eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect

eTrust CA-Top Secret ® Securityfor z/OS and OS/390Security CookbookMay 2003

This documentation and related computer software program (hereinafter referred to as the “Documentation”) is forthe end user’s informational purposes only and is subject to change or withdrawal by Computer AssociatesInternational, Inc. (“CA”) at any time.This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, withoutthe prior written consent of CA. This documentation is proprietary information of CA and protected by the copyrightlaws of the United States and international treaties.Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation fortheir own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Onlyauthorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of thelicense for the software are permitted to have access to such copies.This right to print copies is limited to the period during which the license for the product remains in full force andeffect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproducedcopies or to certify to CA that same have been destroyed.To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind,including without limitation, any implied warranties of merchantability, fitness for a particular purpose ornoninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct orindirect, from the use of this documentation, including without limitation, lost profits, business interruption,goodwill, or lost data, even if CA is expressly advised of such loss or damage.The use of any product referenced in this documentation and this documentation is governed by the end user’sapplicable license agreement.The manufacturer of this documentation is Computer Associates International, Inc.Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) orDFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.© 2003 Computer Associates International, Inc.All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Technical UpdatesMay 2003The following table lists May 2003 Cookbook updates introduced in thisdocument. This version completely replaces the October 2002 version.ChapterImplementing eTrust CA-TopSecret in a z/OS or OS/390EnvironmentImplementing eTrust CA-TopSecret in a z/OS or OS/390EnvironmentImplementing eTrust CA-TopSecret in a z/OS or OS/390EnvironmentImplementing eTrust CA-TopSecret in a z/OS or OS/390EnvironmentImplementing eTrust CA-TopSecret in a z/OS or OS/390EnvironmentImplementing eTrust CA-TopSecret in a z/OS or OS/390EnvironmentDescriptionInformation on the BPXROOT acid addedto the "ACIDS Needed to Install UnixSystems Services" section.Information on how to concatenate theeTrust CA-Top Secret BPXWIRACmember ahead of the IBM REXX exec inthe "TSO ISHELL Support" section.Updated syntax for the ST command inthe "Tracing UNIX System Services(OMVS)" section.Additional syntax added to “How toDefine a Sysem Default User (UID) andGroup (GID)” section.Additional syntax added to “OS/390ServerPac Upgrade” section regardingadministering source protection in eTrustCA-Top Secret.Added “Third Party Vendor” section.Technical Updatesiii

ContentsChapter 1: Implementing eTrust CA-Top Secret in a z/OS orOS/390 Environmentz/OS and OS/390 Compatibility ............................................................... 1–2Upgrade Solutions ........................................................................ 1–2Upgrade Solution Updates ................................................................. 1–3Hyper Solution Delivery ................................................................... 1–3z/OS and OS/390 Product/Component Naming Convention ..................................... 1–4z/OS and OS/390 Release-Specific Security Concerns ............................................ 1–4z/OS V1R1 and Above .................................................................... 1–5z/OS and OS/390 V2R10 and Above........................................................ 1–5OS/390 V2R9 and Above .................................................................. 1–5OS/390 V2R8 and Above .................................................................. 1–5OS/390 V2R7 and Above .................................................................. 1–6CA LDAP Server for z/OS and OS/390 ......................................................... 1–6OpenEdition MVS / UNIX System Services Support ............................................. 1–6Controlling Access to UNIX System Services................................................. 1–8How to Define UNIX System Services Users ............................................. 1–8How to Define UNIX System Services Groups............................................ 1–9How to Assign Users to Groups under eTrust CA-Top Secret ............................. 1–10How to Dynamically Change Your Default Group ....................................... 1–10How to Define a System Default User (UID) and Group (GID) ............................ 1–10How to use the AutoUID/AutoGID Enhancement for eTrust CA-Top Secret ............... 1–11How to Refresh UID and GID Tables ................................................... 1–12How to List All UIDs and GIDs ........................................................ 1–12How to List Who Has UID(0) .......................................................... 1–12Password Assignment for UID(0) Acids .................................................... 1–13ACIDs Needed to Install UNIX System Services............................................. 1–13Defining the OMVS Started Task ACIDs ................................................ 1–13Defining Other OMVS Started Task ACIDs ................................................. 1–15TSO ISHELL Support..................................................................... 1–15How to Create the Superuser Administrator ACID .......................................... 1–15Contentsiii

Superuser Granularity ................................................................... 1–16CHOWN UNRESTRICTED (Control Option) ........................................... 1–18z/OS and OS/390 UNIX System Services: User Limits ...................................... 1–18z/OS and OS/390 ServerPac upgrade ..................................................... 1–19Logging UNIX System Services Security Calls .............................................. 1–19Tracing UNIX System Services (OMVS) ....................................................... 1–20UNIX System Services Reporting.......................................................... 1–21TSSOERPT Output Description ....................................................... 1–23Using TCP/IP............................................................................... 1–29Establishing Security for TCP/IP and OE/TCPIP (Communications Server IP for z/OS and OS/390)........................................................................................ 1–29TCP/IP SERVAUTH Class ............................................................... 1–30VMCF and TNF subsystems (eTrust CA-Top Secret started before JES) ....................... 1–31IP Address Protection .................................................................... 1–32Using FTP .................................................................................. 1–32How to Secure FTP ...................................................................... 1–33How to Secure FTP for UNIX System Services .............................................. 1–33Using TELNET.............................................................................. 1–35How to Secure TELNET for UNIX System Services ......................................... 1–35InfoPrint Server for z/OS and OS/390 (z/OS and OS/390 Print Server) .......................... 1–36WebSphere Application Server for z/OS AND OS/390 ......................................... 1–36Authorization Checking.................................................................. 1–38Server Authorization Checking........................................................ 1–39Level of Trust and Authority for Regions............................................... 1–39User Identification, Authentication and Network Security ................................... 1–40Identification and Authentication ..................................................... 1–43WASADM .............................................................................. 1–43Security Auditing........................................................................ 1–47Lotus Domino Go Webserver ................................................................. 1–47Installing Domino Go Webserver on a eTrust CA-Top Secret-secured System.................. 1–48Lotus Notes Server .......................................................................... 1–50Lotus Notes and Novell Directory Services for z/OS and OS/390 ................................ 1–51Digital Certificate Support ................................................................... 1–51Associating a Unique Digital Certificate with a User ........................................ 1–52General Rules ........................................................................... 1–53Third Party Vendors ..................................................................... 1–53Adding a Digital Certificate to an ACID Record ............................................ 1–54Generating a Digital Certificate and Adding It to a User ..................................... 1–56Listing Digital Certificate Information ..................................................... 1–60Generating a Certificate Request .......................................................... 1–61Changing a User's Certificate ............................................................. 1–62ivSecurity Cookbook

Certificate Replacement (Renewal)......................................................... 1–62Changing a Certificate's Status ............................................................ 1–63Changing a Certificate's Label ............................................................. 1–63Removing a Certificate from a User ........................................................ 1–64Determining if a Certificate has been Added to eTrust CA-Top Secret ......................... 1–64Exporting Certificates to Data Sets ......................................................... 1–65Sharing Certificates on Key Rings.......................................................... 1–66Creating a Key Ring .................................................................. 1–66Adding a Certificate to a Key Ring ..................................................... 1–67Removing a Key ring from an acid ..................................................... 1–67Extracting Certificates from Key Rings ..................................................... 1–68Extracting Private Keys ................................................................... 1–68Reconnecting Private Keys ................................................................ 1–69Listing Key Ring Information ............................................................. 1–69Managing Certificate Serial Numbers ...................................................... 1–69CERTADM .............................................................................. 1–70Certificate Name Filtering Support ............................................................ 1–73Managing Certificate Name Filters......................................................... 1–75Managing Criteria Maps .................................................................. 1–77Creating Certificate Name Filter Scenarios.................................................. 1–78Listing Filtering Information .............................................................. 1–79Init ACEE Changes for Search Sequence.................................................... 1–79Search Sequence Scenario ............................................................. 1–80Kerberos .................................................................................... 1–81Local Server Configuration................................................................ 1–81Customizing your Local Environment...................................................... 1–82Defining Your Local Realm ............................................................... 1–82Defining Local Principals ................................................................. 1–84Password Change Server ACID ........................................................... 1–85Preparing Local Principal ACIDs for Kerberos .............................................. 1–85DCE Incompatibility.................................................................. 1–86Security Considerations ............................................................... 1–86Mapping of Foreign Environments ............................................................ 1–87Mapping Foreign Realms ................................................................. 1–87Mapping Foreign Principal Names......................................................... 1–89DCE Support ................................................................................ 1–90Distributed File Service (DFS) ................................................................. 1–90Distributed File Server SMB SUPPORT ........................................................ 1–91SMB ENCRYPTED PASSWORD SUPPORT................................................. 1–91NFS (Network File System) ................................................................... 1–92eTrust CA-Top Secret Support for z/OS and OS/390 NFS.................................... 1–93Contentsv

WLM (Workload Management)............................................................... 1–94z/OS and OS/390 Security Server Support..................................................... 1–94RACF .................................................................................. 1–95DCE Security Server ..................................................................... 1–96Firewall Technologies .................................................................... 1–97LDAP Server ............................................................................ 1–98DB2 Security Exit ........................................................................ 1–99Integrated Cryptographic Services ........................................................ 1–99Chapter 2: Controlling Access to the Hierarchical File SystemControlling HFS Using the Native UNIX Security Model ..........................................2–1Processes that Affect HFS Security ..........................................................2–3HFS FASTPATH Checking .............................................................2–3MOUNT NOSECURITY ................................................................2–3Program Control in the UNIX Environment ..............................................2–3Controlling HFS Using CA SAF HFS Security ....................................................2–4CA SAF File Access Security ................................................................2–4Path Name Translation .................................................................2–5HFSSEC Resource Class ................................................................2–6Permission Considerations..............................................................2–6Reporting .................................................................................2–7Securing HFS Functions........................................................................2–7System Functions ..........................................................................2–7System Functions (IBMFAC ATTRIBUTE)................................................2–8File Functions .............................................................................2–9File Functions (IBMFAC) ...............................................................2–9Sample Permissions...................................................................... 2–10Implementing CA SAF HFS Security .......................................................... 2–11HFSSEC Control Option ..................................................................... 2–12Exit Processing .......................................................................... 2–12Troubleshooting ......................................................................... 2–14Reporting ........................................................................... 2–14OPTIONS(32) ....................................................................... 2–14Diagnostics.......................................................................... 2–15TSSUTIL/SAF Reference Tables ....................................................... 2–15CA SAF HFS ADD/PERMIT Generation Utility ............................................ 2–22Messages ................................................................................... 2–27viSecurity Cookbook

Chapter 3: Using the Sysplex Coupling FacilityThe SYSPLEX XES Function ................................................................... 3–1The SYSPLEX XCF Function ................................................................... 3–3eTrust CA-Top Secret and the SYSPLEX XES Function............................................ 3–3eTrust CA-Top Secret and the SYSPLEX XCF Function ........................................... 3–5XCF(*) Control Option..................................................................... 3–5Controlling Access to XCF Policies.......................................................... 3–5Defining the Sysplex to eTrust CA-Top Secret ................................................... 3–6Managing the Coupling Facility ................................................................ 3–6CFRM Policy............................................................................... 3–7Altering the Coupling Facility Structure Size..................................................... 3–7Rebuilding the Coupling Facility Structure .................................................. 3–8Connecting to the Structure ................................................................ 3–9Defining SYSTEM LOGGER to eTrust CA-Top Secret ............................................ 3–9Appendix A: IMVSECURIMVSECUR ................................................................................. A–1Appendix B: RACF to eTrust CA-Top Secret TranslationADDGRP .................................................................................... B–3ADDUSER ................................................................................... B–3ALTUSER.................................................................................... B–3CLASS....................................................................................... B–3PERMIT ..................................................................................... B–4RDEFINE .................................................................................... B–4RACF Attribute Translation.................................................................... B–5IndexContentsvii

Chapter1Implementing eTrust CA-TopSecret in a z/OS or OS/390EnvironmenteTrust CA-Top Secret® Security for z/OS and OS/390 (eTrust CA-Top Secret)protects information systems and the data they manage from unauthorizeddisclosure, modification, and destruction. Since its inception, eTrust CA-TopSecret has maintained leadership in the OS/390 marketplace through aggressivedelivery of new releases, high-quality technical support services, and adapting tothe ever-changing mainframe marketplace.The initial release of OS/390 provided an installation vehicle that packagedtogether the products that you normally selected when building your baseoperating system (ESA 5.2.2 and major subsystems such as VTAM, Data FacilityProduct, Open Edition and JES). With each new release of z/OS, additionalcomponents have been added. Each component is tested together, providing ahigher level of quality assurance. In addition, this methodology also affordseTrust CA-Top Secret a more supportable environment.As each new release of z/OS is made available, eTrust CA-Top Secret providesfull support of new features. The required maintenance and administrativechanges are fully documented in the product informational solutions (seeUpgrade Solutions section of this document). The majority of changes to z/OS,which affect security, are related to UNIX System Services and the couplingfacility. This document discusses these topics in detail. Traditional security taskssuch as CICS and data set protection are largely unaffected by z/OS and OS/390and are covered in the standard eTrust CA-Top Secret documentation.This cookbook provides a "how to" guide for implementing eTrust CA-TopSecret in a UNIX System Services z/OS and OS/390 environment.The administrative commands used in this book are also included in Appendix Aand in CAI.SAMPJCL (IMVSECUR, WASADM) on the eTrust CA-Top Secretmaintenance tape.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–1

z/OS and OS/390 Compatibilityz/OS and OS/390 CompatibilityOur maintenance philosophy is to test each new z/OS and OS/390 release atminimum with the two most recent generally available genlevels. Any requiredcompatibility maintenance is prepared and published concurrently with IBM’savailability. It is not our intent to time releases of eTrust CA-Top Secret tocoincide with each z/OS and OS/390 release.In general, the first Service Pack published after a z/OS and OS/390 release willincorporate any compatibility maintenance. For those clients requiringcompatibility prior to Service Pack availability, CA has developed the followingmechanisms to provide this maintenance immediately. This information is madegenerally available in Upgrade Solutions through StarTCC on the Web or usingtelephone support.Upgrade SolutionsUpgrade solutions exist for each GA release of z/OS or OS/390. eTrust CA-TopSecret documentation changes (update packets) are normally sent out with eachnew eTrust CA-Top Secret genlevel. Changes to the support of z/OS or OS/390that occur between eTrust CA-Top Secret genlevels are documented in thesesolutions.These solutions:■■■Exist for each release of z/OS or OS/390Provide a list of the latest recommended maintenanceInclude z/OS or OS/390 release-specific informationTo receive the latest updates:■■Download Upgrade solutions from StarTCC (CA Support on the Internet)eSupport.CAI.COMCall Computer Associates Technical Support and request the specific z/OSor OS/390 release solutionTo download or view solutions from StarTCC, perform the following stepsstarting at the StarTCC main menu:1. Select SEARCH CA KNOWLEDGE BASE – SIMPLE.2. Select UPGRAD—GENERAL UPGRADE from the product drop-downwindow.3. Input TSSMVS as the keyword.4. Select the SEARCH button.1–2 Cookbook

z/OS and OS/390 CompatibilityThe list returned will include all of the eTrust CA-Top Secret upgrade solutions.In addition to the z/OS or OS/390 specific solutions, the COMPATIBILITY OFeTRUST CA-Top Secret WITH OTHER PRODUCTS solution will also be listed. Itis important that you review both the z/OS or OS/390 and compatibilitysolutions.Upgrade Solution UpdatesTo determine if an informational upgrade solution has been recently updated,perform the following steps from the StarTCC main menu:1. Select DISPLAY NEWS ITEMS.2. Select UPGRAD SOLUTIONS UPDATED SINCE xx/xx/xxxx (latest dateavailable).3. Finally, select and view the eTrust CA-Top Secret solution (will appear onlist if updated since date).The news items list provides 3 weekly "updated since" options at any given time.It is recommended that you check this option on a twice per month basis.Hyper Solution DeliveryStarTCC provides the option for you to receive an email automatically (sent toyour Internet email address) whenever an eTrust CA-Top Secret APAR ispublished as a Hyper. This includes any z/OS or OS/390-related Hypersolutions.To set up this Hyper Solution Delivery option under StarTCC, perform thefollowing steps, starting at the main menu:1. Select Hyper Solution Delivery2. Select TSSMVS—5.1 or 5.2—TSSMVS from the product group drop-downwindow3. Select the CHECKOFF buttonOnce you have completed these steps, an email is sent automatically to yourInternet email address (as specified in your StarTCC profile) whenever any newHyper maintenance or product announcements are made.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–3

z/OS and OS/390 Product/Component Naming Conventionz/OS and OS/390 Product/Component Naming ConventionAs each release of an operating system is made generally available, IBM oftenchanges the name of the supplied components or products. The following tablesprovide a reference for these supported releases.ProductTCP/IPCommunications Server IP for OS/390SecureWay Communications Serverfor OS/390Operating System ReleaseOS/390 Version 2 Release 4 and BelowOS/390 Version 2 Release 5 and AboveOS/390 Version 2 Release 8 and AboveProductOpen Edition MVSUNIX System Services for OS/390Operating System ReleaseOS/390 Version 2 Release 5 and BelowOS/390 Version 2 Release 6 and AboveProductInternet Connection Security ServerOperating System ReleaseOS/390 Version 1 Release 3 and BelowLotus Domino Go Webserver OS/390 Version 2 Release 4 & 5SecureWay Application Server forOS/390OS/390 Version 2 Release 8 and AboveProductCICSCICS Transaction ServerOperating System ReleaseMVS 5.1 and BelowMVS/ESA 5.2 and Abovez/OS and OS/390 Release-Specific Security ConcernsSeveral z/OS and OS/390 release-specific eTrust CA-Top Secret securityrequirements exist. In addition to the following information, it is important thatyou review the informational solutions discussed in the Upgrade Solutionssection of this document. These solutions contain the latest z/OS and OS/390release-specific implementation procedures and a list of the latest recommendedeTrust CA-Top Secret maintenance.1–4 Cookbook

z/OS and OS/390 Release-Specific Security Concernsz/OS V1R1 and AboveTwo new resource classes have been introduced by the Websphere ApplicationServer as EJBROLE and GEJBROLE. These classes are used to control access tomethods within Enterprise Java Beans (EJB). eTrust CA-Top Secret now allowsresource names to be in mixed case to support the functioning of these resourceclasses.eTrust CA-Top Secret now supports two new SAF callable services, R_cacheservand R_proxyserv. R_cacheserv is used to request the storage or retrieval ofinformation from a cache. R_proxyserv is used to request the LDAP Server toretrieve information from a directory information tree (DIT).z/OS and OS/390 V2R10 and AboveeTrust CA-Top Secret fully supports the Network and Privacy AuthenticationServer, known as Kerberos. eTrust CA-Top Secret stores and administersinformation about realms and principals for network authentication in the SDTand in the security file.In addition, eTrust CA-Top Secret fully supports the SERVAUTH class. Withz/OS and OS/390 V2R10, TCP/IP uses the SERVAUTH class to protect variousTCP/IP resources from unauthorized access.OS/390 V2R9 and AboveOS/390 V2R9 introduces support for Digital Certificate keyring and filteringfunctionality. Contact eTrust CA-Top Secret Support to obtain the requiredmaintenance for the above new features.OS/390 V2R8 and AboveOS/390 V2R8 introduces support for a more granular approach to securingsuperuser authorities. eTrust CA-Top Secret can be used to grant limited (orselected) subsets of superuser privileges to specific users, rather than having togrant complete superuser authority.OS/390 V2R8 also introduces support for User Limits. With this support you cancontrol the amount of resources consumed by individual OS/390 UNIX users.The BPXPRMxx member of PARMLIB determines resource limits for OS/390UNIX users (global setting). eTrust CA-Top Secret can be used to store supporteduser limit settings for each acid.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–5

CA LDAP Server for z/OS and OS/390OS/390 V2R7 and AboveIf you attempt to access an MVS data set that represents a hierarchical file system(HFS) through ISPF 3.2 or 3.4, it is possible that you will get an "OBTAIN failed"message. The extended message reads:…"datasetname has unknown attributes, OBTAIN RC = 12 hex".This will occur if the HFS data set is not mounted to OMVS. This can occur onOS/390 2.7 and higher systems. When data set information is requested for anunmounted HFS data set, OS/390 UNIX services will write information to the/tmp directory. If the user making the request does not have write access, theerror message is displayed. To avoid this error, you must ensure that the publicaccess permission for the /tmp directory is set to allow all access. The permissionbits for the /tmp directory should be set to 777 to allow all access.CA LDAP Server for z/OS and OS/390eTrust CA-Top Secret permits secured access to user information throughstandard LDAP protocols. For example, an LDAP session can query, delete, add,and modify information including user-defined fields stored within the eTrustCA-Top Secret acid record. CA clients are able to take advantage of these LDAPcapabilities using the CA supplied LDAP-compliant directory server for thez/OS and OS/390 platform. The CA LDAP Server for z/OS and OS/390 includesthese capabilities:■■■■■■Integration with CA Common Services for z/OS and OS/390Access control for directory informationStrong LDAP server authenticationInteroperability with both CA and third party LDAP clientsA high-performance repositoryIntegration with the CA eTrust Solution SuiteOpenEdition MVS / UNIX System Services SupportIn distributed environments where users move across hardware platforms andoperating systems to access multiple n-tier applications, security is a majorconcern. Sites want and need the same control over, and accountability for, dataand resources accessed in an open system as they are used to having in theirmainframe environment.1–6 Cookbook

OpenEdition MVS / UNIX System Services SupportEach z/OS and OS/390 release has included new and more robust versions ofUNIX System Services (USS). Initially called OpenEdition by IBM, these servicesallow UNIX applications to run on a z/OS or OS/390 mainframe. Since, theirinitial appearance in MVS 5.2.2, eTrust CA-Top Secret has provided the ability toperform the UNIX security administration necessary to manage these servicesand the UNIX file system. Beyond the base requirements to support thisenvironment, eTrust CA-Top Secret provides powerful trace and reportingfunctions that allow you to audit UNIX security events.UNIX security is based on users and groups having a unique binary identifier, aUserID (UID) or a GroupID (GID). eTrust CA-Top Secret lets you to define UIDsand GIDs and give them to those users needing UNIX services. Additionally,eTrust CA-Top Secret provides the support to secure access to the UNIX filesystem.Specifically, eTrust CA-Top Secret supports the following services in a UNIXSystem Services z/OS or OS/390 environment:■■■■■■■■Callable servicesHierarchical File System (HFS)Userid (UID) and Groupid (GID) definitionsHome and Path definitionsUNIX System Services AuditingUNIX System Services Security Trace FacilityUNIX System Services MVS Shell Setup Utility (ISHELL)Digital CertificatesThis section discusses eTrust CA-Top Secret support for UNIX System Services(USS). Specifically, it covers these topics:■■■■■■■Acids needed to install UNIX System Services MVSDefining a default UID and GIDControlling access to UNIX System ServicesControlling access to the Hierarchical File SystemeTrust CA-Top Secret records for UNIX System ServicesLogging UNIX System Services MVS security callsTracing UNIX System ServicesFor explanations and syntax of eTrust CA-Top Secret command functions, seethe Command Functions Guide. For details on the reporting facility available witheTrust CA-Top Secret, see the Report and Tracking Guide.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–7

OpenEdition MVS / UNIX System Services SupportControlling Access to UNIX System ServicesWhen a user attempts to enter the UNIX System Services shell, eTrust CA-TopSecret verifies that the user is a USS user before the system initializes the shell.Before allowing access to the requested resource, eTrust CA-Top Secret alsoverifies that the user associated with a program attempting to access a USSresource is a USS user.To define an acid as an UNIX System Services user, you must:■■■■define the user to eTrust CA-Top Secretassign a UNIX System Services Groupassign a UNIX System Services UID to the userassign the user to a default groupHow to Define UNIX System Services UsersUNIX System Services recognizes acids by their assigned UID. UIDs can be anynumeric value from zero to 2,147,483,647. The OMVS segment of the acid definesan acid's UID, the user's home directory, and the initial program that the userwill run. The initial program is generally the shell program that the user invokes.The MSCA acid can not be used to sign on to USS.UID—A numeric keyword that accepts values from zero to 2,147,483,647. A UIDdefined with a value of zero indicates that this user is a superuser.This keyword must be unique to maintain individual accountability and control.A UID is required for all acids in UNIX System Services. eTrust CA-Top Secret willnot allow a UID to be given if it is already assigned to another acid. A UID(0) isthe only UID that can be given to more than one acid.HOME—Defines the initial directory pathname. This is the initial directory usedwhen a user enters the OMVS command or enters the ISPF shell. The HOMEkeyword accepts from one to 1024 characters. Both uppercase and lowercasecharacters are allowed. If HOME isn't defined, UNIX System Services sets theinitial directory for the user to the root directory. HOME is optional.OMVSPGM—Defines the user's UNIX System Services shell program. This isthe first program started when the OMVS command is entered or when an USSbatch job is started using the BPXBATCH program. The OMVSPGM keywordaccepts from one to 1024 characters. Both uppercase and lowercase characters areallowed. If OMVSPGM isn't entered, USS gives control to the default shellprogram. OMVSPGM is optional.1–8 Cookbook

OpenEdition MVS / UNIX System Services SupportThe following example shows how to define user OMVSUSR as a superuser.Since HOME and OMVSPGM aren't explicitly specified, the defaults are takenfor these fields.TSS ADD(OMVSUSR) UID(0)This example shows how to define user OMVSU2 as a regular user. The HOMEand PROGRAM keywords are also used.TSS ADD(OMVSU2) UID(199) HOME(/u/omvsu2) OMVSPGM(/bin/sh)SUPERUSER—A superuser passes all UNIX System Services security checksand, therefore, can access all UNIX files. An acid can become a superuser in oneof two ways:■or■Have a UID(0)Use the SU (switch user) command if resource IBMFAC(BPX.SUPERUSER)has been permitted to that user.Other than the required started task acids, the only acids requiring a UID(0) arethe system programmers responsible for installing USS. All other acids shouldhave a non-zero UID and be permitted the necessary authorities in the classIBMFAC plus file permissions. The eTrust CA-Top Secret resource class IBMFACis equivalent to the IBM FACILITY class.How to Define UNIX System Services GroupsUNIX System Services security is based on user and group ownership of filesand processes. eTrust CA-Top Secret uses the DFLTGRP and GROUP fields ofthe acid record to assign the user to a UNIX System Services group.eTrust CA-Top Secret requires that the UID be unique for each acid (except UID0) and that the GID is unique for each group acid. (Only UID 0 can be assigned tomore than one acid.)The GROUP type acid defines UNIX System Services groups to eTrust CA-TopSecret. The GROUP type acid contains the OMVS segment, which consists of onefield: the GID keyword.GID is a numeric field that accepts values from zero to 2,147,483,647. This valuemust be unique to maintain control over a particular group. You can assign up to256 groups to a user, using the GROUP field.The following example shows how to create an OMVS GROUP acid for a groupcalled OMVSGRP and assign it a GID of 1.TSS CREATE(OMVSGRP) TYPE(GROUP) NAME(‘OMVSGROUP’) DEPT(OMVSDEPT)TSS ADD(OMVSGRP) GID(1)At least one OMVS group acid must exist prior to implementation.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–9

OpenEdition MVS / UNIX System Services SupportFor more information about how to set the owner, group, and other permissionsfor a file, see the MVS/ESA UNIX System Services User's Guide.How to Assign Users to Groups under eTrust CA-Top SecretYou assign a user's default group by setting the DFLTGRP field in that user'sacid.This example shows how to assign acid OMVSU2 to group OMVSGRP and thenassign that group as its default.TSS ADD(OMVSU2) GROUP(OMVSGRP)TSS ADD(OMVSU2) DFLTGRP(OMVSGRP)How to Dynamically Change Your Default GroupYou can change your default group by specifying a group when you log on toTSO. eTrust CA-Top Secret validates the specified group by checking to see if itis in your GROUP list. If it isn't in your GROUP list, you won't have a defaultgroup for the current session.How to Define a System Default User (UID) and Group (GID)If a user has not been defined with a UID and group, eTrust CA-Top Secret canbe used to define default values. Sites must evaluate their own security policy todetermine if all users should be given their own UIDs and GIDs. Overuse of thedefault feature is not recommended because it limits your ability to audit accesspermissions under USS.eTrust CA-Top Secret provides support for default UID and GID through thecontrol options OMVSUSR and OMVSGRP. This is functionally equivalent toIBM's RACF implementation using FACILITY BPX.DEFAULT.USER.First, an acid must be defined with a valid OMVS segment. For example, a UID, aHOME and an OMVSPGM. This acid can then be used to provide these defaultsby specifying the OMVSUSR control option, which can be done dynamically orvia the TSS PARMFILE:TSS MODIFY(omvsusr(acidname))OMVSUSR(acidname)There are two methods for extracting the OMVS segment from a group. Bothmethods require a TYPE GROUP acid be defined. The first method is done usingcontrol option OMVSGRP:TSS MODIFY(omvsgrp(grpacid))OMVSGRP(grpacid)1–10 Cookbook

OpenEdition MVS / UNIX System Services SupportIf the OMVSGRP control option is not specified, the DFLTGRP from theOMVSUSR acid are used. Thus, the second way to specify a default group is toadd the default group to the OMVSUSR acid:TSS ADD('acidname') DFLTGRP('grpacid')To prevent a user with no UID or group from using the default values, add theNOOMVSDF attribute to the user acid.TSS ADD(acid) NOOMVSDFIf you define the BPX.DEFAULT.USER profile, all users will have access to z/OSor OS/390 UNIX. To limit access, define an OMVS segment with no UID. Doingthis will prevent unauthorized users from using a UNIX service. If users musthave anonymous access (for FTP or other socket use) without using the shell,define the initial program for the default user as /bin/echo. This allows users tohave a default UID without using the shell.How to use the AutoUID/AutoGID Enhancement for eTrust CA-Top SecretThe auto-assignment of the UID/GID numbers for the ADD or REPLACEcommand includes the following features:■■■User can define a default rangeUser can restrict the search for an open number by entering a specific rangeIf no number is assigned and no range is given, AutoUID/GID restricts thesearch by checking through the defined default range■ If no range is given and there is no default range, AutoUID/GID starts at 1and searches until an available UID/GID is found■Zeros are excluded in the range searchExamplesTSS ADD|REP(acid|Group Acid) UID|GID(?) RANGE(,)orTSS ADD|REP(acid|Group Acid) UID|GID(?)orTSS ADD|REP(acid|Group Acid) UID|GID(?) RANGE(300,400)GID—Group Identification Number. Used in OMVS.UID—User Identification Number. Used in OMVS.range—Specifies a low and high value to be searched through in order to assigna UID/GID. The range can be 1 up to 2,147,483,647.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–11

OpenEdition MVS / UNIX System Services SupportHow to Refresh UID and GID TableseTrust CA-Top Secret maintains in-storage tables of UIDs and GIDs and theirrelated acids. These tables are built during the initial startup of eTrust CA-TopSecret. These tables must be refreshed after a UID or GID is ADDed orREMOVEd from an acid. The following command will refresh these tables.TSS MODIFY(OMVSTABS)How to List All UIDs and GIDsA list of all UIDs and GIDs can be obtained by executing the followingcommands:TSS WHOOWNS UID(*)TSS WHOOWNS GID(*)How to List Who Has UID(0)A list of all users with UID(0) can also be obtained by executing the followingcommand:TSS WHOHAS UID(0)FACILITY Class Resources (IBMFAC)See the UNIX Systems Services Planning Guide for more details of the BPX facilityresources classes.BPX.SUPERUSER—Allows non-superusers to gain superuser authority.(Control over UNIX command su). BPX.SUPERUSER ownership needs to beestablished in the following fashion:TSS ADD(dept) IBMFAC(BPX.)TSS permit commands can then be used to grant access to specific resourceslisted below.TSS PER(acid) IBMFAC(BPX.SMF)BPX.DAEMON—Allows daemon programs to validate user password and thenchange identity of a spawned address space (control over setuid () and seteuid () ).BPX.SERVER—Allows daemon programs to customize the securityenvironment of a thread.BPX.SMF—To restrict access for C/C++ applications to generate SMF recordswithout requiring APF authorization.BPX.DEBUG—To allow users to use dbx to debug programs that run asAPF-authorized or with BPX.SERVER authority.BPX.WLMSERVER—To allow users to use WLM server functions.1–12 Cookbook

OpenEdition MVS / UNIX System Services SupportBPX.STOR.SWAP—To allow users to make address spaces nonswappable.BPX.FILEATTR.APF—To allow users to turn on the APF-authorized attribute foran HFS file.BPX.FILEATTR.PROGCTL—To allow users to turn on the program controlledattribute for an HFS file.TSS PER(acid) IBMFAC(BPX.SMF) ACC(READ)Password Assignment for UID(0) AcidsA potential security concern exists for all acids defined with NOPW and UID(0).In certain scenarios, unauthorized access can occur with these acids using Telnetor Rlogin. To eliminate this potential security concern, you should addpasswords to all UID(0) assigned acids.TSS REPL(acid) PASS(xxxx,0)Several of the created started task acid definitions described in this documentspecify a password. Started task acids with passwords will cause a passwordprompt at the console on startup. This prompting is optional and can be turnedoff using the following methods:■■Control option setting OPTIONS(4) eliminates the console password promptat startup for the password protected STC acids.The OPTIONS control option must be set via the eTrust CA-Top Secretparameter file. It can not be set with a MODIFY command.ACIDs Needed to Install UNIX System ServicesDuring the installation of UNIX System Services, you must create an acid for theOMVS started task and define the installer’s acid (typically a SYSPROG) as asuperuser via a UID(0).Defining the OMVS Started Task ACIDsUNIX System Services must be assigned an acid before you can begin usingeTrust CA-Top Secret in this environment. Follow the steps below to create theOMVS started task acid.Step 1—Create the GROUP acids to which the started task acid are attached byissuing the following TSS commands:TSS CREATE(OMVSGRP) TYPE(GROUP) NAME('OMVS GROUP') DEPT(OMVSDEPT)TSS CREATE(TTY) TYPE(GROUP) NAME('REQ OMVS TTY GROUP') DEPT(OMVSDEPT)USS requires that a group name "TTY" must also exist, and it must be connectedto the OMVS started task acid. See the UNIX System Services Planning Guide foran explanation of TTY.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–13

OpenEdition MVS / UNIX System Services SupportStep 2—Assign a GID (groupid) to the GROUP acids you created in Step 1.(Every group must have a GID number assigned to it.) A GID can be any numberfrom 0 to 2,147,483,647. Define a GID of 1 for the OMVSGRP group and a GID of2 for the TTY group by issuing the following TSS command:TSS ADD(OMVSGRP) GID(1)TSS ADD(TTY) GID(2)Step 3—You can now create the acid to be used for the OMVS started task.TSS CREATE(OMVSKERN) TYPE(USER) NAME('OMVS STC ACID') PASS(password,0)DEPT(dept) FACILITY(STC,APPC)FACILITY(APPC) is not required with OS/390 V2R4 and above.Step 4—Assign the acid to UNIX System Services MVS in the STC record.TSS ADD(STC) PROCNAME(OMVS) ACID(OMVSKERN)This example shows an acid created for OMVS as a started task.Step 5—Assign a UID to the STC acid created in Step 3. You must define theUNIX System Services MVS kernel started task acid as a superuser by assigningit a UID of 0.TSS ADD(OMVSKERN) UID(0)In accordance with UNIX System Services MVS requirements, giving an acid aUID of zero automatically designates her as a superuser.Step 6—Assign a default group to the STC acid.TSS ADD(OMVSKERN) DFLTGRP(OMVSGRP)Step 7—Assign the OMVSGRP and TTY groups to the OMVS acid by issuing thefollowing TSS commands:TSS ADD(OMVSKERN) GROUP(OMVSGRP)TSS ADD(OMVSKERN) GROUP(TTY)Step 8—Create the BPXROOT acid. The BPXPRMxx parameter SUPERUSER(xxxxxxx) identifies the userid to be used when a user issues 'SU' to change theirUID to 0. SU uses the function setuid() to accomplish this task. If theSUPERUSER(xxxxxxx) parameter is not specified in BPXPRMxx the useriddefaults to BPXROOT. This acid must be defined with a UID(0) and must nothave BPX.DAEMON authorization. Create this acid by issuing these commands:TSS CREATE(BPXROOT) TYPE(USER) NAME('BPXROOT ACID')PASS(password,0)DEPT(OMVSDEPT) FACILITY(APPC)TSS ADD(BPXROOT) GROUP(OMVSGRP) DFLTGRP(OMVSGRP) UID(0)FACILITY(APPC) is not required with OS/390 V2R4 and above.Step 9—Refresh the UID and GID tables.The following command will refresh these tables.TSS MODIFY(OMVSTABS)1–14 Cookbook

