eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect


supportconnectw.ca.com, 12.07.2015

Lotus Domino Go Webserver

Installing Domino Go Webserver on an eTrust CA-Top Secret-secured System

Note: Previously defined UNIX System Services and TCP/IP requirements must have been completed before you attempt to install the Domino Go Webserver.

The examples in the following steps reflect default procnames, typical group names, and typical GID values. Overall, these commands simply ensure that a valid OMVS UID and GID exist for each of the started tasks that access OMVS.

1. A TSS FACILITY should be created for the web server. Once created, this facility can be added to each user acid that is allowed to log on to the web server. Tailor the following command and then add it to the existing eTrust CA-Top Secret startup control options:

   TSS MODIFY FAC(USERx=NAME=IMWEB)

2. The Domino Go Webserver requires an acid for the web server started task and for a web administrator. Both of these acids must be connected to an OMVS Group ID for the web server. The following commands accomplish this using the IBM default values.

   The web server started task, whose procname is IMWEBSRV, is also referred to by IBM as the web server daemon. Also, changing the ID of the web administrator is recommended; however, this change must be coordinated with updates to the web server configuration file.

   TSS CRE(IMWEB) TYPE(GROUP) NAME('WEBSERVER GROUP') DEPT(anydept)
   TSS ADD(IMWEB) GID(205)
   TSS CRE(WEBADM) TYPE(USER) NAME('WEB ADMINISTRATOR') DEPT(anydept) FAC(IMWEB) PASSWORD(password,0)
   TSS ADD(WEBADM) UID(206) GROUP(IMWEB) DFLTGRP(IMWEB) HOME(/usr/lpp/internet) OMVSPGM(/bin/sh)
   TSS CRE(WEBSRV) TYPE(USER) NAME('WEBSERVER DAEMON/STC') DEPT(dept) FAC(STC,IMWEB) PASSWORD(password,0)
   TSS ADD(WEBSRV) UID(0) GROUP(IMWEB) DFLTGRP(IMWEB) HOME(/usr/lpp/internet) OMVSPGM(/bin/sh) MASTFAC(IMWEB)
   TSS ADD(STC) PROCNAME(IMWEBSRV) ACID(WEBSRV)

3. Three other user acids, each having their own connected group, are required unless "surrogate user" support is disabled. This feature permits users to access the web server without requiring a signon. CA recommends that this feature be disabled for security reasons.

1–48 Cookbook

   To disable this feature, change the "Userid" option to "%%CLIENT%%" within the web server configuration file. See IBM documentation. If not disabled, the following commands will create acids and groups for surrogate support following IBM examples:

   TSS CRE(EXTERNAL) TYPE(GROUP) NAME('WEB GROUP') DEPT(dept)
   TSS ADD(EXTERNAL) GID(999)
   TSS CRE(EMPLOYEE) TYPE(GROUP) NAME('WEB GROUP') DEPT(dept)
   TSS ADD(EMPLOYEE) GID(500)
   TSS CRE(SPECIAL) TYPE(GROUP) NAME('WEB GROUP') DEPT(dept)
   TSS ADD(SPECIAL) GID(255)
   TSS CRE(PUBLIC) TYPE(USER) NAME('WEB SURROGATE ID') DEPT(dept) FAC(IMWEB) PASSWORD(NOPW,0)
   TSS ADD(PUBLIC) UID(998) GROUP(EXTERNAL) DFLTGRP(EXTERNAL) HOME(/) OMVSPGM(/bin/sh)
   TSS CRE(INTERNAL) TYPE(USER) NAME('WEB SURROGATE ID') DEPT(dept) FAC(IMWEB) PASSWORD(NOPW,0)
   TSS ADD(INTERNAL) UID(537) GROUP(EMPLOYEE) DFLTGRP(EMPLOYEE) HOME(/) OMVSPGM(/bin/sh)
   TSS CRE(PRIVATE) TYPE(USER) NAME('WEB SURROGATE ID') DEPT(dept) FAC(IMWEB) PASSWORD(NOPW,0)
   TSS ADD(PRIVATE) UID(416) GROUP(SPECIAL) DFLTGRP(SPECIAL) HOME(/) OMVSPGM(/bin/sh)

4. The acid for the web server started task (that is, the daemon) requires access to the following IBMFAC and SURROGAT resources. Note that the final three permits are not needed if surrogate support is disabled:

   TSS ADD(dept) IBMFAC(BPX.)
   TSS PERMIT(WEBSRV) IBMFAC(BPX.DAEMON) ACCESS(READ)
   TSS PERMIT(WEBSRV) IBMFAC(BPX.SERVER) ACCESS(UPDATE)
   TSS ADD(dept) SURROGAT(BPX.)
   TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.WEBADM) ACCESS(READ)
   TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.PUBLIC) ACCESS(READ)
   TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.PRIVATE) ACCESS(READ)
   TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.INTERNAL) ACCESS(READ)

5. IBM documentation includes one install step where "RACF program control" is discussed. In the first part of this step, all users are given read access to three load libraries related to the web server. This part is easily translated as follows:

   TSS ADD(dept) DSNAME(CEE.)
   TSS ADD(dept) DSNAME(IMW.)
   TSS ADD(dept) DSNAME(SYS1.)
   TSS PERMIT(ALL) DSNAME(CEE.V1R5M0.SCEERUN) ACCESS(READ)
   TSS PERMIT(ALL) DSNAME(IMW.V1R1M0.IMWMOD1) ACCESS(READ)
   TSS PERMIT(ALL) DSNAME(SYS1.LINKLIB) ACCESS(READ)

   This step also describes several (RDEFINE and SETROPTS) commands needed to exempt the above libraries from RACF "PADS" checking. These commands are not applicable to eTrust CA-Top Secret and can be skipped.

Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–49
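To review a command set like the one in steps 2 through 4 before it is applied, here is an added example (not from the cookbook, and not a CA or IBM tool): a small Python script that parses the TSS CRE/ADD/PERMIT operand syntax and reports user acids with no usable OMVS UID or group GID, UID(0) acids, BPX.SRV permits that name no defined acid, and, when surrogate support is disabled as CA recommends, the NOPW surrogate IDs and permits that are then unnecessary. The sample commands are a constructed subset of the steps above with a group and an acid deliberately left out, and the check goes beyond the text by covering every user acid, not only the started task.

```python
import re
# Constructed sample in the cookbook's TSS syntax ("dept" is the placeholder the steps use).
# It deliberately omits the EXTERNAL group and the INTERNAL acid so the review finds them.
TSS_COMMANDS = """
TSS CRE(IMWEB) TYPE(GROUP) NAME('WEBSERVER GROUP') DEPT(dept)
TSS ADD(IMWEB) GID(205)
TSS CRE(WEBSRV) TYPE(USER) NAME('WEBSERVER DAEMON/STC') DEPT(dept) FAC(STC,IMWEB) PASSWORD(password,0)
TSS ADD(WEBSRV) UID(0) GROUP(IMWEB) DFLTGRP(IMWEB) HOME(/usr/lpp/internet) OMVSPGM(/bin/sh)
TSS CRE(PUBLIC) TYPE(USER) NAME('WEB SURROGATE ID') DEPT(dept) FAC(IMWEB) PASSWORD(NOPW,0)
TSS ADD(PUBLIC) UID(998) GROUP(EXTERNAL) DFLTGRP(EXTERNAL) HOME(/) OMVSPGM(/bin/sh)
TSS PERMIT(WEBSRV) IBMFAC(BPX.DAEMON) ACCESS(READ)
TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.PUBLIC) ACCESS(READ)
TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.INTERNAL) ACCESS(READ)
"""
KEYWORD = re.compile(r"([A-Z]+)\(([^)]*)\)")  # one KEYWORD(value) operand of a TSS command

def parse_tss(text):
    """Fold CRE/ADD lines into one operand map per acid; keep PERMITs as (acid, class, resource)."""
    acids, permits = {}, []
    for line in text.strip().splitlines():
        kw = dict(KEYWORD.findall(line))
        if "PERMIT" in kw:
            rclass = next(k for k in kw if k not in ("PERMIT", "ACCESS"))
            permits.append((kw["PERMIT"], rclass, kw[rclass]))
        else:
            acids.setdefault(kw.pop("CRE", None) or kw.pop("ADD"), {}).update(kw)
    return acids, permits

def review(text, surrogate_enabled=False):
    """Report user acids without a usable OMVS UID/GID, UID(0) acids, dangling BPX.SRV permits
    and, when surrogate support is disabled as CA recommends, the NOPW IDs and permits left over."""
    acids, permits = parse_tss(text)
    users = sorted(a for a, kw in acids.items() if kw.get("TYPE") == "USER")
    nopw = [a for a in users if acids[a].get("PASSWORD", "").startswith("NOPW")]
    findings = []
    for a in users:
        kw = acids[a]
        if "UID" not in kw or "GID" not in acids.get(kw.get("GROUP", ""), {}):
            findings.append(f"{a}: no usable OMVS UID or group GID")
        if kw.get("UID") == "0":
            findings.append(f"{a}: UID(0) superuser; justify it or assign a non-zero UID")
    if not surrogate_enabled:
        findings += [f"{a}: NOPW surrogate ID defined although surrogate support is disabled" for a in nopw]
    for acid, rclass, res in permits:
        target = res[len("BPX.SRV."):] if rclass == "SURROGAT" and res.startswith("BPX.SRV.") else None
        if target is not None and target not in users:
            findings.append(f"{acid}: SURROGAT permit names undefined acid {target}")
        elif target in nopw and not surrogate_enabled:
            findings.append(f"{acid}: SURROGAT permit for {target} not needed with surrogate support disabled")
    return findings
```

Run `review(TSS_COMMANDS)` with surrogate support left enabled or disabled to see which findings disappear once the surrogate IDs and their permits are legitimately in use.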
