eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect


supportconnectw.ca.com

HFSSEC Control Option

CA SAF HFS ADD/PERMIT Generation Utility

A set of utility programs is provided to generate eTrust CA-Top Secret commands to be used as a starter set of resource definitions and authorizations for new implementations. The HFS resource authorizations that are created give access based upon the file permission bits defined for groups and 'other' users. In other words, the rules give users the same default access to files as they have when not running CA SAF HFS security. The generated authorizations must be modified to allow appropriate users greater access to the directory resources than that granted to the general user community. Because the rules mirror the existing permission bits, they also reproduce any overly permissive settings; review directories whose 'other' bits grant write access (for example a mode of drwxrwxrwx) before the generated commands are executed. Because of the number of files that can be contained in the HFS, the utility only covers the directories. File permissions can be added before running the REXX exec in step 5.

The HFS file system contains directories and files in a tree structure. To add eTrust CA-Top Secret security quickly, a set of procedures and utilities is provided. Following are the steps and utilities you run to create and execute the eTrust CA-Top Secret commands to protect your current file system.

Step 1—Run the OMVS "ls -lRA" command in a batch TMP. Direct the output to a standard DASD file. This file must be allocated with RECFM=VB.

Issue the ls command from the OMVS shell, directing the output to an HFS file. The options -lRA must be specified (the character following the dash is a lowercase letter 'L', not the number one). The file can then be copied into an MVS data set using the OGET command. An example of these commands follows:

    ls -lRA / >>directory_information_file
    OGET '/directory_information_file' 'mvs.input.file'

The resulting file data should look similar to this:

    /:
    total 232
    drwx------ 3 USER OPENMVS 0 Jun 3 1998 JavaS390
    drwxr-xr-x 4 USER 0 May 7 1998 bin
    drwx--x--x 2 USER OPENMVS 0 Oct 1 1997 dev
    drwxr-xr-x 8 USER OPENMVS 0 Nov 4 17:05 etc
    drwxr-xr-x 2 USER 0 Jan 20 1998 lib
    drwxrwxrwx 2 USER 0 Jan 19 11:51 tmp
    drwxr-xr-x 8 USER OPENMVS 0 Jan 15 15:47 u
    drwxr-xr-x 11 USER 0 Jan 20 1998 usr

    /JavaS390:
    total 16
    drwxrwxrwx 7 USER ZEROGRP 0 Sep 25 1997 J1.1.1

Step 2—Run HFSPASS1. This is a two-step job. It reads the file from step 1, creates an intermediate data set, and then sorts that data, creating the input file for step 3. See Example 1.

2–22 Cookbook

Example 1

    // JOB
    //STEP1    EXEC PGM=HFSUTIL1,REGION=0M
    //SYSABEND DD SYSOUT=*
    //SYSUDUMP DD SYSOUT=*
    //HFSINPUT DD DSN=????.????.????,DISP=SHR
    //EXTRACT  DD DSN=SORT.INPUT,UNIT=3390,
    //            DISP=(NEW,CATLG,DELETE),SPACE=(TRK,(15,1),RLSE),
    //            DCB=(RECFM=FB,LRECL=300,BLKSIZE=6000)
    /*
    //STEP2    EXEC PGM=SORT,REGION=0M
    //SYSOUT   DD SYSOUT=*
    //SORTWK01 DD UNIT=3390,SPACE=(CYL,5)
    //SORTWK02 DD UNIT=3390,SPACE=(CYL,5)
    //SORTWK03 DD UNIT=3390,SPACE=(CYL,5)
    //SORTWK04 DD UNIT=3390,SPACE=(CYL,5)
    //SORTIN   DD DSN=SORT.INPUT,DISP=(OLD,DELETE,KEEP)
    //SORTOUT  DD DSN=SORT.OUTPUT,UNIT=3390,
    //            DISP=(NEW,CATLG,DELETE),SPACE=(TRK,(15,1),RLSE),
    //            DCB=(RECFM=FB,LRECL=300,BLKSIZE=6000),VOL=SER=SCAC16
    //SYSIN    DD *
      SORT FIELDS=(1,264,CH,A)
    /*

Alternatively, the HFSINPUT file for STEP1 can point directly to the directory information file created from the ls command. If using this format, the LRECL value specified in the JCL must be at least as large as the largest record in the file. The BLKSIZE value should be at least 8 greater than the LRECL. The PATH name must be the full path name of the file containing the directory information. A sample statement follows:

    //HFSINPUT DD PATH='/directory_information_file',
    //            PATHOPTS=(ORDONLY),FILEDATA=TEXT,
    //            RECFM=VB,LRECL=nnn,BLKSIZE=nnn

Step 3—Edit the file created in step 2. Following are the instructions for that process. See example 1.1 for data to be edited.

At the beginning of the data set are records to build a group/profile cross-reference table. The format of those records is:

    AAAAAAAA - xxxxxxxx

"AAAAAAAA" is the name of an OMVS group. The "xxxxxxxx" should be changed to the profile to be used for any permissions needed by this group. In our example OPENMVS is the group, and you must assign a profile name in place of "xxxxxxxx". Note that this is not a complete list of all groups, only those that need a specific permission given.

After those records are several TSS ADD or TSS ADDTO commands. These are all of the ownerships that are required for the conversion to succeed. In these statements the xxxxxxxx (acid name) must be changed to whatever acid the client wants to own the specified resources.

Controlling Access to the Hierarchical File System 2–23
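The following Python script is an added example, not one of the utilities shipped with the product, that does in miniature what steps 1 through 3 describe: it parses a recursive `ls -lRA` listing (a constructed sample modelled on the step 1 output, including entries whose group name is missing), keeps directories only, turns the group and 'other' permission bits into candidate authorizations, and separates out the groups that still need a profile assigned, as the AAAAAAAA - xxxxxxxx records do. The command text it emits (TSS ADDTO ... HFSSEC(...) and TSS PERMIT ... HFSSEC(...) ACCESS(...)), the access names READ/WRITE/EXEC and the profile name OMVSPROF are assumptions for illustration; verify the syntax against the eTrust CA-Top Secret command reference before using any output. It also reports directories whose 'other' bits grant write, because the generated rules reproduce that permission for every user.

```python
"""Added example (not part of the original manual): parse an `ls -lRA` listing
and derive the kind of starter HFS authorizations that the HFSUTIL1/REXX
utilities in steps 1-5 generate from it."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample listing, modelled on the step 1 output (not real data).
SAMPLE_LISTING = """\
/:
total 232
drwx------ 3 USER OPENMVS 0 Jun 3 1998 JavaS390
drwxr-xr-x 4 USER 0 May 7 1998 bin
drwx--x--x 2 USER OPENMVS 0 Oct 1 1997 dev
drwxr-xr-x 8 USER OPENMVS 0 Nov 4 17:05 etc
drwxrwxrwx 2 USER 0 Jan 19 11:51 tmp
-rw-r--r-- 1 USER OPENMVS 1240 Jan 20 1998 profile

/JavaS390:
total 16
drwxrwsrwt 7 USER ZEROGRP 0 Sep 25 1997 J1.1.1
"""

# Assumed command rendering; check it against the product's command
# reference before using the output.
OWNER_CMD = "TSS ADDTO({acid}) HFSSEC({path})"
PERMIT_CMD = "TSS PERMIT({acid}) HFSSEC({path}) ACCESS({access})"
PLACEHOLDER = "xxxxxxxx"  # the step 3 placeholder the administrator replaces


@dataclass
class Entry:
    path: str
    mode: str             # the 10-character mode field, e.g. "drwxr-xr-x"
    owner: str
    group: Optional[str]  # None when the listing shows no group name
    is_dir: bool


_HEADER = re.compile(r"^(/.*):$")
_DATE = re.compile(r"^[A-Z][a-z]{2} \d{1,2} (\d{4}|\d{2}:\d{2})$")


def parse_listing(text: str) -> List[Entry]:
    """Walk a recursive listing: a '/dir:' header starts each directory block."""
    entries: List[Entry] = []
    cwd: Optional[str] = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            cwd = m.group(1)
            continue
        if cwd is None or line.startswith("total "):
            continue
        tok = line.split()
        # Parse from the right: name, a 3-token date, size. What is left is
        # mode, link count, owner and an optional group (absent when the GID
        # has no name). Names containing blanks are rejected, not guessed.
        if len(tok) < 8 or not _DATE.match(" ".join(tok[-4:-1])):
            raise ValueError(f"unrecognised listing line: {line!r}")
        head = tok[:-5]
        mode = head[0]
        group = head[3] if len(head) == 4 else None
        entries.append(Entry(path=cwd.rstrip("/") + "/" + tok[-1], mode=mode,
                             owner=head[2], group=group, is_dir=mode[0] == "d"))
    return entries


def bits_to_access(bits: str) -> List[str]:
    """Map one rwx triplet to access names (assumed names). 's' and 't' in
    the x position mean execute is also set; 'S'/'T' mean it is not."""
    names = {"r": "READ", "w": "WRITE", "x": "EXEC", "s": "EXEC", "t": "EXEC"}
    return [names[b] for b in bits if b in names]


def generate_rules(entries: List[Entry], group_profiles: Dict[str, str],
                   owner_acid: str = PLACEHOLDER
                   ) -> Tuple[List[str], Dict[str, List[str]], List[str]]:
    """Emit ownership plus group/'other' permits for directories only, as the
    page's utility does. Returns (commands, groups still needing a profile
    with the paths that need them, paths where 'other' is granted WRITE)."""
    commands: List[str] = []
    unmapped: Dict[str, List[str]] = {}
    world_writable: List[str] = []
    for e in entries:
        if not e.is_dir:
            continue
        commands.append(OWNER_CMD.format(acid=owner_acid, path=e.path))
        group_access = bits_to_access(e.mode[4:7])
        other_access = bits_to_access(e.mode[7:10])
        if group_access:  # only groups that need a permit get a cross-reference
            key = e.group or "<unnamed>"
            profile = group_profiles.get(key)
            if profile is None:
                unmapped.setdefault(key, []).append(e.path)
                profile = PLACEHOLDER
            commands.append(PERMIT_CMD.format(acid=profile, path=e.path,
                                              access=",".join(group_access)))
        if other_access:
            commands.append(PERMIT_CMD.format(acid="ALL", path=e.path,
                                              access=",".join(other_access)))
            if "WRITE" in other_access:
                world_writable.append(e.path)
    return commands, unmapped, world_writable


if __name__ == "__main__":
    # OMVSPROF is a hypothetical profile name standing in for "xxxxxxxx".
    cmds, missing, review = generate_rules(parse_listing(SAMPLE_LISTING),
                                           {"OPENMVS": "OMVSPROF"})
    print("\n".join(cmds))
    print("assign profiles for:", missing)
    print("review before applying (other has WRITE):", review)
```

Parsing from the right is what makes the missing-group case safe: a line such as `drwxr-xr-x 4 USER 0 May 7 1998 bin` yields an entry with no group name rather than silently taking `0` as the group, and any line the layout does not fit raises instead of producing a wrong rule. Directories whose group bits are `---` (the sample's /JavaS390) get an ownership command only, which matches the page's note that the cross-reference lists only groups that need a permit.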