OpenEdition MVS / UNIX System Services SupportNow that the UNIX System Services kernel acid has been defined to eTrustCA-Top Secret, you can start USS by issuing the standard operator command forstarted tasks. Starting with OS/390 V1R3, the OMVS kernel is part of BCP. Thestandard MVS start and stop commands no longer apply.Defining Other OMVS Started Task ACIDsDefine acids for other OMVS started tasks by issuing the following commands:TSS CRE(INETD) TYPE(USER) NAME('OMVS INETD STC')DEPT(dept) FAC(STC) PASSWORD(password,0)TSS ADD(INETD) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)HOME(/) OMVSPGM(/bin/sh)TSS CRE(RMFGAT) TYPE(USER) NAME('OMVS RMFGAT')DEPT(dept) FAC(STC) PASSWORD(password,0)TSS ADD(RMFGAT) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)HOME(/) OMVSPGM(/bin/sh)TSS ADD(STC) PROCNAME(INETD) ACID(INETD)TSS ADD(STC) PROCNAME(RMFGAT) ACID(RMFGAT)TSS ADD(STC) PROCNAME(BPXOINIT) ACID(OMVSKERN)TSS ADD(STC) PROCNAME(BPXAS) ACID(OMVSKERN)TSO ISHELL SupportThe eTrust CA-Top Secret TSSOPMAT file contains a replacement member forthe IBM REXX exec BPXWIRAC. Copy TSSOPMAT(BPXWIRAC) to a partitioneddata set compatible with your TSO SYSEXEC data sets. Assure that this file isconcatenated ahead of the IBM supplied SYSEXEC data sets. Failure to do thisresults in a S0C1 ABEND when entering the ISHELL.How to Create the Superuser Administrator ACIDThe UNIX System Services Shell and Utilities installation process createsdirectories in the Hierarchical File System (HFS). To perform the installationsteps, the user must have superuser authority.A superuser is a special User acid under UNIX System Services. The superuser isa trusted acid who can maintain the UNIX System Services system andadminister security in the HFS. It is important to note that assigning superuserauthority to an acid doesn't give the user any authority within eTrust CA-TopSecret, only authority in UNIX System Services. A superuser's UID has a value ofzero.Use caution when assigning acids the superuser authority. A superuser passes allsecurity checks, meaning the superuser can access any UNIX file in the filesystem.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–15

OpenEdition MVS / UNIX System Services SupportTo create a Superuser Administrator acid and give it the authority it needs,follow these directions:Step 1—Define the acid as a superuser by issuing the following TSS command:TSS ADD(acid) UID(0)ACID SYSPROG1 is defined as a superuser by setting the UID value to zero.Step 2—Define SYSPROG1 as a member of a group by issuing:TSS ADD(acid) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)The example shows ACID SYSPROG1 changed so that this user can sign on andbe validated as a member of group OMVSGRP. The acids of group OMVSGRPare a special subset of users who perform system-related tasks.Superuser GranularitySuperuser Granularity support lets you avoid giving users superuser authorityvia UID(0). This is accomplished by allowing non-superuser users to have accessto new resources in the UNIXPRIV class. At OS/390 V2R8 and above, if a userdoesn't have a UID=0, but they do have access to one of the new resources,access is allowed. The following table defines the new resources and what accessis allowed by the resource.eTrust CA-Top Secret SAF HFS security provides much greater superusergranularity than this method. See Chapter 2 of this guide for details onimplementing eTrust CA-Top Secret's SAF HFS security. Activating eTrustCA-Top Secret SAF HFS security will override the superuser granularitysupport described in this section if there is an equivalent SAF HFS securityresource for the UNIXPRIV resource. If there is no SAF HFS resource, theUNIXPRIV resource is checked instead.Resource Name Access Given Functions AffectedSUPERUSER.FILESYS.FILE (READaccess or higher)SUPERUSER.FILESYS.FILE(UPDATE access or higher)SUPERUSER.FILESYS.FILE(CONTROL Access)SUPERUSER.FILESYS.CHOWNAllows a user to read any HFSfile and read or search anyHFS directoryAllows a user to write to anyexisting HFS file.Allows a user to write to anyHFS directory.Allows a user to changeownership of any file.Open*( for read, opendir(),readlink(), stat(), realpath(0)Open() for writeLink(), mkdir(), rename(),mdir(), syslink(), unlink().Chown()1–16 Cookbook

OpenEdition MVS / UNIX System Services SupportResource Name Access Given Functions AffectedSUPERUSER.FILESYS.MOUNTAllows a user to issue mount,unmount, quiesce, andunquiesce requests. changeownership of any file.SUPERUSER.FILESYS.PFSCTL Allows a user to call pfsctl() Pfsctl()SUPERUSER.FILESYS.VREGISTERSUPERUSER.IPC.RMIDSUPERUSER.PROCESS.GETPSENTSUPERUSER.PROCESS.KILLSUPERUSER.PROCESS.PTRACESUPERUSER.SETPRIORITYAllows a user to issuevregister() to register as a vfsfile serverAllows a user to do ipcrm callsto clean up leftover IPCmechanismsAllows users to see allprocessesAllows user to send signals toany processAllows users to use dbx totrace any processAllows a user to increase hispriority.Mount(), unmount(), quiesce(),unquiesce()Vregister()Ipcrm command user ofIPC_RMID for msgct(),semctl(), shmctl()Getpsent()—ps commandKill()DbxSetpriority(), nice()Superuser Granularity examples:Before you can give a user access to a SUPERUSER resource in the UNIXPRIVclass, you must perform the following ADD command:TSS ADD(dept) UNIXPRIV(SUPERUSE)The following permission gives USER01 authority to read to any HFS file.TSS PERMIT(acid) UNIXPRIV(SUPERUSER.FILESYS.FILE) ACCESS(READ)The following permission gives USER01 authority to change ownership of a file.TSS PERMIT(acid) UNIXPRIV(SUPERUSER.FILESYS.CHOWN) ACCESS(READ)Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–17

OpenEdition MVS / UNIX System Services SupportCHOWN UNRESTRICTED (Control Option)A new eTrust CA-Top Secret control option (CHOWNURS) exists to allow usersto use the CHOWN function to change file ownership for files that they own.This control option can be set using a TSS MODIFY command. To determine thecurrent active setting of CHOWNURS, issue a TSS MODIFY STATUS(BASE)command. This control option can be set to ON or OFF.ON—Allows users to use the chown function to change file ownership for theirfiles.OFF—User cannot change file ownership unless he is a superuser or is givenaccess to UNIXPRIV class SUPERUSER.FILESYS.CHOWN. This is the defaultsetting.z/OS and OS/390 UNIX System Services: User LimitsWith this support, you can control the amount of resources that are consumed byindividual z/OS or OS/390 UNIX users. Prior to OS/390 V2R8, the BPXPRMxxmember of the PARMLIB determined resource limits for most z/OS or OS/390UNIX users. At OS/390 V2R8 and above, you can now override, at the user level,the parmlib setting defined in BPXPRMxx. The following table defines the newresources and what access is allowed by the resource.TSS Resource Range Member inBPXPRMxxDescriptionOECPUTMASSIZE7 to2,147,483,64710,485,760 to2,147,483,647MaxcputimeMaxassizeMaximum time (seconds) a process isallowed to use.Maximum address space region sizeallowed per process created via rlogin ortelnet.OEFILEP 3 to 65,535 Maxfileproc Maximum number of files that a singleprocess can have active or openconcurrently.PROCUSER 3 to 32,767 Maxprocuser Maximum number of processes a user canhave open at the same time.THREADS 0 to 100,000 Maxthreads Maximum number of pthread_createdthreads, including those running, queued,and exited but not detached, that a singleprocess can have concurrently active.MMAPAREA 1 to 16,777,216 Maxmmaparea Maximum amount of dataspace storage(pages) that can be allocated for memorymapping of HFS files.1–18 Cookbook

OpenEdition MVS / UNIX System Services SupportThe following authorization will limit USER01 to a maximum of 200 openprocesses at the same time.TSS ADD(acid) PROCUSER(200)To remove the above PROCUSER authorization, issue the following command:TSS REMOVE(acid) PROCUSERz/OS and OS/390 ServerPac upgradePrior to restoring the HFS, you must ensure that the proper authority is given tothe user ID that will submit the dialog jobs. This user ID must be a superuser(UID=0). Just having access to the BPX.SUPERUSER facility class is not sufficient.This is because the PAX utility is used to unload the serverpac HFS and thisutility does not yet use the BPX.SUPERUSER facility class to establish superuseridentification.To authorize the acid to run the PAX utility follow these directions:Step 1—Define the acid as a superuser by issuing the following TSS command:TSS ADD(acid) UID(0)ACID SYSPROG1 is defined as a superuser by setting the UID value to zero.Step 2—Define SYSPROG1 as a member of a group by issuing:TSS ADD(acid) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)Step 3—IBMFAC authorizations:TSS PERMIT(acid) IBMFAC(BPX.FILEATTR.APF) ACC(READ)TSS PERMIT(acid) IBMFAC(BPX.FILEATTR.PROGCTL) ACC(READ)orTSS PERMIT(acid) IBMFAC(BPX.FILEATTR.) ACC(READ)Logging UNIX System Services Security CallsAudit capability at the file level exists within the UNIX System Servicesenvironment. To implement audit within UNIX System Services at the file ordirectory level use:CHAUDIT—specify audit options for individual files or directoriesOnce audit is set for a file or directory using the CHAUDIT command, SMFrecords are written for the file or directory designated activity. This can includeaccess, as well as, changes to permission bit settings.The full syntax of the CHAUDIT command is documented in the OS/390 UNIXSystem Services Command Reference Guide.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–19

Tracing UNIX System Services (OMVS)Tracing UNIX System Services (OMVS)The SECTRACE facility, used to trace SAF requests in the eTrust CA-Top Secretenvironment, also is available to trace SAF requests made by OMVS. The onlyallowable value for the DEST= parameter of the TYPE=OMVS SECTRACEcommand is DEST=SYSLOG.To start SECTRACE for OMVS, issue the following command:ST SET,TYPE=OMVS,FUNC=XXXX,DEST=SYSLOG,ENDFUNC ID=xxx can be one of seven values. Each function traces a set of relatedOMVS services.The seven functions and the services that they trace are:FunctionALLCHANGECHECKGETINITMAKEMISCSETServiceTraces all OMVS services.Traces R_chown, R-chaudit, and R_cmod.Traces ck_access, ck_priv, ck_process_owner,ck_file_owner, R_ptrace, ck_IPC_access,ck_owner_two_files, R_IPC_ctl, and R_dceauth.Traces getUMAP, getGMAP, R_getgroups,R_getgroupsbyname, get_uid_gid_supgrps, R_dceinfo,R_dcekey, R_dceuid, and R_usermap.Traces initACEE, initUSP, deleteUSP, and R_fork.Traces makeFSP, makeISP, and make_root_FSP.Traces audit, query_file_security_options, andquery_system_security_options.Traces R_umask, R_setegid, R_seteuid, R_setgid,R_setuid, R_exec, clear_setid, and R_admin.The OMVS services are documented in the IBM OS/390 Security Services CallableServices Guide. You should only use the OMVS SECTRACE when instructed to byeTrust CA-Top Secret Technical Support due to the large volume of trace entriespossible in the OMVS environment. It is usually easier to debug an OMVSproblem using the TSSOERPT report, because it shows more information thanthe trace. All of the OMVS services write SMF records when the service returnswith a non-zero return code.1–20 Cookbook

Tracing UNIX System Services (OMVS)Stopping the SECTRACE for OMVSTo disable the SECTRACE for OMVS, issue the following command, where xxxxis the identifier assigned to the SECTRACE:ST DISABLE,ID=XXXX,ENDYou can restart a disabled trace by entering an enable command. To start adisabled trace, issue the following command, where xxxx is the identifierassigned to the SECTRACE:ST ENABLE,ID=XXXX,ENDTo stop the SECTRACE for OMVS, issue the following command, where xxxx isthe identifier assigned to the SECTRACE:ST DEL,ID=XXXX,ENDUNIX System Services ReportingTSSOERPT UtilityAuthority and ScopeThe batch utility program, TSSOERPT, processes security-related activityrecorded in SMF data sets. To monitor user activity in a UNIX System Servicesenvironment, eTrust CA-Top Secret logs security events under UNIX SystemServices to SMF using the standard eTrust CA-Top Secret SMF record. Logrecords are written for any security event that denies the acid access to a UNIXSystem Services facility. These records can assist you in determining the UID andGID of the acid involved in the attempted access.eTrust CA-Top Secret performs authorization checking to determine whether theperson submitting the TSSOERPT job is authorized to view or manipulate theinput SMF data. You can only extract those incidents that are generated for acidswithin the scope of your authority. The scopes are:■■■■■■SCA—every eventLSCA—every event within the LSCAs scopeZCA—entire zone or specific divisions, departments or acids within the zoneVCA—entire division or specific departments or acids within the divisionDCA—entire department or specific acids within the departmentUSER—himselfImplementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–21

Tracing UNIX System Services (OMVS)The following sample JCL, or a user-written substitute for the job stream, can beused to run the TSSOERPT report.//TSSOERPT JOB 1,'UNIX SYSTEM SERVICES MVS RPT',MSGCLASS=A,TYPRUN=HOLD//*//REPORT EXEC PGM=TSSOERPT//SYSPRINT DD SYSOUT=*//SYSUDUMP DD SYSOUT=*//RECMAN1 DD DSN=SYS1.MAN1,DISP=SHR//SYSIN DD.The selection criteria used in generating UNIX System Services MVS reports arelisted below, with brief descriptions. All selection criteria are described in detailafter the listing.TITLE(string)—Specifies a character string added to other title information at thetop of the report. This character string can be up to 35 characters in length. If youdo not specify this parameter, the report generator uses the first 35 characters inthe PARM field of the EXEC statement. If this character string is longer than 35characters, the first 35 characters are used.LINECNT(linecount)—The LINECNT(linecount) parameter specifies thenumber of output lines to be printed on a page. To prevent splitting ofinformation, eTrust CA-Top Secret report generators that issue multiple linereports check to see whether a complete report item will fit on a page. Themaximum number of output lines per page is limited only by the physicalconstraints of the output media being used, or to 99,999 lines.SDATE(00000|yyddd)—Specifies the start date of the report in Julian dateformat. SMF records generated before the SDATE value are ignored. The default,00000, specifies all available records.EDATE(99365|yyddd)—Specifies the ending Julian date from which reportinformation is selected. When combined with the SDATE parameter, thisparameter creates a window for report content. The default, 99365, specifies upto the time the job is run.STIME(0000|hhmm)—Specifies the start time for the interval from which SMFrecords are selected. Specifies the time at which reporting on the selected SMFrecords is to begin. This time is based on a 24-hour clock. Any SMF recordsgenerated before this specified time of day are ignored. The selection of recordsbegins at the STIME specified for each date in the SDATE/EDATE range. Thedefault, 0000, specifies midnight.ETIME(2359|hhmm)—Specifies the end time for the interval from which SMFrecords are selected. Specifies the time at which reporting on the selected SMFrecords is to end. Any SMF records generated after this specified time of day areignored. The default, 2359, specifies one minute before midnight.UID(value)—Specifies the UNIX System Services MVS UserID for which youintend to collect security information. Acceptable numeric values range fromzero to 2,147,483,647. This field is not maskable.1–22 Cookbook

Tracing UNIX System Services (OMVS)GID(value)—Specifies the UNIX System Services MVS GroupID for which youintend to collect security information. Acceptable numeric values range fromzero to 2,147,483,647. This field is not maskable.USER(acid)—Specifies the acid for which you want UNIX System Services MVSsecurity information collected. This field is not maskable.GROUP(acid)—Specifies the group for which you want UNIX System ServicesMVS security information collected. This field is not maskable.SERVICE(service)—Specifies the name of the SAF callable service for which youwant security information collected.TSSOERPT Output DescriptionTSSOERPT formats and reports security events occurring in the UNIX SystemServices environment. The output is extracted from the System ManagementFacility (SMF) data sets.The following is a sample of the output of TSSOERPT with DETAIL specified inthe job. TSSOERPT shows the logging of security events in an UNIX SystemServices MVS environment:02/02/98 98.033 11.54.44 — OMVS LOGGING REPORT — PAGE 1SERVICE USERID GROUP UID GID SAF RC RSNDATE TIME JOBNAME SOURCE SYSID CPUINIT_USP STRTE01 OMVSGRP 0 2 0 0 002/02/98 98.033 11:52:50 STRTE01 XE14 XE14Home : /U/STRTE01CHECK_ACCESS STRTE01 OMVSGRP 0 2 0 0 002/02/98 98.033 11:52:51 STRTE01 XE14 XE14Requested Access: SearchFunction: chdirUser Type: Security Defined Local UserPathname: /U/STRTE01Filename: /ROOTVolume : SMS001 Owner: rwx Group: --- Other: ---File Identifier: 000107000000000003Owning UID: 0 Owning GID: 0User Audit Options : Read Failure Write Failure Exec/Search FailureAuditor Audit Options: Read Failure Write Failure Exec/Search FailureDELETE_USP STRTE01 OMVSGRP 0 0 0 0 002/02/98 98.033 11:52:52 STRTE01 XE14 XE14This sample output shows one log entry for a INIT_USP request, one entry for aCHECK_ACCESS request, and one entry for a DELETE_USP request.In this example, the services of INIT_USP and DELETE_USP result in two-linelog entries consisting of field information. The CHECK_ACCESS request resultsin log entries that consist of two lines plus additional lines of information aboutthe request. This happens because different information is logged for differenttypes of requests.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–23

Tracing UNIX System Services (OMVS)Field definitions for these entries follow. Included are descriptions of the securityservices and fields that can appear on the TSSOERPT when DETAIL is specified.Output Report Field DescriptionsSERVICE—shows the types of service requested. The entries appearing in thisfield vary depending on whether Summary or Detail was specified in the inputparameters. All possible service requests and details are described on ServiceField Values.USERID—shows the acid of the user for which the request was made.GROUP—shows the GROUP with which the user is associated.UID—shows the UID number of the user.GID—shows the GID number of the user.SAF—shows the SAF return code. For all services:■■■0—Successful completion4—eTrust CA-Top Secret not active8—Request denied.RC—The eTrust CA-Top Secret return code. For all services:■■0—Successful completion8—Request denied.RSN—shows the SAF reason code. See explanation line.DATE—shows the Julian and Gregorian date when the access was attempted.TIME—shows the time of day when the access attempt occurred.JOBNAME—shows the name of the job under which the access was issued.SOURCE—shows the logical input source from which the request was issued.SYSID—shows the System CPU ID associated with the logging records.CPU—shows the SMF name of the CPU that validated the request.1–24 Cookbook

Tracing UNIX System Services (OMVS)Service Field valuesPossible values for the SERVICE field of the TSSOERPT report follows.Additional information that can appear on the report for each request when theDETAIL option is specified is a function of the particular call being made is alsoprovided.AUDIT—A record cut in addition to a security service record; it suppliesadditional information about the file being audited. For more information, seethe Security Credentials and File Security Packets section of this document.CHANGE_AUDIT_OPT—Indicates that a file's Audit Options have beenchanged.■■User Audit Options—Indicates the type of user access to this file that shouldbe audited.Auditor Audit Options—Indicates the type of auditor access to this file thatshould be audited.CHANGE_FILE_MODE—Indicates a file's permissions (mode) have beenchanged.■■File Type—The file type of the file whose permissions are being changed. Itindicates if a file is a directory, a regular file, or one of several special types offiles.File Permissions—The file access permissions assigned to the indicated file.These are displayed in the fields named Owner, Group, and Other. Valuesfor the fields are r for READ, w WRITE, x for EXECUTE, and s for SEARCH.CHANGE_OWNER_GRP—Changes a file's owning UID and GID to a newvalue.■■UID To Be Set— Changed UID number of the file's owning UID.GID To Be Set—Changed GID number of the file's owning GID.CHECK_ACCESS—Determines if a user has the requested access (READ,WRITE, EXECUTE or SEARCH) to the specified file or directory.CHECK_FILE_OWNER—Checks if a current process is a superuser or the ownerof the specified file. A process could be the owner of a file if the effective UID isequal to the file owner's UID.CHECK_PRIVILEGE—Determines if the calling process is a superuser.CHK_PROCESS_OWNR—Checks to see if the calling process is the owner of aprocess being called.CLEAR_SETID—Clears temporary access that has been given to a file ordirectory (i.e., resets the S_ISUID, S_ISGID and S_ISVTX bits in the file's ordirectory's access permissions back to zero.DELETE_USP—Indicates that the user's access to UNIX System Services MVSterminated.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–25

Tracing UNIX System Services (OMVS)EXEC_SET—Changes the effective and saved UID or GID or both.■■Set UID—Change made to UID.Set GID—Change made to GID.FORK_EXIT—Indicates that a call was made to get the security information for aforked process.GET_GMAP—Indicates that a call was made to determine the GID for agroupname or the groupname for a GID.GET_SUPPL_GROUP—Indicates that a call was made to determine whatgroups the current process or user belongs to.GET_UMAP—Indicates that a call was made to determine the UID for ausername or the username for a UID.GET_USERS_GROUPS—Indicates that a call was made to determine the groupsto which a specific userid belongs.INIT_USP—Indicates initial user access to UNIX System Services MVS.■■Home—The home directory of the user at initial access to UNIX SystemServices MVS.Program—The name of the program for the indicated user at initial access toUNIX System Services MVS.MAKE_FSP—Seen when a file or directory is created.■■File Type—The filetype of the file for which the FSP is being created. It tellswhether a file is a directory, a regular file or one of several special types offiles.File Permissions—The file access permissions to be assigned to the indicatedfile. These are displayed in the fields named Owner, Group, and Other.Values for the fields are r for READ, w for WRITE, x for EXECUTE, and s forSEARCH.MAKE_ROOT_FSP—Indicates that a new file system is being initialized in anew PDSE/x data set.PTRACE_AUTH_CHK—Indicates that a check was made to see if a callingprocess can ptrace a target process it is calling.QUERY_FILE_OPTS—Indicates that file security options were queried todetermine the settings.QUERY_SEC_OPTION—Indicates that system security options were queried todetermine the settings.1–26 Cookbook

Tracing UNIX System Services (OMVS)SET_EFFECTIV_GID—Changes the effective GID to a different GID.■■■■GID To Be Set—The GID which is to be set as the effective GID.Real GID—The actual GID of this user.Effective GID—The GID under which this user's accesses are beingvalidated.Saved GID—Internally used GID.SET_EFFECTIV_UID—Changes the effective UID to a different UID.■■■■UID To Be Set—The UID which is to be set as the effective UID.Real UID—The actual UID of this user.Effective UID—The UID under which this user's accesses are beingvalidated.Saved UID—Internally used UID.SET_FILE_MASK—Change of permissions that a program sets in a new file ordirectory when it creates a new file or directory.SET_GID—Change the real, effective and saved GIDs to a different GID.■■■■GID To Be Set—The GID, which is to be set as the current GID.Real GID—The actual GID of this user.Effective GID—The GID under which this user's accesses are beingvalidated.Saved GID—Internally used GID.SET_UID—Change the real, effective and saved UID to a different UID.■■■■UID To Be Set—The UID which is to be set as the current UID.Real UID—The actual UID of this user or process.Effective UID—The UID under which this user's accesses are beingvalidated.Saved UID—Internally used UID.SUMMARY—Specifies the report is to include a three-line entry for each eventlogged. Produces a three-line entry for each logged event.DETAIL—Specifies the report is to include all the information available for eachlogging event. Produces report entries that include all the information availablefor each logging event. The default is a detailed report.TITLE—'TITLE for TSSOERPT' specifies a character string added to other titleinformation at the top of the report.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–27

Tracing UNIX System Services (OMVS)Security Credentials and File Security PacketsMany log entries show additional information about the request. Theinformation is contained internally as Security Credentials (CRED) and FileSecurity Packets (FSP). This information is common to many calls and can appearin the following fields on the TSSOERPT report if it is available:FUNCTION—The function attempted for a file or directory. (I.e., OPEN,SEARCH, etc.)PATHNAME—The full pathname of a file or directory, including the file ordirectory name itself. There could be two pathnames specified if the call involvedmore than one file or directory.FILENAME—The name of a file or directory. In the case of a CHECK_ACCESS,this field names the part of the path currently being validated for access (i.e., ifthe path is aa/bb/cc then three separate CHECK_ACCESS calls would be seen: thefirst with a filename of aa, the second with a filename of bb, and a third with thefilename of cc). There can also be two filenames specified if the call involvedmore than one file or directory.FILE PERMISSIONS—Access permissions for the file's owning UID (owner),the file's owning GID (group) and all others attempting access (other).OWNING UID—UID of the owner of the file or directory. If the real UID of auser/process attempting access to this file matches the owning UID, then accessis granted according to the owner file permissions.OWNING GID—GID of the owner of the file or directory. If the real GID of auser/process attempting access to this file matches the owning GID, then accessis granted according to the group file permissions. If the process/user does nothave the owning GID as its primary GID, but has a supplemental group thatmatches the owning GID, then access will also be determined by the group filepermissions.If neither the GID nor UID match the owner's GID or UID, then the other filepermissions are used to determine access.VOLUME—Volume on which the file system that contains the file resides.FILE IDENTIFIER—In some cases there can be no Pathname or Filenameindicated in a call. In this case, using the File Identifier validates access. Todetermine what the Path and Filename are for this call, find the last previous callwith the same File Identifier. The Pathname and Filename for that call are thesame as for the call in question.1–28 Cookbook

Using TCP/IPFILE AUDIT OPTIONS—There are two types of file audit options:■■User—Indicates the type of file access that should be logged for a user. Forexample, if the report shows 'Read Failure, Write All, Exec/Search None,' itmeans that all failed READ attempts, all WRITEs, but no EXECs orSEARCHes are to be logged to SMF for the user.Auditor—Indicates the type of file access that should be logged for anauditor. For example, if the report shows 'Read Failure, Write All,Exec/Search None,' it means that all failed READ attempts, all WRITEs, butno EXECs or SEARCHes are to be logged to SMF for the auditor.Using TCP/IPTCP/IP (Transmission Control Protocol/Internet Protocol) is a file transferprotocol used to store and forward jobs between nodes. TCP/IP is the protocolused on the Internet, which allows computers to talk to each other, and is wellestablished in the midrange and PC platforms.Prior to OS/390 V2R5, TCP/IP ran as a native MVS application, or as an UNIXSystem Services application. Starting with OS/390 V2R5, TCP/IP relies on UNIXSystem Services and must be configured as an UNIX System Services application.Security configuration depends on the environment in which it runs.Establishing Security for TCP/IP and OE/TCPIP (Communications Server IP for z/OSand OS/390)To establish a proper security connection, you must follow these steps.Step 1—Define TCP/IP to eTrust CA-Top Secret.To define TCP/IP to eTrust CA-Top Secret, you must add a facility definition forTCP/IP to the Facility Matrix Table. Add the definition by renaming a USERxxentry as shown in the following.FAC(USER11=NAME=TCP)FAC(TCP=PGM=xxx)FAC(TCP=NOTSOC,RES,NOIJU,AUTHINIT)Depending on the release of TCP/IP being used, the program name (xxx) are asfollows:■■■TCP/IP 3.1 PGM=MVPTCP/IP 3.2 PGM=EZATCP/IP 3.4 PGM=EZBImplementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–29

Using TCP/IPSet all other FACILITY parameters according to your site-specific needs.Note: If the RES attribute is omitted from the FACILITY definition, no user orprofile data set rules are loaded into the TCP address space.Step 2—Create a Region acid.The command used to create this acid should look like the example shown in thefollowing.TSS CRE(TCP) NAME('TCPIP/FTP REGION ACID') FAC(BATCH,STC)PASS(password,0) DEPT(DEPT) MASTFAC(TCP)NOVOLCHK NODSNCHK NOLCFCHK NORESCHK NOSUBCHKTSS ADD(TCP) UID(0) GROUP(OMVSGRP)DFLTGRP(OMVSGRP) HOME(/)OMVSGPGM (/bin/sh)The Region acid must have:■■The NODSNCHK attribute or a permit for DSN(*****) ACC(ALL).The NOSUBCHK attribute. If this attribute is omitted, DRC157 errors onsubmit of batch jobs from the TCP address space will occur.To properly secure job submission, the JES facility must be in FAIL MODE.Step 3—Define the TCP procedure to the eTrust CA-Top Secret STC Record.TSS ADD(STC) PROCNAME(TCPPROC) ACID(TCP)TCP/IP SERVAUTH ClassTCP/IP in OS/390 2.10 uses the SERVAUTH resource class to protect TCP/IPresources from unauthorized access. There are four functions protected by theSERVAUTH class. They are:Stack Access—Controls which users can get access to the TCP/IP stack.Resource name: EZB.STACKACCESS.sysname.tcpipidNet Access—Controls which users can access individual networks.Resource name: EZB.NETACCESS.sysname.tcpipid.netnamePort Access—Controls which users can use TCP and UDP ports.Resource name: EZB.PORTACCESS.sysname.tcpipid.portnameTN3270 controls which users can use the secured ports.Resource name: EZB.TN3270.sysname.tcpipid.PORTnnnn1–30 Cookbook

Using TCP/IPwheresysname is the name of the systemtcpipid is the name of the TCP/IP started tasknetname is the network name in PROFILE.TCPIPportname is the port name in PROFILE.TCPIPnnnn is the port number with leading zero'sSee the IBM OS/390 V2R10 IP Configuration Guide for additional informationabout these functions.Support for the SERVAUTH class is available beginning with eTrust CA-TopSecret 5.1 SP04. For earlier maintenance levels, you must apply APAR LO82040,which is required when using OS/390 2.10. This APAR adds an internal RDTentry for SERVAUTH. You must add rules giving READ access to theSERVAUTH resources to acids that require access. If no rule allowing accessexists, you can receive several different error messages, including:EDC5111I permission deniedThe EZB.STACKACCESS violation is seen on all systems running OS/390 2.10that do not have rules allowing access. Calls for the other three functions are notmade unless additional setup is done in PROFILE.TCPIP. See the IBM OS/390V2R10 IP Configuration Guide for additional information.To allow access to these resources, issue the following commands to define theresource to eTrust CA-Top Secret:TSS ADD(dept) SERVAUTH(EZB.)TSS PER(dept) SERVAUTH(EZB.STACKACCESS.) ACC(READ)TSS PER(dept) SERVAUTH(EZB.NETACCESS.) ACC(READ)TSS PER(dept) SERVAUTH(EZB.PORTACCESS.) ACC(READ)TSS PER(dept) SERVAUTH(EZB.TN3270.) ACC(READ)VMCF and TNF subsystems (eTrust CA-Top Secret started before JES)If a restartable VMCF and TNF subsystems are to be used, add to the eTrustCA-Top Secret STC table the following started task entries: VMCF, TNF,EZAZSSI.TSS ADD(STC) PROCNAME(VMCF) ACID(acid)TSS ADD(STC) PROCNAME(TNF) ACID(acid)The acids associated with these STCs require access to facility STC and data sethlq SEZATCP.TSS ADD(dept) DSNC(SEZATCP.)TSS PER(acid) DSN(SEZATCP.) ALL(READ)Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–31

Using FTPIP Address ProtectionSecuring an IP address using eTrust CA-Top Secret (or any external securityproduct) requires that the TCP/IP product installed pass the IP address packet.Not all TCP/IP vendor products pass this information. IBM’s TCP/IP productdoes pass the IP address.IP address protection is not available if your TCP/IP product does not pass theIP address packet.The IP packet passed is generated from the user's originating IP address. Thus,these IP packets often have no resemblance to standard LU names. Each node ofthe IP address is translated into a character representation of the hex value of thenode. For example, the IP address 141.202.201.56 would appear as terminal8DCAC938. The hex value of 141 is 8D, the hex value of 202 is CA, and so on.eTrust CA-Top Secret allows you two mechanisms to implement security of an IPaddress. Dotted IP is converted to hex pairs. If you want to restrict a particularuser to enter the system only through a given IP address, you would use sourcerestriction. For example:TSS ADD(aicd) SOURCE(8DCAC938) equivalent to 141.202.201.56If you want to protect an IP address or range from use, you would useTERMINAL restriction. For example, to restrict use of all IP addresses starting141.202 for all users:TSS ADD(dept) TERMINAL(8DCA)To permit userid2 to use IP addresses starting 141.202:TSS PERMIT(userid2) TERMINAL(8DCA)To permit userid3 to use IP addresses starting 141.202.201:TSS PERMIT(userid3) TERMINAL(8DCAC9)Using FTPFTP is a feature of TCP/IP that allows users to transfer files to and from themainframe. In addition, remote users can submit jobs to MVS. Users are requiredto identify themselves when using FTP.FTP runs as an MVS or UNIX System Services application. Security configurationis similar for both.1–32 Cookbook

Using FTPHow to Secure FTPFTP runs as its own started task which needs to be associated with a Region acid,and the TCP/IP facility. The command used to create this acid should look likethe one shown in the following.TSS CRE(FTP) NAME('FTP SERVER ACID')FAC(BATCH,STC) PASS(password,0)DEPT(DEPT) MASTFAC(TCP)NOVOLCHK NODSNCHK NOLCFCHK NORESCHK NOSUBCHKNote: The use of the bypass attributes such as NODSNCHK and NOSUBCHK,are entered for simplicity. You can choose to omit them and explicitly permit theacid to all resources it will access.Define the FTP procedure to the eTrust CA-Top Secret STC record with thefollowing command:TSS ADD(STC) PROCNAME(FTPSERVE) ACID(FTP)How to Secure FTP for UNIX System ServicesPackaged with TCP/IP OE Application Services, OE/FTP is an OMVSapplication that executes under UNIX System Services to facilitate the filetransfer of HFS files throughout a TCP/IP network.OE/FTP is different than the more common mainframe FTP product. OE/FTPtypically executes under a started-task named FTPD whereas FTP typicallyexecutes under a started-task named FTPSERVE.To complement OE/FTP, the above package includes an optional message-logdaemon (called Syslog-D) which can be used to log both past and presentmessage traffic related to OE/FTP. This optional logging task should beconsidered because, without it, there is no ongoing log of OE/FTP activity.The following steps replace the IBM requirements when installing OE/FTP witheTrust CA-Top Secret.1. The O/E FTP started task (daemon) typically runs under a userid of FTPD.The exception occurs when the task is automatically started by OMVS, inwhich case it inherits the identity of the OMVS kernel, typically OMVS orOMVSKERN.If running as an FTPD, the following example shows the administrationneeded to properly define the acid.TSS CRE(FTPD) TYPE(USER) NAME('OE/FTP STC ID') DEPT(anydept)FAC(STC) PASSWORD(password,0) MASTFAC(TCP)TSS ADD(FTPD) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)TSS ADD(STC) PROCname(FTPD) ACID(FTPD)If running under the OMVS kernel ID, no additional setup is necessary.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–33

Using FTP2. The FTP server acid requires the ability to perform work on behalf of userslogging on to FTP, and at times switch its identity to that of a user.Accordingly, it requires superuser authority. This can be done as shownabove, by adding UID(0) to the acid. Alternatively, you can give the acid anon-zero UID and permit it access to Superuser authority as follows:TSS PERMIT(FTPD) IBMFAC(BPX.SUPERUSER) ACCESS(READ)IBM recommends that you increase your level of security by protectingdaemon authority. This is accomplished in eTrust CA-Top Secret by owningthe resource IBMFAC(BPX.DAEM). Once this is done, you must explicitlypermit daemon authority to the server, even if it is running under UID(0), byentering the following command:TSS PERMIT(FTPD) IBMFAC(BPX.DAEMON) ACCESS(READ)3. The TSS Facility named "TCP" is used to control which end users are able toaccess OE/FTP. Access to the "TCP" Facility must be given to user acids thataccess OE/FTP.Considerations for Securing FTPUsers accessing FTP must log on to the service before using it. This requires themto supply their userids and passwords and for their userids to have access to theTCPIP facility. FTP also supports anonymous logons.In the FTPDATA configuration file, the parameter ANONYMOUS controlswhether this feature can be used. The parameter can be specified in one of threeways:ANONYMOUSANONYMOUS useridANONYMOUS userid/passwordIf the parameter is specified without a following userid, and an FTP userspecifies anonymous at logon time, RACINIT are issued for the acidANONYMOU. If this acid is defined to eTrust CA-Top Secret and has access tothe TCP/IP facility, the user is allowed to log on and run under the authority ofthe "ANONYMOU" acid.If the parameter is specified with a following userid, the user must provide thecorrect password for this userid. If the parameter is specified with both USERIDand PASSWORD, these values are used to sign on the user.The use of ANONYMOUS logon should be carefully considered, and if used, canbe a candidate for auditing.1–34 Cookbook

Using TELNETTerminal Source RestrictionFTP logons specify a terminal ID when logging on a user. This terminal IDsupplied is generated from the user's originating IP address. Thus, these terminalIDs often have no resemblance to standard LU names. Each node of the IPaddress is translated into a character representation of the hex value of the node.For example, the IP address 141.202.201.56 would appear as terminal 8DCAC938.The hex value of 141 is 8D, the hex value of 202 is CA, etc. To administer sourceprotection in eTrust CA-Top Secret, issue the following:TSS ADD(acid) SOURCE(8DCAC938)Using TELNETTELNET is a feature of TCP/IP, which allows users terminal access to a systemover a TCP/IP network. TELNET runs under both native MVS and UNIX SystemServices.If running under native MVS, users can be forced to log on to TELNET itself.This will occur if the TELNET configuration statements, in the TCP/IP profiledata set, do not specify a DFLTAPPL. If configured this way, users logging on toTELNET will require the TCP/IP facility. Alternatively, DFLTAPPL can bespecified, which directs all logons to a session manager such as Unicenter ®CA-TPX. The session manager then controls access through its securityinterface.How to Secure TELNET for UNIX System ServicesWhen using TELNET under OMVS, RLOGIN runs under its own acid until theuser successfully signs on. The ID of this acid is specified in the configuration fileetc/inetd/conf. It is delivered specifying an ID of OMVSKERN and must bedefined with both superuser and daemon authority.The following commands would define such an acid.TSS CRE(OMVSKERN) TYPE(USER)NAME('OMVS ACID') PASS(password,0)DEPT(dept)TSS ADD(OMVSKERN) UID(0) GROUP(OMVSGRP)DFLTGRP(OMVSGRP) HOME(/)OMVSPGM(/bin/sh)If you are using OMVSKERN, it is likely that this ID was defined as part of yourOMVS installation.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–35

