactivates the TRACE suboption.

TSOC

Indicates that a facility is TSO compatible; that is, the facility can handle TGET and TPUT SVCs.

NOTSOC

Cancels the TSOC suboption.

TYPE

When listing all facilities, a three‑digit numerical value (ranging from 000 to 100) displays for the TYPE= parameter. This parameter should not be changed except when defining or renaming a new CICS, AllFusion™ CA‑IDMS®, DB2, Advantage CA‑ROSCOE, or IMS facility. Then TYPE= must be specified as TYPE=CICS, TYPE=IDMS, TYPE=DB2, TYPE=ROSCOE, or TYPE=IMS. These changes will also update the facility ID numbers (CICS=004, IDMS=011, DB2=100, ROSCOE=007, and IMS=005.) A facility with no predefined keyword is assigned display type 099.

When used to modify a dummy facility, the keyword facility TYPE must be used as follows:

TSS MODIFY FACILITY(xxxxx=TYPE=IMS)

UIDACID=n

Specifies that the first n characters of an online userid are used to derive the ACID for the user.

WARNPW

Forces defined users and jobs to use their correct passwords during the WARN mode. The default for the WARN mode would normally allow a job to process, even if the user omitted his password or entered it incorrectly.

If the user signs on with a security administrator's ACID, and omits or enters an invalid password, CA Top Secret will FAIL the request regardless of the current security mode, or control option settings. CA Top Secret ignores the WARNPW option for undefined user ACIDS, and in DORMANT mode.

NOWARNPW

Cancels the WARNPW suboption.

XDEF

Sets protection in place by default for all commands and transactions controlled by the facility. Explicit authorization is required through LCF (Limited Command Facility) or through OTRAN permission.

NOXDEF

Indicates that transactions and commands need not be authorized through LCF before they can be used.