When initially configuring the CP component with the VMXRPI configuration file, specify the following CPACTION record:
CPACTION * ACCEPT
This record allows normal operation of the CP commands—AUTOLOG, DIAL, LINK, LOGON, SPOOL, STORE HOST, TAG, TRANSFER, and XAUTOLOG—when CA VM:Secure is not available. When first installing the Rules Facility, familiarize yourself with rules processing before you begin implementing strict security procedures. Later, you will want to restrict system access when CA VM:Secure is not available.
When you feel comfortable with your installation of the Rules Facility, you may want to reconfigure the CP components by changing the CPACTION records to the following ones:
CPACTION * REJECT
CPACTION OPERATOR ACCEPT
CPACTION AUTOLOG1 ACCEPT NOPASS
CPACTION VMSECURE ACCEPT
CPACTION VMBACKUP ACCEPT
CPACTION VMBATCH WAIT
CPACTION VMBAT001 WAIT
CPACTION VMBAT002 WAIT
CPACTION MAINT ACCEPT NOPASS
CPACTION VMANAGER ACCEPT
Give the CA VM:Batch worker machines CPACTION WAIT status. This ensures that jobs issuing any of the CP commands controlled by CA VM:Secure will be able to wait and retry the command.
If you are using CA VM:Backup, give the VMBACKUP user ID CPACTION ACCEPT status. You will then be able to use the backup program to recover any of the CA VM:Secure minidisks when it is down.
CA VM:Secure allows you to specify the following:
CPACTION * WAIT
However, this creates a very strict environment for users, and is appropriate only if security is extremely important at your site.
Decide which user IDs at your site should default to native z/VM directory security when CA VM:Secure is not available. The records shown previously allow only the OPERATOR, AUTOLOG1, VMSECURE, VMBACKUP, VMBATCH, VMBAT001, VMBAT002, MAINT, and VMANAGER user IDs to access your system if the program is not available.
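The following added example (not part of the CA documentation or product) parses the CPACTION records shown above, resolves the action a user ID falls back to when CA VM:Secure is not available, and flags a permissive default or a batch worker that is not set to WAIT. It assumes that a record naming a user ID takes precedence over the `*` record and that a user ID appears in at most one record; the function names are hypothetical.

```python
# Added example, not CA code. Assumption: a CPACTION record that names a
# user ID takes precedence over the "*" record.
SAMPLE_CONFIG = """\
CPACTION * REJECT
CPACTION OPERATOR ACCEPT
CPACTION AUTOLOG1 ACCEPT NOPASS
CPACTION VMSECURE ACCEPT
CPACTION VMBACKUP ACCEPT
CPACTION VMBATCH WAIT
CPACTION VMBAT001 WAIT
CPACTION VMBAT002 WAIT
CPACTION MAINT ACCEPT NOPASS
CPACTION VMANAGER ACCEPT
"""  # constructed from the records shown on this page
ACTIONS = {"ACCEPT", "REJECT", "WAIT"}

def parse_cpaction(text):
    """Return {userid: (action, options)} for every CPACTION record."""
    records = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.upper().split()
        if not tokens or tokens[0] != "CPACTION":
            continue  # other VMXRPI CONFIG records are out of scope here
        if len(tokens) < 3 or tokens[2] not in ACTIONS:
            raise ValueError(f"line {lineno}: malformed record: {line!r}")
        if tokens[1] in records:
            raise ValueError(f"line {lineno}: duplicate record for {tokens[1]}")
        records[tokens[1]] = (tokens[2], tuple(tokens[3:]))
    return records

def effective_action(records, userid):
    """Action for userid when CA VM:Secure is unavailable (None if unset)."""
    rec = records.get(userid.upper()) or records.get("*")
    return rec[0] if rec else None

def audit(records, batch_workers=()):
    """Return findings for a permissive default and non-WAIT batch workers."""
    findings = []
    default = effective_action(records, "*")
    if default is None:
        findings.append("no 'CPACTION *' record: fallback for unlisted user IDs is not set")
    elif default == "ACCEPT":
        findings.append("'CPACTION * ACCEPT': unlisted user IDs keep normal CP command operation")
    for worker in batch_workers:
        action = effective_action(records, worker)
        if action != "WAIT":
            findings.append(f"{worker}: batch worker resolves to {action}, expected WAIT")
    return findings

def accept_exceptions(records):
    """User IDs explicitly given ACCEPT, with their options, for review."""
    return {u: o for u, (a, o) in sorted(records.items()) if a == "ACCEPT" and u != "*"}
```

Run `audit()` with the names of your own CA VM:Batch worker machines, and review the output of `accept_exceptions()` against the list of user IDs you decided should keep access.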
If you use telecommunications services such as TCP/IP, VTAM, or RSCS on your z/VM system to send data to or receive data from software vendors, add entries for these services to the VMXRPI CONFIG file.
Copyright © 2014 CA.
All rights reserved.