InfoPrint Server for z/OS and OS/390 (z/OS and OS/390 Print Server)In addition, if you are securing daemon authority, the TELNET server ID musthave the following permission:TSS PER(OMVSKERN) IBMFAC(BPX.DAEMON)InfoPrint Server for z/OS and OS/390 (z/OS and OS/390 PrintServer)The z/OS and OS/390 Print Server available with OS/390 V2R5 allowed forconsolidation of print files from multiple servers into one central server. AtOS/390 V2R8, the Print Server was renamed to InfoPrint Server for z/OS andOS/390. Control of the resources defined under the Print Server requires thedefinition of two groups: AOPOPER and AOPADMIN. These are IBM defaults.AOPOPER is the operator group with authority to start and stop the printinterface. AOPADMIN provides authority to administer the printer inventoryand controls. If the separation of authority is not necessary, then one group namecan be defined for both functions.Use the following steps to define the security environment for eTrust CA-TopSecret:TSS CRE(AOPADMIN) TYPE(GROUP) NAME('PRINT SERVER') DEPT(dept)TSS ADD(AOPADMIN) GID(6)TSS ADD(admin acid) GROUP(AOPADMIN)TSS CRE(AOPER) TYPE(GROUP) NAME('PRINT SERVER') DEPT(dept)TSS ADD(AOPER) GID(7)TSS ADD(acid) GROUP(AOPER)TSS ADD(JDCSYS) IBMFAC(AOPADMIN)TSS PERMIT(dept acid) IBMFAC(AOPADMIN) ACCESS(ALL)WebSphere Application Server for z/OS AND OS/390WebSphere for z/OS supports access to resources by clients and servers in adistributed network. Part of your security strategy should be to determine howto control access to these resources and prevent inadvertent or maliciousdestruction of the system or data.1–36 Cookbook

WebSphere Application Server for z/OS AND OS/390These are the pieces in the distributed network that you must consider:■■■■You must authorize servers to the base operating system services in z/OS orOS/390. These services include eTrust CA-Top Secret security, databasemanagement, and transaction management.For the servers, you must distinguish between control regions and serverregions. Control regions run authorized system code, so they are trusted.Server regions run application code and are given access to resources, so youshould carefully consider the authorizations you give server regions.You must also distinguish between the level of authority given to run-timeservers compared to your own application servers. For example, the SystemManagement server needs the authority to start other servers, while yourown application servers do not need this authority.You must authorize clients (users) to servers and objects within servers. Thecharacteristics of each client requires special consideration:- Is the client on the local system or is it remote? The security of thenetwork becomes a consideration for remote clients.- Will you allow unidentified (unauthenticated) clients to access thesystem? Some resources on your system can be intended for publicaccess, while others must be protected. In order to access protectedresources, clients must establish their identities and have authorizationto use those resources.- What kind of objects will the client access? Enterprise beans and CORBAobjects have differing authorization mechanisms.If you must protect resources, identifying who accesses those resources is critical.Thus, any security system requires client (user) identification, also known asauthentication. In a distributed network supported by WebSphere for z/OS,clients can be accessing resources from:■■■■Within the same system as a serverWithin the same sysplex as the serverRemote z/OS or OS/390 systemsHeterogeneous systems, such as WebSphere on distributed platforms, CICS,or other CORBA-compliant systems.Additionally, clients can request a service that requires a server to forward therequest to another server. In such cases the system must handle delegation, theavailability of the client identity for use by intermediate servers and targetservers.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–37

WebSphere Application Server for z/OS AND OS/390Finally, in a distributed network, how do you ensure that messages being passedare confidential and have not been tampered? How do you ensure that clients arewho they claim to be? How do you map network identities to z/OS or OS/390identities? These issues are addressed by the following support in WebSphere forz/OS:■■■The use of SSL and digital certificatesKerberosDistributed Computing Environment (DCE)Network security is not required for your initial installation and customization ofWebSphere for z/OS. This information is provided to introduce you toWebSphere for z/OS security and allow you to make early planning decisionsabout system security. The following topics describe how WebSphere for z/OSsupports security. The descriptions are organized under the following subtopics:■■Authorization CheckingUser Identification, Authentication and Network SecurityAuthorization CheckingEach control region, server region, and client must have its own MVS user ID(more about user identification and authentication later). When a request flowsfrom a client to the server or from a server to a server, WebSphere for z/OSpasses the user identity (client or server) with the request. Thus each request isperformed on behalf of the user identity and the system checks to see if the useridentity has the authority to make such a request.ControlAccess control lists in LDAPCBIND classDATASET classDCEUUIDS and IBMFACclassesDSNR classEJBROLE classIBMFACAuthorizationControlled access to WebSphere for z/OSnaming and interface repository dataAccess to a serverAccess to data setsMapping DCE credentials to Top Secret userIdsAccess to DB2Access to methods in enterprise beansSSL key rings, certificates and mappings(IRR.DIGTCERT.GENCERT) &(IRR.DIGTCERT.LIST) &(IRR.DIGTCERT.LISTRING)1–38 Cookbook

WebSphere Application Server for z/OS AND OS/390ControlIBMFAC class(IMSXCF.OTMACI)IBMFAC Class(IRR.RUSERMAP)File permissionsGRANTs (DB2)LOGSTRM classOPERCMDS classPTKTDATA classSERVER classSOMDOBJS classSTCSURROGAT class (*.DFHEXCI)AuthorizationAccess to OTMA for IMS accessKerberos credentialsAccess to HFS filesDB2 access to plans and databaseAccess to log streamsStart and stop servers by DaemonPassticket enabling in the Sysplex (Thisrelates to the session keys in the NDT in TopSecret)Access to control region by a server regionAccess to methods in CORBA objectsAssociate procname and userid in the STCtableAccess to EXCI for CICS accessServer Authorization CheckingTo control access to WebSphere for z/OS resources, give greater authority tocontrol regions and less authority to server regions.Level of Trust and Authority for RegionsRegionControl regionServer regionLevel of trust and access authorityContains WebSphere for z/OS system code.Trusted, deals with multiple users. Greaterauthorization. Runs APF-authorized.Contains application code. Untrusted. Otherthan having authorization to get work and toattach to data stores, should rununauthorized.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–39

WebSphere Application Server for z/OS AND OS/390Regarding the WebSphere for z/OS run-time servers, the rule of thumb is to giveless authority to the Daemon and Naming Server, and greater authority to theSystem Management Server, as explained in the following table:Run-time Server Region Required AuthoritiesDaemon Server Control STC Control, access WLM services,access to DNS, OPERCMDS access toSTART, STOP, CANCEL, FORCE &MODIFY other servicesNaming Server Control STC Control STARTED class, access toWLM servicesNaming Server Server STC control, READ auth to the SERVERclass, DBADM for the LDAP DatabaseSys. MGMT. Server Control STC ControlSys. Mgmt. Server Server Started class, Read auth. to the SERVERclass, OPERCMDS access to START,STOP, CANCEL FORCE and MODIFYOther servicesInterface RepositoryServerInterface RepositoryServerControlServerSTARTED classSTC Control, READ Auth. to theSERVER Class, DBADM for the LDAPdatabaseAssigning authorities to WebSphere for z/OS run-time server control and serverregions:■■Remember to protect the RRS log streams.Protect the WebSphere for z/OS environment files, especially if they containpasswords.User Identification, Authentication and Network SecurityLDAP uses access control lists to control client access to naming services.Usually, you set up a general ANYBODY user identity with read access to theLDAP name space, allowing any client to access naming services.1–40 Cookbook

WebSphere Application Server for z/OS AND OS/390You can use the CBIND class to restrict a client’s ability to access servers. Thereare two types of resources, WebSphere for z/OS uses in the CBIND class:■One that controls whether a local or remote client can access servers.The name of the resource has this form:CB.BIND.server_namewhere server_name is the name of the server.■One that controls whether a client can use objects in a server. The name ofthe resource has this form:CB.server_namewhere server_name is the name of the server.Note: When you add a new server, you must authorize all systemsmanagement user IDs (for example, CBADMIN) to have read access to theCB.server_name and CB.BIND.server_name resources.Example:CBADMIN needs read authority to the CB.BBOASR1 andCB.BIND.BBOASR1 servers:TSS ADD(deptacid) CBIND(CB.)TSS PERMIT(CBADMIN) CBIND(CB.BBOASR1) ACCESS(READ)TSS PERMIT(CBADMIN) CBIND(CB.BIND.BBOASR1) ACCESS(READ)Use the EJBROLE (or GEJBROLE) class in eTrust CA-Top Secret to control aclient’s access to enterprise beans. There are two distinct sets of tasks that arerequired to protect an application using EJB roles.■The security administrator must define the roles and set up access rights ineTrust CA-Top Secret.– Define a profile name using the EJBROLE (or GEJBROLE) class.Example:TSS ADD(dept) EJBROLE(ROLE_NAME)Where department is a department already defined in the Top Secretdatabase and role_name matches the security role attribute specified inthe jar file or for the application. A role name cannot contain blanks, andcannot exceed 245 characters. Role names, however, can be in mixedcase.Create membership in the role by permitting Top Secret userID’s orprofiles permission to the defined EJBROLE resource.Example:TSS PERMIT(acid) EJBROLE(role_name)Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–41

WebSphere Application Server for z/OS AND OS/390■The application assembler must assign method permissions to the bean ormethod using the Application Assembly Tool.– Define the roles relevant to the application. These role names mustmatch the resource names defined to Top Secret.– Once defined, the role can be assigned to access an application (as amethod permission).– After the application assembly is complete, the application must bereinstalled using the Administration application.Use the SOMDOBJS class in eTrust CA-Top Secret to control a client’s accessto CORBA objects. Resource names in SOMDOBJS have the form:■server_name.home.methodWhere server_name is the server name. It must be 8 characters or less. homeis the home name. It must be 192 characters or less. method is the methodname. It can be up to the length of the remainder of 244 minus the sum of theserver and home name lengths.Example:If the server name is 8 characters, and the home name is:128 characters, the method name can be 108 (244 - (8 + 128)). If a method isprotected by SOMDOBJS and:– A client program is using the method to update an attribute of an object,give the client UPDATE authorization for the method.– A client program is using the method to read an attribute of an object,give the client READ authorization for the method.All names are folded into uppercase characters, regardless of how youenter them. Thus, there is no difference betweenMY_server.MY_home.MY_method andMY_SERVER.MY_HOME.MY_METHOD.In addition to the SOMDOBJS definitions, you must specifymethod-level access checking through the WebSphere for z/OSAdministration application. Check the box for method-level accesschecking when you define your application’s container.Resource managers such as DB2, IMS, and CICS have implemented theirown resource controls, which control the ability of clients to access resources.When resource controls are used by DB2, use the DSNR Top Secret class orissue the relevant DB2 GRANT statements.Access to OTMA for IMS access is through the IBMFAC Class(IMSXCF.OTMACI). Access to EXCI for CICS is through the SURROGATclass (*.DFHEXCI). You can control access to data sets through the DATASETclass and HFS files through file permissions or the HFSSEC class.1–42 Cookbook

WebSphere Application Server for z/OS AND OS/390Identification and AuthenticationFor identification, each control region and server region start procedure musthave its own user ID and you must define it in the STC record. Control regionsare trusted, while server regions are not. Because you should give differingresource authorizations to each, you should give different user IDs to controlregions and server regions.Additional user IDs are required for installation. We provide the definitions forthese user IDs in our eTrust CA-Top Secret sample. See the customizedinstructions produced when you run the customization dialog.■■■■User IDs for control regions and server regions.A user ID for the installation verification program and its application server.Our Top Secret sample uses CBIVP.A user ID called CBADMIN used by the Administration application.A default local and remote user ID associated with each server through theAdministration application. We use CBGUEST.Necessary user IDs and eTrust CA-Top Secret definitions for the WebSphere forz/OS run time are provided by our eTrust CA-Top Secret sample.Regarding authentication, an operator starts a server by using the STARTcommand and the control region start procedure. Authentication of the startprocedure’s user ID is made by virtue of the fact that an operator started the startprocedure—that is, no password is required. If you want to restrict an operator’sability to start servers, do so through the STC record in eTrust CA-Top Secret.WASADMThe following is a copy of the eTrust CA-Top Secret supplied CLIST, WASADM.This CLIST will run and execute the eTrust CA-Top Secret commands requiredto create the environment for the Websphere implementation. It can be found inthe SAMPJCL file on the eTrust CA-Top Secret installation tape.PROC 0/* =============================================================== *//* CREATING GROUPS AND PROFILES FOR WAS BASE SERVERS. *//* =============================================================== */TSS CREATE(WASDEPT) TYPE(DEPT) NAME('WAS DEPARTMENT')TSS CREATE(CBCTL1) TYPE(GROUP) NAME('WAS BASESERVER GRP') DEPT(WASDEPT)TSS ADDTO(CBCTL1) GID(2211)TSS CREATE(CBCTL1P) TYPE(PROF) NAME('WAS BASESERVER GRP') DEPT(WASDEPT)TSS CREATE(CBSR1) TYPE(GROUP) NAME('WAS BASESERVER GRP') DEPT(WASDEPT)TSS ADDTO(CBSR1) GID(2201)TSS CREATE(CBSR1P) TYPE(PROF) NAME('WAS BASESERVER GRP') DEPT(WASDEPT)/* =============================================================== *//* CREATE WAS CONFIGURATION GROUP. *//* =============================================================== */TSS CREATE(CBCFG1) TYPE(GROUP) NAME('WAS CONFIG GRP') DEPT(WASDEPT)TSS ADDTO(CBCFG1) GID(2300)Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–43

WebSphere Application Server for z/OS AND OS/390/* =============================================================== *//* CREATING GROUP FOR WAS ADMINISTRATORS. *//* =============================================================== */TSS CREATE(CBADMGP) TYPE(GROUP) NAME('WAS ADMIN GRP') DEPT(WASDEPT)TSS ADDTO(CBADMGP) GID(2203)/* =============================================================== *//* CREATING GROUP FOR DEFAULT WAS USERID. *//* =============================================================== */TSS CREATE(CBCLGP) TYPE(GROUP) NAME('DFLT WAS USER GRP') DEPT(WASDEPT)TSS ADDTO(CBCLGP) GID(2202)/* =============================================================== *//* CREATING SERVER REGION GROUP AND PROFILE FOR IVP1 SERVER. *//* =============================================================== */TSS CREATE(CBASR1) TYPE(GROUP) NAME('SERVR REG GRP IVP1') DEPT(WASDEPT)TSS ADDTO(CBASR1) GID(2205)TSS CREATE(CBASR1P) TYPE(PROF) NAME('SERVR REG GRP IVP1') DEPT(WASDEPT)/* =============================================================== *//* CREATING GROUP FOR IVP1 USERIDS. *//* =============================================================== */TSS CREATE(CBIVPGP) TYPE(GROUP) NAME('IVP1 USER GRP') DEPT(WASDEPT)TSS ADDTO(CBIVPGP) GID(2209)/* =============================================================== *//* CREATING SERVER REGION GROUP AND PROFILE FOR IVP2 SERVER. *//* =============================================================== */TSS CREATE(CBASR2) TYPE(GROUP) NAME('SERVR REG GRP IVP2') DEPT(WASDEPT)TSS ADDTO(CBASR2) GID(2216)TSS CREATE(CBASR2P) TYPE(PROF) NAME('SERVR REG GRP IVP2') DEPT(WASDEPT)/* =============================================================== *//* CREATING GROUP FOR IVP2 USERIDS. *//* =============================================================== */TSS CREATE(CBIVPGP2) TYPE(GROUP) NAME('IVP2 USER GRP') DEPT(WASDEPT)TSS ADDTO(CBIVPGP2) GID(2217)/* =============================================================== *//* ADDING USERS FOR WAS CONTROL REGIONS. *//* =============================================================== */TSS CREATE(CBDMNCR1) DFLTGRP(CBCTL1) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 DAEMON CR') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBDMNCR1) UID(2111)TSS ADDTO(CBDMNCR1) FAC(STC)TSS CREATE(CBNAMCR1) DFLTGRP(CBCTL1) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 NAMING CR') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBNAMCR1) UID(2113)TSS ADDTO(CBNAMCR1) FAC(STC)TSS CREATE(CBSYMCR1) DFLTGRP(CBCTL1) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 SYSMGT CR') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBSYMCR1) UID(2112)TSS ADDTO(CBSYMCR1) FAC(STC)TSS CREATE(CBINTCR1) DFLTGRP(CBCTL1) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 INTFRP CR') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBINTCR1) UID(2114)TSS ADDTO(CBDMNCR1) FAC(STC)/* =============================================================== *//* ADDING USERS FOR WAS SERVER REGIONS. *//* =============================================================== */TSS CREATE(CBNAMSR1) DFLTGRP(CBSR1) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 NAMING SR') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBNAMSR1) UID(2105)TSS ADDTO(CBNAMSR1) FAC(STC)TSS CREATE(CBSYMSR1) DFLTGRP(CBSR1) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 SYSMGT SR') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBSYMSR1) UID(2104)TSS ADDTO(CBSYMSR1) FAC(STC)TSS CREATE(CBINTSR1) DFLTGRP(CBSR1) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 INTFRP SR') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBINTSR1) UID(2106)TSS ADDTO(CBINTSR1) FAC(STC)1–44 Cookbook

WebSphere Application Server for z/OS AND OS/390/* =============================================================== *//* ADDING USERS FOR IVP CONTROL AND SERVER REGIONS *//* =============================================================== */TSS CREATE(CBACRU1) DFLTGRP(CBCTL1) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 IVP1 CR') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBACRU1) UID(2107)TSS ADDTO(CBACRU1) FAC(STC)TSS CREATE(CBASRU1) DFLTGRP(CBASR1) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 IVP1 SR') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBASRU1) UID(2110)TSS ADDTO(CBASRU1) FAC(STC)/* =============================================================== */TSS CREATE(STCRACF) DFLTGRP(SYS1) NAME('CB390 TRACE WRITER') -TYPE(USER) DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(STCRACF) FAC(STC)/* =============================================================== */TSS CREATE(CBACRU2) DFLTGRP(CBCTL1) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 IVP2 CR') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBACRU2) UID(2115)TSS ADDTO(CBACRU2) FAC(STC)TSS CREATE(CBASRU2) DFLTGRP(CBASR2) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 IVP2 SR') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBASRU2) UID(2116)TSS ADDTO(CBASRU2) FAC(STC)/* =============================================================== *//* ADDING WAS ADMIN USERID. *//* =============================================================== */TSS CREATE(CBADMIN) DFLTGRP(CBADMGP) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 ADMINISTRATOR') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBADMIN) UID(2103)TSS ADDTO(CBADMIN) FAC(STC,BATCH)/* =============================================================== *//* ADDING USERS TO RUN IVP1. *//* =============================================================== */TSS CREATE(CBIVP) DFLTGRP(CBIVPGP) TYPE(USER) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 IVP1 USER') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBIVP) UID(2109)TSS ADDTO(CBIVP) FAC(STC,BATCH)/* =============================================================== *//* ADDING USERS TO RUN IVP2. *//* =============================================================== */TSS CREATE(CBIVP2) DFLTGRP(CBIVPGP2) TYPE(USER) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 IVP2 USER') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBIVP2) UID(2117)TSS ADDTO(CBIVP2) FAC(STC,BATCH)/* =============================================================== *//* ADDING DEFAULT CB390 USERID FOR BASE SERVERS. *//* =============================================================== */TSS CREATE(CBGUEST) DFLTGRP(CBCLGP) TYPE(USER) HOME(/tmp) -OMVSPGM(/bin/sh) NAME('CB390 DEFAULT USER') DEPT(WASDEPT) PASS(NOPW,0)TSS ADDTO(CBGUEST) UID(2102)TSS ADDTO(CBGUEST) FAC(STC,BATCH)/* =============================================================== *//* CONNECTING CB ADMINISTRATOR TO THE CB CONFIGURATION GROUP. *//* =============================================================== */TSS ADDTO(CBADMIN) GROUP(CBCFG1)/* =============================================================== *//* CONNECTING USERS TO THE CB CONFIGURATION GROUP. *//* =============================================================== */TSS ADDTO(CBDMNCR1) GROUP(CBCFG1)TSS ADDTO(CBNAMCR1) GROUP(CBCFG1)TSS ADDTO(CBSYMCR1) GROUP(CBCFG1)TSS ADDTO(CBINTCR1) GROUP(CBCFG1)TSS ADDTO(CBNAMSR1) GROUP(CBCFG1)TSS ADDTO(CBSYMSR1) GROUP(CBCFG1)TSS ADDTO(CBINTSR1) GROUP(CBCFG1)Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–45

WebSphere Application Server for z/OS AND OS/390/* =============================================================== *//* CONNECTING IVP CR AND SR USERIDS TO THE CB CONFIGURATION GROUP. *//* =============================================================== */TSS ADDTO(CBACRU1) GROUP(CBCFG1)TSS ADDTO(CBASRU1) GROUP(CBCFG1)TSS ADDTO(CBACRU2) GROUP(CBCFG1)TSS ADDTO(CBASRU2) GROUP(CBCFG1)/* =============================================================== *//* CONNECTING STC ACIDS TO THE CB PROFILES *//* =============================================================== */TSS ADDTO(CBDMNCR1) PROF(CBCTL1P)TSS ADDTO(CBNAMCR1) PROF(CBCTL1P)TSS ADDTO(CBNAMSR1) PROF(CBSR1P)TSS ADDTO(CBSYMCR1) PROF(CBCTL1P)TSS ADDTO(CBSYMSR1) PROF(CBSR1P)TSS ADDTO(CBINTCR1) PROF(CBCTL1P)TSS ADDTO(CBINTSR1) PROF(CBSR1P)TSS ADDTO(CBACRU1) PROF(CBCTL1P)TSS ADDTO(CBASRU1) PROF(CBASR1P)TSS ADDTO(CBACRU2) PROF(CBCTL1P)TSS ADDTO(CBASRU2) PROF(CBASR2P)/* =============================================================== */TSS ADDTO(WASDEPT) LOGSTRM(DEFAULT_LOGSTREAM_NAME)TSS PERMIT(ALL) LOGSTRM(DEFAULT_LOGSTREAM_NAME) ACCESS(READ)TSS PERMIT(CBCTL1P) LOGSTRM(DEFAULT_LOGSTREAM_NAME) ACCESS(UPDATE)TSS PERMIT(CBSR1P) LOGSTRM(DEFAULT_LOGSTREAM_NAME) ACCESS(UPDATE)TSS PERMIT(CBASR1P) LOGSTRM(DEFAULT_LOGSTREAM_NAME) ACCESS(UPDATE)TSS PERMIT(CBASR2P) LOGSTRM(DEFAULT_LOGSTREAM_NAME) ACCESS(UPDATE)/* =============================================================== *//* DEFINE CBIND(CB.) *//* =============================================================== */TSS ADDTO(WASDEPT) CBIND(CB.)/* =============================================================== *//* DEFINING CBIND CB.BIND.GENERIC_SERVER. *//* =============================================================== */TSS PERMIT(CBCTL1P) CBIND(CB.BIND.CBDAEMON) ACCESS(CONTROL)TSS PERMIT(CBCTL1P) CBIND(CB.BIND.CBNAMING) ACCESS(CONTROL)TSS PERMIT(CBCTL1P) CBIND(CB.BIND.CBSYSMGT) ACCESS(CONTROL)TSS PERMIT(CBCTL1P) CBIND(CB.BIND.CBINTFRP) ACCESS(CONTROL)TSS PERMIT(CBCTL1P) CBIND(CB.BIND.BBOASR1) ACCESS(CONTROL)TSS PERMIT(CBCTL1P) CBIND(CB.BIND.BBOASR2) ACCESS(CONTROL)/* =============================================================== *//* DEFINING CBIND CB.GENERIC_SERVER. *//* =============================================================== */TSS PERMIT(ALL) CBIND(CB.) ACCESS(NONE)/* =============================================================== *//* DEFINING CBIND CB.GENERIC_SERVER ACCESS FOR CB SYSTEMS SERVERS *//* =============================================================== */TSS PERMIT(ALL) CBIND(CB.CBDAEMON) ACCESS(READ)TSS PERMIT(ALL) CBIND(CB.CBNAMING) ACCESS(READ)TSS PERMIT(ALL) CBIND(CB.CBSYSMGT) ACCESS(READ)TSS PERMIT(ALL) CBIND(CB.CBINTFRP) ACCESS(READ)/* =============================================================== *//* DEFINING CBIND CB.GENERIC_SERVER FOR IVP1 SERVERS AS UACC(READ) *//* =============================================================== */TSS PERMIT(ALL) CBIND(CB.BBOASR1) ACCESS(READ)/* =============================================================== *//* DEFINING CBIND CB.GENERIC_SERVER FOR IVP2 SERVERS AS UACC(READ) *//* =============================================================== */TSS PERMIT(ALL) CBIND(CB.BBOASR2) ACCESS(READ)/* =============================================================== *//* DEFINING SERVER CB.SERVER_INSTANCE.GENERIC_SERVER. *//* =============================================================== */TSS ADDTO(WASDEPT) SERVER(CB.)TSS PERMIT(ALL) SERVER(CB.) ACCESS(NONE)/* =============================================================== */1–46 Cookbook

Lotus Domino Go Webserver/* PERMITTING SERVER CLASS ACCESS. *//* =============================================================== */TSS PERMIT(CBNAMSR1) SERVER(CB.*.CBNAMING) ACCESS(READ)TSS PERMIT(CBSYMSR1) SERVER(CB.*.CBSYSMGT) ACCESS(READ)TSS PERMIT(CBINTSR1) SERVER(CB.*.CBINTFRP) ACCESS(READ)TSS PERMIT(CBASRU1) SERVER(CB.*.BBOASR1) ACCESS(READ)TSS PERMIT(CBASRU2) SERVER(CB.*.BBOASR2) ACCESS(READ)/* =============================================================== *//* ASSIGNING USERIDS TO STARTED TASKS. *//* =============================================================== */TSS ADDTO(STC) PROCNAME(BBODMN) ACID(CBDMNCR1)TSS ADDTO(STC) PROCNAME(BBONM) ACID(CBNAMCR1)TSS ADDTO(STC) PROCNAME(BBONMS) ACID(CBNAMSR1)TSS ADDTO(STC) PROCNAME(BBOSMS) ACID(CBSYMCR1)TSS ADDTO(STC) PROCNAME(BBOSMSS) ACID(CBSYMSR1)TSS ADDTO(STC) PROCNAME(BBOIR) ACID(CBINTCR1)TSS ADDTO(STC) PROCNAME(BBOIRS) ACID(CBINTSR1)TSS ADDTO(STC) PROCNAME(BBOWTR) ACID(STCRACF)TSS ADDTO(STC) PROCNAME(BBOASR1) ACID(CBACRU1)TSS ADDTO(STC) PROCNAME(BBOASR1S) ACID(CBASRU1)TSS ADDTO(STC) PROCNAME(BBOASR2) ACID(CBACRU2)TSS ADDTO(STC) PROCNAME(BBOASR2S) ACID(CBASRU2)/* =============================================================== *//* SETTING UP THE PASSTICKET. *//* =============================================================== */TSS ADDTO(NDT) PSTKAPPL(CBS390) SESSKEY(0123456789ABCDEF)/* =============================================================== */EXITSecurity AuditingSecurity auditing is handled in the usual way by the security product.WebSphere for z/OS uses the System Authorization Facility (SAF), whichprovides an auditing mechanism consistent with other functions in z/OS orOS/390.Lotus Domino Go WebserverThe Lotus Domino Go Webserver is an IBM offering that allows the MVSmainframe to act as an Internet web server. This offering is installed andmanaged as an UNIX System Services application. By default, the Domino GoWebserver materials are installed within the OMVS environment in a directorynamed /usr/lpp/internet.As documented by IBM, installation of the Domino Go Webserver includesseveral steps using the RACF security administrator. Listed below are thedeviations and equivalent commands needed when installing this offering andusing eTrust CA-Top Secret.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–47

Lotus Domino Go WebserverInstalling Domino Go Webserver on a eTrust CA-Top Secret-secured SystemNote: Previously defined UNIX System Services and TCP/IP requirements musthave been completed before you attempt to install the Domino Go Webserver.The examples in the following steps reflect default procnames, typical groupnames, and typical GID value. Overall, these commands simply ensure that avalid OMVS UID and GID exist for each of the started tasks that access OMVS.1. A TSS FACILITY should be created for the web server. Once created, thisfacility can be added to each user acid that is allowed to log on to the webserver. Tailor the following command and then add it to the existing eTrustCA-Top Secret startup control options:TSS MODIFY FAC(USERx=NAME=IMWEB)2. The Domino Go Webserver requires an acid for the web server started taskand for a web administrator. Both of these acids must be connected to anOMVS Group ID for the web server. The following commands accomplishthis using the IBM default values.The web server started task, whose procname is IMWEBSRV, is also referredto by IBM as the web server daemon. Also, changing the ID of the webadministrator is recommended; however, this change must be coordinatedwith updates to the web server configuration file.TSS CRE(IMWEB) TYPE(GROUP) NAME('WEBSERVER GROUP') DEPT(anydept)TSS ADD(IMWEB) GID(205)TSS CRE(WEBADM) TYPE(USER) NAME('WEB ADMINISTRATOR')DEPT(anydept) FAC(IMWEB) PASSWORD(password,0)TSS ADD(WEBADM) UID(206) GROUP(IMWEB) DFLTGRP(IMWEB)HOME(/usr/lpp/internet) OMVSPGM(/bin/sh)TSS CRE(WEBSRV) TYPE(USER) NAME('WEBSERVER DAEMON/STC')DEPT(dept) FAC(STC,IMWEB)PASSWORD(password,0)TSS ADD(WEBSRV) UID(0) GROUP(IMWEB) DFLTGRP(IMWEB)HOME(/usr/lpp/internet) OMVSPGM(/bin/sh)MASTFAC(IMWEB)TSS ADD(STC) PROCNAME(IMWEBSRV) ACID(WEBSRV)3. Three other user acids, each having their own connected group, are requiredunless "surrogate user" support is disabled. This feature permits users toaccess the web server without requiring a signon. CA recommends that thisfeature be disabled for security reasons.1–48 Cookbook

Lotus Domino Go WebserverTo disable this feature, change the "Userid" option to "%%CLIENT%%"within the web server configuration file. See IBM documentation. If notdisabled, the following commands will create acids and groups for surrogatesupport following IBM examples:TSS CRE(EXTERNAL) TYPE(GROUP) NAME('WEB GROUP') DEPT(dept)TSS ADD(EXTERNAL) GID(999)TSS CRE(EMPLOYEE) TYPE(GROUP) NAME('WEB GROUP') DEPT(dept)TSS ADD(EMPLOYEE) GID(500)TSS CRE(SPECIAL) TYPE(GROUP) NAME('WEB GROUP') DEPT(dept)TSS ADD(SPECIAL) GID(255)TSS CRE(PUBLIC) TYPE(USER) NAME('WEB SURROGATE ID')DEPT(dept) FAC(IMWEB) PASSWORD(NOPW,0)TSS ADD(PUBLIC) UID(998) GROUP(EXTERNAL) DFLTGRP(EXTERNAL)HOME(/) OMVSPGM(/bin/sh)TSS CRE(INTERNAL) TYPE(USER) NAME('WEB SURROGATE ID')DEPT(dept) FAC(IMWEB) PASSWORD(NOPW,0)TSS ADD(INTERNAL) UID(537) GROUP(EMPLOYEE) DFLTGRP(EMPLOYEE)HOME(/) OMVSPGM(/bin/sh)TSS CRE(PRIVATE) TYPE(USER) NAME('WEB SURROGATE ID')DEPT(dept) FAC(IMWEB) PASSWORD(NOPW,0)TSS ADD(PRIVATE) UID(416) GROUP(SPECIAL) DFLTGRP(SPECIAL)HOME(/) OMVSPGM(/bin/sh)4. The acid for the web server started task (that is, Daemon) requires access tothe following IBMFAC and SURROGAT resources. Note that the final threepermits are not needed if surrogate support is disabled:TSS ADD(dept) IBMFAC(BPX.)TSS PERMIT(WEBSRV) IBMFAC(BPX.DAEMON) ACCESS(READ)TSS PERMIT(WEBSRV) IBMFAC(BPX.SERVER) ACCESS(UPDATE)TSS ADD(dept) SURROGAT(BPX.)TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.WEBADM) ACCESS(READ)TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.PUBLIC) ACCESS(READ)TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.PRIVATE) ACCESS(READ)TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.INTERNAL) ACCESS(READ)5. IBM documentation includes one install step where "RACF program control"is discussed. In the first part of this step, all users are given read access tothree load libraries related to the web server. This part is easily translated asfollows:TSS ADD(dept) DSNAME(CEE.)TSS ADD(dept) DSNAME(IMW.)TSS ADD(dept) DSNAME(SYS1.)TSS PERMIT(ALL) DSNAME(CEE.V1R5M0.SCEERUN)TSS PERMIT(ALL) DSNAME(IMW.V1R1M0.IMWMOD1)TSS PERMIT(ALL) DSNAME(SYS1.LINKLIB)ACCESS(READ)ACCESS(READ)ACCESS(READ)This step also describes several (RDEFINE and SETROPTS) commandsneeded to exempt the above libraries from RACF "PADS" checking. Thesecommands are not applicable to eTrust CA-Top Secret and can be skipped.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–49

Lotus Notes Server(To RACF, these commands mark all programs in these libraries as"NOPADCHK". This means that any program-restricted data set accessshould not have to list any of the programs from these libraries. In otherwords, this marks all programs from these libraries as being trusted andtherefore exempt from any program accessed data set / PADS checks. Thesecommands are not applicable to eTrust CA-Top Secret.)6. Install steps, which discuss permission bits and the "sticky bit", are related toOMVS file security itself and are unrelated to RACF. Therefore, such stepsshould be followed as described.Lotus Notes ServerThe Lotus Notes Server (email) can run on a z/OS or OS/390 environment. Theexternal security interface requires a facility and a DOMINO console interface(identified in IBM as DOMCON). This interface facilitates sending commandsfrom z/OS or OS/390 to stop, start and manage Lotus Notes Server runningunder UNIX Systems Services.The Lotus Notes Server requires an acid for the server started task and a groupacid. The following commands accomplish this using the IBM default values.TSS CREATE(LOTUSGRP) TYPE(GROUP) NAME(LOTUSGROUP) DEPT(OMVSDEPT)TSS ADD(LOTUSGRP) GID(6789)TSS CREATE(DOMCON) TYPE(USER) NAME('LOTUS STC ACID') PASS(password,0)DEPT(OMVSDEPT) FACILITY(STC)TSS ADD(DOMCON) GROUP(LOTUSGRP) DFLTGRP(LOTUSGRP)TSS ADD(STC) PROCNAME(?????) ACID(DOMCON)The above command adding the stc should be done for all LOTUS PROCs. Therecan be multiple procs associated with this address space beginning with"DOMIN".TSS ADD(DOMCON) UID(0) HOME(/u/domcon) OMVSPGM(/bin/sh)TSS PERMIT(DOMCON) IBMFAC(BPX.DAEMON) ACCESS(READ)TSS ADD(DEPTACID) DSN(DOMCOM.WTO.LOAD)TSS PERMIT(DOMCON) DSN(DOMCOM.WTO.LOAD) ACCESS(READ)1–50 Cookbook

Lotus Notes and Novell Directory Services for z/OS and OS/390Lotus Notes and Novell Directory Services for z/OS andOS/390This support was introduced at OS/390 V2R8. This enhancement enables eTrustCA-Top Secret to map a user identity from a Lotus Notes or Novell DirectoryServices for z/OS and OS/390 application to a eTrust CA-Top Secret acid. Afteran application has determined a user's eTrust CA-Top Secret acid, it mightchoose to use this acid when accessing MVS resources, such as data sets, andz/OS and OS/390 UNIX System Services (z/OS and OS/390 UNIX) files.An example of the eTrust CA-Top Secret command needed to map a Lotus Notesfor z/OS and OS/390 user identity name would be:TSS ADD(acid) SNAME(lotus user identity name)An example of the eTrust CA-Top Secret command needed to map a NovellDirectory Services for z/OS and OS/390 user identity name would be:TSS ADD(acid) UNAME(Novell Directory Services user identity name)Digital Certificate SupportDigital certificates are a secure method for identifying users, typically through aweb-based application. Digital certificates are encrypted packages issued by atrusted third party called a certificate authority (CA). A certificate is used as anacid and password substitute. Because they are encrypted, digital certificatescannot be tampered with easily. A server can only decrypt them with access tothe proper key. Thus, digital certificates are protected from inspection whilepassing through the network.A digital certificate is associated to a eTrust CA-Top Secret user through theuser's acid record, or the predefined acid CERTAUTH or CERTSITE. More thanone certificate can be issued to a user and eTrust CA-Top Secret allows morethan one certificate to be added to a user's acid record. Since each certificateissued by a certificate authority is unique to a particular user, a certificate cannotbe added to more than one acid. However, more than one acid can use the samecertificate when the certificate is attached to a key ring.A key ring is a collection of digital certificates associated with an individual user.Once a user has had their identity verified to a system by a certificate that isunique to the user, the user can have access to additional resources through thecertificates on their key ring. Key rings provide an installation-wide method toshare digital certificates across multiple servers. A user can have more than onekey ring.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–51

