eTrustâ¢CA-ACF2Â® Security for z/OS and OS/390 ... - SupportConnect

More documents

Recommendations

Info

RV Report – A summary index of access activity is provided in theACFRPTRV Resource Violation log report similar to the one provided inthe ACFRPTDS dataset report.RL and EL Report – A new parameter called CHANGES has beenadded that, when specified, reports on the entries deleted from or insertedinto a rule set.• NEXTKEY on Rule Decompiles. The DECOMPILE command fordata set and resource rules has been enhanced. When the new ALLkeyword is specified, both the target rule set and all associatedNEXTKEY rule sets found are decompiled.• Digital Certificate Administration. Release 6.5 provides the ability togenerate digital certificates and digital certificate requests. The ability toexport certificates with their private keys is also added. Otherenhancements include improving the display of certification information.• PDS Member-Level Protection Changes. Users of the PDS Member-Level Protection component prior to release 6.4 SP02 should note that achange has been made to the "bypass" check. A dataset validation ismade against a pseudo-dataset name called CAPDSSEC.BYPASS.classto determine whether member-level security is enforced for a user. Thecheck was formerly made for READ access to the pseudo-dsn, but it hasbeen changed to check for WRITE access. This was done toaccommodate users of the READALL privilege that also wantedmember-level security to be in effect. All users of member-level securitymust change their dataset rule for high-level qualifier CAPDSSEC fromREAD(ALLOW) to WRITE(ALLOW).• Profile Rule Record API. A new API called ACFCMPL3 has beenadded for compiled profile records. This API is similar to theACFCMPLR interface provided for Access and Generalized ResourceRule maintenance.• CPF Enhancement. The Command Propagation Facility (CPF) hasbeen enhanced to provide propagation of logonid status changes (i.e.SUSPEND) made via the ACTRM SVC-A call. AllF ACF2,RESET(logonid) operator modify commands will be propagatedas well.• New Password Controls. Six new password controls have been addedto provide the security administrator with greater control over the contentof passwords. The security administrator may, for example, forbid usersfrom entering passwords with recurring character sequences, may requirethat one or more vowels or numeric characters be specified, or mayrequire additional special characters to be used. Combined, thesecontrols can significantly strengthen your installation’s passwordcontrols.February 2003eTrust CA-ACF2 Security for z/OS and OS/390
• ACF NEWMOD Enhancements. In eTrust CA-ACF2 Release 6.5, theF ACF2,NEWMOD(SAF) can dynamically reload all of the reloadableSAF modules without an IPL.• ACCESS Subcommand. The ACCESS subcommand has beenenhanced to streamline performance and provide additional information.An in-storage Logonid/UID cross-reference table eliminates Logoniddatabase I/O and the Logonid scoping restriction placed on commandissuers. The new display format lists keys, Nextkeys, prefixes, matchingrulelines and associated Logonids.• ACL Support. z/OS 1.3 introduces support for Access Control Lists(ACL) for the HFS file system. ACL’s provide more granular control ofaccess to the HFS files and directories when using native HFS security.eTrust CA-ACF2 supports the new R_setfacl callable service request tocreate, modify, and delete ACL’s, and checks ACL’s when access to afile or directory is requested.• Message and Panel Changes. Release 6.5 provides support for thecorporate-wide rebranding effort of the product name fromCA-ACF2 for OS/390 to eTrust CA-ACF2 Security for z/OS andOS/390. This rebranding changed many administrative and reportpanels, help panels, clists, report headings, messages, and alldocumentation.• Started Task (STC) GSO Record. The new STC GSO record can beused to assign a Logonid and optional Groupid based on the started taskID. Use of masking allows a single STC record to pertain to multiplestarted tasks.Prior to Release 6.5, a started task (STC) was assigned a Logonid basedon the following:o The user could explicitly request a Logonid via the USER= JCLparameter, or eTrust CA-ACF2 would use a Logonid equal to theSTC procedure nameo The appropriate default STC Logonid would be used.With Release 6.5 and the new GSO STC record, this processing isslightly altered.An internal table called the STC table is built during eTrustCA-ACF2 initialization or during REFRESH processing from theappropriate GSO STC records that are defined. This table is then used aspart of the process of determining what Logonid to assign to a particularSTC. This process can be summarized as follows:o The user could explicitly request a Logonid via the USER= JCLparameter, or eTrust CA-ACF2 would use a Logonid equal to theSTC procedure name.February 2003eTrust CA-ACF2 Security for z/OS and OS/390
Page 5: Computer Associates International,
Page 9: • $NORULELNG on Rules. A new rule
Page 13 and 14: CICS Startup Messages - To provide
Page 15 and 16: Important Note for eTrust CA-ACF2 S
Page 17: END OF PIB PACKETFebruary 2003eTrus

eTrustâ¢CA-ACF2Â® Security for z/OS and OS/390 ... - SupportConnect

Create successful ePaper yourself

Delete template?

Save as template?

eTrustâ¢CA-ACF2Â® Security for z/OS and OS/390 ... - SupportConnect