eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect
HFSSEC Control Option

CA SAF HFS ADD/PERMIT Generation Utility

A set of utility programs is provided to generate eTrust CA-Top Secret commands to be used as a starter set of resource definitions and authorizations for new implementations. The HFS resource authorizations that are created give access based upon the file permission bits defined for groups and 'other' users. In other words, the rules will give users the same default access to files as they have when not running CA SAF HFS security. The generated authorizations must be modified to allow appropriate users greater access to the directory resources than that granted to the general user community. Because of the number of files that can be contained in the HFS, the utility only covers the directories. File permissions can be added before running the REXX exec in step 5.

The HFS File System contains directories and files in a tree structure. In order to quickly add eTrust CA-Top Secret security, a set of procedures and utilities is provided. Following are the steps and utilities you will run to create and execute the eTrust CA-Top Secret commands to protect your current file system.

Step 1—Run the OMVS "ls -lRA" command in a batch TMP. Direct the output to a standard DASD file. This file must be allocated with RECFM=VB.

Issue the ls command from the OMVS shell, directing the output to a HFS file. The options -lRA must be specified (the character following the dash is a lower case letter 'L', not the number one). The file can then be copied into a MVS data set using the OGET command. An example of these commands follows:

    ls -lRA / >>directory_information_file
    OGET '/directory_information_file' 'mvs.input.file'

The resulting file data should look similar to this:

    /:
    total 232
    drwx------  3 USER OPENMVS  0 Jun  3  1998 JavaS390
    drwxr-xr-x  4 USER          0 May  7  1998 bin
    drwx--x--x  2 USER OPENMVS  0 Oct  1  1997 dev
    drwxr-xr-x  8 USER OPENMVS  0 Nov  4 17:05 etc
    drwxr-xr-x  2 USER          0 Jan 20  1998 lib
    drwxrwxrwx  2 USER          0 Jan 19 11:51 tmp
    drwxr-xr-x  8 USER OPENMVS  0 Jan 15 15:47 u
    drwxr-xr-x 11 USER          0 Jan 20  1998 usr

    /JavaS390:
    total 16
    drwxrwxrwx  7 USER ZEROGRP  0 Sep 25  1997 J1.1.1

Step 2—Run HFSPASS1. This is a two-step job. It will read the file from step 1, create an intermediate data set, and then sort that data, creating the input file for step 3. See example 1.

2–22 Cookbook

Example 1

    //         JOB
    //STEP1    EXEC PGM=HFSUTIL1,REGION=0M
    //SYSABEND DD SYSOUT=*
    //SYSUDUMP DD SYSOUT=*
    //HFSINPUT DD DSN=????.????.????,DISP=SHR
    //EXTRACT  DD DSN=SORT.INPUT,UNIT=3390,
    //            DISP=(NEW,CATLG,DELETE),SPACE=(TRK,(15,1),RLSE),
    //            DCB=(RECFM=FB,LRECL=300,BLKSIZE=6000)
    /*
    //STEP2    EXEC PGM=SORT,REGION=0M
    //SYSOUT   DD SYSOUT=*
    //SORTWK01 DD UNIT=3390,SPACE=(CYL,5)
    //SORTWK02 DD UNIT=3390,SPACE=(CYL,5)
    //SORTWK03 DD UNIT=3390,SPACE=(CYL,5)
    //SORTWK04 DD UNIT=3390,SPACE=(CYL,5)
    //SORTIN   DD DSN=SORT.INPUT,DISP=(OLD,DELETE,KEEP)
    //SORTOUT  DD DSN=SORT.OUTPUT,UNIT=3390,
    //            DISP=(NEW,CATLG,DELETE),SPACE=(TRK,(15,1),RLSE),
    //            DCB=(RECFM=FB,LRECL=300,BLKSIZE=6000),VOL=SER=SCAC16
    //SYSIN    DD *
      SORT FIELDS=(1,264,CH,A)
    /*

Alternatively, the input file for step 1 can point directly to the directory information file created from the ls command. If using this format, the LRECL value specified in the JCL must be at least as large as the largest record in the file. The BLKSIZE value should be a value at least 8 greater than the LRECL. The PATH name must be the full path name of the file containing the directory information. A sample statement follows:

    //HFSINPUT DD PATH='/directory_information_file',
    //            PATHOPTS=(ORDONLY),FILEDATA=TEXT,
    //            RECFM=VB,LRECL=nnn,BLKSIZE=nnn

Step 3—Edit the file created in step 2. Following are the instructions for that process. See example 1.1 for data to be edited.

At the beginning of the data set are records to build a group/profile cross-reference table. The format of those records is:

    AAAAAAAA - xxxxxxxx

"AAAAAAAA" is the name of an OMVS group. The "xxxxxxxx" should be changed to a profile to be used for any permissions needed by this group. In our example OPENMVS is the group and you must assign a profile name to "xxxxxxxx". It should be noted that this is not a complete list of all groups, only those ACIDs that need a specific permission given.

After those records are several TSS ADD or TSS ADDTO commands. These are all of the ownerships that are required for the conversion to succeed. In these statements the xxxxxxxx (ACID name) needs to be modified to whatever ACID the client wants to own the specified resources.

Controlling Access to the Hierarchical File System 2–23
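The following Python script is an added example; it is not part of the cookbook and not CA's HFSUTIL1/HFSPASS1 code. It walks through what steps 1 to 3 produce: it parses a constructed copy of the ls -lRA listing shown under step 1, derives the group and 'other' permission bits for each directory, lists the group/profile cross-reference records you edit in step 3, and prints draft permit lines for the directories. The TSS PERMIT(...) HFSSEC(...) ACCESS(...) command form, the r/w/x to READ/WRITE/EXEC mapping and the profile name OMVSPROF are the editor's assumptions; compare its output with the file HFSPASS1 actually generates rather than using it in place of the utility.

```python
"""Derive starter HFS directory rules from 'ls -lRA' output.

Added example, not CA's HFSUTIL1/HFSPASS1 code: it reads the listing Step 1
produces, shows which group/'other' permission bits the starter rules come
from, and builds the 'AAAAAAAA - xxxxxxxx' records Step 3 has you edit.
SAMPLE_LISTING is a constructed copy of the text's listing; the TSS command
shape in draft_commands() and the r/w/x -> READ/WRITE/EXEC mapping are the
editor's assumptions, to be checked against what the utility generates.
"""
import re

# Constructed sample input: the listing shown in the text, one entry per line.
SAMPLE_LISTING = """\
/:
total 232
drwx------ 3 USER OPENMVS 0 Jun 3 1998 JavaS390
drwxr-xr-x 4 USER 0 May 7 1998 bin
drwx--x--x 2 USER OPENMVS 0 Oct 1 1997 dev
drwxr-xr-x 8 USER OPENMVS 0 Nov 4 17:05 etc
drwxr-xr-x 2 USER 0 Jan 20 1998 lib
drwxrwxrwx 2 USER 0 Jan 19 11:51 tmp
drwxr-xr-x 8 USER OPENMVS 0 Jan 15 15:47 u
drwxr-xr-x 11 USER 0 Jan 20 1998 usr

/JavaS390:
total 16
drwxrwxrwx 7 USER ZEROGRP 0 Sep 25 1997 J1.1.1
"""

# One 'ls -l' entry: mode, links, owner, optional group, size, date, name. The group
# is optional because the text's sample omits it on some lines; it must start with
# a non-digit so it is never taken for the size column.
ENTRY_RE = re.compile(
    r"^(?P<mode>[dl-][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+"
    r"(?:(?P<group>[^\d\s]\S*)\s+)?(?P<size>\d+)\s+"
    r"[A-Za-z]{3}\s+\d{1,2}\s+(?:\d{4}|\d{2}:\d{2})\s+(?P<name>.+)$"
)

def parse_listing(text):
    """Return one dict per entry with its full path, mode, owner and group."""
    entries, current_dir = [], "/"
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("total "):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            if line.endswith(":"):      # "/usr:" opens the next directory block
                current_dir = line[:-1] or "/"
            continue                    # anything else is skipped
        name = m.group("name")
        path = "/" + name if current_dir == "/" else current_dir + "/" + name
        entries.append({"path": path, "mode": m.group("mode"),
                        "owner": m.group("owner"), "group": m.group("group")})
    return entries

def access_from_bits(triplet):
    """Map one rwx triplet to the access levels it grants (editor's assumption)."""
    levels = []
    if triplet[0] == "r":
        levels.append("READ")
    if triplet[1] == "w":
        levels.append("WRITE")
    if triplet[2] in "xst":             # lowercase s/t include execute; S/T do not
        levels.append("EXEC")
    return levels

def derive_rules(entries):
    """Directory-only rules, as the utility covers: (path, who, group, levels)."""
    rules = []
    for e in entries:
        if e["mode"][0] != "d":
            continue                    # files are left for the admin to add by hand
        group_levels = access_from_bits(e["mode"][4:7])
        other_levels = access_from_bits(e["mode"][7:10])
        if e["group"] and group_levels:  # no group column -> no group rule possible
            rules.append((e["path"], "group", e["group"], group_levels))
        if other_levels:
            rules.append((e["path"], "other", None, other_levels))
    return rules

def group_xref(entries):
    """The 'AAAAAAAA - xxxxxxxx' records Step 3 asks you to fill in with a profile."""
    groups = {r[2] for r in derive_rules(entries) if r[1] == "group"}
    return [f"{g} - xxxxxxxx" for g in sorted(groups)]

def draft_commands(rules, group_profiles):
    """Draft TSS PERMIT lines; 'other' goes to the ALL record, a group to its profile."""
    cmds = []
    for path, who, group, levels in rules:
        acid = "ALL" if who == "other" else group_profiles.get(group, "xxxxxxxx")
        cmds.append(f"TSS PERMIT({acid}) HFSSEC({path}) ACCESS({','.join(levels)})")
    return cmds

if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    print("\n".join(group_xref(found)))
    # OMVSPROF is a constructed profile name for the OPENMVS group in the text.
    print("\n".join(draft_commands(derive_rules(found), {"OPENMVS": "OMVSPROF"})))
```

Running it prints the two cross-reference records (OPENMVS and ZEROGRP) followed by one draft line per directory and grantee. A directory such as /JavaS390, whose group and 'other' bits are all off, gets no starter rule at all, which is exactly where an administrator must later add access for the intended users, as the text says of the generated authorizations.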