Digital Certificate SupportAn additional feature of eTrust CA-Top Secret lets you check to see if a certificatehas already been added to the eTrust CA-Top Secret Security File and with whatacid it is associated. Also, once a certificate has been added to eTrust CA-TopSecret it can be exported to a new data set.See the Command Functions Guide for expanded details beyond what ispresented in this Cookbook.The user ACID record can be administered with the TSS ADDTO, REPLACE,REMOVE, GENCERT, GENREQ, EXPORT, and CHKCERT commands.■■■■■■Use ADD and REPLACE to add or replace a certificate, label, or the START,FOR, UNTIL, TRUST, HITRUST and NOTRUST parameters.Use REMOVE only to remove the certificate from the user.Use GENCERT to generate a certificate from eTrust CA-Top Secret and addit to a user.Use GENREQ to generate a PKCS#10 base 64-encoded digital certificaterequest and writes it to a data set.Use EXPORT to export a certificate from eTrust CA-Top Secret to a new dataset.Use CHKCERT to see if a certificate has been added to the eTrust CA-TopSecret security file and with what acid it is associated.Associating a Unique Digital Certificate with a UserDigital certificates issued by a certificate authority are associated with a user byadding the certificate to the user's ACID record, or the predefined acidCERTAUTH or CERTSITE. If eTrust CA-Top Secret generates a certificate it isadded to the user's ACID record when the certificate is created using the TSSGENCERT command.The certificate must be unique to the user. A certificate can be added to only oneuser's ACID record. Certificates can be shared only when they are attached to akey ring.1–52 Cookbook

Digital Certificate SupportGeneral RulesThe following rules and procedures apply for eTrust CA-Top Secretadministrators. They must have ACID(MAINTAIN) for users within their scope,plus MISC4(authority levels). Details for authority levels of MISC4 can be foundin the Command Functions Guide. Administrators must be defined with anOMVS segment UID, Group, and Default Group to perform any digital certificatecommands and the Unix System Services (Open Edition) must be active.If the certificate is generated by the eTrust CA-Top Secret GENCERT command,it is to be used for SSL server authentication. The certificate must beexported/imported to the client’s side repository so the public key is available inorder to successfully decrypt the server’s certificate during the SSLauthentication handshake. Client software might be PC Workstation, Internetbrowser, AS400, Windows NT, MQSeries, FTPSSL, QWSSSL, etc. They also needauthority to the IBMFAC. To establish this authority, the IBMFAC must beowned:TSS ADD(tssdept) IBMFAC(IRR)Then permit to the administrator:TSS PERMIT(tssadmin1) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE)If the administrator submits batch scripts for Digital Certificates, they mustinclude REGION=0M in their job statement within the JCL.Third Party VendorsAny certificate obtained from third party vendors, such as Verisign, can beregistered to eTrust CA-Top Secret via the TSS ADD command. Once thecertificate is received from the vendor it must be placed into a cataloged MVSdata set so that it can be accessed by eTrust CA-Top Secret. This data set wouldthereby represent the value specified in the DCDSN keyword of the TSS ADDcommand.TSS ADD(name) DIGICERT(namecert) DCDSN(name.certificate.data) TRUSTImplementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–53

Digital Certificate SupportAdding a Digital Certificate to an ACID RecordWhen adding a digital certificate, the DIGICERT and DCDSN keywords arerequired on the TSS ADD command. All other keywords are optional.The syntax for the ADD command follows:TSS ADD(acid|CERTAUTH|CERTSITE) DIGICERT(8-byte name) DCDSN(dsname)[START(sdate)][FOR(ddd)|UNTIL(date)][LABLCERT(label name)][TRUST|NOTRUST|HITRUST][ICSF][PKCSPASS(‘PKCSPASS PASSWORD’)]ACID—A user acid or you can specify:CERTAUTH—Is an acid in which your installation can maintain certificates thatwere generated by a third party certificate authority (CA). This acid ispre-defined in Top Secret. You cannot add a KEYRING to this ACID.CERTSITE—Is an acid in which your installation can maintain site-generatedcertificates. This acid is pre-defined in Top Secret. You cannot add a KEYRING tothis ACID.DIGICERT—Specifies a one- to eight-character ID that identifies the certificatewith the user acid.DCDSN—Specifies the MVS data set containing the digital certificate. The dataset must be defined as physical sequential (DSORG=PS) and variable blockeddata set (RECFM=VB). The data set name is entered as a fully qualified namewithout enclosed quotes. The data set must be cataloged and up to 26 characterlong (8.8.8.2).The certificate contained in the data set must be BER-encoded, PKCS-7BER-encoded, or Privacy Enhanced Mail (PEM)-encoded. PEM certificates mustbe transported to MVS as TEXT; the other formats must be transported asBINARY. The length of the serial number and certificate authority distinguishedname must be less than 246.An example for the DCDSN command follows:TSS ADD(USER01) DIGICERT(DIGI0001) DCDSN(USER01.CERTIF.001)START—Specifies an optional activation date. This date is not the same as theactivation date defined in the certificate itself. The web server validates that date.This date gives the security administrator the ability to specify when thecertificate will become active on MVS.An example for the START command follows:TSS ADD(USER01) DIGICERT(DIGI0001) DCDSN(USER01.CERTIF.001) START(10/01/03)1–54 Cookbook

Digital Certificate SupportFOR|UNTIL—Specifies an optional expiration date. This date is not the same asthe expiration date defined in the certificate. The web server validates that date.This date gives the security administrator the ability to specify when thecertificate will expire on MVS.Examples for the FOR|UNTIL commands follow:TSS ADD(USER01) DIGICERT(DIGI0001) DCDSN(USER01.CERTIF.001) FOR(30)TSS ADD(USER01) DIGICERT(DIGI0001) DCDSN(USER01.CERTIF.001) UNTIL(10/01/03)LABLCERT—Specifies the label to be associated with the certificate being addedto the user. Up to 32 characters can be specified for the label name. Spaces areallowed if you use single quotes. This label is used as an identifier instead of theserial number and issuer's distinguished name, and must be unique for theindividual user. If a label is not specified, the label field will default to the valuespecified within the DIGICERT keyword.An example for the LABLCERT command follows:TSS ADD(USER01) DIGICERT(DIGI0001) LABLCERT(‘label for digicert 001’)TRUST|NOTRUST | HITRUST—A certificate can be associated with a useronly when TRUST is specified. The default is NOTRUST.Examples for the TRUST|NOTRUST |HITRUST commands follow:TSS ADD(USER01) DIGICERT(DIGI0001) DCDSN(USER01.CERTIF.001) TRUSTTSS ADD(USER01) DIGICERT(DIGI0001) DCDSN(USER01.CERTIF.001) NOTRUSTTSS ADD(CERTAUTH) DIGICERT(DIGI0001) DCDSN(USER01.CERTIF.001) HITRUST ** Important! HITRUST is only valid for the Acid named CERTAUTH.ICSF—If ICSF is specified and the IBM ICSF feature is enabled,(ICSF is theinterface to the cryptographic hardware on z/OS and OS/390. You must havecryptographic hardware installed and enabled on your system) the private key isstored in the ICSF data facility.An example for the ICSF attribute follows:TSS ADD(USER01) DIGICERT(DIGI0001) DCDSN(USER04.CERTIF.001) ICSFNote: If the certificate's private key resides in an ICSF storage facility and theformat of PKCS12DER or PKCS12B64 is specified in the TSS EXPORT command,the command is rejected and a TSS0533E message is issued.PKCSPASS—The PKCCS-password can be up to 255 characters, is case sensitive,and can contain blanks.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–55

Digital Certificate SupportGenerating a Digital Certificate and Adding It to a UserThe GENCERT command gives the administrator the ability to create a digitalcertificate and potentially a public/private key pair.The DIGICERT keyword is required on the TSS GENCERT command. If bothDCDSN and SUBJECTN are specified, the SUBJECTN information overrides therequest data set name. If SUBJECTN is specified, only one of the SUBJECTN subfields is required to be entered.The syntax for the GENCERT command follows:TSS GENCERT [{CERTAUTH|CERTSITE|acid}] DIGICERT(8-byte-name)[DCDSN(request-data-set-name)\][SUBJECTN ('CN="common-name"T="title"OU="organizational-unit-name1,organizational-unit-name2"O="organizational-name"L="locality"ST="2-character-only-state-or-province"C="country"')][ALTNAME('IP=numeric-IP-address DOMAIN=internet-domain-nameEMAIL=email-address URI=universal-resource-identifier')][ICSF][KEYSIZE(key-size)][KEYUSAGE(‘HANDSHAKE DATAENCRYPT DOCSIGN CERTSIGN’)][LABLCERT(label-name)][NBDATE(mm/dd/yy) NBTIME(hh:mm:ss)][NADATE(mm/dd/yy) NATIME(hh:mm:ss)][SIGNWITH(acid,digicert)]The sub keywords of the GENCERT function specify the information that is to becontained within the certificate that is being created.ACID—A user acid or you can specify.CERTAUTH—Is an acid in which your installation can maintain certificates thatwere generated by a third party certificate authority (CA). This acid ispre-defined in eTrust CA-Top Secret. You cannot add a KEYRING to this acid.CERTSITE—Is an acid in which your installation can maintain site-generatedcertificates. This acid is pre-defined in eTrust CA-Top Secret. You cannot add aKEYRING to this acid.DIGICERT—Specifies a one- to eight-character ID that identifies the certificatewith the user acid. The DIGICERT must be entered as part of all GENCERTcommands since this keyword indicates the name to be used in the digitalcertificate.An example for the DIGICERT command follows:TSS ADD(USER01) DIGICERT(DIGI0001)1–56 Cookbook

Digital Certificate SupportDCDSN(request-data-set-name)—Specifies the name of an optional data set thatcontains the PKCS#10 certificate request data. The request data set name can bethe output from a TSS GENREQ command. The request data contains the user'sgenerated public key and X.509 distinguished name. The request data must besigned, DER-encoded, and then Base64 encoded according to PKCS#10 standard.The data set must be cataloged and up to 26 characters long (8.8.8.2).If DCDSN is not specified, eTrust CA-Top Secret does not generate a key pairbecause this data set contains the user's public key. If DCDSN is specified,SIGNWITH must also be specified because the request-data-set-name (inDCDSN) does not contain a private key.An example for the DCDSN command follows:TSS GENCERT(USER01) DIGICERT(DIGI0001) DCDSN(USER01.CERTIF.001)SUBJECTN—The attributes can consist of 229 characters if it is a self-signedcertificate. Otherwise, if it is a non-self signed certificate, the maximum length is225-characters. You can use A-Z and 0-9. The only exception is ST=STATE orPROVINCE. This is a 2-digit value field. If DCDSN or SUBJECTN is notspecified, the SUBJECTN will default to the acid name field. Note: If any of thevalues contain blanks, they must be enclosed in double quotes. The completeSUBJECTN phase must be enclosed in parenthesis and single quotes.An example for the SUBJECTN command follows:TSS GENCERT(USER01) DIGICERT(DIGI0001) SUBJECTN(‘CN=”Ted User” ST=NJ’)ALTNAME—Specifies the appropriate values for the SubjectAltname extension,of which one or more values might be coded. There is no default. The followingare possible values that can be used:■■■IP—Specifies a string containing a fully qualified IP address in IPV4 dotteddecimal form, which is four decimal numbers (each number must be a valuefrom 0-255) separated by periods.For example: 203.9.102.100DOMAIN—Specifies a string containing a fully qualified internet domainname.For example: CA.COMEMAIL—Specifies a string containing a fully qualified email address.For example: david@kindgom.netImplementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–57

Digital Certificate Support■URI—Specifies the universal resource identifier.For example: www.ca.comNotes:– When you specify multiple parameters to ALTNAME, you must includeone single quote at the beginning and end of parameter list.For example: ALTNAME('IP=201.100.10.9 EMAIL=my.email@test.net')– Multiple parameters are separated with a space (see example above).ICSF—If ICSF is specified and the IBM ICSF feature is enabled, the private key isstored in the ICSF data facility.An example for the ICSF attribute follows:TSS GENCERT(USER01) DIGICERT(DIGI0001) ICSFKEYSIZE—Specifies the size of the private key in decimal bits. The maximumkey size is determined by United States of America export regulations and iscontrolled by non eTrust CA-Top Secret code in z/OS and OS/390. Currently,the standard sizes for keys are:■■■512—low-strength key768—medium-strength key1024—high-strength key (Default)Examples for the KEYSIZE command follow:TSS ADD(USER01) DIGICERT(DIGI0001) DCDSN(USER01.CERTIF.001) KEYSIZE(512)TSS ADD(USER01) DIGICERT(DIGI0001) DCDSN(USER01.CERTIF.001) KEYSIZE(768)TSS ADD(USER01) DIGICERT(DIGI0001) DCDSN(USER01.CERTIF.001) KEYSIZE(1024)KEYUSAGE—Specifies key attribute information, including the appropriatevalues for the KeyUsage certificate extension, of which one or more of the valuesmight be coded. For certificate authority certificates (CERTAUTH) the default isCERTSIGN and is always set. There is no default for certificates that are notcertificate-authority certificates. Valid values for KEYUSAGE include thefollowing:■■■■HANDSHAKE - Facilitates identification and key exchange during securityhandshakes, such as SSL, which set the digital signature and keyencipherment indicators.DATAENCRYPT - Encrypts data, which sets the data enciphermentindicator.DOCSIGN - Specifies a legally-binding signature, which set thenon-repudiation indicator.CERTSIGN - Specifies a signature for the other digital certificates and CRLs,which sets the keyCertSign an cRLSign indicators.1–58 Cookbook

Digital Certificate SupportNote: Include single quotes if specifying more than one value with KEYUSAGE.For example:KEYUSAGE('HANDSHAKE DATAENCRYPT')LABLCERT—Specifies an optional and case-sensitive label to be associated withthe certificate being added to the user. Up to 32 characters can be specified forthe label name. Spaces are allowed if you use single quotes. This label is used asa handle instead of the serial number and issuer's distinguished name, and mustbe unique for the individual user. If a label is not specified, the label field willdefault to the value specified within the DIGICERT keyword.NADATE/NATIME—The optional NADATE and NATIME keywords specifythe effective dates and times to not be used in the digital certificate. TheNADATE specifies the “not after” date after which a digital certificate cannot beused. The NATIME specifies the “not after” time after which the certificatecannot be used. The certificate is deactivated after this date and time.An example for the NADATE/NATIME command follows:TSS GENCERT(user1) DIGICERT(cert0001) DCDSN(user1.cert.data)NADATE(09/01/03) NATIME(00:00:01)Date and time fields are optional, except if time is specified, date is required. IfNADATE is omitted, the default is one year from the date the certificate isgenerated.NBDATE/NBTIME— The optional NBDATE and NBTIME keywords specifythe effective dates and times to be used in the digital certificate. The NBDATEspecifies the “not before” date which a digital certificate can be used. TheNBTIME specifies the “not before” time which the certificate can be used. Thecertificate is activated at the specified date and time.An example for the NBDATE/NBTIME command follows:TSS GENCERT(user1) DIGICERT(cert0001) DCDSN(user1.cert.data)NBDATE(09/01/02) NBTIME(08:00:01)Date and time fields are optional, except if time is specified, date is required.SIGNWITH—Specifies the certificate with a private key that is signing thecertificate. If not specified, the default is to sign the certificate with a private keyof the certificate that is being generated. This creates a self-signed certificate. IfSIGNWITH is specified, it must refer to a certificate that has a private keyassociated with it. If no private key is associated with the certificate, aninformational message is generated and processing stops. If DCDSN is specifiedon the GENCERT command, the SIGNWITH keyword is required.Self-signed certificates are always trusted, while all other certificates are createdwith the trust status of the certificate specified in the SIGNWITH keyword. If thecertificate specified in the SIGNWITH keyword is not trusted, an informationalmessage is issued, but the certificate is still generated.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–59

Digital Certificate SupportAn example for the SIGNWITH keyword follows:TSS GENCERT(USER01) DIGICERT(CERT0001) DCDSN(USER1.CERT.DATA) -SIGNWITH(USER02,CERT002)Listing Digital Certificate InformationTo list information about a digital certificate, identify the digital certificate by itscertificate name or label, or by both its serial number and the issuer'sdistinguished name, or by segment data. The syntax follows:TSS LIST(acid|CERTAUTH|CERTSITE) {LABLCERT('label name')}{DIGICERT(8-byte name)}{SERIALNUM(serial-number) ISSUERDN(issuer's DN)}{SEGMENT(certdata)}{SEGMENT(ALL)}{KEYRING(8-byte name)}{LABLRING(237-byte name)}For each certificate, the list command displays the following information:■■■■■■■■■■■serial numberissuer's distinguished namelabelstatusvalidity datesprivate key size (If private key is present)private key type (If private key is present)rings (If private key is present)keyusagealtnamesubject's name as found in the certificate itself, up to 256 bytesYou can list all the acids and the digital certificates associated with them byexecuting the following command:TSS LIST(SDT) DIGICERT(ALL)You can list all the acids and their keyrings associated with them by executingthe following command:TSS LIST(SDT) KEYRING(ALL)1–60 Cookbook

Digital Certificate SupportYou can list the associated SEGMENT information for a specific ACID byexecuting the following command:TSS LIST(USER01) SEGMENT(CERTDATA)TSS LIST(USER01) SEGMENT(RINGDATA)TSS LIST(USER01) SEGMENT(ALL)You can list the associated DIGICERT for a specific acid by executing thefollowing command. The command must contain the name of the DIGICERT orKEYRING already associated with the ACID.TSS LIST(USER01) DIGICERT(CERT001)orTSS LIST(USER01) KEYRING(ACCTRING)Generating a Certificate RequestYou can send a request to a certificate authority to verify the validity of a digitalcertificate. If eTrust CA-Top Secret generated the certificate, the request isimported to eTrust CA-Top Secret just as if the certificate authority was anothercompany.The request contains the subject's distinguished name and public key and issigned with the private key associated with the specified certificate. A PKCS#10base64-encoded request is generated and written to data set. The GENREQDCDSN must not be defined. Meaning the output DCDSN cannot be allocatedor cataloged, this happens when you use the GENREQ command. The data setcan be used as the DCDSN in a TSS GENCERT command.The syntax for the GENREQ command requires the DCDSN, and that youidentify the certificate using DIGICERT or LABLCERT (or both).TSS GENREQ(acid|CERTAUTH|CERTSITE) DCDSN(output data set name){DIGICERT(name)}or{LABLCERT('label name')}An example for the GENREQ command follows:TSS GENREQ(user1) DIGICERT(cert0001) DCDSN(USER3.CERT.DATA) LABLCERT(‘REQUEST 3’)ACID—A user acid or you can specify,CERTAUTH—Is an acid in which your installation can maintain certificates thatwere generated by a third party certificate authority (CA). This acid ispre-defined in Top Secret or you can specify. You cannot add a KEYRING to thisACID.CERTSITE—Is an acid in which your installation can maintain site-generatedcertificates. This acid is pre-defined in Top Secret. You cannot add a KEYRING tothis ACID.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–61

Digital Certificate SupportDCDSN(output-data-set-name)—The data set will be allocated and cataloged,and will contain the ouput data set from the genreq’ed digital certificate. Thedata set name will conform to the MVS standards, up to a maximum of 26characters.DIGICERT—Specifies a one- to eight-character ID that identifies the certificatewith the user acid.LABLCERT—Specifies an optional and case-sensitive label to be associated withthe certificate being added to the user. Up to 32 characters can be specified forthe label name. Spaces are allowed if you use single quotes. This label is used asa handle instead of the serial number and issuer’s distinguished name, and mustbe unique for the individual user. If a label is not specified, the label field willdefault to the value specified within the DIGICERT keyword.Changing a User's CertificateUse the REPLACE command to update a user certificate.If the certificate has a connection to a user key ring, the certificate is replaced andall key ring connections continue with the new certificate. This lets you update auser's certificate without the need to reconnect the certificate to key rings.On a REPLACE command, the digital certificate that you want to update can beidentified three different ways: by using DIGICERT or LABLCERT, or by usingboth SERIALNUM and ISSUERDN.The syntax for the REPLACE command to replace as user certificate requires theDCDSN parameter as shown next.TSS REPLACE(acid|CERTAUTH|CERTSITE) DCDSN(dsname){DIGICERT(name)}{LABLCERT(label name)}{SERIALNUM(serial number) ISSUERDN(issuer's dist' name)}SERIALNUM—Specifies the certificate's serial number.ISSUERDN—Specifies the certificate issuer's distinguished name.Certificate Replacement (Renewal)As part of the TSS Replace command processing, a certificate can be replacedwithout deleting and reinserting it. To replace an existing certificate, make surethat one of the following three(3) cases is satisfied:Case #1. The certificate being added is a duplicate of the existing certificate(i.e.,has the same serial number and issuer’s distinguished name) and the labels andrecord keys of both certificates are the same;1–62 Cookbook

Digital Certificate SupportCase #2. The certificate being added is NOT a duplicate of the existing certificate,has the same subject’s distinguished name, issuer’s distinguished name, andpublic key as the existing certificate, the end date and time on the certificatebeing added is later than on that of the existing certificate, the existing certificateis NOT expired, and the record keys of both certificates are the same;Case #3. The certificate being added is NOT a duplicate of the existing certificate,has the same public key as the existing certificate, there is a private keyassociated with the existing certificate in the database, the existing certificate isNOT expired, and the record keys of both certificates are the same.An example for the REPLACE command follows:TSS REPLACE(USER01) DIGICERT(DIGI0001) DCDSN(USER1.CERT.DATA)Changing a Certificate's StatusThe trust status of a certificate can be changed for a specified user or certificateauthority. The status of the certificate is updated according to whether TRUST,NOTRUST or HITRUST is specified on the command.Important! HITRUST is only valid for the Acid named CERTAUTH.On a REPLACE command, the digital certificate that you want to update can beidentified three different ways: by using DIGICERT or LABLCERT, or by usingboth SERIALNUM and ISSUERDN.The syntax for the REPLACE command follows:TSS REP(acid|CERTAUTH|CERTSITE) {DIGICERT(name)}{LABLCERT(label name)}{SERIALNUM(serial number) ISSUERDN(issuer's dist' name)}TRUST|NOTRUST|HITRUSTAn example for the REPLACE command follows:TSS REPLACE(user1) DIGICERT(cert0001) NOTRUSTChanging a Certificate's LabelThe label for a certificate can be changed. The syntax requires that the certificatefor which the label is being updated be identified using DIGICERT or by usingSERIALNUM and ISSUERDN.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–63

Digital Certificate SupportThe syntax for using the REPLACE command to change a label follows:TSS REPLACE(acid|CERTAUTH|CERTSITE) {DIGICERT(name)}{SERIALNUM(serial number) ISSUERDN(issuer's dist' name)}LABLCERT(label name)An example for the LABLCERT command follows:TSS REPLACE(USER01) DIGICERT(DIGI0001) LABLCERT(‘label for digicert 002’)Removing a Certificate from a UserYou can use the REMOVE command to remove a certificate from a user.If the certificate has a connection to a user key ring, the certificate is removedalong with any key ring connections it can have.On a REMOVE command, the digital certificate can be identified three differentways: by using DIGICERT or LABLCERT, or by using both SERIALNUM andISSUERDN.Use the following command to remove a certificate from a user:TSS REM(acid|CERTAUTH|CERTSITE) {DIGICERT(8-byte name)}{LABLCERT(label name)}{SERIALNUM(serial number) ISSUERDN(issuer's dist' name)}An example for the REMOVE command follows:TSS REMOVE(USER01) DIGICERT(DIGI0001)Determining if a Certificate has been Added to eTrust CA-Top SecretYou can check to see who has a certificate in a specified data set. The CHKCERTcommand determines whether the digital certificate in the specified data set hasbeen added to the eTrust CA-Top Secret security file and associated with an acid.Use the following syntax for TSS CHKCERT:TSS CHKCERT DCDSN(input data-set-name) PKCSPASS(pksc12-password)DCDSN(input-data-set-name)—Specifies the name of an optional data set thatcontains the PKCS#10 certificate request data. The request data set name can bethe output from a TSS GENREQ command. The request data contains the user'sgenerated public key and X.509 distinguished name. The request data must besigned, DER-encoded, and then Base64 encoded according to PKCS#10 standard.PKCSPASS—The PKCS-password can be up to 255 characters, is case sensitive,and can contain blanks.1–64 Cookbook

Digital Certificate SupportImportant! The password associated with PKCS#12 certificates are notviewable. It is the eTrust CA-Top Secret administrator's responsibility to keep track ofthe PKCS#12 password that is assigned to the digital certificate.Exporting Certificates to Data SetsYou can export a certificate from a eTrust CA-Top Secret security file to a newdata set using the TSS EXPORT command. The certificate to be exported can beidentified by its DIGICERT name or by its label. You cannot export a digitalcertificate with ICSF.Use the following syntax for TSS EXPORT:TSS EXPORT(acid|CERTAUTH|CERTSITE){DIGICERT(name) {LABLCERT{up to 32 characters)}{DCDSN(output-data set name) FORMAT(format type)}{PKCSPASS(PKCS#12 password)}ACID—A user acid or you can specify:CERTAUTH—Is an acid in which your installation can maintain certificates thatwere generated by a third party certificate authority (CA). This acid ispre-defined in Top Secret or you can specify. You cannot add a KEYRING to thisACID.CERTSITE—Is an acid in which your installation can maintain site-generatedcertificates. This acid is pre-defined in Top Secret. You cannot add a KEYRING tothis ACID.DIGICERT—Specifies a one- to eight-character ID that identifies the certificatewith the user acid. The DIGICERT must be entered as part of all GENCERTcommands since this keyword indicates the name to be used in the digitalcertificate.DCDSN(output-data-set-name)—The data set will be allocated and cataloged,and will contain the output from the exported digital certificate. The data setname will conform to the MVS standards, up to a maximum of 26 characters.FORMAT—The following operands can be used with the FORMAT keyword:■■■■CERTB64—Indicates Base64 encoded certificates (default).CERTDER—Indicates DER encoded X.509 certificates.PKCS12B64—Indicates DER encoded (then Base64 encoded) PKCS#12package.PKCS12DER—Indicates DER encoded PKCS#12 package.An example for the FORMAT command follows:TSS EXPORT(USER01) DIGICERT(DIGI0001) DCDSN(USER3.CERT.DATA) FORMAT(CERTDER)Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–65

Digital Certificate SupportLABLCERT—Specifies an optional and case-sensitive label to be associated withthe certificate being added to the user. Up to 32 characters can be specified forthe label name. Spaces are allowed if you use single quotes. This label is used asa handle instead of the serial number and issuer’s distinguished name, and mustbe unique for the individual user. If a label is not specified, the label field willdefault to the value specified within the DIGICERT keyword.PKCSPASS—The PKCS-password can be up to 255 characters, is case sensitive,and can contain blanks.Important!■■The password associated with PKCS#12 certificates are not viewable. It is theeTrust CA-Top Secret administrator’s responsibility to keep track of thePKCS#12 password that is assigned to the digital certificate.If the certificate’s private key resides in an ICSF storage facility and theformat of PKCS12DER or PKCS12B64 is specified in the TSS EXPORTcommand, the command is rejected. A TSS0533E message is issued. Youcannot export a digital certificate with ICSF.Sharing Certificates on Key RingsA key ring is a collection of digital certificates for an individual user. Key ringsprovide an installation-wide method to share digital certificates across multipleservers. A user can have more than one key ring.Creating a Key RingUse the following syntax to add a key ring to a user's acid record:TSS ADD(acid) KEYRING(8-byte key ring name) [LABLRING(237-byte ring name)]KEYRING—Specifies the key ring being added to the user's acid. An individualacid can be a member of more than one key ring.LABLRING—Specifies the label to be associated with the keyring being added tothe user. Up to 237 characters can be specified for the lablring name. This label isused as an identifier of the digital certificate code and must be unique for the keyring.You can add digital certificates that were issued by a certificate authority to oneuser to another user's key ring. This allows the administrator to further definethe access that a user has to certain resources. Before a digital certificate can beadded to a key ring, it must have been added to the owner's acid record throughthe TSS ADD DIGICERT command.Note: You cannot add a KEYRING to predefined ACIDS (CERTAUTH orCERTSITE).1–66 Cookbook

Digital Certificate SupportAdding a Certificate to a Key RingThe following syntax shows how to add a digital certificate to a key ring:TSS ADD(acid) KEYRING(8-byte key ring name)[LABLRING(237-byte ring name)]{RINGDATA(acid,digicert)}{RINGDATA(CERTAUTH,digicert)}{RINGDATA(CERTSITE,digicert)}[DEFAULT][USAGE(PERSONAL|CERTAUTH|CERTSITE)]The sub keywords of the KEYRING function specify more detailed informationthat can be added along with KEYRING.KEYRING – The ring name is unique within the user, the name you specify inKEYRING will identify the key ring for a user.LABLRING – Provides the ability to add a 237-character label name to the keyring; can be used as a key to locate a certificate key ring. If not specified, the8-byte KEYRING name is automatically added to the LABLRING.RINGDATA—Specifies the acid and certificate label name (as specified byDIGICERT) of the certificate being added to the user.DEFAULT—Specifies that the certificate is the default certificate for the key ring.This parameter is optional. Only one certificate within the key ring can be thedefault. If a default already exists, its DEFAULT status is removed, and thespecified certificate becomes the default certificate.USAGE—Specifies how this certificate is used with the specified key ring. Thedefault usage is the same as the certificate that is being connected.■■■PERSONAL—Demotes a certificate to ensure that it is not used as acertificate authority in this key ring.CERTAUTH—Promotes an ordinary user certificate to that of a certificateauthority within this key ring.CERTSITE—Promotes an ordinary user certificate to that of a site certificate.Removing a Key ring from an acidTo remove a key ring, use the TSS REMOVE command with the followingsyntax:TSS REMOVE(acid) {KEYRING(8-byte name)|LABLRING(237-byte ring name)}This command also removes all key ring cross references from all acids that havecertificates that were attached to the key ring that is being removed.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–67

Digital Certificate SupportExtracting Certificates from Key RingsAuthorized applications, such as servers HTTP, TN3270, CICS, or LDAP, invokethe R_Datalib callable service (IRRSDL00) in order to retrieve certificates andprivate keys from a Key ring, and manage serial numbers for certain certificates.eTrust CA-Top Secret supports the R_Datalib functions using its Keyringsupport. You must authorize these accesses to IRRSDL00 functions byadministering IBM resource class (IBMFAC) facility permissions for theIRR.DIGTCERT.function. Where function could be LISTRING, LIST, orGENCERT.For example, to extract a user certificate from a key ring, the user would requireaccess to IBMFAC function LISTRING:TSS ADD(dept) IBMFAC(IRR.DIGTCERT)TSS PER(acid) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE)TSS PER(acid) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(UPDATE)TSS PER(acid) IBMFAC(IRR.DIGTCERT.GENCERT) ACCESS(UPDATE)Note: If the certificate user ID is the same as the user ID issuing the R-Datalibcall, the required authority is ACCESS (READ). If the user Id is not the same,then the required authority is ACCESS (UPDATE) or ACCESS (CONTROL).Extracting Private KeysAn application can extract the private key from a user certificate if the followingconditions are met:■■■■■The caller’s user ID is the user ID associated with the certificateThe certificate is connection to its key ring with the PERSONAL usageoption.An application can extract the private key from a CERTAUTH or CERTSITEcertificate if the following conditions are met:The caller’s user ID has at least CONTROL access to the IBMFAC resourceIRR.DIGTCERT.GENCERT.The certificate is connection to its key ring with the PERSONAL usageoption.1–68 Cookbook

Digital Certificate SupportReconnecting Private KeysWhen generating self-signed certificates using GENCERT, a public/private keypair is built and stored within the certificate. The private key always remainswith the certificate unless it is sent to a third-party as a certificate request. Whena GENREQ certificate request is sent to a third-party, the returned certificate willnot contain the private key. This happens because private keys are not shippedas part of a certificate request.To use a third-party certificate, the private key must be re-connected to thecertificate. This is accomplished automatically when a TSS ADD command isissued to re-connect the third-party certificate to the same user id that has the(model) certificate. The original, self-signed certificate private key, is connectedto the new certificate.As long as the user id is the same and the public key within the third-partycertificate matches the original certificate, the private key is connected.Listing Key Ring InformationYou can list all the acids and their keyrings associated with them by executingthe following command:TSS LIST(SDT) KEYRING(ALL)You can also list the associated KeyRing and LABLRING for a specific acid byexecuting the following command. The command must contain the name of theKeyRing or LABLRING already associated with the acid.TSS LIST(USER01) KEYRING(RING0001) orTSS LIST(USER01) LABLRING(LABELRING0002)Managing Certificate Serial NumbersAn application can invoke the R_Datalib callable service to manage serialnumbers for certificates.An application can increment the “last serial number issued” for a personal(user) certificate if the following conditions are met:■■The caller’s user ID is the user ID associated with the certificateThe caller’s user ID has at least READ authority to the IBMFAC resourceIRR.DIGTCERT.GENCERT.TSS PER(acid) IBMFAC(IRR.DIGTCERT.GENCERT) ACCESS(READ)Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–69

Digital Certificate SupportAn application can increment the “last serial number issued” for a CERTAUTHor CERTSITE certificate if the following conditions are met:■■The caller’s user ID is the user ID associated with the certificateThe caller’s user ID has at least CONTROL authority to the IBMFACresource IRR.DIGTCERT.GENCERTTSS PER(acid) IBMFAC(IRR.DIGTCERT.GENCERT) ACCESS(CONTROL)CERTADMThe following is a copy of the eTrust CA-Top Secret supplied command list,CERTADM. This list contains sample Digital Certificate commands that presentthe various Digital Certificate supported functional keywords./*=====================================================================*//*Basic Self-signed Digital Certificate *//*=====================================================================*/TSS CREATE(GENCDIV) TYPE(DIV) NAME('GENCERT DIVISION')TSS CREATE(GENCDEPT) TYPE(DEPT) DIV(GENCDIV)TSS CREATE(MARY001) NAME('GENCERT USER MARY') TYPE(USER) -PASSWORD(123,0) DEPT(GENCDEPT)TSS GENCERT(MARY001) DIGICERT(MARYCERT)TSS LIST(MARY001) DATA(ALL,PASSWORD)TSS REPLACE(MARY001) DIGICERT(MARYCERT) -LABLCERT('SELF-SIGNED PRIVATE KEY FOR MARY')TSS LIST(MARY001) LABLCERT('SELF-SIGNED PRIVATE KEY FOR MARY')TSS LIST(SDT) DIGICERT(ALL)TSS LIST(MARY001) SEGMENT(CERTDATA)/*=====================================================================*//*Create 5 Digital Certificates & add to the same user acid) *//*=====================================================================*/TSS CREATE(GENCDIV) TYPE(DIV) NAME('GENCERT DIVISION')TSS CREATE(GENCDEPT) TYPE(DEPT) DIV(GENCDIV) -NAME('GENCERT DEPARTMENT')TSS CREATE(JAMES01) NAME('GENCERT USER JAMES') TYPE(USER) -PASSWORD(123,0) DEPT(GENCDEPT)TSS LIST(JAMES01) DATA(ALL,PASSWORD)TSS GENCERT(JAMES01) DIGICERT(JIM01) LABLCERT('1ST D.CERT FOR JIM') -KEYSIZE(512) KEYUSAGE(HANDSHAKE) ALTNAME('IP=203.9.102.100')TSS LIST(JAMES01) DATA(ALL,PASSWORD)TSS LIST(SDT) DIGICERT(ALL)TSS GENCERT(JAMES01) DIGICERT(JIM02) LABLCERT('2ND D.CERT FOR JIM') -NBDATE(10/01/02) NBTIME(08:00:00) -NADATE(10/01/03) NATIME(09:00:00) -KEYUSAGE(DATAENCRYPT) KEYSIZE(768) ALTNAME(DOMAIN=CA.COM) -SUBJECTN('CN="JAMES SECOND DIGICERT"')TSS LIST(JAMES01) DIGICERT(JIM02)TSS LIST(SDT) DIGICERT(ALL)TSS GENCERT(JAMES01) DIGICERT(JIM03) -NBDATE(10/01/02) NBTIME(08:00:00) -NADATE(10/31/03) NATIME(09:00:00) -KEYSIZE(1024) -LABLCERT('3RD D.CERT FOR JIM') -KEYUSAGE(DOCSIGN) -ALTNAME('IP=201.100.10.9 EMAIL=JAMES03@TEST.NET') -SUBJECTN('T="THIRD BOOK OF JAMES" OU=PAYROLL')1–70 Cookbook

