When CA Verify for VTAM runs multiple terminal test streams, it recreates, as much as possible, the same concurrences and order of events that existed when the test stream was originally logged.
During logging, CA Verify for VTAM records input and output screens in the order in which they pass through terminal control. During a run, input screens are transmitted in the same order in which they were logged. The application controls the order of outputs, but each time CA Verify for VTAM finds an output screen in the test stream, it waits for the application to write an output screen before transmitting subsequent input screens.
This method ensures that multiple terminal test streams produce consistent results. When you merge test streams, you must make sure that the new order of events represents a possible one. Failure to do so may cause mismatches, missing output, or a deadly embrace situation when you run the new test stream.
Follow these steps:
CA Verify for VTAM displays the Convert Test Stream to REXX menu.
ASMDEMO.OPTION1.001 -------------- CONVERT TO REXX ------------------17:14:50
ENTER COMMAND===> UE
TEST STREAM TO CONVERT: TCADS.ASMDEMO.OPTION1.001
REXX SCRIPT FILE:
   DATA SET NAME ===>'USER02.VERIFY.SCRIPT'
   MEMBER NAME ===>          (BLANK OR PATTERN FOR MEMBER SELECTION LIST)
OPTIONS:
   APPLID ===>               (LOGON APPLID)
   SCREEN LINES ===>03       (# OF SCREEN LINES TO INCLUDE: 0-43)
   PROTECT TARGET ===>N      (Y/N)
   SHARE PDS ===>N           (Y/N)
   DELAYS ===>Y              (Y/N)
ACTIVE PASSWORD SECURITY:
   CAPTURE FORMAT . . .TOKEN
   USERID . . . . . . .RYARO02
F1-HELP F3-END F4-RETURN
Identifies the name of the test stream to be converted. This is the name you specified on the Utilities or Test Stream Selection menu.
The data set name of the file in which to store the converted REXX script. The data set may be sequential or partitioned (PDS or PDSE) and must be catalogued, with a fixed record format and an 80-byte record length. The default value is userid.VERIFY.SCRIPT. Modify the name as you wish.
The name of the REXX script member if the data set is partitioned (PDS or PDSE). It is blank by default. Specify the name of the REXX script to which the test stream will be converted, or leave the field blank for a member selection list.
The logon APPLID for the VTAM region on which the converted REXX script will be executed. It is blank by default. If no APPLID is specified, the LOGON statement is generated as "LOGON '????????'" in the REXX script. The question marks will need to be replaced with a valid APPLID before the script can be executed.
The number of lines from each screen image to be included as comments in the REXX script. The default value is 3. Enter a value from 0 to 43.
Indicates whether a REXX script should be protected if it already exists in the script file. The default value is 'N'. Enter 'Y' to prevent an existing REXX script from being overlaid.
Indicates whether multiple jobs and users can write to the same script file at the same time, if the script file is a PDS. The default value is 'N'. Enter 'Y' to share the script file PDS.
Indicates whether "DELAY" statements, which represent "user think time", should be included in the converted REXX script. The default value is 'Y'. Enter 'N' to omit "DELAY" statements.
The active password capture format used when converting a test stream to a REXX script. The password capture format may be modified from the REXX Password Security panel, or by updating and assembling default options member, VTEOT.
The active userid. This is a display field only and cannot be modified.
CA Verify for VTAM displays the Member Selection menu.
------------------ UTILITIES: MEMBER SELECTION ----------------------14:51:19
ENTER COMMAND ===>
DATA SET NAME: 'USER02.VERIFY.SCRIPT'
S-SELECT
  NAME     MESSAGE  SIZE  CREATED  CHANGED  ID
_ BASIC
_ CA31
_ DEMA
_ ISPF342
_ TEST
_ TSO1
END OF DIRECTORY
F1-HELP F3-END F4-RETURN F7-UP F8-DOWN
Select a member by typing S to the left of the member name and press Enter.
Note: When converting a test stream to REXX, the goal is to create a script that can be executed without changes. However, the script may not exactly match everything that is in a test stream.
CA Verify for VTAM logging normally starts at a clear screen, but when a converted script is executed, the session is presented with the site's "Welcome to VTAM" screen. To resolve this, conversion creates a TYPE CLEAR statement that is not in the original test stream.
INVITE statements are required when an application unlocks the keyboard, but may subsequently send more output before input keystrokes are expected. Technically this is a between bracket issue. For example, this sometimes occurs during a TSO logon. The conversion creates INVITE statements as required, based on the converted test stream. However, since the number of outputs sent in this condition may vary, the script may have too many or too few INVITE statements.
An INVITE functions as a WAIT, and may slow the execution down if too many are coded.
If passwords were captured in REXX scripts converted from test streams or if passwords were coded in user written scripts or execs, then the REXX script would contain visible passwords that could be used to gain unauthorized access to protected system resources.
CA Verify for VTAM provides two password security options that allow passwords to be captured and used by CA Verify for VTAM REXX scripts while not being disclosed to or used by anyone other than their owners. There is also a third option, in which actual passwords are captured and are visible in converted REXX scripts. This option should only be used for test systems that do not need to be secure.
Token Security
Token Security captures symbolic password tokens instead of passwords in REXX scripts converted from test streams and allows the scripts to enter tokens instead of passwords to sign on.
Code Security
Code Security captures encoded password codes instead of passwords in REXX scripts converted from test streams and allows the scripts to enter codes instead of passwords to sign on.
Password Security
Password Security captures actual passwords in REXX scripts converted from test streams. This means that the passwords are visible in the scripts. This option should only be used on test systems which do not need to be secure.
The following topics discuss these security measures.
Token Security is a password encryption system that allows CA Verify for VTAM test streams that have been converted to REXX scripts to use passwords. A token protects test streams from being disclosed to or used by anyone other than their owner.
Token Security works with RACF, ACF2, CA Top Secret or any other security system that reliably establishes the user ID that owns address spaces in which CA Verify for VTAM is used in the manner prescribed by the z/OS System Authorization Facility (SAF).
Token Security may be used to capture tokens instead of passwords when a CA Verify for VTAM test stream is converted to REXX.
When a CA Verify for VTAM test stream is converted to REXX using Token Security and a password is encountered, the password is replaced by a token in the REXX script. The token and encrypted passwords are stored in the user's profile. The token is either an existing token for the password found in the user's profile or a new token that is automatically created for the password.
When a new token is created for a user:
A TOKEN footnote identifies each token captured in a converted screen image. The footnote in the following example identifies a captured token, UID1A, at screen row 8, column 20.
+Session Step(VTERM001 ENTER--> A31ITSO) Cursor(8,20) ------
|.------------------------------- TSO/E LOGON ----------------------------------
|.
|.
| .Enter LOGON parameters below: :
|
| . Userid ===>.BUCBR01. .
|
| . Password ===>.USER02A. .
|
+- TOKEN AT <8 20> -------------------------------------------------------------
The CA Verify for VTAM TYPE command TOKEN keyword identifies a token in a converted or user-written REXX script. For example:
" TYPE <8,20> TOKEN 'UID1C' ",
" <8,24> ENTER "
When a CA Verify for VTAM REXX script is used to create a session and a token is used to enter a password, the user ID that owns the address space is used to decrypt the token data retrieved from the user's profile. The correct password can be recovered from the token data only in an address space owned by the user id that was used to encrypt the password.
Token Security not only allows CA Verify for VTAM REXX scripts to enter correct passwords that are not seen in the scripts, but also ensures that passwords represented by tokens are used only by their owners.
Token Security provides other safeguards that protect passwords from accidental disclosure, protect passwords sent by online systems to terminals, and protect passwords while they are in memory.
Examples:
When CA Verify for VTAM test streams are converted to REXX, screen images are captured that show each request sent by a user to a system and each response sent by the system to the terminal. To protect all passwords in captured data regardless of who sent them, Token Security replaces all data in modifiable non-display fields with tokens, and replaces data in protected non-display fields with tokens, if the data or a lower case version of the data matches a password referred to by any existing user token.
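The capture rule described above, as an added sketch that is not CA Verify for VTAM code. The Field type, the plaintext token table and the user-ID-plus-letter token naming are assumptions made for illustration; the product stores encrypted passwords in the user's profile.

```python
from dataclasses import dataclass, replace
from string import ascii_uppercase


@dataclass(frozen=True)
class Field:
    row: int
    col: int
    data: str
    protected: bool     # True: the terminal user cannot type into the field
    non_display: bool   # True: the field contents are not shown on screen


def token_for(password, tokens, userid):
    """Return the existing token for a password, or create a new one."""
    for name, stored in tokens.items():
        if stored == password:
            return name
    # Assumed naming scheme for this sketch: user ID plus the next free letter.
    for letter in ascii_uppercase:
        name = userid + letter
        if name not in tokens:
            tokens[name] = password
            return name
    raise RuntimeError("no free token name for " + userid)


def redact_screen(fields, tokens, userid):
    """Apply the Token Security capture rule to one captured screen image."""
    out = []
    for f in fields:
        value = f.data.strip()
        if not f.non_display or not value:
            # Display fields are left alone; skipping empty non-display
            # fields is an assumption of this sketch.
            out.append(f)
        elif not f.protected:
            # Modifiable non-display field: always replaced by a token.
            out.append(replace(f, data=token_for(value, tokens, userid)))
        else:
            # Protected non-display field: replaced only when the data, or
            # its lower-case form, matches a password behind an existing token.
            match = next((n for n, pw in tokens.items()
                          if pw in (value, value.lower())), None)
            out.append(replace(f, data=match) if match else f)
    return out


# Constructed sample data: a token table and one captured screen.
TOKENS = {"USER02A": "winter9x"}
SCREEN = [
    Field(6, 20, "USER02", protected=False, non_display=False),
    Field(8, 20, "spring7q", protected=False, non_display=True),  # typed by user
    Field(12, 20, "WINTER9X", protected=True, non_display=True),  # sent by host
    Field(14, 20, "ZZ99", protected=True, non_display=True),      # not a password
]
```

The protected field holding "ZZ99" passes through unchanged because it matches no known password, so protection of host-sent non-display data depends on the password already having a token.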
If a password is changed, and token security is used, then the token value (password) must be changed to the new password using the Token Security Panel. You can view and modify tokens from the Utilities menu of the TSO interface.
Note: The Token Security panel is not accessible through the VTAM interface.
Follow these steps:
CA Verify for VTAM displays the Utilities menu.
------------------------------- UTILITIES ---------------------------13:50:35
ENTER COMMAND ===> U1
   C COPY A TEST STREAM               A APPEND RECORDS TO A TEST STREAM
   R RENAME A TEST STREAM             I INSERT RECORDS INTO A TEST STREAM
   D DELETE A TEST STREAM             M MERGE TERMINALS INTO A TEST STREAM
   U UPDATE A TEST STREAM DIRECTORY   X CONVERT A TEST STREAM TO REXX
   S SECURE DATA IN A REXX SCRIPT
ENTER TEST STREAM NAME:
   DDNAME ===> TCADS
   APPLICATION ===> CCC        (LEAVE APPLICATION, MEMBER,
   MEMBER ===> ORDERAPP         OR VERSION BLANK AND PRESS
   VERSION ===> 002             ENTER FOR A SELECTION LIST)
F1-HELP F3-END F4-RETURN
------------------- --------------- REXX TOKEN SECURITY ---------------15:42:02
ENTER COMMAND ===> UT
   C      CODE SECURITY
   P      PASSWORD SECURITY
   BLANK  CREATE A NEW TOKEN OR UPDATE AN EXISTING TOKEN
   D      DELETE A TOKEN
TOKEN FILE:
   DATA SET NAME ===> 'USER02.VERIFY.TOKEN'
   MEMBER NAME ===>            (BLANK OR PATTERN FOR MEMBER SELECTION LIST)
                               (SELECT CODES: S - SELECT, D - DELETE)
ACTIVE PASSWORD SECURITY:
   CAPTURE FORMAT ===> TOKEN   (OPTIONS: TOKEN, CODE, PASSWORD)
   USERID . . . . . . . USER02
Specify the data set name of the token file. The data set must be partitioned (PDS or PDSE), with a fixed record format and a 135-byte record length. The default value is userid.VERIFY.TOKEN.
Specify the name of the REXX token member. It is blank by default. Specify a member name or leave the member name blank for a member selection list.
Displays the active password capture format used when converting a test stream to a REXX script. If options are listed following the Capture Format field, a listed option may be entered to change the active capture format.
The capture format controls password security for all CA Verify REXX scripts for the user, regardless of when the scripts were created.
The active userid. This is a display field only and cannot be modified.
You can perform the following actions on this screen.
Note: The code security and password security options are displayed below the command line if they are available. The options are available if the settings in the REXX options table allow them.
------------------ UTILITIES: MEMBER SELECTION ----------------------20:30:32
ENTER COMMAND ===>
DATA SET NAME: 'USER02.VERIFY.TOKEN'
S-SELECT D-DELETE
  NAME     MESSAGE  SIZE   CREATED     CHANGED           ID
_ USER02A           00052  2012/08/05  2012/08/05 22:05  USER02
_ USER02D           00318  2012/08/14  2012/08/15 22:14  USER02
_ USER02H           00079  2012/07/23  2012/07/27 22:07  USER02
_ USER02L           00060  2012/07/23  2012/07/23 22:14  USER02
_ USER02P           00180  2012/07/23  2012/07/24 17:22  USER02
_ USER02R           00095  2012/07/16  2012/07/25 22:06  USER02
_ USER02S           00265  2012/07/14  2012/07/24 17:10  USER02
_ USER02V           00181  2012/07/21  2012/07/25 22:43  USER02
Example: Screen for a Token for a Script which logs on to a TSO Session
If the token was created for a script which logs on to a TSO session, the original screen looks like the following:
------------------------------- TSO/E LOGON -----------------------------------
TCA0579 - PRESS ENTER TO PROCEED OR PF3 TO CANCEL.
Enter LOGON parameters below:          RACF LOGON parameters:
   Userid ===> USER1
   Password ===>                       New Password ===>
   Procedure ===> TSOPROC              Group Ident ===>
   Acct Nmbr ===> 123456789
   Size ===> 4096
   Perform ===>
   Command ===>
Enter an 'S' before each option desired below:
   S -Nomail   S -Nonotice   S -Reconnect   -OIDcard
PF1/PF13 ==> Help   PF3/PF15 ==> Logoff   PA1 ==> Attention   PA2 ==> Reshow
You may request specific help information by entering a '?' in any entry field
Hit Enter to proceed to the 'Change Token' screen, the 'Create Token' screen or the 'Confirm Delete' screen.
Example: Change Token screen
----------------------------- CHANGE TOKEN --------------------------16:16:13
ENTER COMMAND ===> US
TOKEN FILE:
   DATA SET NAME . . . 'USER02.VERIFY.TOKEN'
   MEMBER NAME . . . . USER02B
ENTER A NEW PASSWORD TO CHANGE THE TOKEN.
   NEW PASSWORD ===>
   CONFIRM PASSWORD ===>
To update the token, specify a new password in the non-display 'New Password' and 'Confirm Password' fields and hit Enter.
Example: Create Token screen
----------------------------- CREATE TOKEN --------------------------16:16:13
ENTER COMMAND ===> US
TOKEN FILE:
   DATA SET NAME . . . 'USER01.VERIFY.TOKEN'
   MEMBER NAME . . . . USER01A
ENTER A NEW PASSWORD TO CHANGE THE TOKEN.
   NEW PASSWORD ===>
   CONFIRM PASSWORD ===>
To create a new token, specify a password in the non-display 'New Password' and 'Confirm Password' fields and hit Enter.
Example: Confirm Delete screen
----------------------------- CONFIRM DELETE ------------------------16:22:55
ENTER COMMAND ===> US
TOKEN TO BE DELETED:
   DATA SET NAME . . . 'USER02.VERIFY.TOKEN'
   MEMBER NAME . . . . USER02A
SET TOKEN DELETE CONFIRMATION OFF? N (Y/N)
PRESS ENTER TO CONFIRM DELETE.
PRESS END OR RETURN TO CANCEL DELETE.
Hit Enter to delete the token. You can set delete confirmation off for the session by specifying 'Y' in the 'Set Token Delete Confirmation Off?' field.
Code Security is a password encoding system that allows the CA Verify for VTAM REXX component to capture and use passwords while ensuring that they are not disclosed to or used by anyone other than their owner.
Code Security provides effective password protection when:
When a CA Verify for VTAM test stream is converted to REXX using Code Security and a password was used in the test stream, the password is replaced by a code in the session data for the REXX script. A code is the encoded value of a password combined with the user ID of the person who owns the password.
The CA Verify for VTAM TYPE command CODE keyword identifies a password code in a captured or user-written REXX exec. For example:
" TYPE <8,20> CODE '1SJP' ",
" <8,24> ENTER "
To prevent accidental disclosure of passwords that could occur if codes were incorrectly typed in display fields, the CA Verify for VTAM TYPE command for REXX does not allow codes to be typed into display fields.
When a CA Verify for VTAM REXX script creates a session and uses a password code to sign on, the code is decoded using the user ID that owns the address space. The correct password can only be recovered from a code in an address space owned by the owner of the code. Because password codes can be seen without disclosing the password encoded and because they can be used only by their owner, codes are not confidential information.
If a password is captured as a code, and system options require password capture notification, the user is notified that a password was captured.
Update Codes When Password Changes
The Code Security Panel is used to create codes to be used in REXX scripts to enter passwords. Because a code contains a password, if a REXX script uses a code for a password and the password is changed, the code must be replaced by a code for the new password, wherever the old code is used.
You can create a new code from the Utilities menu of the TSO interface.
Note: The Code Security Panel is not accessible through the CICS interface.
Follow these steps:
CA Verify for CICS displays the Utilities menu.
------------------------------- UTILITIES ---------------------------13:50:35
ENTER COMMAND ===> U1
   C COPY A TEST STREAM               A APPEND RECORDS TO A TEST STREAM
   R RENAME A TEST STREAM             I INSERT RECORDS INTO A TEST STREAM
   D DELETE A TEST STREAM             M MERGE TERMINALS INTO A TEST STREAM
   U UPDATE A TEST STREAM DIRECTORY   X CONVERT A TEST STREAM TO REXX
   S SECURE DATA IN A REXX SCRIPT
ENTER TEST STREAM NAME:
   DDNAME ===> TCADS
   APPLICATION ===> CCC        (LEAVE APPLICATION, MEMBER,
   MEMBER ===> ORDERAPP         OR VERSION BLANK AND PRESS
   VERSION ===> 002             ENTER FOR A SELECTION LIST)
F1-HELP F3-END F4-RETURN
The code security panel displays:
------------------- --------------- REXX CODE SECURITY ---------------15:42:02
ENTER COMMAND ===> UC
   T  TOKEN SECURITY
   P  PASSWORD SECURITY
PASSWORD/DATA TO ENCODE ===>
CODE FOR USERID ===> USER02
ACTIVE PASSWORD SECURITY:
   CAPTURE FORMAT ===> CODE   (OPTIONS: TOKEN, CODE, PASSWORD)
   USERID . . . . . . . USER02
A non-display field used to enter a password or other confidential data to encode.
The user ID for which the password is encoded. This field is available only if the CA Verify for VTAM REXX options allow codes to be created for use by other user IDs.
The active password capture format used when converting a test stream to a REXX script. If options are listed following the Capture Format field, a listed option may be entered to change the active capture format.
The capture format controls password security for all CA Verify REXX scripts for the user, regardless of when the scripts were created.
The active user ID. This is a display field only and cannot be modified.
You can perform the following actions on this screen:
Note: The token security and password security options are displayed below the command line if they are available. The options are available if the settings in the REXX options table allow them.
Password security neither encrypts nor encodes passwords. It is equivalent to having no security. When a CA Verify test stream is converted to REXX using Password Security and a password was used in the test stream, the actual password is used in the session data for the REXX script and is visible to anyone with the authority to browse or edit the script.
Important! Password security should only be used on test systems which do not require security.
If password security is active, the following panel displays:
--------------------------- REXX PASSWORD SECURITY ------------------15:16:45
ENTER COMMAND ===> US
   T  TOKEN SECURITY
   C  CODE SECURITY
WARNING: REXX PASSWORD SECURITY IS NOT ACTIVE WHILE THE FORMAT IS "PASSWORD".
         IF YOU CONVERT A TEST STREAM TO REXX, THE ACTUAL PASSWORD WILL BE
         VISIBLE IN THE REXX SCRIPT.
ACTIVE PASSWORD SECURITY:
   CAPTURE FORMAT ===> PASSWORD   (OPTIONS: TOKEN, CODE, PASSWORD)
   USERID . . . . . . . USER02
The active password capture format used when converting a test stream to a REXX script. If options are listed following the Capture Format field, a listed option may be entered to change the active capture format.
The capture format controls password security for all CA Verify REXX scripts for the user, regardless of when the scripts were created.
The active user ID. This is a display field only and cannot be modified.
You can perform the following actions on this screen.
The new capture format is stored in the user's profile and the panel for the specified capture format is displayed.
Note: The token security and code security options are displayed below the command line if they are available. The options are available if the settings in the REXX options table allow them.
Copyright © 2012 CA.
All rights reserved.