Introduction › Why Use CA Top Secret? › Distributed Security Processing

Distributed Security Processing

As discussed earlier, distributed security processing can include Command Propagation Facility (CPF). This section focuses on the major component of distributed security processing—the Command Propagation Facility (CPF).

With the Command Propagation Facility, distributed security processing allows you to administer security across multiple VTAM nodes. For example, with the appropriate authorization a security administrator on one node can make modifications to the Security File on another node. The Command Propagation Facility allows centralized control of the whole network or even a smaller portion of that network.

What is the Command Propagation Facility?

The Command Propagation Facility (CPF) provides the security environment with:

• Routing of security administration to all or selected nodes within the security network.
• Optional synchronous or asynchronous remote command execution. The basic difference between the two types of command execution is that synchronous waits for the command response to return from the remote node before continuing, while asynchronous does not have to wait for a response before resuming processing.
• TSS command execution with most CA Top Secret commands.
• Automatic update of passwords on all connected systems if changed by the user at logon.
• Propagation of user-initiated suspensions for exceeding password and violation threshold limits.
• Optional Journal Files (virtual printers) to log commands transmitted to, and responses received from, remote nodes.
• Optional collection of asynchronous commands in a Recovery File so that they can be retransmitted in case of network outage.

Synchronizing Information Across Nodes

CPF allows you to automatically synchronize Security Administration on multiple nodes through the propagation of TSS commands, as well as user‑initiated changes, such as suspension and password changes. Security administration propagation can be either implicit or explicit. Implicit uses the CPF control options to set system‑wide propagation rules; while explicit uses CPF command keywords to set propagation rules on a command-by-command basis.

Controlling Access From Remote Nodes

When CPF transmits a command to a remote destination, it records the command image on the Journal File for that node and associates an ID with that command. A Journal File provides an historical record of the command traffic to and from CA Top Secret. When a response is received from the remote node, CPF journals the response and the ID number so that the response can be matched to the command that prompted it. When the response is sent back, it is journalled with the ID and remote destination name. By examining the appropriate Journal File, an auditor can see exactly what came in, what went out, and the results of the action taken.