Digital Certificate SupportTSS LIST(JAMES01) DIGICERT(JIM03)TSS LIST(SDT) DIGICERT(ALL)TSS GENCERT(JAMES01) DIGICERT(JIM04) -SUBJECTN('CN="JIM DOUGLAS" O=CA ST="NEW JERSEY" C=US -T="TEST GENCERT" L="NO. BRUNSWICK"') -KEYSIZE(1024) -LABLCERT('4TH D.CERT FOR JIM') -KEYUSAGE(CERTSIGN) -ALTNAME(URI=WWW.CA.COM)TSS LIST(JAMES01) DIGICERT(JIM04)TSS LIST(SDT) DIGICERT(ALL)TSS GENCERT(JAMES01) DIGICERT(JIM05) -SUBJECTN('CN=JIM05 O=CA ST=NJ C=US') -NBDATE(10/01/02) NADATE(10/30/03) -NBTIME(08:00:00) NATIME(09:00:00) -KEYSIZE(1024) -LABLCERT('5TH DIGICERT FOR JIM') -ICSF -KEYUSAGE(CERTSIGN) -ALTNAME('IP=201.100.10.9 EMAIL=JAMES05@TEST.NET DOMAIN=CA.COM -URI=WWW.CA.COM')TSS LIST(JAMES01) DIGICERT(JIM05)TSS LIST(JAMES01) DATA(ALL,PASSWORD)TSS LIST(SDT) DIGICERT(ALL)/*=====================================================================*//*To Generate a Digital Certificate with keyword SIGNWITH & Remove *//* Digicert *//*=====================================================================*/TSS CREATE(GENCDIV) TYPE(DIV) NAME('GENCERT DIVISION')TSS CREATE(GENCDEPT) TYPE(DEPT) DIV(GENCDIV) -NAME('GENCERT DEPARTMENT')TSS CREATE(MARY001) NAME('GENCERT USER MARY') TYPE(USER) -PASSWORD(123,0) DEPT(GENCDEPT)TSS GENCERT(MARY001) DIGICERT(MARYCERT) –LABLCERT('SELF-SIGNED PRIVATE KEY FOR MARY')TSS LIST(MARY001) DATA(ALL,PASSWORD)TSS CREATE(TEDD001) NAME('GENCERT USER TEDD') TYPE(USER) -PASSWORD(123,0) DEPT(GENCDEPT)TSS LIST(TEDD001) DATA(ALL,PASSWORD)TSS GENCERT(TEDD001) DIGICERT(TEDCERT1) -SIGNWITH(MARY001,MARYCERT)TSS LIST(TEDD001) DATA(ALL,PASSWORD)TSS LIST(TEDD001) DIGICERT(TEDCERT1)TSS LIST(SDT) DIGICERT(ALL)TSS REMOVE(TEDD001) DIGICERT(TEDCERT1)/*=====================================================================*//*To Generate a Digital Certificate Request and write it to a data set.*//* (GENREQ) *//*=====================================================================*/TSS CREATE(GENCDIV) TYPE(DIV) NAME('GENCERT DIVISION')TSS CREATE(GENCDEPT) TYPE(DEPT) DIV(GENCDIV) -NAME('GENCERT DEPARTMENT')TSS CREATE(MARY001) NAME('GENCERT USER MARY') TYPE(USER) -PASSWORD(123,0) DEPT(GENCDEPT)TSS GENCERT(MARY001) DIGICERT(MARYCERT) –LABLCERT('SELF-SIGNED PRIVATE KEY FOR MARY')TSS LIST(MARY001) DATA(ALL,PASSWORD)TSS GENREQ(MARY001) DIGICERT(MARYCERT) -DCDSN(QAPRN.GENREQ.MARYCERT) -Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–71

Digital Certificate SupportLABLCERT('SELF-SIGNED PRIVATE KEY FOR MARY')TSS LIST(MARY001) LABLCERT('SELF-SIGNED PRIVATE KEY FOR MARY')/*=====================================================================*//*To Generate a Digital Certificate for a new acid, using the output *//* (DCDSN) from the GENREQ Statement above *//*=====================================================================*/TSS CREATE(GENCDIV) TYPE(DIV) NAME('GENCERT DIVISION')TSS CREATE(GENCDEPT) TYPE(DEPT) DIV(GENCDIV) -NAME('GENCERT DEPARTMENT')TSS CREATE(PAUL001) NAME('GENCERT USER PAUL') TYPE(USER) -PASSWORD(123,0) DEPT(GENCDEPT)TSS LIST(PAUL001) DATA(ALL,PASSWORD)TSS GENCERT(PAUL001) DIGICERT(PAULCERT) -DCDSN(QAPRN.GENREQ.MARYCERT) -LABLCERT('LABEL FOR PAUL001 W/MARY"S DCDSN') -SIGNWITH(MARY001,MARYCERT)TSS LIST(PAUL001) LABLCERT('LABEL FOR PAUL001 W/MARY"S DCDSN')TSS LIST(PAUL001) DIGICERT(PAULCERT)TSS LIST(PAUL001) SEGMENT(CERTDATA)/*========================================================================*//*To Generate a Digital Certificate for a user along with keyword SUBJECTN*//* And list the acid with different variations. *//*========================================================================*/TSS GENCERT(PAUL001) DIGICERT(PAULCT02) -SUBJECTN('CN=PAUL O=CA OU="RESEARCH AND DEVELOPMENT"')TSS LIST(PAUL001) -SERIAL(00) ISSUERDN('.CN=PAUL.OU=RESEARCH AND DEVELOPMENT.O=CA')TSS LIST(PAUL001) DIGICERT(PAULCT02)TSS LIST(PAUL001) SEGMENT(CERTDATA)TSS LIST(SDT) DIGICERT(ALL)/*=====================================================================*//*To EXPORT a Digital Certificate to an output data set NOT defined, *//* then do a CHKCERT command on the output DCDSN to verify that it *//* was EXPORTED. *//*=====================================================================*/TSS LIST(MARY001) DIGICERT(MARYCERT)TSS EXPORT(MARY001) DIGICERT(MARYCERT) -DCDSN(QAPRN.OUTPUT.MARYCERT)TSS CHKCERT DCDSN(QAPRN.OUTPUT.MARYCERT)TSS LIST(JAMES01) DIGICERT(JIM01)TSS EXPORT(JAMES01) DIGICERT(JIM01) -DCDSN(QAPRN.OUTPUT.JIM01) FORMAT(CERTDER)TSS CHKCERT DCDSN(QAPRN.OUTPUT.JIM01)TSS LIST(JAMES01) DIGICERT(JIM02)TSS EXPORT(JAMES01) DIGICERT(JIM02) -DCDSN(QAPRN.OUTPUT.JIM02) FORMAT(PKCS12B64) PKCSPASS(PSWDJIM2)TSS CHKCERT DCDSN(QAPRN.OUTPUT.JIM02) PKCSPASS(PSWDJIM2)TSS LIST(PAUL001) DIGICERT(PAULCT02)TSS EXPORT(PAUL001) DIGICERT(PAULCT02) -DCDSN(QAPRN.OUTPUT.PAULCT02) FORMAT(PKCS12DER) PKCSPASS(PSWDPAUL)TSS CHKCERT DCDSN(QAPRN.OUTPUT.PAULCT02) PKCSPASS(PSWDPAUL)/*=====================================================================*//* Create Digital Certificate KEYRINGS and different variations of *//* the LIST command. *//*=====================================================================*/TSS CREATE(GENCDEPT) TYPE(DEPT) DIV(GENCDIV) -NAME('GENCERT DEPARTMENT')TSS CREATE(MARY001) NAME('GENCERT USER MARY') TYPE(USER) -PASSWORD(123,0) DEPT(GENCDEPT)TSS GENCERT(MARY001) DIGICERT(MARYCERT) –LABLCERT('SELF-SIGNED PRIVATE KEY FOR MARY')1–72 Cookbook

Certificate Name Filtering SupportTSS LIST(MARY001) DATA(ALL,PASSWORD)TSS ADD(MARY001) KEYRING(ACCOUNTG) LABLRING(‘ACCOUNTING-DEBT’) -RINGDATA(PAUL001, PAULCT02) DEFAULT USAGE(PERSONAL)TSS ADD(MARY001) KEYRING(ACCOUNTG) LABLRING(‘ACCOUNTING-DEBT’) –RINGDATA(JAMES01, JIM02) USAGE(CERTSITE)TSS ADD(MARY001) KEYRING(PERSONEL) LABLRING(‘PERSONEL-NEW HIRES’) –RINGDATA(TEDD01, TEDCERT1) USAGE(CERTAUTH)TSS LIST(MARY001) KEYRING(ACCOUNTG)TSS LIST(MARY001) SEGMENT(ALL)TSS LIST(MARY001) DATA(ALL)TSS LIST(MARY001) SEGMENT(CERTDATA)TSS LIST(MARY001) SEGMENT(RINGDATA)TSS LIST(SDT) KEYRING(ALL)TSS LIST(SDT) DIGICERT(ALL)TSS LIST(SDT) LABLRING(‘ACCOUNTING-DEBT’)Certificate Name Filtering SupportPrior to this support level, digital certificates had to be individually defined toeTrust CA-Top Secret to be associated with an acid. Certificate name filtering(CNF) support allows certificates to be associated with users without having toadd each certificate to the eTrust CA-Top Secret security file. This decreases theamount of storage and the administration needed to support a large number ofcertificates.Certificate name filtering allows profiles based on the certificate subject/issuerdistinguished name to be used to select the acid to assign for a particularcertificate. Many certificates can be associated with a single acid. This supportprovides more granular access control and accountability.When a certificate name filter is defined, the information is stored in aCERTMAP record in the SDT on the security file. The filter definition specifiesthe significant portion of the issuer's or subject’s distinguished name that is usedto associate an acid with a certificate. Also, additional criteria can be specified toidentify the acid to be used. eTrust CA-Top Secret supports two system variables(system id and application id) that can be used to select the acid. Sites can alsodefine their own variables to be used as selection criteria. Criteria data is storedin a CRITMAP record in the SDT. CERTMAP and CRITMAP records are createdwith the TSS ADD command.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–73

Certificate Name Filtering SupportTo understand how certificate name filtering works, it is important to know afew directory concepts and to understand the models described by the X.500standard. The subject’s and issuer’s distinguished names on a certificate identifythe subject’s or issuer’s location in an X.500 directory information tree. Let’s lookat an example of a directory tree to help clarify this.In this X.500 directory information tree, Amy’s path name would be:/O=ABC Co/OU=Sales/OU=NY/OU=Dept3/CN=AmyOr, written in the address form used by eTrust CA-Top Secret:O=ABC Co.OU=Sales.OU=NY.OU=Dept3.CN=AmyThe nodes in this tree structure show that Amy works in department Dept3 inNew York in the Sales division of the ABC Co company. A user’s location in thehierarchy determines the access to resources that they have.eTrust CA-Top Secret supports this tree structure. Acids can be assigned to eachlevel at which you want to group users or they can be assigned at just one level.For example, node OU=Dept2 could be assigned to acid NYDEPT2 andOU=Dept3 could be assigned to NYDEPT3. When a user enters the system bypresenting a certificate, eTrust CA-Top Secret determines which acid to assign bymatching the subject’s distinguished name to a node name.1–74 Cookbook

Certificate Name Filtering SupportIf Amy entered the system with a certificate with a subject distinguished name:O=ABC Co.OU=Sales.OU=NY.OU=Dept3.CN=Amyshe would be assigned acid NYDEPT3. If acid AMYUSR was assigned to nodeCN=Amy, she would be assigned acid AMYUSR since that is a more specificmatch. Mapping is also done using the issuer name since two different certificateauthorities can issue a certificate with the same subject name. Acid assignmentcan be based on a combination of subject name and issuer name, only a subjectname or only an issuer name. Both full path names and partial path names can bedefined. Additional criteria (such as application id or system id) can be used toselect the acid to be assigned to a certificate.Managing Certificate Name FiltersThe TSS ADD|REM|REPL|LIST commands are used to manage certificatename filters. The acid specified on the commands will identify the user to beassigned if the filter is matched. A special acid of MULTIID is used to indicatethat additional criteria is used to select the acid. The syntax of the commandfollows:TSS ADD(userid) CERTMAP(recid)SDNFILTR(subject-dist-name-filter)IDNFILTR(issuer-dist-name-filter)CRITERIA(criteria-name-template)LABLCMAP(32 byte label)DCDSN(data set name)TRUST|NOTRUSTCERTMAP—Specifies a unique 8-byte record identifier.SDNFILTR—Specifies the significant portion of the subject’s distinguished namethat is to be used as a filter when associating an acid with a certificate. The valuespecified for SDNFILTR must begin with a prefix found in the following list,followed by an equal sign (X'7E'). Each component should be separated by aperiod (X'4B'). The case, blanks, and punctuation displayed when the digitalcertificate information is listed must be maintained in the SDNFILTR. Sincedigital certificates only contain characters available in the ASCII character set, thesame characters should be used for the SDNFILTR value.For example: SDNFILTR('OU=BobsAcc')Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–75

Certificate Name Filtering SupportValid prefixes for SDNFILTR and IDNFILTR are:ValuesCOUNTRY C=STATE/PROVINCELOCALITY L=Specified asST=ORGANIZATION O=ORGANIZATIONAL UNITTITLE T=COMMON NAMEDOMAIN COMPONENTPOSTAL CODEEMAIL E=STREET NAMEUSERIDOU=CN=DC=PC=STREET=UID=IDNFILTR—Specifies the significant portion of the issuer’s distinguished namethat is to be used as a filter when associating an acid with a certificate. The valuespecified for IDNFILTR should begin with a prefix found in the list above andmust be followed by an equal sign (X'7E'). Each component should be separatedby a period (X'4B'). The case, blanks, and punctuation displayed when the digitalcertificate information is listed must be maintained in the IDNFILTR. Sincedigital certificates only contain characters available in the ASCII character set, thesame characters should be used for the IDNFILTR value.For example: IDNFILTR('OU=Class 1 Certificate.0=BobsCertAuth')CRITERIA—Is specified with the MULTIID acid to identify variable data inaddition to SDNFILTR and IDNFILTR. Criteria defined by eTrust CA-Top Secretare CNFAPP and SYSID. Users can also define their own variables.LABLCMAP—Specifies the label to be associated with the certificate name filter.Up to 32 characters can be specified. It can contain embedded blanks andmixed-case characters, and is stripped of leading and trailing blanks. If a singlequotation is intended to be part of the label-name, you must use two singlequotation marks together for each single quotation mark within the string, andthe entire string must then be enclosed within single quotation marks.1–76 Cookbook

Certificate Name Filtering SupportDCDSN—Specifies the name of a data set that contains a digital certificate. TheSDNFILTR or IDNFILTR data must match a portion of the subject/issuer’sdistinguished name extracted from the certificate. The distinguished name fromthe point of the match to the end of the name is used as the filter data.TRUST/NOTRUST—When specified it indicates whether this mapping can beused to associate a userid to a certificate presented by a user accessing thesystem. If neither TRUST nor NOTRUST is specified, the default is NOTRUST.Managing Criteria MapsWhen the acid is MULTIID and the CRITERIA keyword was specified on the TSS ADDCERTMAP command, criteria data must be defined in CRITMAP records to identify theacid to be associated with a certificate. The acid name on the CRITMAP record identifiesthe user when the filter that matched the certificate was for acid MULTIID. The TSSADD|REM|REPL|LIST commands is used to manage criteria maps. The syntax of theADD command follows:TSS ADD(userid) CRITMAP(recid){SYSID(system identifier)}{CNFAPP(application name)}{CNFUVAR(site variable list)}Userid—Name of the acid to be associated with this filter.CRITMAP—Unique 8-byte record identifier.SYSID—The system identifier. A maximum of 4 characters can be specified andthe value can contain an asterisk (*) for masking.CNFAPP—The application variable. A maximum of 8 characters can be specifiedand the value can contain an asterisk (*) for masking.CNFUVAR—A list of application-defined variables that are defined asCRITERIA keyword data. This field can contain up to 255 uppercase characters.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–77

Certificate Name Filtering SupportCreating Certificate Name Filter ScenariosExample 1Example 2Example 3The following eTrust CA-Top Secret command examples are based on theprevious tree directory structure.Users who enter the system with a certificate subject that starts with:OU=NJ.OU=Sales.O=ABC Cowill be assigned acid NJDEPT1 if the certificate was issued by the VeriSigncertificate authority. If the subject matched but the certificate was issued byanother certificate authority then the user would be assigned acid NJDFLT.TSS ADD(NJDEPT1) CERTMAP(NJMAP1) LABLCMAP(‘NJ Dept 1 Map’) TRUSTIDNFILTR(‘OU=VeriSign Class 1 Individual Subscriber.O=VeriSign,Inc.L=Internet’) SDNFILTR(‘OU=NJ.OU=Sales.O=ABC Co’)TSS ADD(NJDFLT) CERTMAP(NJDFLT) LABLCMAP(‘NJ Default user’) TRUSTSDNFILTR(‘OU=NJ.OU=Sales.O=ABC Co’)Users who enter the system with a certificate subject that starts with:OU=Dept3.OU=NY.OU=Sales.O=ABC Cowill be assigned acid NYDEPT3.TSS ADD(NYDEPT3) CERTMAP(NYMAP3) LABLCMAP(‘NY Dept 3 Map’) TRUSTSDNFILTR(‘OU=Dept3.OU=NY.OU=Sales.O=ABC Co’)In this example we use additional criteria (in this case application id) to decidewhich acid to assign. Users in NY sales department Dept2 that handle corporateaccounts (they use application BUSINESS to access the system) is assigned acidNYDEPT2B and users that handle retail accounts (they use application RETAILto access the system) is assigned acid NYDEPT2R.The special acid name of MULTIID along with the CRITERIA parameter tellseTrust CA-Top Secret that if the subject and/or the issuer name informationmatches, then search the CRITMAP records for a match on application namebefore assigning an acid to the user.TSS ADD(MULTIID) CERTMAP(NYMAP2) LABLCMAP(‘NY Dept 2 Map’) TRUSTSDNFILTR(‘OU=Dept2.OU=NY.OU=Sales.O=ABC Co’) CRITERIA(CNFAPP=&CNFAPP)TSS ADD(NYDEPT2B) CRITMAP(NYCRIT2B) CNFAPP(BUSINESS)TSS ADD(NYDEPT2R) CRITMAP(NYCRIT2R) CNFAPP(RETAIL)1–78 Cookbook

Certificate Name Filtering SupportListing Filtering InformationYou can list all the acids and their CERTMAPS associated with them byexecuting the following command:TSS LIST(SDT) CERTMAP(ALL)You can also list all the acids and their CRITMAP by executing the followingcommand:TSS LIST(SDT) CRITMAP(ALL)You can also list the associated CERTMAP for a specific acid by executing thefollowing command. The command must contain the name of the CERTMAPalready associated with the acid.TSS LIST(USER01) CERTMAP(MAP0001)You can also list the associated SEGMENT information for a specific acid byexecuting the following command.TSS LIST(USER01) SEGMENT(CMAPDATA)TSS LIST(USER01) SEGMENT(CRITDATA)TSS LIST(USER01) SEGMENT(ALL)You can also list the associated DIGTCERT for a specific ACID by executing thefollowing command. The command must contain the name of the DIGTCERTalready associated with the ACID.TSS LIST(USER01) DIGTCERT(CERT001)TSS LIST(USER01) KEYRING(ACCTRING)Init ACEE Changes for Search SequenceInitACEE has been changed to search through the CERTMAP records if anindividual DIGICERT record doesn’t match the incoming certificate. The firstcheck is for a match on full issuer name and a full subject name. If the first testdoes not find a match, we will take off the most specific piece of the SDN and testthe entry again. We will continue to take off pieces of the SDN until we find amatch or until we hit the end of the entry. If no match is found we will try againusing the next entry with both IDNFILTR and SDNFILTR. If no more recordsexist with both fields or there are no more matches on the IDNFILTR, we willsearch through the records with only SDNFILTR. Again, we start with the fullSDN and continue to take pieces off until we have a match or until we hit the endof the SDN. If there is no match on any of the records containing onlySDNFILTR, we look through the entries containing only IDNFILTRs. If no recordmatches the search criteria, an error code is returned. If we find a match, wemust determine what acid name should be returned. If MULTIID and CRITERIAwere not specified, then the acid name in the table is returned. If CRITERIA isavailable, we must find the CRITMAP record that matches the CRITERIAspecified.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–79

Certificate Name Filtering SupportSearch Sequence ScenarioAssume the following records exist and all are trusted. They are listed in the order inwhich they are grouped in the search table.CERTMAP(MAP001) ACID(NJDEPT1)IDNFILTR(OU=Verisign Class 1 Individual Subscriber.O=Verisign,Inc.L=Internet)SDNFILTR(OU=DEPT1.OU=NJ.OU=Sales.O=ABC Co)CERTMAP(MAP002) ACID(NJDEPTX)IDNFILTR(O=Verisign,Inc.L=Internet) SDNFILTR(OU=Sales.O=ABC Co)CERTMAP(MAP003) ACID(NYDEPT2)SDNFILTR(OU=DEPT2.OU=NY,OU=Sales.O=ABC Co)CERTMAP(MAP004) ACID(NYDEPT3)SDNFILTR(OU=DEPT3.OU=NY,OU=Sales.O=ABC Co)CERTMAP(MAP005) ACID(ABCDEPT)SDNFILTR(OU=Sales.O=ABC Co)CERTMAP(MAP006) ACID(ABCTECH)SDNFILTR(OU=R&D.O=ABC Co)CERTMAP(MAP007) ACID(MULTIID)IDNFILTR(O=Verisign,Inc.L=Internet) CRITERIA(CNFAPP=&CNFAPP)CRITMAP(CRT001) ACID(ABCCUST)CNFAPP(ABCINET)CRITMAP(CRT002) ACID(ABCDFLT)CNFAPP(*)Assume a certificate is being presented by a user whose distinguished name is:CN=Bill,OU=Dept4,OU=PA,OU=Sales,O=ABC Co. The issuer’s distinguishedname contains information about That we not VeriSign. How would we processthe search for this certificate?The first two entries don’t match, so we get to the section without an IDNF. Weloop through the SDNFs checking for a match. Then, we take off the CN from thecertificate distinguished name and compare the rest of the certificatedistinguished name against the SDNF. The sections starting with OU=Dept4 andOU=PA will not match. However, the section starting with OU=Sales willprovide a match and the ABCDEPT acid is assigned.Assume a user presents a certificate issued by VeriSign but not for ABC Co. Wewould get a match on CERTMAP MAP007, based on the IDNF information. Thenwe would search the CRITMAP records for a matching CNFAPP. If the CNFAPPwas ABCINET, then acid ABCCUST would be assigned. All other applicationswould be assigned the default acid ABCDFLT.1–80 Cookbook

KerberosKerberosetrust CA-Top Secret can be configured to implement Unix Systems ServicesNetwork Authentication and Privacy Service, known as Kerberos. New recordsin the SDT are defined to provide REALM definitions to describe the local andforeign environments, which the local server is expected to recognize. LocalACIDs are equipped with an additional KERB segment, containing Kerberosinformation, and are mapped for fast access in the SDT. Foreign ACIDs arelinked to local ACIDs through additional SDT definitions.In this chapter, the resource HFSSEC is used for UNIX file security. Forgenerality, if the client does not wish to employ eTrust CA-Top Secret HFSSEC,the IBMFAC(SUPERUSER.) resource may be substituted in the examples below.Local Server ConfigurationInstructions for installing the Kerberos Server are provided in the z/OS NetworkAuthentication Service Administration Guide. In order to implement the KerberosServer SKRBKDC, you will need to define a region ACID for this procedure. Usethe following commands:TSS CREATE(SKRBKDC) NAME(‘kerb server acid’) PASS(NOPW,0)DEPT(sysdept) FACILITY(BATCH,STC,OPENMVS) SOURCE(INTRDR)The ACID will need to have a number of permissions and keywords established.Use the following commands:TSS ADD(SKRBKDC) UID(0) HOME(/etc/skrb/home/kdc) OMVSPGM(/bin/sh) GROUP(omvsgrp)DFLTGRP(omvsgrp)TSS PER(SKRBKDC) HFSSEC(/BIN.SH) ACC(READ,EXEC)TSS PER(SKRBDDC) HFSSEC(/ETC.SKRB) ACC(READ)Additional permissions will be needed, depending on the settings of variables inthe configuration file, /var/skrb/home/kdc/envar. Use the followingcommands:TSS PER(SKRBKDC) HFSSEC(nlspath) ACC(READ,EXEC)TSS PER(SKRBKDC) HFSSEC(nlslocale) ACC(READ,EXEC)The installation defaults are:nlspath: /USR.LPP.SKRB.LIB.NLS.MSG.EN_US$IBM$1047.SKRnlslocale: /USR.LIB.NLS.LOCALE.EN_USThis will differ if you apply a different language path (NLSPATH) in theconfiguration environment.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–81

KerberosYou will also want to be able to write to the STDOUT and STDERR files specifiedin your file. In the Kerberos configuration file, the variablesEUV_SVC_STDOUT_FILENAMEEUV_SVC_STDERR_FILENAMEwill contain the file names required. The following permissions will allow allaccess to the STDERR and STDOUT files suppled by default:TSS PER(SKRBKDC) HFSSEC(/VAR.SKRB.LOGS.) ACC(ALL)To allow the server to read and write credentials, use the following commands:TSS PER(SKRBKDC) HFSSEC(/VAR.SKRB.CREDS) ACC(ALL)After you have defined the ACID and provided proper access, you may add theprocedure to the STC using the following command:TSS ADD(STC) PROCNAME(SKRBKDC) ACID(SKRBKDC)Customizing your Local EnvironmentThe default_realm specification is also known as the “local” realm. The otherrealms defined in the configuration are known as “foreign” realms. Realms aredefined in the SDT.Users defined to Kerberos are not defined in the configuration file, but must bedefined entirely through the Security File. Users defined in the local realm areknown as “local” principals. Only local principals are allowed to initiateKerberos commands from the local Unix Systems Services. Users defined in aforeign realm are mapped in the SDT with a surrogate user in the local realm.We will see how the security environment must be customized to interact withKerberos.Defining Your Local RealmYou must define to the Security File the REALMs defined to your Kerberosconfiguration file./etc/skrb/krb5.confThe local realm is specified in your default_realm parameter. The local REALMis always named KERBDFLT and must be defined before the local principals aredefined.1–82 Cookbook

KerberosThe command syntax for this definition is given by:TSS ADDTO(SDT) REALM(KERBDFLT) REALMNAME(default_realm) KERBPASS(Kerberos-password)REALM—KERBDFLT (required)REALMNAME—Must be identical to configuration file default_realm.etrust CA-Top Secret has simplified the REALMNAME specification. This isinternally expanded to the following when used for run-time security checks:/…/default_realm/krbtgt/default_realmThe REALMNAME is generally specified in the form of a first orderweb-address. It can be a maximum of 117 characters, but cannot include spaces(x’40’) or the at-sign (x’7F’).Note: Because the relationship between the REALMNAME and generatingKerberos tickets for principal users is based, in part, on the local REALMNAME,care must be taken when choosing a REALMNAME. Renaming the REALMshould be avoided at all costs during Kerberos operations, since trust relations inflight will cause unpredictable effects.MINTKTLF—Specifies the maximum ticket life in seconds, and is representedby a numeric value between 1 and 2 147 483 647. Note that 0 is not a valid value.This keyword is only applicable when defining the KERBDFLT realm record. IfMAXTKTLF is specified, DEFTKTLF and MINTKTLF must also be specified.DEFTKTLF—Specifies the time intervals (in seconds) that a Kerberos generatedticket will remain active in the realm. If any of these intervals is specified, allmust be specified. If no intervals are specified, tickets are not limited. Validvalues for these parameters lie in the range 1 through 2**31-1 (2147483647). Asyou would expect, MAXTKTLF >= DEFTKTLF >= MINTKTLF is enforced.KERBPASS—Specifies a 1-8 character password (alphanumeric) for the localrealm. When the same realm name is used as a foreign realm in a foreignKerberos system, the passwords must be identical. Passwords are case-sensitiveand are maintained in the case in which they are entered. The KERBPASS bearsno relationship to the password of the SKRBKDC region ACID.Example:TSS ADDTO(SDT) REALM(KERBDFLT) REALMNAME(local.ca.com) MINTKTLF(30)MAXTKTLF(86400) DEFTKTLF(36000) KERBPASS(children)In the above example, the realm name is KERBDFLT, which identifies this recordas the default realm record. The Kerberos realm name is local.ca.com. Thiscorresponds to a the following fully qualified Kerberos security name whicheTrust CA-Top Secret will format automatically./…/local.ca.com/kerbtgt/local.ca.comImplementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–83

KerberosThe Kerberos password of this realm is children. The default ticket life is 10hours, a minimum ticket life of 30 seconds, and a maximum ticket life of 24hours.Defining Local PrincipalsLocal principals in Kerberos are user acids capable of activity on Unix SystemsServices, who are able to initiate Kerberos commands in the systemcorresponding to the local realm. Kerberos local principals clearly must possessat least the following with sufficient authority to allow access to the OMVS orISHELL shells.■■■■■UIDGROUPDFLTGRPHOMEOMVSPGMWhen a local principal is defined, the affected ACID receives a KERB segment tohold relevant information, some of which will not be available for display. Acorresponding KERBSEGM record will also be defined to the SDT. The label forthe KERBSEGM record is the ACID to which the new segment has been added.The administrator defines Kerberos information for the user as follows:TSS ADD(acid) KERBNAME(principal_name) acid —Specifies the security ACID to be defined with Kerberos information.principal_name—Specifies the Kerberos Principal Name associated with thisuser. This information is added to the KERB segment of the user’s securityrecord. It is also added to the SDT KERBNAME record for high-speedcross-reference indexing. The KERBNAME specified must be unique for eachuser in the local realm. KERBNAME cannot be added to a PROFILE or GROUPACID, nor can it be added to a hierarchy ACID. The fully qualified Kerberosprincipal name is formatted from the KERBDFLT REALMNAME and theKERBNAME principal_name. The combined length cannot exceed 240characters. The principal name cannot include spaces (x’40’) or the “at” sign(x’7F’)./…/local_realm/principal_nameinterval—Specifies the maximum ticket life associated with tickets for this user.The range of available values is 1 – (2**31 – 1). Sensible values for this parametershould not exceed MAXTKTLF for the REALM, and should not be exceeded bythe REALM DEFTKTLF.1–84 Cookbook

KerberosThe following command creates a KERBNAME field “boris_baddenof” within anew KERB segment on “useracid” Notice that no MAXTKTLF operand has beensupplied in this command.TSS ADD(useracid) KERBNAME(boris_baddenof)The KERB segment may be displayed by using the following LIST command:TSS LIST(useracid) SEGMENT(KERB)The corresponding KERBSEGM SDT record can be viewed with the followingcommand:TSS LIST(SDT) KERBSEGM(useracid)Password Change Server ACIDKerberos requires the creation of a Password Change Server ACID with areserved local principal name. There is no requirement on the characteristics ofthe ACID other than that the user have local principal name kadmin/changepw.During testing we defined a USS capable user as follows:TSS CREATE(KRBCHG) DEPT(sysdept) NAME(‘KERBEROS PSWD/CHG’) PASS(pswd,0)FAC(STC,BATCH)TSS ADD(KRBCHG) UID(…)TSS ADD(KRBCHG) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)TSS ADD(KRBCHG) HOME(/u/krbchg) OMVSPGM(/bin/sh)TSS PER(KRBCHG) HFSSEC(/u.krbchg) ACC(READ,UPDATE,EXEC)TSS PER(KRBCHG) HFSSEC(/BIN.SH) ACC(READ,EXEC)TSS ADD(KRBCHNG) KERBNAME(kadmin/changepw)Preparing Local Principal ACIDs for KerberosSYSEXEC changesThe following data set needs to be added to the TSO SYSEXEC DD statement ofthe Kerberos user’s TSO procedure:EUVF.SEUVFEXC.profile changesChanges are required for Kerberos user’s .profile file in their home directory.These changes may optionally be added to the /etc/.profile file. The followingdirectory must be placed as the first directory in the PATH variable, so that itoverrides DCE./usr/lpp/skrb/binImplementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–85

KerberosIt must be placed earlier in the path than the following to avoid DCE/Kerberosfrom overriding more recent Kerberos software./binAny /bin DCE subdirectoryAny Kerberos session variables which the user wishes to set differently than thevalues in the Kerberos environment file should be set in the user’s .profile file.Consult IBM SecureWay Security Server Network Authentication ServiceAdministration for complete details. If any file names are specified, theadministrator must provide appropriate HFSSEC permissions in order to accessthem.DCE IncompatibilityDCE commands conflict with Kerberos commands. Clients wishing to make useof these separate features should make changes to their environments as outlinedin IBM SecureWay Security Server Network Authentication ServiceAdministration.Security ConsiderationsA number of attributes must be present on an ACID in order to assure thecapability for the Kerberos kinit function. The assumption for examples here isthat HFSSEC(ON) has been set:■■■■■■The ACID must be given standard OMVS attributes:TSS ADD(local) UID(uid_number) GROUP(omvsgrp) DFLTGRP(omvsgrp)HOME(home_directory) OMVSPGM(program_directory)The ACID must be given permission to change the mode of their own files:TSS PERMIT(local) IBMFAC(BPX.CAHFS.FILE.MODE)The ACID must be able to create, alter, execute and read files in the homedirectory. Kerberos credentials will be created in this directory.TSS PERMIT(local) HFSSEC(home_directory) ACC(ALL)The ACID must be able to READ and EXECUTE files in the programdirectory.TSS PERMIT(local) HFSSEC(program_directory) ACC(READ,EXEC)To access Kerberos command files at run-time, the user will need thefollowing:TSS PER(useracid) HFSSEC(/usr.lpp.skrb.bin)To access Kerberos EXEC files enter the following commands:TSS PER(useracid) DATASET(EUVF.SEUVFEXC) ACC(READ)1–86 Cookbook

Mapping of Foreign EnvironmentsMapping of Foreign EnvironmentsCorresponding to the local (default) realm and local principal users in the localsystem are the concepts of foreign realm and foreign principal user. Theseforeign realm is mapped into a web address, which the Kerberos server willcontact for tickets. Foreign realms must be defined to the Kerberos configurationfile. The corresponding SDT definition defines a trust relationship between thelocal web-address and the foreign web-address. The foreign principal definitiondefines a mapping from a user and a web-address into a local ACID. Foreignprincipals are not defined in the Kerberos configuration file.Mapping Foreign RealmsYou must define any foreign REALMs to your Kerberos configuration file withthe following commands:/etc/skrb/krb5.confForeign realm definitions are placed after the first realm section entry (whichdefines the Kerberos local realm). While the SDT REALM for the local realm isfixed as KERBDFLT, the administrator must select an 8-character label for theREALM which identifies it to CA-Top Secret. Foreign REALMNAME is alsospecified differently than for local realms, as this operand represents a Kerberostrust relationship:/…/local_realm/krbtgt/foreign_realm/…/foreign_realm/krbtgt/local_realmNotice that the ellipsis characters (…) in this case do not represent missing data:they are part of the actual Kerberos naming syntax. Notice also that two entriesare necessary for the trust relationship, and that each entry has a differentpassword. A pair of commands is required to define each direction of theKerberos trust relationship at each local copy of eTrust CA-Top Secret. Thefollowing is the command syntax:TSS ADD(SDT) REALM(realm) REALMNAME(‘/…/local_realm/krbtgt/foreign_realm’)KERBPASS(password1)TSS ADD(SDT) REALM(realm) REALMNAME(‘/…/foreign_realm/krbtgt/local_realm’)KERBPASS(password2)REALM—a realm label (1-8 characters) to identify the SDT REALM record forCA-Top Secret.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–87

Mapping of Foreign EnvironmentsREALMNAME—a fully qualified Kerberos trust relationship of the followingform:/…/local_realm/krbtgt/foreign_realm/…/foreign_realm/krbtgt/local_realmwhere the values:local_realm—represents the web-address of the local default realm in theKerberos configuration fileforeign_realm—represents the web-address of the foreign realm in the Kerberosconfiguration file.KERBPASS—a password used to validate the trust relationship.Let us suppose that we wish to establish a trust relationship betweenTRUSTWORTHY.CA.COM with MAJESTERIAL.CLIENT.COM for which wewill employ the label MAJESTY in the SDT. Locally, we would define thefollowing:TSS ADD(SDT) REALM(majesty)REALMNAME(‘/…/trustworthy.ca.com/krbtgt/majesterial.client.com’)PASSWORD(xylofone)and,TSS ADD(SDT) REALM(trustyca)REALMNAME(‘/…/majesterial.client.com/krbtgt/trustworthy.ca.com’)PASSWORD(marimba)In the foreign system, a set of parallel definitions is required so that eachconnection in the conversation maintains identical passwords:TSS ADD(SDT) REALM(kingart)REALMNAME(‘/…/trustworthy.ca.com/krbtgt/majesterial.client.com’)PASSWORD(xylofone)and,TSS ADD(SDT) REALM(troubador)REALMNAME(‘/…/majesterial.client.com/krbtgt/trustworthy.ca.com’)PASSWORD(marimba)Notice that the REALM operands are merely labels of convenience, and do nothave to match between the two systems. However, the password for each trustrelationship must be identical for identical REALMNAME specifications.1–88 Cookbook

Mapping of Foreign EnvironmentsMapping Foreign Principal NamesForeign principal names are defined on CA-Top Secret to indicate the realm fromwhich the foreign user will be mapped into a local ACID. The following format isused for this fully qualified reference./…/foreign_realm/foreign_principal_nameThe foreign_principal_name should be defined in the foreign_realm as a localprincipal in that system. The foreign_principal_name need not be identical withits associated ACID in the foreign system.The local ACID need not be defined as a Kerberos local principal. It serves as asurrogate for security activities by the foreign principal in the local environment.The KERBLINK label provides a convenient reference in the SDT to identify therelationship. The command to link these entities is given below:TSS ADD(SDT) KERBLINK(kerblink)LINKNAME(‘/…/foreign_realm/foreign_principal_name’) KERBUSER(surrogat)KERBLINK—1-8 character label for the SDT record identifying the foreignprincipal relationshipLINKNAME—a fully qualified foreign principal name. Theforeign_principal_name must be defined as a local_principal_name in the foreignsystem.KERBUSER—a local ACID defined to CA-Top Secret. This ACID need not existat the time that the SDT record is defined. When the foreign principal attempts toinitiate a session with the local realm, however, the ACID must be defined or anerror will result.Suppose that two foreign realms have been defined,MAJESTERIAL.CLIENT.COM and COLLOSSAL.SUCCESS.COM and we wish toestablish trust relationships locally for Kerberos principals king5 in the firstrealm, using the following command:TSS ADD(lscess1) KERBNAME(king5)major_major_majorIn the second realm, using the following command:TSS ADD(lclint1) KERBNAME(major_major_major).On the second realm, where king5 is foreign defines a foreign principal “king5”from the originating foreign realm MAJESTERIAL.CLIENT.COM and associatesthat principal locally with ACID “client1” in the local TSS.TSS ADD(SDT) KERBLINK(kclint1) LINKNAME(‘/…/majesterial.client.com/king5’)KERBUSER(client1)Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–89

