Security Implementation Considerations › Security Considerations for Cross-Platform Scheduling › CA 7 As Cross-Platform Client and CA7TOUNI Jobs

CA 7 As Cross-Platform Client and CA7TOUNI Jobs

The primary security considerations for CA7TOUNI cross-platform job definitions relate to the CA WA CA 7 Edition SUBMIT function.

• The MVS USERID under which the CA WA CA 7 Edition cross-platform tracking function runs requires both READ and UPDATE access to the CA WA CA 7 Edition XPS PROFILE partitioned data set. The USERID creates and updates a member for each remote system to which cross-platform requests are sent.
• All MVS USERIDs under which the CA WA CA 7 Edition cross-platform submit function runs must have READ access to the CA WA CA 7 Edition XPS PROFILE partitioned data set. It reads member CACCENV for global submit parameters. If the SYSIN data for a particular submit job is in a distinct data set, the MVS USERID under which the submit job runs must have READ access to the data set.
• CA WA CA 7 Edition cross-platform submit jobs are defined, scheduled, and/or demanded in the same manner as any other CA WA CA 7 Edition batch job. The MVS USERID under which the batch submit job runs is assigned in the same manner as your other CA WA CA 7 Edition batch jobs.
• A USERID is always passed to the target system. You can specify the USERID explicitly by the SUBUSER parameter in PROFILE or SYSIN. If no SUBUSER parameter is specified, the MVS USERID under which the batch job is running is extracted and used as a default for SUBUSER.
• A security call can be made to the external security system to determine whether the MVS USERID under which the batch job is running is authorized to submit on behalf of the USERID specified in the SUBUSER parameter. This validation is the same Submit Check that can be done in CA WA CA 7 Edition (see the specific chapter for your external security system to define rules for Submit authorization). If the SUBUSER parameter is more than eight characters, the value used for the Submit Check is the first eight characters of SUBUSER.

  The Submit Check security call is made under the following circumstances:

  • If the MVS USERID under which the batch job is running does not exactly match the SUBUSER USERID,

    - and -

  • Either the value of BSUBCHK for this instance is Y or the SUBCHECK=YES parameter is set in the CA WA CA 7 Edition XPS PROFILE member CACCENV. The BSUBCHK value controls CA WA CA 7 Edition security checking for processes outside of the CA WA CA 7 Edition address space (BTI, U7SVC, and so forth). The SUBCHECK= parameter cannot suppress Submit Checking when the value of the BSUBCHK is Y.

    CAIRIM sets the value of BSUBCHK for each instance. For more information, see the chapter "Execution" in the Systems Programming Guide.

    If the return code from the external security system indicates that the MVS USERID does not have authority to submit on behalf of the SUBUSER USERID, the cross-platform request is not sent to the target system. The batch Submit job fails.

• If the USERID assigned to SUBUSER is the value ROOT, an additional security check is made. The SUBROOT= parameter in the CA WA CA 7 Edition XPS PROFILE member CACCENV must be set to YES to authorize use of the ROOT USERID. Tightly control the USERID 'ROOT' because it has special meaning on UNIX platforms. If SUBROOT=YES is not specified, the cross-platform request is NOT sent to the target system, and the batch submit job fails.
• The target system sometimes requires that you supply a password with the USERID specified in SUBUSER. Use the SUBPASS parameter to specify a password to the target system. The MVS system makes no check to validate the password. To prevent unintended mismatches of USERIDs and passwords, the SUBPASS parameter is only honored if it comes from the same source as the SUBUSER parameter. That is, both SUBUSER and SUBPASS must be in the SYSIN data, or they must both be in the PROFILE data.

  The password value is encrypted before being sent across the network with the cross-platform request. If you want to use passwords, we recommend that you specify the SUBUSER and SUBPASS parameters in a distinct file pointed to by the SYSIN DD statement. You can use the standard facilities of your MVS security system to secure this file for READ and WRITE access.