eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect


supportconnectw.ca.com, 12.07.2015

Tracing UNIX System Services (OMVS)

Security Credentials and File Security Packets

Many log entries show additional information about the request. The information is held internally as Security Credentials (CRED) and File Security Packets (FSP). It is common to many calls and, when available, appears in the following fields of the TSSOERPT report:

FUNCTION—The function attempted for a file or directory (for example, OPEN or SEARCH).

PATHNAME—The full pathname of a file or directory, including the file or directory name itself. Two pathnames are shown if the call involved more than one file or directory.

FILENAME—The name of a file or directory. For a CHECK_ACCESS, this field names the part of the path currently being validated for access: if the path is aa/bb/cc, three separate CHECK_ACCESS calls appear, the first with a filename of aa, the second with bb, and the third with cc. Two filenames are shown if the call involved more than one file or directory.

FILE PERMISSIONS—Access permissions for the file's owning UID (owner), the file's owning GID (group), and everyone else attempting access (other).

OWNING UID—UID of the owner of the file or directory. If the effective UID of the user or process attempting access matches the owning UID, access is granted according to the owner file permissions. (The effective UID is the real UID unless a set-user-ID program or a setuid() call has changed it.)

OWNING GID—GID of the owner of the file or directory. If the effective GID of the user or process attempting access matches the owning GID, access is granted according to the group file permissions. If the process does not have the owning GID as its primary GID but has a supplemental group that matches it, access is likewise determined by the group file permissions.

If neither the UID nor any GID matches the owner's UID or GID, the other file permissions determine access. The three classes are tested in that order, so a user who owns the file is governed by the owner bits alone, even when the group or other bits are more permissive.

VOLUME—Volume on which the file system that contains the file resides.

FILE IDENTIFIER—Some calls carry no Pathname or Filename; access is then validated using the File Identifier. To determine the Path and Filename for such a call, find the last previous call with the same File Identifier; its Pathname and Filename are the same as for the call in question.

1–28 Cookbook
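The owner/group/other decision, the per-component CHECK_ACCESS walk and the logging decision driven by the user file audit options (the 'Read Failure, Write All, Exec/Search None' setting the report shows under FILE AUDIT OPTIONS) are easier to follow in executable form. The following Python model is an added example; it is not code from this cookbook or from eTrust CA-Top Secret, and every UID, GID, pathname, mode and audit setting in it is constructed sample data. It deliberately leaves out the UID 0 superuser bypass so that the permission-bit logic stays visible.

```python
"""Model of the OMVS file-access decision that the TSSOERPT fields describe.

Added example (not code from the CA-Top Secret cookbook): every UID, GID,
pathname, mode and audit setting below is constructed sample data.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1                                   # bits of one rwx triplet
ACCESS_BIT = {"READ": R, "WRITE": W, "EXEC": X}     # audit class -> required bit


@dataclass
class Fsp:
    """The File Security Packet fields the report prints for a file/directory."""
    owner_uid: int
    owner_gid: int
    mode: int                      # e.g. 0o750 == owner rwx, group r-x, other ---
    # "User" file audit options: what to write to SMF, per access class.
    # Values: NONE, SUCCESS, FAILURE or ALL (ALL = both success and failure).
    audit: dict = field(default_factory=lambda: {
        "READ": "FAILURE", "WRITE": "ALL", "EXEC": "NONE"})


@dataclass
class Cred:
    """Security Credentials of the requesting process (effective identity)."""
    uid: int
    gid: int                             # primary GID
    supp_gids: frozenset = frozenset()   # supplemental groups


def permission_triplet(cred: Cred, fsp: Fsp) -> int:
    """Select owner, group or other bits, in that fixed order.
    The owner class wins even if group/other bits are more permissive.
    UID 0 (superuser) is not special-cased so the bit logic stays visible."""
    if cred.uid == fsp.owner_uid:
        return (fsp.mode >> 6) & 7
    if cred.gid == fsp.owner_gid or fsp.owner_gid in cred.supp_gids:
        return (fsp.mode >> 3) & 7
    return fsp.mode & 7


def should_log(fsp: Fsp, access_class: str, granted: bool) -> bool:
    """Apply the user audit option for this access class to the outcome."""
    option = fsp.audit.get(access_class, "NONE")
    return (option == "ALL"
            or (option == "FAILURE" and not granted)
            or (option == "SUCCESS" and granted))


def check_access(cred: Cred, fsp: Fsp, access_class: str):
    """Return (granted, logged) for one access class against one FSP."""
    bit = ACCESS_BIT[access_class]
    granted = permission_triplet(cred, fsp) & bit == bit
    return granted, should_log(fsp, access_class, granted)


def trace_request(cred: Cred, pathname: str, access_class: str, fsps: dict) -> list:
    """Produce one CHECK_ACCESS entry per path component, as the report does:
    directories are checked for SEARCH (the x bit), the final name for the
    requested class. The walk stops at the first component that is denied."""
    entries = []
    components = pathname.strip("/").split("/")
    current = ""
    for index, name in enumerate(components):
        current = f"{current}/{name}"
        is_last = index == len(components) - 1
        wanted = access_class if is_last else "EXEC"
        granted, logged = check_access(cred, fsps[current], wanted)
        entries.append({
            "FUNCTION": "CHECK_ACCESS",
            "PATHNAME": current,
            "FILENAME": name,
            "ACCESS": access_class if is_last else "SEARCH",
            "GRANTED": granted,
            "LOGGED": logged,       # would this event reach SMF?
        })
        if not granted:
            break
    return entries


# Constructed sample file system: /u is world-searchable, /u/payroll is not.
SAMPLE_FSPS = {
    "/u": Fsp(owner_uid=0, owner_gid=1, mode=0o755),
    "/u/payroll": Fsp(owner_uid=100, owner_gid=20, mode=0o750),
    "/u/payroll/salaries.txt": Fsp(owner_uid=100, owner_gid=20, mode=0o640),
}
OWNER = Cred(uid=100, gid=20)
GROUP_MEMBER = Cred(uid=200, gid=30, supp_gids=frozenset({20}))  # via supplemental group
OUTSIDER = Cred(uid=300, gid=30)

if __name__ == "__main__":
    for who, cred, cls in (("owner", OWNER, "READ"),
                           ("group member", GROUP_MEMBER, "WRITE"),
                           ("outsider", OUTSIDER, "READ")):
        print(f"--- {who} requests {cls} on /u/payroll/salaries.txt")
        for e in trace_request(cred, "/u/payroll/salaries.txt", cls, SAMPLE_FSPS):
            print(f"{e['FUNCTION']:12} {e['FILENAME']:14} {e['ACCESS']:6} "
                  f"granted={e['GRANTED']!s:5} logged={e['LOGGED']}")
```

Running it shows why a report can contain a denied CHECK_ACCESS that never reaches SMF: the outsider is stopped at the payroll directory by a SEARCH failure, and with 'Exec/Search None' in the user audit options that failure is not logged, whereas the group member's failed WRITE on the file is logged because the WRITE option is All.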

FILE AUDIT OPTIONS—There are two types of file audit options:

■ User—Indicates the type of file access that should be logged for a user. For example, if the report shows 'Read Failure, Write All, Exec/Search None', all failed READ attempts and all WRITEs, but no EXECs or SEARCHes, are logged to SMF for the user.

■ Auditor—Indicates the type of file access that should be logged for an auditor. The values have the same meaning: 'Read Failure, Write All, Exec/Search None' logs all failed READ attempts and all WRITEs, but no EXECs or SEARCHes, to SMF for the auditor.

Using TCP/IP

TCP/IP (Transmission Control Protocol/Internet Protocol) is the family of networking protocols used on the Internet. It lets computers communicate with each other and is well established on midrange and PC platforms.

Prior to OS/390 V2R5, TCP/IP ran either as a native MVS application or as a UNIX System Services application. Starting with OS/390 V2R5, TCP/IP relies on UNIX System Services and must be configured as a UNIX System Services application. Security configuration depends on the environment in which it runs.

Establishing Security for TCP/IP and OE/TCPIP (Communications Server IP for z/OS and OS/390)

To establish a proper security connection, you must follow these steps.

Step 1—Define TCP/IP to eTrust CA-Top Secret.

To define TCP/IP to eTrust CA-Top Secret, add a facility definition for TCP/IP to the Facility Matrix Table. Add the definition by renaming a USERxx entry, as shown in the following:

FAC(USER11=NAME=TCP)
FAC(TCP=PGM=xxx)
FAC(TCP=NOTSOC,RES,NOIJU,AUTHINIT)

The program name (xxx) depends on the release of TCP/IP being used:

■ TCP/IP 3.1 PGM=MVP
■ TCP/IP 3.2 PGM=EZA
■ TCP/IP 3.4 PGM=EZB

Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–29