DCE SupportSimilarly, on the first realm where major_major_major is foreign, defines aforeign principal “major_major_major” originating fromCOLLOSSAL.SUCCESS.COM, and associates that principal locally with ACID“succes1” in the local TSS.TSS ADD(SDT) KERBLINK(kscess1)LINKNAME(‘/…/collossal.success.com/major_major_major’)KERBUSER(succes1)DCE SupportSee the eTrust CA-Top Secret User Guide for information concerning DCEsupport.Distributed File Service (DFS)The Distributed File Service (DFS) allows users to access and share files stored ona file server anywhere on the network without knowing the physical location ofthe file. Files are part of a single namespace. Therefore, no matter where in thenetwork a user is, the file can be found using the same name. eTrust CA-TopSecret definitions are required for the DFS Server (DFS) and the DFS Client(DFSCM). Execute the following eTrust CA-Top Secret commands.TSS CREATE(DFSGRP) TYPE(GROUP) NAME('DFS GROUP') DEPT(dept)TSS CREATE(DFS) TYPE(USER) PASS(PASSWORD,0) NAME('DFS region acid') DEPT(dept)TSS ADD(DFSGRP) GID(2)TSS ADD(DFS) UID(0) HOME(/opt/dfslocal/home/dfscntl) DFLTGRP(DFSGRP)GROUP(DFSGRP)TSS ADD(STC) PROCN(DFS) ACID(DFS)TSS ADD(STC) PROCN(DFSCM) ACID(DFS1–90 Cookbook

Distributed File Server SMB SUPPORTDistributed File Server SMB SUPPORTDistributed File Server (DFS) SMB support provides a server that makes the HFSfile available to SMB clients. Server Message Block (SMB) is a protocol for remotefile/print access used by Windows and OS/2 clients. The following steps mustbe taken to use this support:1. Define a facility for DFS in the TSS control file. Add the definition byrenaming a USERxx facility entry:FAC(USERXX=NAME=DFS)FAC(DFS=PGM=DFSCNTL)FAC(DFS=NOTSOC,RES,NOIJU,AUTHINIT)2. Create the region acid for DFS:TSS CRE(DFS) NAME(‘DFS REGION ACID’) FAC(BATCH,STC) PASS(XXXXXXXX)DEPT(XXXX) MASTFAC(DFS) NORESCHK NODSNCHK3. Define the DFS procedure to eTrust CA-Top Secret:TSS ADD(STC) PROCN(DFS procname) ACID(DFS)4. Define the DFSKERN procedure to eTrust CA-Top Secret:TSS ADD(STC) PROCN(DFS kern procname) ACID(DFS)SMB ENCRYPTED PASSWORD SUPPORTWith z/OS and OS/390, to have the SMB server use the encrypted passwordprocessing, you must add the entry DCE.PASSWORD.KEY to the SDTKEYSMSTR record. The syntax of the command is as follows:TSS ADD(SDT) KEYSMSTR(DCE.PASSWORD.KEY) DCENCRY(KKKKKKKK)KEYMASK | KEYNCRYKEYSMSTR—this attribute has only one value, which is DCE.PASSWORD.KEY,which must be entered in uppercase characters.DCENCRY—this value is a 16-character hexadecimal encryption keyKEYMASK—this value indicates that the DCENCRY key is used to mask theuser’s DCE password when it is stored in the DCEKEY field of the user’s acidrecord. KEYMASK is the defaultKEYENCRY—this value indicates that the DCENCRY key is used to encrypt theuser’s DCE password when it is stored in the user’s acid recordNote: Only the MSCA can specify the KEYSMSTR keyword.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–91

NFS (Network File System)Define the string c1c2c3c4c5c6c7cc8 as the encryption key value for SMBpassword support:TSS ADD(SDT) KEYSMSTR(DCE.PASSWORD.KEY) DCENCRY(C1C2C3C4C5C6C7C8)To delete the KEYSMSTR record for the SDT:TSS DEL(SDT) KEYSMSTR(DCE.PASSWORD.KEY)To replace the encryption key and use the DES encryption to mask:TSS REP(SDT) KEYSMSTR(DCE.PASSWORD.KEY) DCENCRY(0123456701234567)To list the current encryption value:TSS LIST(SDT) KEYSMSTR(DCE.PASSWORD.KEY)Important: To use the DFS SMB support and the SMB Encrypted Password Supportyou must be running eTrust CA-Top Secret 5.1, genlevel SP04 or eTrust CA-Top Secret5.2, genlevel SP01 with maintenance as required.NFS (Network File System)z/OS and OS/390 NFS enables remote access to z/OS and OS/390 data sets andUNIX System Services HFS files and directories. NFS provides the ability toprotect file systems on MVS through four protection schemes. This setting isdefined within the NFS 'Site Attributes' attribute 'Security'.Four possible SECURITY settings include:NONE Do restrict access No MVS userID requiredEXPORTS Restrict access by client IP address No SAF checkSAFSAFEXPUse SAF to control access to datasetsUse SAF and EXPORTS to controlaccessSAF check executedSAF check (most secure)Both SAF and SAFEXP require the user to use the 'mvslogin' process to validateaccess through a SAF call. For this reason we recommend a minimum of security(SAF). Users who attempt to access HFS data must have a valid OMVS segmentassigned to their MVS acid. Access to HFS files will then be done by validatingthe client's UID and group against the file UNIX permission bits. Under normalcircumstances access to MVS data sets requires both the z/OS or OS/390 NFSserver and client user to pass a security check for the resource. The exception tothis is when 'DataCaching' is enabled. DataCaching causes data to be stored onthe z/OS or OS/390 NFS client system.1–92 Cookbook

NFS (Network File System)The first user attempting to access an MVS data set must pass a SAF securitycheck. This SAF call is issued by the z/OS or OS/390 NFS Server. Once passed,the data set is stored in the z/OS or OS/390 NFS Client server. Subsequentrequests will allow all users access to the cached data without furtherrestrictions. Data caching by default is enabled. eTrust CA-Top Secretrecommends 'DataCaching' be disabled. With DataCaching(N) no client datacaching takes place, therefore each user must pass the z/OS or OS/390 NFSSecurity server check prior to being granted access to data. z/OS or OS/390 NFSServer 'Site Attribute' 'checklist' lists the files and or directories for which SAFsecurity is bypassed even when SAF or SAFEXP is specified. For this reasonproper care must be taken to secure this data set. The checklist data set is definedby the CHKLIST DD in the MVSNFS procedure.eTrust CA-Top Secret Support for z/OS and OS/390 NFSTo define a facility enter the following syntax:FAC(USERxx=NAME=NFS)To create acids for started task, create an acid for each of the four proceduresused by:NFS (MVSNFS, MVSNFSC, MVSSTATD, MVSLOCKD).These acids require an OMVS segment having UID(0). The NFS Server andClient acids require access to data sets to which the remote user accesses. Thiscan be accomplished by explicitly permitting the desired data sets or by addingthe NODSNCHK bypass attribute.z/OS and OS/390 NFS ServerTSS CREATE(MVSNFS) NAME('NFS SERVER') DEPT(dept)TYPE(USER) PASS(password,0) FAC(STC)TSS ADD(MVSNFS) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)TSS ADD(MVSNFS) NODSNCHK **or per all required data sets**TSS ADD(MVSNFS) MASTFAC(NFS)TSS ADD(MVSNFS) SOURCE(INTRDR)z/OS and OS/390 NFS ClientTSS CREATE(MVSNFSC) NAME('NFS CLIENT') DEPT(dept)TYPE(USER) PASS(password,0) FAC(STC)TSS ADD(MVSNFSC) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)TSS ADD(MVSNFSC) NODSNCHK **or per all required data sets**TSS ADD(MVSNFSC) MASTFAC(NFS)TSS ADD(MVSNFSC) SOURCE(INTRDR)z/OS and OS/390 NFS NLM (Network Lock Manager)TSS CREATE(MVSNLM) NAME('NFS NLM') DEPT(dept)TYPE(USER) PASS(password,0) FAC(STC)TSS ADD(MVSNLM) NODSNCHK **or per all required data sets**TSS ADD(MVSNLM) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)TSS PER(MVSNLM) DSN( per all required data sets )TSS ADD(MVSNLM) SOURCE(INTRDR)Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–93

WLM (Workload Management)OS/390 NFS NSM (Network Status Monitor)TSS CREATE(MVSNSM) NAME('NFS NSM') DEPT(dept)TYPE(USER) PASS(password,0) FAC(STC)TSS ADD(MVSNSM) NODSNCHK **or per all required data sets**TSS ADD(MVSNSM) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)TSS PER(MVSNSM) DSN( per all required data sets )TSS ADD(MVSNSM) SOURCE(INTRDR)Add Procedures to STC acidTSS ADD(STC) PROCN(MVSNFS) ACID(MVSNFS)TSS ADD(STC) PROCN(MVSLOCKD) ACID(MVSNLM)TSS ADD(STC) PROCN(MVSSTATD) ACID(MVSNSM)TSS ADD(STC) PROCN(MVSNFSC) ACID(MVSNFSC)WLM (Workload Management)The WLM ISPF application is protected by a SAF call. Access to the WLM ISPFapplication is controlled through the definition of a facility class in eTrustCA-Top Secret. READ or UPDATE access to the entire WLM service definition isthe only option available through the eTrust CA-Top Secret facility accessauthorization. READ access allows users access to all functions except installingand activating a service definition or policy.Specify an access of NONE for the facility resource. Also, limit the number ofusers authorized to read and update the WLM application to those who maintainthe WLM policy, to performance personnel, or to both. Review the requirementfor operations to have access to install a service definition versus activating anexisting policy.To authorize the facility for WLM, execute the following eTrust CA-Top Secretcommands:TSS ADD(deptacid) IBMFAC(MVSADMIN)—Skip this command if already ownedTSS PER(aicd) IBMFAC(MVSADMIN.WLM.POLICY) ACC(READ)orTSS PER(acid) IBMFAC(MVSADMIN.WLM.POLICY) ACC(UPDATE)z/OS and OS/390 Security Server SupportIBM markets the Security Server as a separate offering, along with z/OS andOS/390. This offering is a bundling of RACF with a number of other products.All of these products perform some security (SAF) function. Those that interfacewith RACF, do so through standard security calls, supported by eTrust CA-TopSecret. None are truly dependent on RACF to function. The followingcomponents make up the Security Server.1–94 Cookbook

z/OS and OS/390 Security Server SupportRACFAlthough delivered as part of the Security Server, RACF must be independentlyactivated, and is not required to run the other Security Server components. RACFis IBM’s SAF compliant security system. It is mainly concerned with system entryvalidation and resource permission. It provides no subsystem specific extensionsto secure such things as partitioned data sets, CICS and IMS. Typically, in RACFphilosophy, these sorts of extensions are available as user maintained exit points.Its reporting and administration capabilities are limited, typically these functionsmust be supplemented by buying additional third party products.To disable RACF, update the appropriate IFAPRDxx member and change the STATEfield to:STATE(DISABLED)Then re-IPL the system to make the change take effect.For example, if you ordered RACF as part of the security server for z/OS and OS/390,and you want to disable the security server, update the IFAPRDxx entry to look like this:PRODUCT OWNER('IBM CORP')NAME('z/OS and OS/390')FEATURENAME('Security Server')ID(5647-A01)VERSION(*)RELEASE(*)MOD(*)STATE(DISABLED)If you ordered RACF as part of the security server for z/OS and OS/390, and want todisable the RACF component of the security server but continue to use the DCEcomponent of the security server, update the IFAPRDxx entries to look like this:PRODUCT OWNER('IBM CORP')NAME('z/OS and OS/390')FEATURENAME('Security Server')ID(5647-A01)VERSION(*)RELEASE(*)MOD(*)STATE(ENABLED)PRODUCT OWNER('IBM CORP')NAME('z/OS and OS/390')FEATURENAME('RACF')ID(5647-A01)VERSION(*)RELEASE(*)MOD(*)STATE(DISABLED)Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–95

z/OS and OS/390 Security Server SupportDCE Security ServerThe DCE Security Server is a separate security product that providesauthentication services for users and servers running DCE applications.In a DCE environment, one DCE Security Server must exist. A DCE securityserver provides a central hub for system entry validation and single-sign onauthentication for all DCE platforms within a connected DCE environment. Akey concept of a DCE security server is that it provides an independent orso-called third-party platform in which to validate and authenticate securityrequests. This concept provides obvious security advantages.For example, when a user passes from one DCE platform to another, the targetplatform passes information about the user (so-called user credentials) alongwith other information to the DCE security server for authentication andauthorization. The DCE security server authenticates such requests by checkingthe supplied user credentials against those stored in the DCE security server'ssecurity repository and/or security registry. In performing this authentication,the DCE security server follows an authentication algorithm, which involves notonly the user credentials but also involves encryption keys known for eachplatform. The algorithm is standards-based and is platform independent. As aresult, multiple vendors and platforms offer a DCE security server.IBM's z/OS and OS/390 OE/DCE Security Server product allows an IBMmainframe to perform these functions.With z/OS and OS/390 O/E DCE security server, eTrust CA-Top Secret isutilized mainly to act as a repository for information needed to support the DCEauthentication process. In particular, the eTrust CA-Top Secret is used to holdDCE-specific userid information and encryption keys. Most notably, a 'DCEsegment' can now be defined for any userid. The DCE userid segment allows sixDCE-specific fields to be maintained for any userid. For example, one fieldnamed DCEKEY identifies each user's DCE password. During authentication, theDCE security server retrieves this and other information from eTrust CA-TopSecret following formal SAF interfaces. This information is then used separatelyto authenticate and authorize the DCE security server request. As stated, eTrustCA-Top Secret acts mainly as a repository for DCE information.eTrust CA-Top Secret provides for the following functions:■■■■support for the DCE segment for any userid;support for the KEYSMSTR resource class used to hold keys for DCEpassword encryption;support for the DCEUUIDS resclass used to track the correspondencebetween z/OS or OS/390 userids and DCE UIDs;support for four new callable services used to exchange information betweenthe ESM and the DCE security server.1–96 Cookbook

z/OS and OS/390 Security Server SupportThe following steps must be taken into consideration when protecting the DCEsecurity server under eTrust CA-Top Secret:1. A DCE segment, allowing specification of six DCE-related fields, can beadded to any eTrust CA-Top Secret defined user. An example of the use ofthese new fields follows:TSS ADD(acid) DCENAME(jordanm) DCEFLAGS(AUTOLOGIN)UUID(00000075-71db-21cf-b500-08005a470ba1)HOMEUUID(abbc323c-5ce2-11cf-a61e-08005a470ba1)HOMECELL(/.../cis_test1.cis.dog.com)2. eTrust CA-Top Secret further extends this support by installing anISPFEDIT-macro named TSSDCE which can be used to reformat the outputof the IBM DCE export utility, MVSEXPT, to TSS format. To perform thisreformat, edit the MVSEXPT output data set using ISPF edit and enter theTSO command %TSSDCE. This will immediately reformat the MVSEXPToutput data set being edited into TSS command format.3. Consult IBM DCE documentation for the OS390 OE/DCE security server formore information about the use and settings of these fields.Firewall Technologiesz/OS and OS/390 provides the ability to run a firewall under UNIX SystemServices. Support is distributed in part with the Communication Server and inpart with the Security Server. The z/OS and OS/390 Firewall Technologies canonly reduce, but does not necessarily eliminate the need for a non-z/OS andOS/390 platform firewall. The firewall itself is not configured using eTrustCA-Top Secret. Administration is performed through configuration files.Setting up the z/OS and OS/390 Firewall Technologies with eTrust CA-TopSecret involves the following steps:1. Create a group definition for use with the firewall:TSS CREATE (FWGRP) TYPE(GROUP) NAME(‘Firewall Group’) DEPT(OMVSDEPT)TSS ADD(FWGRP) GID(nn)Any unused GID number is allowed.2. Define the Firewall startup address space ID:TSS CREATE(FWKERN) TYPE(USER) NAME(‘Firewall Startup ID’)DEPT(OMVSDEPT) FACILITY(STC,BATCH) PASS(password,0)TSS ADD(FWKERN) GROUP(FWGRP) DFLTGRP(FWGRP)HOME(/usr/lpp/fw/home/fwkern/) OMVSPGM(/bin/sh) UID(0)TSS ADD(STC) PROCNAME(FWKERN) ACID(FWKERN)TSS MODIFY(OMVSTABS)3. Allow FWKERN to issue start commands:TSS ADD(anydept) IBMFAC(FWKERN.)TSS PERMIT(FWKERN) IBMFAC(FWKERN.START.REQUEST) ACCESS(UPDATE)Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–97

z/OS and OS/390 Security Server Support4. Define additional started tasks used by the firewall daemons:TSS ADD(STC) PROCNAME(ICAPSLOG) ACID(FWKERN)TSS ADD(STC) PROCNAME(ICAPSOCK) ACID(FWKERN)TSS ADD(STC) PROCNAME(ICAPPFTP) ACID(FWKERN)TSS ADD(STC) PROCNAME(ICAPFLOG) ACID(FWKERN)TSS ADD(STC) PROCNAME(ICAPTNAT) ACID(FWKERN)5. Permit FWKERN access to READ the TCP/IP data sets:TSS PERMIT(FWKERN) DSN(TCPIP.*) ACCESS(READ)The high level qualifier of these data sets might have been renamed from“TCPIP” when installed on your system.6. Permit the FWKERN acid to the SMF logging facility:TSS PERMIT(FWKERN) IBMFAC(BPX.SMF) ACCESS(READ)7. Permit the PFTP server to the BPX.DAEMON facility:TSS PERMIT(FWKERN) IBMFAC(BPX.DAEMON) ACCESS(READ)8. Adding Firewall Administrators to FWGRP:Firewall administrators must be members of the group FWGRP or havesuperuser authority. The following command gives an administrator thefirewall group:TSS ADD(administrator) GROUP(FWGRP)9. Firewall Technologies has the ability to invoke z/OS and OS/390 IntegratedCryptographic facilities to perform internal security functions. These servicesare protected using the resource class CSFSERV. Users must be permitted tothe individual services necessary. This is accomplished using the followingcommands:TSS ADD(dept) CSFSERV(service-name)TSS PERMIT(acid) CSFSERV(service-name) ACCESS(READ)The individual service-names are documented in the appropriate IBMFirewall manuals and the ICSF/MVS Administrators Guide.LDAP ServerIBM provides a Lightweight Directory Access Protocol (LDAP) Server with z/OSand OS/390 releases 2.5 and above. This server can be used to store directoryinformation, such as email accounts. The LDAP server uses a DB2-based file tostore directory information.1–98 Cookbook

z/OS and OS/390 Security Server SupportSetting up the z/OS or OS/390 LDAP Server with eTrust CA-Top Secret involvesthe following steps:1. Create a group definition for use with the LDAP Server:TSS CREATE (LDAPGRP) TYPE(GROUP) NAME(‘LDAP Group’) DEPT(OMVSDEPT)TSS ADD(LDAPGRP) GID(nn)Any unused GID number is allowed.2. Define the LDAP Server startup address space identifier:TSS CREATE(LDAPSRV) TYPE(USER) NAME(‘LDAP Startup ID’)DEPT(OMVSDEPT) FACILITY(STC,BATCH) PASS(password,0)TSS ADD(LDAPSRV) GROUP(LDAPGRP) DFLTGRP(LDAPGRP)HOME(/) OMVSPGM(/bin/sh) UID(0)TSS ADD(STC) PROCNAME(LDAPSRV) ACID(LDAPSRV)TSS MODIFY(OMVSTABS)3. The acid for the LDAP server started task requires access to the followingIBMFAC resources:TSS ADD(anydept) IBMFAC(BPX.)TSS PERMIT(LDAPSRV) IBMFAC(BPX.DAEMON)TSS PERMIT(LDAPSRV) IBMFAC(BPX.SERVER)ACCESS(READ)ACCESS(UPDATE)DB2 Security ExitIn response to the fact that native DB2 only provides internal security, thesecurity server now provides sample code for a DB2 security exit. eTrust CA-TopSecret has offered for a number of years the ability to secure DB2 using eTrustCA-Top Secret for DB2. See the eTrust CA-Top Secret for DB2 ImplementationGuide for additional information.Integrated Cryptographic ServicesIBM has delivered as a hardware offering, a high powered cryptographiccoprocessor which allows z/OS or OS/390 applications to exploit cryptography.The z/OS or OS/390 Security Server provides API’s to invoke thesecryptographic services (ICSF) rather than use software algorithms to perform thesame functions. In addition, various functions involved with the management ofkeys are provided in this service. These services combine to provide a site withthe ability to manage public keys.eTrust CA-Top Secret provides the following resource classes to allow ICSF to besecured and audited.CSFKEYS—This class is used to secure encryption keys. The value, which isowned and permitted, is the key label. The key label is in the CKDS or PKDSwhen a key is defined.Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–99

z/OS and OS/390 Security Server SupportIf CFSKEYS is defined to support masking and you want to allow ALL access,CFSKEYS(**) must be used. This allows the correct entity to be picked up. If thisis not done and an audit record is cut the resource name will be blank.CSFSERV—This class is used to secure the various cryptographic services,needed to encrypt data and manage keys. The services are listed in the OS/390Integrated Cryptographic Service Facility: Administrator’s Guide.Note: If the certificate’s private key resides in an ICSF storage facility and theformat of PKCS12DER or PKCS12B64 is specified in the TSS EXPORT command,the command is rejected. A TSS0533E message is issued.Also, in order to use ICSF, you must have cyptrographic hardware installed andenabled on your system. ICSF is the interface to the Cryptographic hardware onz/OS and OS/390.1–100 Cookbook

Chapter2Controlling Access to theHierarchical File SystemThere are two methods a site can use to secure the Hierarchical File System(HFS).■■The first process is internal to UNIX System Services and is based on theUNIX model of security.The second process is external security and uses standard eTrust CA-TopSecret security authorizations to secure HFS.Note: These methods are mutually exclusive, you must select one.Controlling HFS Using the Native UNIX Security ModelThe Hierarchical File System (HFS) is a tree-structured file system consisting ofdirectories and files. It resembles the DOS file system, although the slash (/) isused instead of the backslash (\).Each file and directory is assigned an owning UID and an owning GID. Theassignment is defined and saved in the file system, not in the external securityproduct.Three categories of users can access each directory and file in the HFS:■■■File ownerGroup that owns the fileAll other users defined to UNIX System ServicesDifferent access levels can be set for any of these three categories. For example,permissions can be defined so that the file owner gets READ and WRITE access,a member of the file's group gets only READ access, and all other users haveneither READ nor WRITE access to the file.Controlling Access to the Hierarchical File System 2–1

Controlling HFS Using the Native UNIX Security ModelWhen group access checks are performed, eTrust CA-Top Secret compares theGID of the file to the GID of the default group defined in DFLTGRP. If thesedon’t match, eTrust CA-Top Secret then compares the file's GID to the GIDs of allof the groups defined to the acid in the GROUP field. GIDs are added to theGROUP by issuing the following eTrust CA-Top Secret command:TSS ADD('acidname') GROUP('group name')If a match is found, eTrust CA-Top Secret uses group permissions to determinethe user's access to the file.Obtaining security information for a File within OpenEdition can be achieved byone of the following:■■■Use the OpenMVS ISPF ShellEnter the ls -l or ls -E shell commandRun a stat( ) or fstat( ) function in a programIn response, the system will display the TSO/E user ID and the eTrust CA-TopSecret group name that correspond to the file’s UID and GID permission bits.The system displays the UID and GID only if it cannot find the correspondingTSO/E user ID and eTrust CA-Top Secret group name. The informationreturned will include:■■■■Type of file or directoryOwner permission bitsGroup permission bitsOther permission bitsShell commands exist that change file/directory authorizations within the openedition arena. These shell commands include:CHMOD—Change permission bits for a file/directory.CHOWN—Change the owner or group for a file or directory.CHGRP—Change the group of a file.For more information about the Hierarchical File System and setting filepermissions, see these IBM documents: OS/390 OpenEdition User's Guide andOS/390 OpenEdition Planning.2–2 Cookbook

Controlling HFS Using the Native UNIX Security ModelProcesses that Affect HFS SecurityWhen using the UNIX security model, various options can affect the filevalidation process. The processes and their effect on file security or validationare described in this section.HFS FASTPATH CheckingAs of OS/390 V2R7, OMVS issues a SAF call at initialization. This SAF callchecks to see if access is authorized for OMVS to the FACILITY class resourceBPX.SAFFASTPATH. If access is allowed, OMVS performs permission bitchecking internally instead of calling the external security manager bypassingany audit trail of violations. This is referred to as FASTAUTH processing.Issue the following eTrust CA-Top Secret commands to eliminate this bypass:TSS ADDTO(anydept) IBMFAC(BPX.SAFF)TSS PERMIT(ALL) IBMFAC(BPX.SAFF) ACCESS(NONE)Also, do not give the STC acid associated with the OMVS started task theNORESCHK attribute.MOUNT NOSECURITYWith OS/390 V2R7, you now have the option to MOUNT a file system or part ofa file system with or without SECURITY. The use of the MOUNT commandrequires superuser authority. If the file system is mounted with theNOSECURITY option, USS makes access checks against system credentials (i.e.,superuser) rather that against user credentials. Access is allowed.Program Control in the UNIX EnvironmentWhen the BPX.DAEMON and BPX.SERVER facilities are active, processingauthorized functions, such as SETUID, requires that programs or executables beloaded from an authorized library. In a eTrust CA-Top Secret environment,these authorized data sets are any library in the LPA list, the APF list, orLINKLIST. If a program is loaded from the HFS or an MVS data set not on theapproved lists, the TCBNCTL flag, referred to as the “dirty bit,” is set. Thisresults in authorized functions failing if attempted in the “dirty” environment.When an executable or program is requested in an OMVS environment, OMVSfinds the executable in the HFS and loads from there unless the programcontrolled extended attribute, or “sticky bit,” is set. If this sticky bit is set on theexecutable file, OMVS uses normal MVS load processing. To avoid the dirty bitbeing set requires that the executables in the HFS have the sticky bit turned onusing the chmod command.Controlling Access to the Hierarchical File System 2–3

Controlling HFS Using CA SAF HFS SecurityControlling HFS Using CA SAF HFS SecurityOS/390 brings the MVS and UNIX operating systems together onto onehardware platform. Although some interoperability between MVS and UNIXexist, each environment retains its own distinct data structures and methods ofaccess control.UNIX data is kept in a Hierarchical File System (HFS). From the UNIXperspective, the HFS contains many discrete data files. From the MVSperspective, the HFS is one data set and can only be controlled as one data set. Inother words, MVS can control access to the entire file system, but not to theindividual files within the HFS.HFS files are protected by file permission bit settings. These are set when the fileowner creates the file. A superuser, a user privilege that grants much moreauthority than just security administration, can only perform centralizedadministration. MVS resources are protected by resource access that can be setup in advance by scoped security administrators.CA SAF HFS security overcomes the shortcomings of native UNIX security byproviding single-point security access control, administration, and reporting forboth MVS and UNIX resources. CAIENF services present access events to eTrustCA-Top Secret for validation. Administrators use familiar commands and rulesto protect UNIX files and functions, restricting access based on the eTrustCA-Top Secret acid permissions instead of the UNIX UID or GID numbers. HFSaccess loggings and violations are reported in the standard eTrust CA-Top Secretreports.The following sections explain:■■■HFS file access security using resource authorizationsSecuring HFS system and file functionsImplementing CA SAF HFS securityCA SAF File Access SecurityWhen using CA SAF HFS security, native file permission bit security is bypassed.File access is validated by eTrust CA-Top Secret security through use of resourcepermissions. All the benefits of resource permissions can be utilized, includingmasking, profiles, scoping, and reporting.2–4 Cookbook

Controlling HFS Using CA SAF HFS SecurityPath Name TranslationA path name can be up to 1023 characters in length, except when used in the JCLPATH= keyword where the limit is 255 characters. The path name is also casesensitive and can contain special characters. In order to allow external securityto validate HFS files, eTrust CA-Top Secret validation of HFS files requires pathname manipulation.Before validation, all path names are converted to upper case and, if necessary,truncated at 255 characters. An exit point is provided for cases when file namesreside in paths that are greater than 255 characters. The installation can use theexit to provide a meaningful name.eTrust CA-Top Secret resource authorization processing considers the periodcharacter as a delimiter. This delimiter is used when permitting maskedresources, such as, when providing security for data sets. Path names, however,use the slash character as a delimiter. Before a file is validated, the path namewill have all slash characters, with the exception of the first, translated into aperiod delimiter. Other special characters is translated into the dollar sign ($).These include characters that are used as masking characters in resourcepermissions. If not translated, these characters could create undesired results.The special characters include the period, asterisk, dash, plus, blank, and quote.An exit point is provided which can further modify any character to meet specialneeds, with the exception of the slash character which will always be translatedto a period delimiter.Some examples of path name translation follow:Original pathnameTranslated path nameSample resourceauthorizationsSecurityaction/bin/su /BIN.SU TSS PER(USER01) HFSSEC(/BIN.SU)ACCESS(NONE)/u/user01/proj1/file1.txt/U.USER01.PROJ1.FILE1$TXTTSS PERMIT(USER01)HFSSEC(/U.%.PROJ1.FILE1$TXT)ACCESS(ALL)/usr/sbin/mknod /USR.SBIN.MKNOD TSS PER(SYSPROG)HFSSEC(/USR.SBIN.MKNOD)ACCESS(ALL)No access toswitch usercommandAll accessallowedAllow systemprogrammersto createspecialcharacters.Controlling Access to the Hierarchical File System 2–5

Controlling HFS Using CA SAF HFS SecurityHFSSEC Resource ClassCA SAF HFS security introduces a new pre-defined resource class calledHFSSEC. This new RESCLASS is used when defining file and directory levelaccess in eTrust CA-Top Secret.Permission ConsiderationsThis section describes special considerations to be taken into account whenadministering permits for HFS resources.In addition to access to HFS files, users can also need access to directories. Auser requires READ access to a directory in order to list the contents of thatdirectory. When writing a permission, you distinguish a directory permit from afile permit by not using a trailing period in the HFSSEC authorization. Forexample, the permits used to allow users to read the /BIN directory, but onlyallow EXECUTE access to the files contained within the directory is:TSS PER(ALL) HFSSEC(/BIN) ACCESS(READ)TSS PER(ALL) HFSSEC(/BIN.) ACCESS(EXEC)The root directory is defined by the single character (/). With eTrust CA-TopSecret the root directory must be owned using the special name ROOT. Filescontained in the root directory (/) must be specified as the slash (/) followed bythe file name. Therefore, the only valid permit for the ROOT directory (/) is thatwhich allows read access to the directory itself. The following shows the permitrequired for the root directory and a permit that allows read and write access tofile rootfile:TSS PER(ALL) HFSSEC(ROOT) ACCESS(READ)TSS PER(ALL) HFSSEC(/ROOTFILE) ACCESS(UPDATE)Permits administered to secure HFS file resources should specify the ACCESSkeyword to identify the type of access to the file. If the access keyword is notused, READ access is implied. The access keywords and their meanings follow:KeywordEXECUTEREADUPDATEALTERDescriptionAllows execute access to a file, usually a program file.Allows read access to a file.Allows write access to a file.Allows create and delete access to a file.2–6 Cookbook

Securing HFS FunctionsKeywordALLCONTROLDescriptionAllows all of the above.A special access not used for normal file accessvalidation. This is used with HFS function security toallow a user to change file attributes. Moreinformation can be found in the following section.ReportingAudit records created by HFS file access checks, (i.e., violations, and auditevents) are written to the Audit Tracking File and accessed by the TSSUTILreport utility. TSSUTIL integrates these events among other events according tothe report generation criteria.Securing HFS FunctionsIn addition to file access security, HFS functions can also be secured. Thesefunctions can be a system action, such as setting a ptrace or a job’s priority, orthey can be file-related, such as changing the file mode or audit settings.A system function is secured by a rule in the IBMFAC class, while a file-relatedfunction is secured by a combination of an IBMFAC class rule and a HFS fileresource rule. By following this approach, changes to file attributes can bepermitted at a global basis, or restricted to a particular file.The resource name format for HFS IBMFAC rules is: BPX.CAHFS.function. Anexample of a permission would be:TSS PER(USER01) IBMFAC(BPX.CAHFS.function) ACCESS(READ)System FunctionsIn order to perform a system function, the user requires READ access to thecorresponding IBMFAC.Controlling Access to the Hierarchical File System 2–7

Securing HFS FunctionsSystem Functions (IBMFAC ATTRIBUTE)BPX.CAHFS.CHANGE.PRIORITY—Allows a user to change the schedulingpriority of a process, process group, or user.BPX.CAHFS.SET.PRIORITY—Allows a user to set the scheduling priority of aprocess, process group, or user.BPX.CAHFS.SET.RLIMIT—Allows a user to set the resource limit for the callingprocess.BPX.CAHFS.MOUNT—Allows a user to mount file systems.BPX.CAHFS.UNMOUNT—Allows a user to remove a virtual file system.BPX.CAHFS.PTRACE—Allows a user to control and debug another process.Although the user need not be defined as a superuser to use this function, accessto this resource does not give the user any more authority than a superuserwould have. Access to the function is denied if the user attempts to debug aprogram running with SETUID or SETGID, that is, a program that switches useridentification.BPX.CAHFS.CREATE.LINK—Allows a user to create a hard link to an existingfile. A hard link is essentially another name for the same file data. If the originalfile is removed, the hard link still points to the file data. The data is not deleteduntil the last link is removed. The user requires a permission withACCESS(ALTER) to the HFS file resource for both the original file and the linkfile. It is important to note that when data associated with a hard link isaccessed, the CA-ENF/USS service requests the file name from OS/390 UNIXServices. The file name returned might be the hard link name or the original filename regardless of the actual path accessed. It is unpredictable which name isreturned. Therefore, when a hard link exists, you must maintain permissions forboth the link name and the original name.BPX.CAHFS.CREATE.EXTERNAL.LINK—Allows a user to create an externallink to an object outside of the file system, such as an MVS data set. An externallink is a file that contains the name of an external object. If the external object isremoved, the external link still contains the name of the non-existent object.BPX.CAHFS.CREATE.SYMBOLIC.LINK—Allows a user to create a symboliclink to an existing file. A symbolic link is a file that contains the name of anotherfile. If the original file is removed, the file data is deleted but the symbolic linkstill contains a pointer to the non-existent file. Symbolic link names are validatedwhen the link is created and deleted. All other accesses are validated with theoriginal file name. In addition to this resource, the user also requires a PERMITwith ACCESS(ALTER) to the HFS file resource for both the original file and thelink file.2–8 Cookbook

Securing HFS FunctionsFile FunctionsFile-related functions can be secured to various levels of granularity. This isaccomplished by determining a user’s highest level of access to an IBMFACresource. The ACCESS keyword of the IBMFAC resource authorization is usedfor this purpose. The following actions are taken based upon the ACCESS value:ALL—The user is allowed to perform the function against all files.CONTROL—The user is allowed to perform the function if the user also hasACCESS(CONTROL) access to the HFS file resource. The access level ofCONTROL is not used in normal file access. It is utilized here to provideadditional controls for file functions.UPDATE—Processing is the same as for CONTROL.READ—The user is allowed to perform the function if the user also hasACCESS(CONTROL) access to the HFS file resource, or if the user is consideredthe owner of the file. This is ownership as defined by CA SAF HFS security, notUNIX file UID.NONE—If the user has no access to the IBM FACILITY resource, the function isdenied.Because the absence of the ACCESS keyword in a permission implies READaccess, be sure to specify ACCESS in all of the file function IBMFAC permissionsso that you do not inadvertently allow greater access to functions than youintended.HFS file permission settings and UID/GID ownership are not used for validationpurposes when CA SAF HFS security is active. However, the followingresources restrict changes to these settings for those cases in which they must bemaintained.File Functions (IBMFAC)The following are the file functions authorized via the IBMFAC ATTRIBUTE:BPX.CAHFS.CHANGE.FILE.ATTRIBUTES—Allows a user to change extendedfile attributes, such as APF authorization and program control. Native OS/390UNIX services will issue an IBMFAC resource call to determine authorization toset the specific attribute, but not to specific files. Use of this file function resourceprovides additional control down to the file level.BPX.CAHFS.CHANGE.FILE.AUDIT.FLAGS—HFS files contain two sets ofaudit flags, one that can be set by a normal user and the other that can only be setby an auditor. This resource allows a user to change user-audit flags in a file.BPX.CAHFS.CHANGE.FILE.FORMAT—Allows a user to change the format ofa file. Changes include defining text data delimiters or binary file format.Controlling Access to the Hierarchical File System 2–9

