eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect
Securing HFS Functions

BPX.CAHFS.CHANGE.FILE.MODE—Allows a user to change any file mode information. This includes changes to file permission settings, setting the execution UID or GID indicators, and setting the "sticky" bit. Native OS/390 UNIX permission settings are used for validation purposes only when CA SAF HFS security is inactive.

BPX.CAHFS.CHANGE.FILE.MODE.STICKY—Allows a user to set the "sticky" bit in the file mode information. The "sticky" bit causes a program to be loaded from MVS libraries instead of the HFS.

BPX.CAHFS.CHANGE.FILE.MODE.EUID—Allows a user to set the execution-UID indicator in the file mode information. When this indicator is set, the program runs under the UNIX UID of the file owner instead of the UID of the user running the program.

BPX.CAHFS.CHANGE.FILE.MODE.EGID—Allows a user to set the execution-GID indicator in the file mode information. When this indicator is set, the program runs under the UNIX GID of the file owner instead of the GID of the user running the program.

BPX.CAHFS.CHANGE.FILE.OWNER—Allows a user to change the file owner UID setting. Native OS/390 UNIX ownership settings are used for validation purposes only when CA SAF HFS security is inactive.

BPX.CAHFS.CHANGE.FILE.GROUP—Allows a user to change the file owner GID setting. Native OS/390 UNIX ownership settings are used for validation purposes only when CA SAF HFS security is inactive.

BPX.CAHFS.CHANGE.FILE.TIME—Allows a user to change the last access or modification time to the current time or a user-specified time. If the current time is to be set and the user has write access to the file, the function is allowed. If the user does not have write access, or a user-specified time is to be set, access must be allowed to this IBMFAC resource.

Sample Permissions

The following example shows TSS PERMITs that allow Thelma to change the file mode and owner for all files. Louise is allowed to change the file mode for only those files that reside in a certain directory, but is not allowed to change the file owner of any file:

TSS PER(THELMA) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE) ACCESS(ALL)
TSS PER(LOUISE) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE) ACCESS(CONTROL)
TSS PER(THELMA) IBMFAC(BPX.CAHFS.CHANGE.FILE.OWNER) ACCESS(ALL)
TSS PER(LOUISE) HFSSEC(/certain.directory.) ACCESS(ALL)

2–10 Cookbook
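The following is an added example, not part of the manual: a small Python model of the function-resource checks described above. It parses the sample TSS PERMITs shown on this page and evaluates requests for Thelma and Louise. The path-name translation and the meaning of ACCESS(CONTROL) (granted only where the acid also holds an HFSSEC permit on the path) are assumptions chosen to reproduce the outcome the text describes, not CA SAF HFS's actual evaluation logic.

```python
import re
from collections import defaultdict
# Function resources (IBMFAC class) named on this page.
CHANGE_MODE = "BPX.CAHFS.CHANGE.FILE.MODE"
CHANGE_OWNER = "BPX.CAHFS.CHANGE.FILE.OWNER"
CHANGE_TIME = "BPX.CAHFS.CHANGE.FILE.TIME"
# Constructed input: the sample TSS PERMITs from this page, one per line.
SAMPLE_PERMITS = """
TSS PER(THELMA) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE) ACCESS(ALL)
TSS PER(LOUISE) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE) ACCESS(CONTROL)
TSS PER(THELMA) IBMFAC(BPX.CAHFS.CHANGE.FILE.OWNER) ACCESS(ALL)
TSS PER(LOUISE) HFSSEC(/certain.directory.) ACCESS(ALL)
"""
KEYWORD = re.compile(r"(\w+)\(([^)]*)\)")   # KEYWORD(value) pairs on a TSS command

def load_permits(text):
    """Parse TSS PER lines into {acid: {"IBMFAC": {res: access}, "HFSSEC": {path: access}}}."""
    permits = defaultdict(lambda: {"IBMFAC": {}, "HFSSEC": {}})
    for line in text.strip().splitlines():
        kw = dict(KEYWORD.findall(line))
        acid, access = kw.pop("PER"), kw.pop("ACCESS")
        for cls, name in kw.items():          # what remains is the resource class
            permits[acid][cls][name] = access
    return permits

def translate_path(path):
    """Assumed translation: slashes after the leading one become periods, so
    /certain/directory/f -> /certain.directory.f, matching HFSSEC(/certain.directory.) by prefix."""
    return "/" + path.lstrip("/").replace("/", ".")

def has_path_permit(permits, acid, path):
    return any(translate_path(path).startswith(p) and a == "ALL"
               for p, a in permits[acid]["HFSSEC"].items())

def function_allowed(permits, acid, resource, path):
    """ACCESS(ALL): function granted for every file. ACCESS(CONTROL) (assumed semantics):
    granted only where the acid also holds an HFSSEC permit covering the path."""
    level = permits[acid]["IBMFAC"].get(resource)
    if level == "ALL":
        return True
    return level == "CONTROL" and has_path_permit(permits, acid, path)

def change_time_allowed(permits, acid, path, set_current_time, has_write_access):
    """Page rule for CHANGE.FILE.TIME: setting the current time on a file the acid can
    write needs no function permit; a user-specified time, or no write access, does."""
    if set_current_time and has_write_access:
        return True
    return function_allowed(permits, acid, CHANGE_TIME, path)

PERMITS = load_permits(SAMPLE_PERMITS)
```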
Implementing CA SAF HFS Security

CA SAF HFS security is an application of CAIENF/USS (UNIX System Services). This security application is activated when the appropriate DCM modules are linked into the ENF database. The following describes the implementation steps:

1. eTrust CA-Top Secret for OS/390 5.1 SP2 or higher is required to implement CA SAF HFS Security.

2. Determine if exit processing is required for path name translation, user path definition, or to enable file ownership. See below for specifics regarding exit processing. If using the exit, assemble and link the exit code using the sample SMPE usermod found in OPMAT member UD00001.

3. Define HFS file and function resource authorizations. It is recommended that all the function resources described in the previous sections be defined. A utility is provided to assist in creating these resource rules. See the section CA SAF HFS ADD/PERMIT Generation Utility for details.

4. If you utilize the user file ownership feature of CA SAF HFS security (described in the Exit Processing section), also define authorizations for users.

5. Verify that the proper level of CAIENF is available to support ENF/USS. CA Common Services for z/OS and OS/390 with the following APARs provides this support: LO89578 through LO89581, LO89584, LO92642, LO94652, and LO94657.

6. The ENF started task must be a valid OMVS user. Message CARR014E is issued if this is not done. Ensure the ENF acid specifies a group. Install the following DCM modules into the ENF database using the ENFDB utility program: CARRDCM0 (Framework) and J163DCM0 (CA-Top Secret).

7. Defining a VLF class for use as a cache can enhance performance of ENF/USS. The cache size is determined by the MAXVIRT specification. The number of cache entries is approximated by dividing the defined amount of VLF storage by the average size of your path names. Add the following to your current COFVLFxx member in SYS1.PARMLIB:

CLASS NAME(CAENFU) /* ENF/USS pathname cache */
EMAJ(PATHCACHE)    /* Major name */
MAXVIRT(256)       /* 1 megabyte */

8. Adding the NODSNCHK attribute to the BPXOINIT logonid during initial testing will allow OMVS to successfully initialize without violations. Once appropriate authorizations are in place, the NODSNCHK attribute should be removed.

9. The following message is issued by CAIENF/USS at ENF startup when CA SAF HFS security is successfully initialized:

CARR036I - SAFHFINT / J163 Now Initialized

Controlling Access to the Hierarchical File System 2–11