Securing HFS FunctionsBPX.CAHFS.CHANGE.FILE.MODE—Allows a user to change any file modeinformation. This includes changes to file permission settings, setting theexecution UID or GID indicators, and setting the "sticky" bit. Native OS/390UNIX permission settings are used for validation purposes only when CA SAFHFS security is inactive.BPX.CAHFS.CHANGE.FILE.MODE.STICKY—Allows a user to set the "sticky"bit in the file mode information. The "sticky" bit causes a program to be loadedfrom MVS libraries instead of the HFS.BPX.CAHFS.CHANGE.FILE.MODE.EUID—Allows a user to set theexecution-UID indicator in the file mode information. When this indicator is set,the program runs under the UNIX UID of the file owner instead of the UID of theuser running the program.BPX.CAHFS.CHANGE.FILE.MODE.EGID—Allows a user to set theexecution-GID indicator in the file mode information. When this indicator is set,the program runs under the UNIX GID of the file owner instead of the GID of theuser running the program.BPX.CAHFS. CHANGE.FILE.OWNER—Allows a user to change file owner UIDsetting. Native OS/390 UNIX ownership settings are used for validationpurposes only when CA SAF HFS security is inactive.BPX.CAHFS. CHANGE.FILE.GROUP—Allows a user to change file owner GIDsetting. Native OS/390 UNIX ownership settings are used for validationpurposes only when CA SAF HFS security is inactive.BPX.CAHFS. CHANGE.FILE.TIME—Allows a user to change the last access ormodification time to the current time or a user-specified time. If the current timeis to be set and the user has write access to the file, the function is allowed. If theuser does not have write access or a user-specified time is to be set, access mustbe allowed to this IBMFAC resource.Sample PermissionsThe following example shows TSS PERMITS that allow Thelma to change the filemode and owner for all files. Louise is allowed to change the file mode for onlythose files that reside in a certain directory, but is not allowed to change the fileowner in any file:TSS PER(THELMA) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE) ACCESS(ALL)TSS PER(LOUISE) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE) ACCESS(CONTROL)TSS PER(THELMA) IBMFAC(BPX.CAHFS.CHANGE.FILE.OWNER) ACCESS(ALL)TSS PER(LOUISE) HFSSEC(/certain.directory.) ACCESS(ALL)2–10 Cookbook

Implementing CA SAF HFS SecurityImplementing CA SAF HFS SecurityCA SAF HFS security is an application of CAIENF/USS (UNIX System Services).This security application is activated when the appropriate DCM modules arelinked into the ENF database. The following describes the implementation steps:1. eTrust CA-Top Secret for OS/390 5.1 SP2 or higher is required to implementCA SAF HFS Security.2. Determine if exit processing is required for path name translation, user pathdefinition or to enable file ownership. See below for specifics regarding exitprocessing. If using the exit, assemble and link the exit code using thesample SMPE usermod found in OPMAT member UD00001.3. Define HFS file and function resource authorizations. It is recommended thatall the function resources described in the previous sections be defined. Autility is provided to assist in creating these resource rules. See section CASAF HFS ADD/PERMIT Generation Utility for details.4. If you utilize the user file ownership feature of CA SAF HFS security(described in Exit Processing section), also define authorizations for users.5. Verify that the proper level of CAIENF is available to support ENF/USS. CACommon Services for z/OS and OS/390 with the following APARs providesthis support: LO89578 through LO89581, LO89584, LO92642, and LO94652,and LO94657.6. The ENF started task must be a valid OMVS user. Message CARR014E isissued if this is not done. Ensure the ENF acid specifies a group. Install thefollowing DCM modules into the ENF database using the ENFDB utilityprogram: CARRDCM0 (Framework) and J163DCM0(CA-Top Secret).7. Defining a VLF class for use as a cache can enhance performance ofENF/USS. The cache size is determined by the MAXVIRT specification. Thenumber of cache entries is approximated by dividing the defined amount ofVLF storage by the average size of your path names. Add the following toyour current COFVLFxx member in SYS1.PARMLIB:CLASS NAME(CAENFU) /* ENF/USS pathname cache */EMAJ(PATHCACHE) /* Major name */MAXVIRT(256) /* 1 megabyte */8. Adding the NODSNCHK attribute to the BPXOINIT logonid during initialtesting will allow OMVS to successfully initialize without violations. Onceappropriate authorizations are in place, the NODSNCHK attribute should beremoved.9. The following message is issued by CAIENF/USS at ENF startup when CASAF HFS security is successfully initialized:CARR036I - SAFHFINT / J163 Now InitializedControlling Access to the Hierarchical File System 2–11

HFSSEC Control Option10. Set the eTrust CA-Top Secret Control Option HFSSEC to ON: HFSSEC(ON)11. Run TSSUTIL during the implementation phase. Review violations andloggings for HFSSEC and IBMFAC resource types and create appropriateauthorizations.HFSSEC Control OptionA new eTrust CA-Top Secret Control Option exists to turn HFS security ON andOFF. This control option is set in the TSS PARMS startup member or can bedynamically set via a TSS MODIFY command. To determine the current activesetting of HFSSEC, issue: TSS MODIFY STATUS(BASE)HFSSEC(ON)—Enables CA SAF HFS security. When enabled, normal OS/390UNIX security access validation is bypassed. This includes checking of filepermission bits, superuser status and normal OS/390 UNIX security services.HFSSEC(OFF)—Disables CA SAF HFS security. When disabled, normal OS/390UNIX security access validation is enabled. This includes checking of filepermission bits, superuser status and normal OS/390 UNIX security services.Exit ProcessingAn exit point is provided for installation-specific processing. This exit is calledfor both an initialization function, where options involving pathname translationand user path processing can be selected, and a pathname translation function,where final modification to the pathname can be made before validation isperformed.The exit must be reentrant and capable of running AMODE(31) andRMODE(ANY). The exit name is SAFHFUSR and must be linked together withload module SAFHFSEC. A sample SMPE usermod to perform this can be foundin OPMAT member UD00001.Upon entry to the exit, register R1 points to a list of addresses. The end of the listis indicated by the high order bit in the last full word.For an initialization function, the exit is passed the following parameteraddresses:+0—The address of a single byte containing the character ‘I’ indicating that this isan initialization function.+4—The address of a 512-byte work area for the use of the exit program.+8—The address of a 255-byte field in which the user can return the path locationwhere user directories are located. Upon input, this field contains hex zeros.2–12 Cookbook

HFSSEC Control Option+12—The address of a single byte which, when set to ‘Y’ by the exit, indicatesthat user ownership of files is in effect.+16—The address of a 256-byte translation table, which is used to translatecertain special characters in a path name.When the exit returns a user directory path location, CA SAF HFS processinguses that path name to determine if the path name to be validated should betranslated to a form such that the user ID of the owner of the path becomes thehigh-level qualifier of the path name. This will allow HFS file rules to be writtenat the user level. The default is that no translation takes place for userdirectories.An example: if the exit returns the value /u/ as the user directory path namelocation, and the file accessed is /u/user01/xfile, then the resource namevalidated is $$USER01.XFILE. A rule to allow access to this file could be:TSS PER(USER01) HFSSEC($$%) ACCESS(UPDATE)When the exit returns the character ‘Y’ indicating that user ownership of fileswithin one’s own directory is in effect, no validation is performed when thecurrent user’s logonid matches that in the user directory. In the above example,validation would be bypassed when USER01 accesses file /u/user01/xfile. Thisoption is meaningless if a user directory path location is not also returned.The supplied translate table is in a format acceptable as input to the assemblerTR instruction. The default translate table will translate all slash characters in apath name, with the exception of the leading slash, to a period character. Otherspecial characters is translated into the dollar sign ($). These include charactersthat are used as masking characters in resource rules. If not translated, thesecharacters could create undesired results. The special characters include theperiod, asterisk, dash, plus, blank, and quote. An exit point is provided whichcan further modify any character in the table to meet special needs, with theexception of the slash character which will always be translated to a perioddelimiter.For a path name translation function, the exit is passed the following parameteraddresses:+0—The address of a single byte containing the character ‘P’ indicating that thisis a path name translation function.+4—The address of a 512-byte work area for the use of the exit program.+8—The address of a 255-byte field containing the resource name as modified byCA SAF HFS processing. This is the name that is used for validation. The exitcan return a modified path name in this same field.+12—The address of a 1023-byte field containing the original unmodified pathname.Controlling Access to the Hierarchical File System 2–13

HFSSEC Control OptionThe exit can use this exit function to make any specific modifications to the pathname beyond that already performed by CA SAF HFS security processing.TroubleshootingThe following section discusses troubleshooting solutions.ReportingReporting is done through the existing eTrust CA-Top Secret resource report,TSSUTIL. When the AUDIT attribute is on the user’s acid or specificpermissions, audit records can also appear on the report if they are requested inthe report criteria. The report will show the translated name of the HFS file usedfor validation. TSSUTIL should be reviewed when researching validationproblems.In addition, the online real-time monitor TSSTRACK can also be used to monitorHFS file security related events.OPTIONS(32)Control option, OPTIONS(32), provides support for USS event logging to the AuditTracking File.To take advantage of this feature, the LONG option must be specified inTSSUTIL. This will ensure that the full 256-character resource name can bedisplayed. Logging will only take place for the acids that have the AUDIT orTRACE attributes assigned.A new RDT class called USSLOG is introduced with this new USSLOG feature.This will allow TSSUTIL to select USSLOG records with the RESCLASS(USSLOG) option and to report the access level for the USS event. All of therecords are displayed as a resource type of USSLOG.The resource name field will display the USS function, i.e., INIT_USP and forsome types of USS events, i.e., CHECK_ACCESS, the path name and file namebeing assessed. (In the example of the TSSUTIL report below, you can see howthe records are displayed)The TSSOERPT can still be used to get additional detailed information about theUSS event, such as UID, GID or group name. Otherwise TSSUTIL will nowcontain the event information such as: User ID’s, Modes, Function, Path Names,File Names, Return Code, Facility, etc. (See the example below to see how thetypical record are displayed). As part of CASAF, USS events are being logged toSMF as well.2–14 Cookbook

HFSSEC Control OptionDiagnosticsThe CA SAF HFS security interface can be traced by using the SECTRACEcommand. A trace of internal functions of CA SAF HFS security is enabledthrough use of the SECTRACE TYPE=HFS keyword. The trace output can berequested by technical support. The syntax is:SecTrace SET,TYPE=HFSThe following keywords are meaningful when TYPE=HFS is specified:ID=JOBname=USERid=ENable|DISableACTION=MATCHLIM=DEST=CONSOLE|JOBLOG|SYSLOGCONSid=MSGid|NOMSGidOther keywords are ignored. If DEST is not specified, the default isDEST=SYSLOG.The SAF validation calls invoked by CA SAF HFS security can also be traced.These SAF calls are the file and function validations that are passed to eTrustCA-Top Secret. Enable this tracing by first issuing the SECTRACE SETcommand detailed below, followed by a reply to the prompt:ST SET,ID=id,TYPE=SAFP,DEST=dest,ENDR nn,REQSTOR=SAFHFSEC,ENDTSSUTIL/SAF Reference TablesAt OS/390 Release 2.8 and above, results from running a TSSUTIL and a SAFSECTRACE are different when the HFSSEC control option is set to ON or OFF.The tables should be used as a reference when you are evaluating the results ofthese utilities.Controlling Access to the Hierarchical File System 2–15

HFSSEC Control OptionTSSSUTIL EQUIVILENCY TABLEUNIX CMDCHAUDITHFSSEC(ON)CHAUDITHFSSEC(OFF)CHAUDITHFSSEC(OFF)CHATTRHFSSEC(ON)CHATTRHFSSEC(OFF)CHMOD (UID)HFSSEC(ON)CHMOD (UID)HFSSEC(OFF)TSSUTIL Sample OutputDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG01/17/00 13:03:49 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGRES=R_CHECK_AUDIT /u/omvspt1/_DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG02/01/00 10:12:08 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : UNIXPRIV SUPERUSER.FILESYS.FILE02/01/00 10:12:08 XE14 OMVSPT1 OMVSPT1 TSO WARN SEARRESOURCE TYPE:USSLOGRES=CHECK_ACCESS /u/omvspt1/altertestbDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG02/01/00 10:12:08 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : UNIXPRIV SUPERUSER.FILESYS.FILE02/01/00 10:12:08 XE14 OMVSPT1 OMVSPT1 TSO WARN SEARRESOURCE TYPE:USSLOGRES=CHECK_ACCESS /u/omvspt1/altertestbDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG01/17/00 13:51:05 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGRES=CHECK_FILE_OWNER /u/omvspt1/altertestDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG2/01/00 10:15:32 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : UNIXPRIVSUPERUSER.FILESYS.FILE02/01/00 10:15:32 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGRES=CHECK_ACCESS /u/omvspt1/altertestbDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG01/17/00 13:54:27 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGRES=R_CHECK_MODE /u/omvspt1/altertestDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG02/01/00 10:18:47 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : UNIXPRIV SUPERUSER.FILESYS.FILE02/01/00 10:18:47 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGRES=CHECK_ACCESS /u/omvspt1/altertestb2–16 Cookbook

HFSSEC Control OptionUNIX CMDCHMOD(STICKY BIT)HFSSEC(ON)CHMOD(STICKY BIT)HFSSEC(OFF)CHMOD (GID)HFSSEC(ON)CHMOD (GID)HFSSEC(OFF)CHOWNHFSSEC(ON)CHOWNHFSSEC(OFF)EDITHFSSEC(ON)EDITHFSSEC(OFF)TSSUTIL Sample OutputDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG01/17/00 13:54:27 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGRES=R_CHECK_MODE /u/omvspt1/altertestDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG02/01/00 10:20:35 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : UNIXPRIV SUPERUSER.FILESYS.FILE02/01/00 10:20:35 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGRES=CHECK_ACCESS /u/omvspt1/altertestbDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG01/17/00 13:54:27 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGRES=R_CHECK_MODE /u/omvspt1/altertestDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG02/01/00 10:22:15 XE14 OMVSPT1 OMVSPT1 TSO WARN EXECRESOURCE TYPE & NAME : UNIXPRIV SUPERUSER.FILESYS.FILE02/01/00 10:22:15 XE14 OMVSPT1 OMVSPT1 TSO WARN SEARRESOURCE TYPE:USSLOGRES=CHECK_ACCESS /u/omvspt1/altertestbDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG01/18/00 08:33:03 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGRES=R_CHECK_OWN /u/omvspt1/altertest2DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG02/01/00 10:37:50 XE14 OMVSPT1 OMVSPT1 TSO WARN 30 EXEC READRESOURCE TYPE & NAME : UNIXPRIV SUPERUSER.FILESYS.CHOWN02/01/00 10:37:50 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROGDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG02/01/00 11:04:03 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : UNIXPRIV SUPERUSER.FILESYS.FILE02/01/00 11:04:03 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGRES=CHECK_ACCESS /u/omvspt1/tssrulesControlling Access to the Hierarchical File System 2–17

HFSSEC Control OptionUNIX CMDEXTERNALLINKHFSSEC(ON)EXTERNALLINKHFSSEC(OFF)SYMBOLICLINKHFSSEC(ON)SYMBOLICLINKHFSSEC(OFF)SWITCH USER(SU)HFSSEC(ON)SWITCH USER(SU)HFSSEC(OFF)TSSUTIL Sample OutputDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG01/18/00 10:11:32 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : IBMFAC BPX.CAHFS.CREATE. EXTERNAL.LINK01/18/00 10:11:32 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : HFSSEC /U.OMVSPT1.ALTERTEST3DATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG02/01/00 11:31:28 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : UNIXPRIV SUPERUSER.FILESYS.FILE02/01/00 11:31:28 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGRES=CHECK_ACCESS /u/omvspt1/linktestDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG01/18/00 12:12:20 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : IBMFAC BPX.CAHFS.CREATE.SYMBOLIC.LINKDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG02/01/00 11:47:36 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : UNIXPRIV SUPERUSER.FILESYS.FILE02/01/00 11:47:36 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE:USSLOGRES=CHECK_ACCESS /u/omvspt1/linktestDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG02/03/00 11:06:05 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : IBMFAC BPX.SUPERUSER02/03/00 11:06:05 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : USSLOG R_SET_EUIDDATE TIME SYSID ACCESSOR JOBNAME FACILITY MODE VCPROG02/03/00 11:06:05 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : IBMFAC BPX.SUPERUSER02/03/00 11:06:05 XE14 OMVSPT1 OMVSPT1 TSO WARNRESOURCE TYPE & NAME : USSLOG R_SET_EUID2–18 Cookbook

HFSSEC Control OptionTSSSUTIL EQUIVILENCY TABLEUNIX CMDKILLHFSSEC(ON)KILLHFSSEC(OFF)EXTATTR(CHG. ATTR.)HFSSEC(ON)EXTATTR(CHG. ATTR.)HFSSEC(OFF)EXTATTR(PROG. CNTL.ATTR.)HFSSEC(ON)EXTATTR(PROG. CNTL.ATTR.)HFSSEC(OFF)TSSOERPT Sample OutputOMVS LOGGING REPORTSERVICE USERID GROUP UID GID SAF RC RSN DATETIME JOBNAME SOURCE SYSID CPUFunction: Purge Attribute flags: 00000000 Userid: Applid:Password: NO Certificate: NO ACEE Addr: NOINIT_USP OMVSPT1 OMVSGRP1 777 777 0 0 002/02/00 00.033 09:59:16 OMVSPT1 XE14 XE14OMVS LOGGING REPORTSERVICE USERID GROUP UID GID SAF RC RSN DATETIME JOBNAME SOURCE SYSID CPUDELETE_USP OMVSPT1 OMVSGRP1 0 0 0 0 002/02/00 00.033 10:53:15 OMVSPT1 XE14 XE14INIT_ACEE OMVSPT1 OMVSGRP1 0 0 0 0 002/02/00 00.033 10:53:15 OMVSPT1 XE14 XE14Function: Purge Attribute flags: 00000000Userid:Applid:Password: NO Certificate: NO ACEE Addr: NOOMVS LOGGING REPORTSERVICE USERID GROUP UID GID SAF RC RSN DATETIME JOBNAME SOURCE SYSID CPU GET_GMAP OMVSPT1 OMVSGRP1 777777 0 0 002/02/00 00.033 09:41:41 OMVSPT1 XE14 XE14OMVS LOGGING REPORTSERVICE USERID GROUP UID GID SAF RC RSN DATETIME JOBNAME SOURCE SYSID CPURequested Access: WriteFunction: chattrUser Type: Security Defined Local UserPathname: u/omvspt1/altertest1Filename: altertest1Volume : SMS001 Owner: rwx Group: r-- Other: ---File Identifier: 00010B00000FA40000Owning UID: 777 Owning GID: 777User Audit Options : Read Success Write Success Exec/Search FailureAuditor Audit Options: Read None Write None Exec/Search NoneOMVS LOGGING REPORTSERVICE USERID GROUP UID GID SAF RC RSN DATETIME JOBNAME SOURCE SYSID CPUGET_GMAP OMVSPT1 OMVSGRP1 777 777 0 0 002/02/00 00.033 09:46:11 OMVSPT1 XE14 XE14OMVS LOGGING REPORTSERVICE USERID GROUP UID GID SAF RC RSN DATETIME JOBNAME SOURCE SYSID CPURequested Access: WriteFunction: chattrUser Type: Security Defined Local UserPathname: u/omvspt1/altertest1Filename: altertest1Volume : SMS001 Owner: rwx Group: r-- Other: ---File Identifier: 00010B00000FA40000Owning UID: 777 Owning GID: 777User Audit Options : Read Success Write Success Exec/Search FailureAuditor Audit Options: Read None Write None Exec/Search NoneControlling Access to the Hierarchical File System 2–19

HFSSEC Control OptionCA SAF HFS EQUIVILENCY TABLEHFSSEC(OFF) vs. HFSSEC(ON)OS/390 2.8 and aboveUNIX CMDS ACCESS GIVEN HPFSEC(ON) HPFSEC(OFF)CHAUDITAllow a user tochange user auditflagsBPX.CAHFS.CHANGE.FILE.AUDITFLAGSCHANGE_AUDIT_OPTAllow a user tochange a formatof a fileBPX.CAHFS.CHANGE.FILE.FORMATCHECK_FILE_OWNERCHMOD(UID)Allows a user tochange UID filepermission bitBPX.CAHFS.CHANGE.FI.LE.MODEBPX.CAHFS.CHANGE.FILE.MODE.EUIDCHANGE_FILE_MODECHMOD(STICKYBIT)Allows a user tochange Sticky bitfile permissionBPX.CAHFS.CHANGE.FILE.MODEBPX.CAHFS.CHANGE.FILE.MODE.EUIDCHANGE_FILE_MODEBPX.CAHFS.CHANGE.FILE.MODE.STICKYCHMOD(GID)Allows a user tochange GID bitBPX.CAHFS.CHANGE.FILE.MODECHANGE_FILE_MODEBPX.CAHFS.CHANGE.FILE.MODE.EUIDBPX.CAHFS.CHANGE.FILE.MODE.EGIDEXTATTR(ChangeAttributes)Allow a user toturn on APFattribute for anyHFS fileBPX.CAHFS.CHANGE.FILE.ATTRIBUTESSUPERUSER.FILESYS.FILEEXTATTR(ProgramControlled Attribute)Allow users toturn on theprogramcontrolledattributeBPX.CAHFS.CHANGE.FILE.OWNERSUPERUSER.FILESYS.FILECHOWNAllows a user tochangeownership offilesBPX.CAHFS.CHANGE.FILE.OWNERCHANGE_OWNER_GROUP2–20 Cookbook

HFSSEC Control OptionUNIX CMDS ACCESS GIVEN HPFSEC(ON) HPFSEC(OFF)MOUNTAllows a user tomount filesystemsBPX.CAHFS.MOUNTSUPERUSER.FILE.MOUNTUNMOUNTAllows a user toUnmount filesystemsBPX.CAHFS.UNMOUNTSUPERUSER.FILE.MOUNTLINKAllows a user tocreate a link toany HFSdirectoryBPX.CAHFS.CREATE.LINKSUPERUSER.FILESYS.FILERENAMEAllows a user torename an HFSdirectoryNO BPX CALL. HFS TRACESHOWS ONE EVENT.RENAMESUPERUSER.FILESYS.FILEEDIT(OPEN)Allows a user towrite to any HFSfileNO BPX CALL. HFS TRACESHOWS TWO EVENTS:OPEN AND RENAMESUPERUSER.FILESYS.FILEEXTERNAL(LINK)Allows a user tocreate an externallink to any HFSdirectoryBPX.CAHFS.CREATE.EXTERNAL.LINKSUPERUSER.FILESYS.FILESYMBOLIC(LINK)Allows a user tocreate a symboliclink to any HFSdirectoryBPX.CAHFS.CREATE.SYMBOLIC.LINKSUPERUSER.FILESYS.FILECHGRPAllows a user tochange groupsetting for a fileBPX.CAHFS.CHANGE.FILE.GROUPCHANGE_OWNER_GROUPKILLAllows a user tosend signals to aprocessSUPERUSER.PROCESS.GETPSENTSUPERUSER.PROCESS.KILLSU(SWITCH USER)Allows a user toswitch to superuser statusBPX.SUPERUSERSET_EFFECTIVE_UIDControlling Access to the Hierarchical File System 2–21

HFSSEC Control OptionCA SAF HFS ADD/PERMIT Generation UtilityA set of utility programs is provided to generate eTrust CA-Top Secretcommands to be used as a starter set of resource definitions and authorizationsfor new implementations. The HFS resource authorizations that are created giveaccess based upon the file permission bits defined for groups and 'other' users.In other words, the rules will give users the same default access to files as theyhave when not running CA SAF HFS security. The generated authorizationsmust be modified to allow appropriate users greater access to the directoryresources than that granted to the general user community. Because of thenumber of files that can be contained in the HFS the utility only covers thedirectories. File permissions can be added before running the REXX exec in step5.The HFS File System contains directories and files in a tree structure. In order toquickly add eTrust CA-Top Secret security a set of procedures and utilities areprovided. Following are the steps and utilities you will run to create and executethe eTrust CA-Top Secret commands to protect your current file system.Step 1—Run the OMVS "ls -lRA" command in a batch TMP. Direct the output toa standard DASD file. This file must be allocated with RECFM=VB.Issue the ls command from the OMVS shell, directing the output to a HFS file.The options -lRA must be specified (the character following the dash is a lowercase letter 'L', not the number one). The file can then be copied into a MVS dataset using the OGET command. An example of these commands follows:ls -lRA / >>directory_information_fileOGET '/directory_information_file' 'mvs.input.file'The resulting file data should look similar to this:/:total 232drwx------ 3 USER OPENMVS 0 Jun 3 1998 JavaS390drwxr-xr-x 4 USER 0 May 7 1998 bindrwx--x--x 2 USER OPENMVS 0 Oct 1 1997 devdrwxr-xr-x 8 USER OPENMVS 0 Nov 4 17:05 etcdrwxr-xr-x 2 USER 0 Jan 20 1998 libdrwxrwxrwx 2 USER 0 Jan 19 11:51 tmpdrwxr-xr-x 8 USER OPENMVS 0 Jan 15 15:47 udrwxr-xr-x 11 USER0 Jan 20 1998 usr/JavaS390:total 16drwxrwxrwx 7 USER ZEROGRP 0 Sep 25 1997 J1.1.1Step 2—Run HFSPASS1. This is a two step job. It will read the file from step 1create and intermediate data set and then sort that data creating a file for step 3.See example 1.2–22 Cookbook

HFSSEC Control OptionExample 1// JOB//STEP1 EXEC PGM=HFSUTIL1,REGION=0M//SYSABEND DD SYSOUT=*//SYSUDUMP DD SYSOUT=*//HFSINPUT DD DSN=????.????.????,DISP=SHR//EXTRACT DD DSN= SORT.INPUT,UNIT=3390,// DISP=(NEW,CATLG,DELETE),SPACE=(TRK,(15,1),RLSE),// DCB=(RECFM=FB,LRECL=300,BLKSIZE=6000)/*//STEP2 EXEC PGM=SORT,REGION=0M//SYSOUT DD SYSOUT=*//SORTWK01 DD UNIT=3390,SPACE=(CYL,5)//SORTWK02 DD UNIT=3390,SPACE=(CYL,5)//SORTWK03 DD UNIT=3390,SPACE=(CYL,5)//SORTWK04 DD UNIT=3390,SPACE=(CYL,5)//SORTIN DD DSN=SORT.INPUT,DISP=(OLD,DELETE,KEEP)//SORTOUT DD DSN=SORT.OUTPUT,UNIT=3390,// DISP=(NEW,CATLG,DELETE),SPACE=(TRK,(15,1),RLSE),// DCB=(RECFM=FB,LRECL=300,BLKSIZE=6000),VOL=SER=SCAC16//SYSIN DD *SORT FIELDS=(1,264,CH,A)/*Alternatively, the input file for step1 can point directly to the directoryinformation file created from the ls command. If using this format, the LRECLvalue specified in the JCL must be at least as large as the largest record in the file.The BLKSIZE value should be a value at least 8 greater than the LRECL. ThePATH name must be the full path name of the file containing the directoryinformation. A sample statement follows://HFSINPUT DD PATH='/directory_information_file',// PATHOPTS=(ORDONLY),FILEDATA=TEXT,// RECFM=VB,LRECL=nnn,BLKSIZE=nnnStep 3—Edit the file created in step 2. Following are the instructions for thatprocess. See example 1.1 for data to be edited.At the beginning of the data set are records to build a /group profilecross-reference table. The formats of those records are:AAAAAAAA - xxxxxxxx“AAAAAAAA” is the name of an OMVS group. The “xxxxxxxx” should bechanged to a profile to be used for any permissions needed by this group. In ourexample OPENMVS is the group and you must assign a profile name to“xxxxxxxx”.It should be noted that this is not a complete list of all groups, only those acidsthat needs a specific permission given.After those records are several TSS ADD or TSS ADDTO commands. These areall of the ownership's that are required for the conversion to meet with success.In these statements the xxxxxxxx (acid name) needs to be modified to whateveracid the client wants to own the specified resources.Controlling Access to the Hierarchical File System 2–23

HFSSEC Control OptionExample 1.1OPENMVS - xxxxxxxxTSS ADD(xxxxxxxx) HFSSEC(ROOT)TSS ADD(xxxxxxxx) IBMFAC(BPX.CAHF)TSS ADDTO(xxxxxxxx) HFSSEC(/bin)TSS ADDTO(xxxxxxxx) HFSSEC(/dev)TSS ADDTO(xxxxxxxx) HFSSEC(/etc)TSS ADDTO(xxxxxxxx) HFSSEC(/lib)TSS ADDTO(xxxxxxxx) HFSSEC(/opt)TSS ADDTO(xxxxxxxx) HFSSEC(/samples)TSS ADDTO(xxxxxxxx) HFSSEC(/tmp)TSS ADDTO(xxxxxxxx) HFSSEC(/u)TSS ADDTO(xxxxxxxx) HFSSEC(/usr)TSS ADDTO(xxxxxxxx) HFSSEC(/JavaS390)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.ATTRIBUTES)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.AUDIT.FLAGS)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.FORMAT)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.GROUP)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE.EGID)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE.EUID)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE.STICKY)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.OWNER)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.TIME)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.PRIORITY)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CREATE.EXTERNAL.LINK)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CREATE.LINK)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CREATE.SYMBOLIC.LINK)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.MOUNT)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.PTRACE)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.SET.PRIORITRY)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.SET.RLIMIT)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.UNMOUNT)TSS PERM(ALL) HFSSEC(ROOT) ACCESS(READ)ALL //binALL //devALL //etcALL //libALL //optStep 4—Run HFSPASS2. It will read the edited data set and produce a data setcontaining all the TSS commands to be executed. See example 2.2–24 Cookbook

HFSSEC Control OptionExample 2// JOB//STEP3 EXEC PGM=HFSUTIL2,REGION=0M//SYSABEND DD SYSOUT=*//SYSUDUMP DD SYSOUT=*//EXTRACT DD DSN=SORT.OUTPUT,DISP=SHR//PRMOUT DD DSN=TSS.CMDS,UNIT=3390,VOL=SER=SCAC16,// DISP=(NEW,CATLG,DELETE),SPACE=(TRK,(15,1),RLSE),// DCB=(RECFM=FB,LRECL=300,BLKSIZE=6000)Example 2.1 Output from the HFSUTIL2TSS ADD(xxxxxxxx) HFSSEC(ROOT)TSS ADD(xxxxxxxx) IBMFAC(BPX.CAHF)TSS ADDTO(xxxxxxxx) HFSSEC(/bin)TSS ADDTO(xxxxxxxx) HFSSEC(/dev)TSS ADDTO(xxxxxxxx) HFSSEC(/etc)TSS ADDTO(xxxxxxxx) HFSSEC(/lib)TSS ADDTO(xxxxxxxx) HFSSEC(/opt)TSS ADDTO(xxxxxxxx) HFSSEC(/samples)TSS ADDTO(xxxxxxxx) HFSSEC(/tmp)TSS ADDTO(xxxxxxxx) HFSSEC(/u)TSS ADDTO(xxxxxxxx) HFSSEC(/usr)TSS ADDTO(xxxxxxxx) HFSSEC(/JavaS390)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.ATTRIBUTES)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.AUDIT.FLAGS)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.FORMAT)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.GROUP)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE.EGID)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE.EUID)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE.STICKY)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.OWNER)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.FILE.TIME)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CHANGE.PRIORITY)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CREATE.EXTERNAL.LINK)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CREATE.LINK)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.CREATE.SYMBOLIC.LINK)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.MOUNT)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.PTRACE)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.SET.PRIORITRY)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.SET.RLIMIT)TSS PERM(ALL) FOR(14) IBMFAC(BPX.CAHFS.UNMOUNT)TSS PERM(ALL) HFSSEC(ROOT) ACCESS(READ)TSS PERMIT(ALL) HFSSEC(/bin) ACCESS(READ,EXEC)TSS PERMIT(ALL) HFSSEC(/dev) ACCESS(EXEC)TSS PERMIT(ALL) HFSSEC(/etc) ACCESS(READ,EXEC)TSS PERMIT(ALL) HFSSEC(/lib) ACCESS(READ,EXEC)TSS PERMIT(ALL) HFSSEC(/opt) ACCESS(READ,EXEC)TSS PERMIT(ALL) HFSSEC(/samples) ACCESS(READ,EXEC)Controlling Access to the Hierarchical File System 2–25

HFSSEC Control OptionStep 5—Run REXX exec to execute the commands in the data set.Example 3/* REXX *//*This EXEC will have as input a dataset name and will readthat dataset and issue the TSS commands in it.*/arg dsn . /* get data set name */if dsn = '' then dsn = '????.?????.????''ALLOC FI(PERMIN) DS('''dsn''') SHR REUSE VOL(??????)'eof = 'no'do while eof = 'no''execio 1 diskr PERMIN'if rc = 2then doeof = 'yes'endelse dopull recordsay 'Record is: ' recordrecordendend'execio 1 diskr permin ( finis''FREE FI(PERMIN)'exit 02–26 Cookbook

MessagesMessagesCAS2301EEVENT PROCESSING ROUTINE COULD NOT BE LOADEDReason:The initialization process could not locate the event processing routine,SAFHFSEC.Action:Ensure that module SAFHFSEC is available in a link list library and that moduleSAFRTRLD contains the proper maintenance for CA SAF HFS security support.Module:SAFHFINTCAS2302EENF/USS GLOBAL WORKAREA NOT PRESENTReason:The ENF/USS initialization driver did not provide a required global workarea tothe security initialization routine.Action:Contact technical support.Module:SAFHFINTControlling Access to the Hierarchical File System 2–27

MessagesCAS2303EENF/USS EVENT STRUCTURE ARRAY NOT PRESENTReason:The ENF/USS initialization driver did not provide a required list of events to thesecurity initialization routine.Action:Contact technical support.Module:SAFHFINTCAS2304ECA SAF IVT CONTROL BLOCK COULD NOT BE FOUNDReason:A critical CA SAF control block could not be located. An improper installation ofthe security product or corruption of common storage can cause this.Action:Contact technical support.Modules:SAFHFINT, SAFHFMODCAS2305EEVENT PROCESSING TABLE COULD NOT BE FOUNDReason:The table containing a list of security-related events could not be located or wascorrupted.Action:Ensure that the module SAFHFSEC is properly link edited and has not beencorrupted.Module:SAFHFINT2–28 Cookbook

MessagesCAS2306Wxxxxxxxxxxxxxxx EVENT COULD NOT BE FOUNDReason:An expected security event was not found in the list of events presented tosecurity initialization by ENF/USS. The event can be obsolete or OS/390release-dependent. Processing continues without security processing for theevent.Action:Ensure that ENF/USS and the security product are at compatible maintenancelevels. Contact technical support providing the event name causing the error.Module:SAFHFINTCAS2310EPARAMETER ERROR DETECTEDReason:The ENF/USS event driver did not pass a required parameter to the securityevent processing routine.Action:Contact technical support.Module:SAFHFSECControlling Access to the Hierarchical File System 2–29

MessagesCAS2311WERROR DETECTED IN USER EXIT SAFHFUSR; EXIT PROCESSING BYPASSEDReason:The installation has provided user exit code to modify the HFS path and filename information. The exit has provided an invalid path name or writtenbeyond the path name field provided. Changes made by the user exit areignored. The user exit is contained in CSECT SAFHFUSR in load moduleSAFHFSEC. This message is issued only when HFS tracing is enabled.Action:Ensure that the exit logic is correct. One way to do this is to set aninstruction-fetch SLIP trap at the point where the user exit routine returns to thecaller. The modified path name information should appear in the dump output.Contact technical support for further assistance.Module:SAFHFSECCAS2312Euserid - access ACCESS DENIEDReason:Security processing has denied access to the HFS file or function. The messageidentifies the ID of the user attempting the access and the type of access. Thetype of access is reported in SAF terminology and can be EXECUTE, READ,UPDATE, CONTROL and ALTER. These accesses correspond to resource ruleSERVICE of EXECUTE, READ, UPDATE, DELETE and ADD. EXECUTE accessindicates that a program file is being accessed, READ that a file is opened forinput, and UPDATE that a file is opened for output. CONTROL access indicatesthat some type of file function is being performed, such as changing fileattributes. ALTER access indicates that a file is being created or deleted.Action:For more information, run the resource violation report. The report will detailthe violation with the original HFS path name, the modified name, and thereason for access being denied.Module:SAFHFSEC2–30 Cookbook

MessagesCAS2319ITRACEID=aaaaaaaa USER=bbbbbbbb JOBNAME=ccccccccReason:Output in response to a SECTRACE TYPE=HFS command. The first line of thetrace output contains the trace ID, the current user ID, and the current job name.Subsequent lines contain other information specific to the request beingprocessed. This information can include the event being processed, the HFS filename being accessed, return code values, and specific reasons for access beingallowed or denied.Action:This information can be requested by technical support to assist in problemresolution.Module:SAFHFTRCControlling Access to the Hierarchical File System 2–31

Chapter3Using the Sysplex Coupling FacilityeTrust CA-Top Secret takes advantage of two functions that the Coupling Facilityoffers:■■XES Data Sharing FunctioneTrust CA-Top Secret uses this feature to provide the ability to share SecurityFile records for all eTrust CA-Top Secret systems throughout the sysplex.XCF FunctioneTrust CA-Top Secret uses this feature as a message router that allows thecommunication of eTrust CA-Top Secret security information betweensystems in the sysplex environment. It allows the propagation of commandsissued on one system to all the other connected systems. XCF can be activewhen XES is not.The SYSPLEX XES FunctionThe XES data sharing feature lets you define structures in the sysplex thatmultiple systems can use. These structures contain data (a Security File for eTrustCA-Top Secret) to be shared among the systems in the sysplex. Once the data hasbeen placed in a structure it is valid to be read, updated, or deleted by anysystem connected to that structure. It is the responsibility of the systemsprogrammer to define the structure-name to the Coupling Facility. Thisstructure-name is then defined to eTrust CA-Top Secret as the repository of theshared Security File.Note: A second structure can be defined for recovery purposes. This alternatestructure is used in case the primary structure has faltered for any reason. Thisalternate structure is not mandatory, but can be used if desired and is alsodefined to eTrust CA-Top Secret.Using the Sysplex Coupling Facility 3–1

The SYSPLEX XES FunctionThere are three types of structures that can be defined to the Coupling Facility,these include the List, Cache, and Lock structures. eTrust CA-Top Secret uses theList structure to "hold" the Security File. With a List structure, numerousfunctions can be performed against the Security File. For example, reads, writes,deletes, or multiple deletes can be performed. A connection between eachsystem in the sysplex and the structure in the Coupling Facility must be createdto establish communication. This connection must be established prior to anyother function and indicates to the Coupling Facility which structure is to containthe data for future processing. When eTrust CA-Top Secret is donecommunicating with the structure in the Coupling Facility, a disconnect must beperformed. A List structure can be redefined while systems are connected to it.A redefining of the structure can take place if, for example, it becomes full and itis necessary to increase its size.A List structure is made up of headers and data elements. Each header can beused to break up different types of information in the structure. There is amaximum of sixteen headers that any one structure can have. With each header,data elements contain the data that is stored in the structure. The number ofheaders and the size of each data element are defined to the Coupling Facilitywhen eTrust CA-Top Secret "connects" to the structure. eTrust CA-Top Secretonly requires the use of one header. Multiple data elements can exist under thatone header.The total size of the structure is dependent on how the structure is defined to theCoupling Facility. The required size of the Coupling Facility structure can bedetermined using the TSSFAR utility. This is done when the systemsprogrammer defines the name of the structure. Next, the amount of data isdependent on how the structure is defined at connection time. The first systemto connect to a structure supplies information on how the structure is set up. Forexample, the number of headers and the maximum data element size, are two ofmany factors determining the amount of data that can be placed in a structure.These factors are supplied at connection time and are used in a calculation that isdone during the connection.Once a List structure is full, no more data can be added to it. However, thesystem programmer can increase the size of the Coupling Facility structure withno disruption to the system, or rebuilt the structure characteristics with minimaldisruption to the system.The Coupling Facility design handles any failure in it or its connections bydisconnecting and reverting to normal I/O processing. After the problem isresolved, the user must reactivate the Coupling Facility by reactivating thesysplex connection.3–2 Cookbook

The SYSPLEX XCF FunctionThe SYSPLEX XCF FunctionThe XCF function within a sysplex environment allows communication betweenall systems in the sysplex. The main function is the message routing capability.Any system within the sysplex can "join" a group and send and receive messagesfrom each of the other members within the same group. For example, if systemA wanted to send a message to all other systems in the group it can do so byissuing a send message to the Coupling Facility. The Coupling Facility is thenresponsible for posting or notifying all other "joined" systems within the groupthat a message is waiting for them. Each notified system is then responsible forreceiving the message that was sent. The actions performed by the receivingsystem depend on the content of the message.eTrust CA-Top Secret and the SYSPLEX XES FunctionThe XES data-sharing feature lets you define a primary and an alternate Liststructure in the Coupling Facility.If this feature is enabled, eTrust CA-Top Secret attempts to obtain the requesteddata from the Coupling Facility before any physical I/O is performed. If therequested data is obtained from the Coupling Facility no I/O is performed. Thussaving the time from having to do the actual I/O to the database. If you areusing the CACHE facility with eTrust CA-Top Secret, the cache call is performedprior to any call to the Coupling Facility. If the data is found in the CACHE, nocalls to the Coupling Facility or the I/O to the database are performed.Whenever direct physical I/O is requested to the eTrust CA-Top Secret database,a number of decisions must be made. It is important that any updating of anyrecord is reflected on the database prior to the Coupling Facility. Most importantis the need to obtain the data from the Coupling Facility when a direct READ of arecord is requested. If any record is being updated, a lock to the CouplingFacility is issued to prevent the same record from being updated in the CouplingFacility by another eTrust CA-Top Secret system. The Security File ENQ recordshows which system is currently holding the lock and a time stamp indicates thetime the lock was placed.A List structure allows eTrust CA-Top Secret to optimally control what is placedin the Coupling Facility and the maintenance of the data once it is there. Theprimary List structure, defined by the systems programmer, is used to hold allthe data for the eTrust CA-Top Secret database. The optional alternate Liststructure is used in the case that something happens to the primary list structure.If no alternate is defined, and the primary is unavailable, eTrust CA-Top Secretdefaults to its current I/O processing.Using the Sysplex Coupling Facility 3–3

eTrust CA-Top Secret and the SYSPLEX XES FunctionHow does this all work? You must first define the list structure to the CouplingFacility. Then for each system enter a TSS MODIFY (SYSPLEX) command todefine the connect-name, structure-names, and group-name, and toautomatically connect each system to the Coupling Facility.The Security File ENQ record, the first physical record in the Security File, isused to keep control information about the Security file, including file lockingstatus. The ENQ record includes the Coupling Facility structure name, and theCoupling Facility validity record includes the volume serial number (VOLSER)of the Security File. This information is stored by the first system that connects tothe Coupling Facility structure, and is used by systems that connect subsequentlyto ensure that a unique Security File data set and structure name combination isused among all connected systems. When a local system attempts to lock theSecurity File, the structure name in the Security File ENQ record is compared tothe local system's currently defined structure.Whenever the Security File is locked by a non-Coupling Facility connectedsystem, the structure name found within the ENQ record is validated to beactive, and the local system connects to the same structure, before proceedingwith any update activity against the file.While the current system is active in the Coupling Facility, if the Security FileENQ record is altered by another system and it no longer contains the structurename, all systems are forced to disconnect from the Coupling Facility.When a Coupling Facility connected system manually disconnects from thestructure, all other connected systems are forced to disconnect as well, to ensurethat no residual data is left in the Coupling Facility while one of the systems isrunning without an XES connection. An XES sysplex connection without an XCFconnection is allowed.After a system is forced to disconnect from a structure, as a result of a manualdisconnect command, all other connected systems are forced to disconnect. Nore-connect is attempted until a new structure is allocated in the Coupling Facilityby a manual connect command, or by a new system starting up. To determine ifa structure was reallocated, use the TSS MODIFY(STATUS(SYSPLEX))command, or the D XCF,STR OS/390 operator command. Compare the currentversion number to the version number of the previous connection.3–4 Cookbook

eTrust CA-Top Secret and the SYSPLEX XCF FunctioneTrust CA-Top Secret and the SYSPLEX XCF FunctionXCF message routing allows eTrust CA-Top Secret operator commands to besent to all other eTrust CA-Top Secret systems in the sysplex that are defined tothe same group. This allows one eTrust CA-Top Secret system to update securitycontrol information and automatically send the information to the other eTrustCA-Top Secret systems in the sysplex. This provides critical datasynchronization on all systems without operator intervention.The group-name, defined by the SYSPLEX control option, defines the group thata eTrust CA-Top Secret system "joins" when the sysplex is started. If there areany other eTrust CA-Top Secret systems that have joined the same group and the"send" command has been specified, the TSS command is sent to those systems.The TSS command is then processed on the remote eTrust CA-Top Secretsystems as if it was entered locally.Note: In addition to being defined to the same group, the user must haveCONSOLE authority on all other systems in the sysplex so that the TSScommands can be properly processed.XCF(*) Control OptionXCF(*) is the eTrust CA-Top Secret "send" command for routing information toremote systems in the sysplex. The syntax is XCF(*) and must be entered as thelast parameter on the TSS MODIFY command:TSS MODIFY (VTHRESH(10,NOT),XCF(*))This command illustrates how XCF(*) is used on a TSS MODIFY command toupdate the violation threshold on all systems in a group on a sysplex with theVTHRESH control option. If the command is successful, the following message isdisplayed at the sending system.TSS9718I MODIFY COMMAND SENT VIA XCF TO ALL CONNECTEDSYSTEMS IN THIS SYSPLEXFor more details, see the Control Options Guide.Controlling Access to XCF PoliciesIBM provides an administrative utility, IXCMIAPU, to modify, add or deletepolicy data from the ARM, CFRM, LOGR or SFM data sets. Use of this utility iscontrolled by the FACILITY class resource MVSADMIN. eTrust CA-Top Secretimplementation of the FACILITY class is done using the IBMFAC resource class.Using the Sysplex Coupling Facility 3–5

Defining the Sysplex to eTrust CA-Top SecretTo secure access to the IXCMIAPU utility using eTrust CA-Top Secret you mustestablish ownership of the resource and permit the required access to a policy asshown next.Establish ownership of the resource:TSS ADDTO(dept) IBMFAC(MVSADMIN)Permit required access to a policy:TSS PERMIT(user) IBMFAC(MVSADMIN.XCF.ARM) ACCESS(READ | UPDATE)TSS PERMIT(user) IBMFAC(MVSADMIN.XCF.CFRM) ACCESS(READ | UPDATE)TSS PERMIT(user) IBMFAC(MVSADMIN.XCF.LOGR) ACCESS(READ | UPDATE)TSS PERMIT(user) IBMFAC(MVSADMIN.XCF.SFM) ACCESS(READ | UPDATE)Two access levels are available for these resources:READ—Report only on a policyUPDATE—Alter and maintain a policyDefining the Sysplex to eTrust CA-Top SecretDefining the sysplex environment to eTrust CA-Top Secret is easy to do. To usethe XCF or XES feature, the SYSPLEX control option must be entered. Thiscontrol option contains the information necessary for eTrust CA-Top Secret tocommunicate with the sysplex using the proper structure and group names.For more details, see the Control Options Guide.Managing the Coupling FacilityOS/390 and eTrust CA-Top Secret use the definitions in the Coupling FacilityResource Management (CFRM) policy when managing the Coupling Facilitystorage. The CFRM policy resides in a CFRM couple data set which the systemprogrammer creates using the IBM IXCL1DSU format utility program. To createthe administrative CFRM policies, the systems programmer uses the IBM utilityprogram IXCMIAPU. You can activate, change or rebuild the CFRM policy usingthe OS/390 operator command SETXCF.3–6 Cookbook

Managing the Coupling FacilityCFRM PolicyTo set up the CFRM policy, the systems programmer must know whichsubsystems and applications in the installation will use the Coupling Facility andthe structure requirements of each.Using the IBM utility program IXCMIAPU, define the CFRM policy to:■■■■Identify each Coupling Facility and each structure.Specify the size of each structure. The structure size will initially be allocatedat the INITSIZE you specify. The maximum size of the structure is definedby SIZE. Use the TSSFAR utility to run a TSSFAR ACIDCHAN report, whichwill recommend the XES structure size. You can use this to help determinethe structure size you want to specify in the CFRM policy. Otherconsiderations are discussed in the IBM guide MVS Setting Up a Sysplex.Specify the preference list (PRELIST), which is an ordered list of CouplingFacility names in which the structure can be allocated.Specify an exclusion list of structures that are not to be allocated in the sameCoupling Facility as the structure.Every application specifies the required structure types, as well as the name andsize of the structure or structures it uses. eTrust CA-Top Secret uses the SYSPLEXcontrol option to provide this information. For details on the SYSPLEX controloption, see the Control Options Guide.For further information regarding the CFRM policy, see the IBM guide MVSSetting Up a Sysplex.Altering the Coupling Facility Structure SizeeTrust CA-Top Secret supports dynamic system-managed resizing or rebuildingof the Coupling Facility structure. You can use the SECXCF OS/390 operatorcommand to increase the Coupling Facility structure size with no disruption tothe connected systems.Use the following command to increase the structure size up to the SIZE value,which is the maximum size defined in the active Coupling Facility resourcemanagement (CFRM) policy:SETXCF START,ALTER,STRNAME=strname,SIZE=nnnHowever, if the optional initial size (INITSIZE) value was not specified in theCFRM policy, the structure size cannot be increased. In this case, the structurewould have been initially allocated based on the maximum SIZE value, ratherthan the INITSIZE. If the structure is already at the maximum size specified inthe CFRM policy, the CFRM must be modified to allow a larger structure sizeusing the SETXCF START, REBUILD command.Using the Sysplex Coupling Facility 3–7

Managing the Coupling FacilityWhen a structure ALTER processing completes, each connected system is postedby the Computer Associates security Coupling Facility service (CASECCFS) toallow those systems to update the size and utilization counts for the connectedstructure.Note: To display information about the current Coupling Facility XES structure,use the TSS MODIFY(STATUS(SYSPLEX)) command. The following sysplexrelated data will appear in message TSS9661I:CURRENT STRUCTURE SIZE—Current allocated sizeMAX STRUCTURE SIZE—Maximum structure sizeNUMBER OF STRUCTURE ENTRIES—Current entry countMAX NUMBER OF STRUCTURE EXTRIES—Maximum possible entry countAn example of message TSS9661I follows:TSS9661I CA-Top Secret SYSPLEX StatusCF CONNECT NAME(XE11 ) XCF GROUP(TSSXCF )STRUCTURE NAME(SECURITY3 ) ACTIVATEDCURRENT STRUCTURE SIZE( 10240K)MAX STRUCTURE SIZE( 16128K)NUMBER OF STRUCTURE ENTRIES( 132)MAX NUMBER OF STRUCTURE ENTRIES( 1223)Rebuilding the Coupling Facility StructureAfter you have updated the CFRM policy with new structure attributes such asSIZE or INITSIZE, you can use the SETXCF OS/390 operator command torebuild the Coupling Facility structure characteristics based on the new CFRMpolicy changes. The rebuild is performed with minimum disruption to theconnected systems.Use the following command to initiate the rebuild process based on the newCFRM policy structure attributes, while connected systems remain connected tothe structure.SETXCF START,REBUILD,STRNAME=strnameDuring the rebuild process, the system defers any requests that are issued whilethe structure is unavailable. These requests are processed after the rebuildprocess has completed.3–8 Cookbook

Defining SYSTEM LOGGER to eTrust CA-Top SecretThe following requirements apply to the system-managed rebuild:■■■■Coupling facility has to be at CFLEVEL=8 or higher.The structure has at least two entries in the CFRM PREFLIST.All systems using the CFRM couple data set must be at OS/390 version 8 orhigher.The CFRM couple data set must be formatted with the ITEMNAME(SMREBLD) NUMBER(1) statement.Connecting to the StructureAt startup, or through a start command, eTrust CA-Top Secret attempts toconnect to the defined structures in the Coupling Facility. If successful, eTrustCA-Top Secret attempts to use the Coupling Facility for all I/O direct requestsbeing made for the defined file.Defining SYSTEM LOGGER to eTrust CA-Top SecretSystem logger is an OS/390 component that allows an application to log datafrom different systems across a sysplex. A system logger application can besupplied by:■■■IBM, for example the CICS log manager and the operations log stream(OPERLOG)Independent software vendorsYour installationA system logger application can merge the log data from systems across thesysplex into a log stream. A log stream is simply a collection of data in log blocksresiding in a coupling facility list structure, on DASD, or on both.Using the Sysplex Coupling Facility 3–9

Defining SYSTEM LOGGER to eTrust CA-Top SecretSetting up the OS/390 CICS log manager with eTrust CA-Top Secret involves thefollowing steps:Step 1—Follow substep A or B to define the IXGLOGE address space and therequired SAF authorizations.■Define IXGLOGR in the Started Task table to bypass SAF calls:or■TSS ADD(STC) PROCNAME(IXGLOGR) ACID(BYPASS)This bypasses all SAF calls and, therefore, does not require additionalresource permits.Define IXGLOGR in the Started Task table:TSS ADD(STC) PROCNAME(IXGLOGR) ACID(ixglogr)Permit access to the log stream coupling facility structures.TSS ADD(dept) IBMFAC(IXLSTR.structure_name)TSS PER(ixglogr) IBMFAC(IXLSTR.structure_name) ACCESS(ALL)Permit access to the DASD log stream and staging data sets.TSS ADD(dept) DSNAME(hlq.data_set_name)TSS PER(ixglogr) DSNAME(hlq.data_set_name) ACCESS(ALL)The default hlq is IXGLOGR if none is specified on the HLQ parm of theDEFINE LOGSTREAM statement.Permit access to the systems SYSx.PARMLIBTSS ADD(dept) DSNAME(SYS1.PARMLIB)TSS PER(ixglogr) DSNAME(SYS1.PARMLIB) ACCESS(READ)Step 2—Control which applications can access the system logger resources.For logrec log stream, CICS log manager, and OPERLOG system loggerapplication, define access to the log stream.TSS ADD(dept) LOGSTRM(log_stream_name)TSS PER(acid) LOGSTRM(log_stream_name) ACCESS(UPDATE)Step 3—Authorize who can use the IXCMIAPU utility.Define authorizations to use IXCMIAPU.TSS ADD(dept) IBMFAC(MVSADMIN.)TSS PER(acid) IBMFAC(MVSADMIN.) ACCESS(ALL)

AppendixA IMVSECURIMVSECUR//JOBNAME JOB//******************************************************************//* TOP SECRET SECURITY(TSS) VIA THE BATCH TMP (IKJEFT01) *//* This member contains the TSS COMMANDS that are used to define *//* the Top Secret authorizations needed to implement an OS/390 *//* environment. *//* These commands reflect default procnames as well as typical *//* GID and UID values , and typical group names. *//* The areas defined include: *//* *//* OpenEdition (Unix System Services for OS/390) *//* TCP/IP (Communications Server IP for OS/390) *//* FTP (Packaged with TCP/IP) *//* Lotus Domino Go Webserver (WebSphere Appl Server for os/390 *//* Firewall Technologies *//* LDAP Security *//* *//* INSTRUCTIONS: *//* 1. INSERT A VALID JOBCARD(ABOVE). *//* 2. TAILOR THE PROC STATEMENT AND TSSIN-DD TO MEET *//* YOUR SITE STANDARDS. *//* 3. SUBMIT THIS JOB. *//* *//******************************************************************//TSSTMP PROC PRINT=A /* SYSOUT O/P DESTINATION *///TSSTMP EXEC PGM=IKJEFT01,REGION=300K//SYSPRINT DD SYSOUT=&PRINT//SYSTSPRT DD SYSOUT=&PRINT,// DCB=(LRECL=133,BLKSIZE=133,RECFM=FA)//SYSTSIN DD DDNAME=TSSIN// PEND//*//BACKTMP EXEC TSSTMP//TSSIN DD *IMVSECUR A–1

IMVSECUR/*======================================================================*//* OpenEdition setup. *//*======================================================================*/TSS CRE(OMVSGRP) TYPE(GROUP) NAME('DEFAULT OMVS GROUP') DEPT(anydept)TSS ADD(OMVSGRP) GID(1)TSS CRE(TTY) TYPE(GROUP) NAME('REQ''D OMVS TTY GROUP') DEPT(anydept)TSS ADD(TTY) GID(2)TSS CRE(OMVSKERN) TYPE(USER) NAME('OPENMVS STC ID') -DEPT(anydept) FAC(STC,APPC) PASSWORD(password,0)TSS ADD(OMVSKERN) UID(0) GROUP(OMVSGRP,TTY) -DFLTGRP(OMVSGRP)TSS CRE(INETD) TYPE(USER) NAME('OMVS INETD STC') DEPT(anydept) -FAC(STC) PASSWORD(password,0)TSS CREATE(BPXROOT) TYPE(USER) NAME('BPXROOT ACID') DEPT(anydept) -FAC(APPC) PASSWORD(password,0)TSS ADD(BPXROOT) GROUP(OMVSGRP) DFLTGRP(OMVSGRP) UID(0)TSS ADD(INETD) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP) -HOME(/) OMVSPGM(/bin/sh)TSS ADD(STC) PROC(OMVS) ACID(OMVSKERN)TSS ADD(STC) PROC(BPXOINIT) ACID(OMVSKERN)TSS ADD(STC) PROC(BPXAS) ACID(OMVSKERN)TSS ADD(STC) PROC(INETD) ACID(INETD)/*======================================================================*//* TCP/IP setup. *//*======================================================================*/TSS CRE(TCPIP) TYPE(USER) NAME('TCP/IP STC ID') DEPT(anydept) -FAC(STC,BATCH) PASSWORD(password,0) -NOVOLCHK NODSNCHK NORESCHK NOLCFCHK NOSUBCHKTSS ADD(TCPIP) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP) -HOME(/) OMVSPGM(/bin/sh)TSS ADD(STC) PROC(TCPIP) ACID(TCPIP)/* *//*======================================================================*//* FTP setup. *//*======================================================================*/TSS CRE(FTP) TYPE(USER) NAME('FTP STC ID') DEPT(anydept) -FAC(STC,BATCH) PASSWORD(password,0) MASTFAC(TCP) -NOVOLCHK NODSNCHK NORESCHK NOLCFCHK NOSUBCHKTSS ADD(FTP) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP) -HOME(/) OMVSPGM(/bin/sh)TSS ADD(STC) PROC(FTPSERVE) ACID(FTP)A–2 Cookbook

IMVSECUR/*======================================================================*//* Domino Go WebServer setup. *//*======================================================================*//* *//* Facility setup. *//* */TSS MODIFY FAC(USERx=NAME=IMWEB)/* *//* Acid for Web Server started-task *//* */TSS CRE(IMWEB) TYPE(GROUP) NAME('WEBSERVER GROUP') DEPT(anydept)TSS ADD(IMWEB) GID(205)TSS CRE(WEBADM) TYPE(USER) NAME('WEB ADMINISTRATOR') -DEPT(anydept) FAC(IMWEB) PASSWORD(password)TSS ADD(WEBADM) UID(206) GROUP(IMWEB) DFLTGRP(IMWEB) -HOME(/usr/lpp/internet) OMVSPGM(/bin/sh)TSS CRE(WEBSRV) TYPE(USER) NAME('WEBSERVER DAEMON/STC') -DEPT(anydept) FAC(STC,IMWEB) PASSWORD(password,0)TSS ADD(WEBSRV) UID(0) GROUP(IMWEB) DFLTGRP(IMWEB) -HOME(/usr/lpp/internet) OMVSPGM(/bin/sh) -MASTFAC(IMWEB)TSS ADD(STC) PROC(IMWEBSRV) ACID(WEBSRV)/* *//* Acids to allow access to Web Server without signon *//* */TSS CRE(EXTERNAL) TYPE(GROUP) NAME('WEB GROUP') DEPT(anydept)TSS ADD(EXTERNAL) GID(999)TSS CRE(EMPLOYEE) TYPE(GROUP) NAME('WEB GROUP') DEPT(anydept)TSS ADD(EMPLOYEE) GID(500)TSS CRE(SPECIAL) TYPE(GROUP) NAME('WEB GROUP') DEPT(anydept)TSS ADD(SPECIAL) GID(255)TSS CRE(PUBLIC) TYPE(USER) NAME('WEB SURROGATE ID') -DEPT(anydept) FAC(IMWEB) PASSWORD(NOPW,0)TSS ADD(PUBLIC) UID(998) GROUP(EXTERNAL) DFLTGRP(EXTERNAL) -HOME(/) OMVSPGM(/bin/sh)TSS CRE(INTERNAL) TYPE(USER) NAME('WEB SURROGATE ID') -DEPT(anydept) FAC(IMWEB) PASSWORD(NOPW,0)TSS ADD(INTERNAL) UID(537) GROUP(EMPLOYEE) DFLTGRP(EMPLOYEE) -HOME(/) OMVSPGM(/bin/sh)TSS CRE(PRIVATE) TYPE(USER) NAME('WEB SURROGATE ID') -DEPT(anydept) FAC(IMWEB) PASSWORD(NOPW,0)TSS ADD(PRIVATE) UID(416) GROUP(SPECIAL) DFLTGRP(SPECIAL) -HOME(/) OMVSPGM(/bin/sh)/* *//* Allow Web Server started-task acid to access *//* resources IBMFAC and SURROGAT *//* */TSS ADD(anydept) IBMFAC(BPX.)TSS PERMIT(WEBSRV) IBMFAC(BPX.DAEMON) ACCESS(READ)TSS PERMIT(WEBSRV) IBMFAC(BPX.SERVER) ACCESS(UPDATE)TSS ADD(anydept) SURROGAT(BPX.)TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.WEBADM) ACCESS(READ)TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.PUBLIC) ACCESS(READ)TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.PRIVATE) ACCESS(READ)TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.INTERNAL) ACCESS(READ)/* *//* Give all users access to the three load libraries *//* related to the Web Server. *//* */TSS ADD(anydept) DSNAME(CEE.)TSS ADD(anydept) DSNAME(IMW.)TSS ADD(anydept) DSNAME(SYS1.)TSS PERMIT(ALL) DSNAME(CEE.V1R5M0.SCEERUN) ACCESS(READ)TSS PERMIT(ALL) DSNAME(IMW.V1R1M0.IMWMOD1) ACCESS(READ)TSS PERMIT(ALL) DSNAME(SYS1.LINKLIB) ACCESS(READ)IMVSECUR A–3

IMVSECUR/*=====================================================================*//* OS/390 Firewall setup. *//*=====================================================================*/TSS CRE(FWGRP) TYPE(GROUP) NAME('FIREWALL GROUP') DEPT(anydept)TSS ADD(FWGRP) GID(nn) any unused GID number is allowed/* */TSS CRE(FWKERN) TYPE(USER) NAME('FIREWALL STARTUP ID') -DEPT(anydept) FAC(STC,BATCH) PASS(password,0)TSS ADD(FWKERN) GROUP(FWGRP) DFLTGRP(FWGRP) -HOME(/usr/lpp/fw/home/fwkern/) OMVSPGM(/bin/sh) UID(0)TSS ADD(STC) PROCNAME(FWKERN) ACID(FWKERN)SS MODIFY(OMVSTABS)/* */TSS ADD(STC) PROCNAME(ICAPSLOG) ACID(FWKERN)TSS ADD(STC) PROCNAME(ICAPSOCK) ACID(FWKERN)TSS ADD(STC) PROCNAME(ICAPPFTP) ACID(FWKERN)TSS ADD(STC) PROCNAME(ICAPTNAT) ACID(FWKERN)/*TSS ADDTO(anydept) DSN(TCPIP.)TSS PERMIT(FWKERN) DSN(TCPIP.) ACCESS(READ)/* */TSS PERMIT(FWKERN) IBMFAC(BPX.SMF) ACCESS(READ)/* *//* To give administrators access to FWGRP *//* */TSS ADDTO(acid) GROUP(FWGRP)/* *//* *//* Define and give ICFS services */TSS ADDTO(anydept) CSFSERV(service-name)TSS PERMIT(acid) CSFSERV(service-name) ACCESS(READ)/* *//*======================================================================*//* LDAP setup. *//*=====================================================================*/TSS CRE(LDAPGRP) TYPE(GROUP) NAME('LDAP GROUP') DEPT(anydept)TSS ADD(LDAPGRP) GID(nn) any unused GID number is allowed/* */TSS CRE(LDAPSRV) TYPE(USER) NAME('LDAP STARTUP ID') -DEPT(anydept) FAC(STC,BATCH) PASS(password,0)TSS ADD(LDAPSRV) GROUP(LDAPGRP) DFLTGRP(LDAPGRP) -HOME(/) OMVSPGM(/bin/sh) UID(0)TSS ADD(STC) PROCNAME(LDAPSRV) ACID(LDAPSRV)TSS MODIFY(OMVSTABS)/* */TSS PERMIT(LDAPSRV) IBMFAC(BPX.DAEMON) ACCESS(READ)TSS PERMIT(LDAPSRV) IBMFAC(BPX.SERVER) ACCESS(UPDATE)/* *//* To give administrators access to LDAPGRP */TSS ADDTO(acid) GROUP(LDAPGRP)/*A–4 Cookbook

AppendixBRACF to eTrust CA-Top SecretTranslationMany applications and products describe the setup for external security in RACFterms. The purpose of this Appendix is to describe what the RACF terminologymeans so a eTrust CA-Top Secret administrator can take the information andcreate the necessary eTrust CA-Top Secret records to implement it.Use the following chart to check the corresponding eTrust CA-Top Secret feature.Feature RACF eTrust CA-Top SecretUsers/GroupsResourceProtectionSPECIAL GroupconceptData SetsDASD volumesTape volumesTerminalsLoad modules(programs)IMS applicationgroup names(AIMS)IMS transactions(TIMS and GIMS)IMS applicationsCICS PSBsCICS transactionsCICS filesCICS journalsCICS programsMSCA, LSCAs, Zones, Divisions,Departments, Profiles, ACIDsData Sets (DSN)DASD volumes (VOL)Tape volumes (VOL)Terminals (TERM, SOURCE)Programs (PROG)IMS applications (APPL)Transactions via Limited Command Facility(LCF) or protected resources (OTRAN)Facility checkingCICS PSBsTransactions via Limited Command Facility(LCF) or protected resources (OTRAN)CICS files (FCT)CICS journals (JCT)CICS programs (PPT)RACF to eTrust CA-Top Secret Translation B–1

IMVSECURFeature RACF eTrust CA-Top SecretResourceprotection(cont’d)AccessauthorizationsCICS transientdata destinationsCICS temporarystorage definitionsInstallation-defined resources (CDT)PERMIT commandCICS destinations (DCT)CICS temporary storage (TST)Installation-defined resources (RDT)TSS PERMIT commandUACCTSS PERMITs in the ALL RecordUser Privileges SPECIAL MSCA and SCA with administrativeauthoritiesAUDITOROPERATIONSCLAUTHGRPACCNODSNCHK, NOVLCHK, and NORESCHKattributesSCA with MISC1, RES(REPORT) andDATA(ALL) authoritiesAdministrator with specifically namedresource XAUTH authorityPROFILEsAdministration RACF commands TSS commandsReports andListingsISPF panelsRACF ReportWriterDSMON UtilitySETROPS ListOutputLISTUSER OutputPanels for different facilities (TSO,CA-Roscoe, CICS and IMS)TSSUTIL, TSSTRACKTSSAUDIT, TSS LIST, TSS WHOHAS andTSS WHOOWNSTSS LISTTSS LISTCustomization Exits Exists and interfacesOther featuresUserididentificationLoggingStarted TasksACID identificationLoggingSTC facilityB–2 Security Cookbook

ADDGRPADDGRPThe ADDGRP command is used to add a group definition. For example:ADDGRP OMVSGRP OMVS(GID(1))In eTrust CA-Top Secret, this would be a profile record as follows:TSS ADD(OMVSGRP) GID(1)ADDUSERRACF uses the ADDUSER command to define a new user to its database and todefine the profile information necessary to allow that user to use the desiredcomponents of the system. eTrust CA-Top Secret does the same using ACID andPROFILE records. The ADDUSER command is the same as the ADD commandin eTrust CA-Top Secret. For example:ADDUSER USER01 DFLTGRP(OMVSGRP) OMVS(UID(200) HOME(/) PROGRAM(/bin/sh))PASSWORD(password)In eTrust CA-Top Secret, this would be rendered as follows:TSS CREATE(USER01) TYPE(USER) DEPARTMENT(dept1) PASSWORD(password,0)TSS ADDTO(USER01) GROUP(OMVSGRP) UID(0) HOME(/) PROGRAM(/bin/sh)ALTUSERRACF uses the ALTUSER command to change an existing user’s profile. Forexample:ALTUSER USER01 CICS(OPCLASS(10) OPIDENT(U01) TIMEOUT(30))In eTrust CA-Top Secret, this would be a change to the Acid record as follows:TSS ADD(USER01) OPCLASS(10) OPID(U01) OPTIME(30)CLASSIn RACF, with the exception of DATASET, USER, and GROUP classes, theentries in the class descriptor table (CDT) represent all resource classes both forMVS and VM. The CDT consists of two modules: one is for IBM-supplied entries,the other is for installation-defined entries.RACF to eTrust CA-Top Secret Translation B–3

PERMITIn eTrust CA-Top Secret, all resources for both VM and MVS are defined in theResource Descriptor Table (RDT). Resources are predefined by eTrust CA-TopSecret or dynamically defined by the particular installation.PERMITThe RACF PERMIT command allows access to resources. The PERMIT commandalso exists in eTrust CA-Top Secret. Use the TSS PERMIT command function toallow designated users to access the indicated data sets in an unlimited or arestricted manner. Restrictions are indicated by incorporating the appropriatePERMIT parameter. For example, the following RACF PERMIT allows USER01to read data set SYS1.PARMLIB:PERMIT SYS1.PARMLIB CLASS(DATASET) ID(user01) ACCESS(READ)In eTrust CA-Top Secret, this would be a permit:TSS PERMIT(user01) DSNAME(SYS1.PARMLIB) ACCESS(READ)RDEFINERDEFINE is used to define resources to RACF.In eTrust CA-Top Secret, the Resource Descriptor Table is a special ACID that isused to define resource classes and their properties. The RDT containspredefined TSS resource classes, including resources used by other ComputerAssociates product interfaces. It also contains dynamically defined resourceclasses. To administer the contents of the RDT Record, the TSS administrator canspecify attributes, access levels, and default access levels using the TSS ADDcommand. The following is an example of creating a User defined resource ineTrust CA-Top Secret using the TSS ADD command:TSS ADD(RDT) RESCLASS(xx)RESCODE(nn)ACLST(ALL=FFFF,UPDATE=6000,READ=4000,CREATE=1000,NONE=0000) ATTR(LONG)B–4 Security Cookbook

RACF Attribute TranslationRACF Attribute TranslationThe following table shows how eTrust CA-Top Secret translates a RACFattribute. eTrust CA-Top Secret does provide additional access levels for moregranular control.RACF AttributeREADUPDATEALTERCONTROLeTrust CA-Top Secret Access LevelREADUPDATEALLCONTROLRACF to eTrust CA-Top Secret Translation B–5

Indexcomponent names for z/OS and OS/390, 1-4CRITMAP, 1-77Aaccessing USS, 1-8Authorized data setswith program control, 2-3authorizing servers for WebSphere, 1-36authoriztion checking for WebSphere, 1-38BBPX facility resources, 1-12BPX.DAEMON, 2-3BPX.SAFFASTPATH, 2-3BPX.SERVER, 2-3CCertificate name filtering, 1-73CERTMAP, 1-75CHKCERT, 1-64CLIST for WebSphere, 1-43, 1-70, 1-43, 1-70CNF. See certificate name filtering. See certificatename filteringCryptographic Services support, 1-99DDB2 Security Exit support, 1-99DCDSN, 1-62DCE Security Server support, 1-96DFS SMB support, 1-91DIGICERT, 1-53Digital certificate support, 1-51associating a certificate with a user, 1-52changing a user, 1-61changing certificate, 1-62, 1-63, 1-62, 1-63determining who has a certificate, 1-64exporting a certificate to a data set, 1-64generating a certificate, 1-55key rings, 1-66listing certificates, 1-60removing a certificate, 1-63sharing certificates, 1-66verifying a certificate, 1-61Dirty bit, 2-3EEJBROLE, 1-5Enterprise Java Bean (EJB) support, 1-5eTrust CA-Top Secret implementation, 1-1Index–1

FIFAC rule, 2-3FACILITY resourcesBPX.DAEMON, 2-3BPX.SAFFASTAUTH, 2-3BPX.SERVER, 2-3FASTAUTH processing, 2-3File securitybypassing, 2-3Firewall Technologies support, 1-97fixes, installing, 1-2FTPhow to secure, 1-33how to secure for OpenEdition, 1-33using, 1-32FUNCUNIX System Services, 1-20GGEJBROLE, 1-5GID, 1-14GID table refresh, 1-12GROUP ACIDcreating, 1-13implementingeTrust CA-Top Secret in z/OS and OS/390, 1-1ISCF support, 1-99KKEYRINGS, 1-66LLABLCERT, 1-60, 1-63, 1-60, 1-63LDAP Security Server support, 1-98LDAP server support, 1-6Lotus Domino Go Webserver, how to secure, 1-36,1-47, 1-50, 1-51, 1-36, 1-47, 1-50, 1-51MMOUNT NOSECURITY, 2-3NHHierarchical File System (HFS), 2-1FASTAUTH checking, 2-3processes that affect security, 2-3program control, 2-3HOME keyword, 1-8hyper fixes, installing, 1-3NFS support, 1-92NOSECURITY MOUNT option, 2-3OOMVSPGM keyword, 1-8OpenEdition MVS, 1-6Index–2Cookbook

OpenEdition MVS supportACIDs needed for installation, 1-13creating superuser ACID, 1-15, 1-16, 1-18, 1-15,1-16, 1-18defining OMVS started task ACID, 1-13defining OMVS started task ACIDs, 1-15TSO ISHELL support, 1-15PProgram control in the UNIX environment, 2-3RR_cacheserv, 1-5R_proxyserv, 1-5RACF, 1-95attribute translation, 5terminology translation, 1release-specific security requirements, 1-4SSAF callable services, 1-5SAFDEFfor HFS FASTAUTH, 2-3security requirements by z/OS and OS/390component, 1-4Security server support, 1-51Server Message Block support, 1-91STC ACID, 1-14Stopping SECTRACEUNIX System Services, 1-21Superuser ACID, 1-15, 1-16, 1-18, 1-19, 1-15, 1-16, 1-18,1-19SYSPLEXcontrolling access to XCF policies, 3-5coupling facility, 3-2list structure, 3-2XCF security, 3-3, 3-5, 3-3, 3-5XES security, 3-1, 3-3, 3-1, 3-3TTCBNCTL flag, 2-3TCP/IPestablishing eTrust CA-Top Secret, 1-29SERVAUTH Class, 1-30using, 1-29TELNET, 1-35how to secure for OpenEdition, 1-35TSO ISHELL support, 1-15TTY, 1-13UUID, 1-8UID table refresh, 1-12UNIX System Services (USS), 1-6UNIX System Services supportcontrolling access, 1-8GROUP profile records, 2-2UNIX System Services, SAF SECTRACE OMVSFUNC, 1-20upgrade solutions, 1-2USS supportassigning users to groups, 1-10changing default group, 1-10, 1-12, 1-10, 1-12creating superuser ACID, 1-19defining groups, 1-9defining users, 1-8WWASADM CLIST, 1-43, 1-70, 1-43, 1-70WebSphere support, 1-36WebSphere user indentification, 1-40WLM (Workload Management, 1-94Index–3

XZXCF(*) control option, 3-5z/OS and OS/390eTrust CA--Top Secret implementation, 1-1z/OS and OS/390 component names, 1-4z/OS and OS/390 Firewall Technolgies, 1-97z/OS and OS/390 Security ServerRACF, 1-95z/OS and OS/390 Security Server support, 1-94Index–4Cookbook