eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect

12.07.2015 Views
Superuser Granularity ................................................................... 1–16CHOWN UNRESTRICTED (Control Option) ........................................... 1–18z/OS and OS/390 UNIX System Services: User Limits ...................................... 1–18z/OS and OS/390 ServerPac upgrade ..................................................... 1–19Logging UNIX System Services Security Calls .............................................. 1–19Tracing UNIX System Services (OMVS) ....................................................... 1–20UNIX System Services Reporting.......................................................... 1–21TSSOERPT Output Description ....................................................... 1–23Using TCP/IP............................................................................... 1–29Establishing Security for TCP/IP and OE/TCPIP (Communications Server IP for z/OS and OS/390)........................................................................................ 1–29TCP/IP SERVAUTH Class ............................................................... 1–30VMCF and TNF subsystems (eTrust CA-Top Secret started before JES) ....................... 1–31IP Address Protection .................................................................... 1–32Using FTP .................................................................................. 1–32How to Secure FTP ...................................................................... 1–33How to Secure FTP for UNIX System Services .............................................. 1–33Using TELNET.............................................................................. 1–35How to Secure TELNET for UNIX System Services ......................................... 1–35InfoPrint Server for z/OS and OS/390 (z/OS and OS/390 Print Server) .......................... 1–36WebSphere Application Server for z/OS AND OS/390 ......................................... 1–36Authorization Checking.................................................................. 1–38Server Authorization Checking........................................................ 1–39Level of Trust and Authority for Regions............................................... 1–39User Identification, Authentication and Network Security ................................... 1–40Identification and Authentication ..................................................... 1–43WASADM .............................................................................. 1–43Security Auditing........................................................................ 1–47Lotus Domino Go Webserver ................................................................. 1–47Installing Domino Go Webserver on a eTrust CA-Top Secret-secured System.................. 1–48Lotus Notes Server .......................................................................... 1–50Lotus Notes and Novell Directory Services for z/OS and OS/390 ................................ 1–51Digital Certificate Support ................................................................... 1–51Associating a Unique Digital Certificate with a User ........................................ 1–52General Rules ........................................................................... 1–53Third Party Vendors ..................................................................... 1–53Adding a Digital Certificate to an ACID Record ............................................ 1–54Generating a Digital Certificate and Adding It to a User ..................................... 1–56Listing Digital Certificate Information ..................................................... 1–60Generating a Certificate Request .......................................................... 1–61Changing a User's Certificate ............................................................. 1–62ivSecurity Cookbook

Certificate Replacement (Renewal)......................................................... 1–62Changing a Certificate's Status ............................................................ 1–63Changing a Certificate's Label ............................................................. 1–63Removing a Certificate from a User ........................................................ 1–64Determining if a Certificate has been Added to eTrust CA-Top Secret ......................... 1–64Exporting Certificates to Data Sets ......................................................... 1–65Sharing Certificates on Key Rings.......................................................... 1–66Creating a Key Ring .................................................................. 1–66Adding a Certificate to a Key Ring ..................................................... 1–67Removing a Key ring from an acid ..................................................... 1–67Extracting Certificates from Key Rings ..................................................... 1–68Extracting Private Keys ................................................................... 1–68Reconnecting Private Keys ................................................................ 1–69Listing Key Ring Information ............................................................. 1–69Managing Certificate Serial Numbers ...................................................... 1–69CERTADM .............................................................................. 1–70Certificate Name Filtering Support ............................................................ 1–73Managing Certificate Name Filters......................................................... 1–75Managing Criteria Maps .................................................................. 1–77Creating Certificate Name Filter Scenarios.................................................. 1–78Listing Filtering Information .............................................................. 1–79Init ACEE Changes for Search Sequence.................................................... 1–79Search Sequence Scenario ............................................................. 1–80Kerberos .................................................................................... 1–81Local Server Configuration................................................................ 1–81Customizing your Local Environment...................................................... 1–82Defining Your Local Realm ............................................................... 1–82Defining Local Principals ................................................................. 1–84Password Change Server ACID ........................................................... 1–85Preparing Local Principal ACIDs for Kerberos .............................................. 1–85DCE Incompatibility.................................................................. 1–86Security Considerations ............................................................... 1–86Mapping of Foreign Environments ............................................................ 1–87Mapping Foreign Realms ................................................................. 1–87Mapping Foreign Principal Names......................................................... 1–89DCE Support ................................................................................ 1–90Distributed File Service (DFS) ................................................................. 1–90Distributed File Server SMB SUPPORT ........................................................ 1–91SMB ENCRYPTED PASSWORD SUPPORT................................................. 1–91NFS (Network File System) ................................................................... 1–92eTrust CA-Top Secret Support for z/OS and OS/390 NFS.................................... 1–93Contentsv

Page 1 and 2: eTrust CA-Top Secret ® Securityfo

Page 3: Technical UpdatesMay 2003The follow

Page 8 and 9: WLM (Workload Management)..........

Page 11 and 12: Chapter1Implementing eTrust CA-TopS

Page 13 and 14: z/OS and OS/390 CompatibilityThe li

Page 15 and 16: z/OS and OS/390 Release-Specific Se

Page 17 and 18: OpenEdition MVS / UNIX System Servi







Page 31 and 32: Tracing UNIX System Services (OMVS)




Page 39 and 40: Using TCP/IPFILE AUDIT OPTIONS—Th

Page 41 and 42: Using TCP/IPwheresysname is the nam

Page 43 and 44: Using FTPHow to Secure FTPFTP runs

Page 45 and 46: Using TELNETTerminal Source Restric

Page 47 and 48: WebSphere Application Server for z/





Page 57 and 58: Lotus Domino Go Webserver/* PERMITT

Page 59 and 60: Lotus Domino Go WebserverTo disable

Page 61 and 62: Lotus Notes and Novell Directory Se

Page 63 and 64: Digital Certificate SupportGeneral

Page 65 and 66: Digital Certificate SupportFOR|UNTI

Page 67 and 68: Digital Certificate SupportDCDSN(re

Page 69 and 70: Digital Certificate SupportNote: In

Page 71 and 72: Digital Certificate SupportYou can

Page 73 and 74: Digital Certificate SupportCase #2.

Page 75 and 76: Digital Certificate SupportImportan

Page 77 and 78: Digital Certificate SupportAdding a

Page 79 and 80: Digital Certificate SupportReconnec

Page 81 and 82: Digital Certificate SupportTSS LIST

Page 83 and 84: Certificate Name Filtering SupportT

Page 85 and 86: Certificate Name Filtering SupportI

Page 87 and 88: Certificate Name Filtering SupportD

Page 89 and 90: Certificate Name Filtering SupportL

Page 91 and 92: KerberosKerberosetrust CA-Top Secre

Page 93 and 94: KerberosThe command syntax for this

Page 95 and 96: KerberosThe following command creat

Page 97 and 98: Mapping of Foreign EnvironmentsMapp

Page 99 and 100: Mapping of Foreign EnvironmentsMapp

Page 101 and 102: Distributed File Server SMB SUPPORT

Page 103 and 104: NFS (Network File System)The first

Page 105 and 106: z/OS and OS/390 Security Server Sup



Page 111 and 112: Chapter2Controlling Access to theHi

Page 113 and 114: Controlling HFS Using the Native UN

Page 115 and 116: Controlling HFS Using CA SAF HFS Se

Page 117 and 118: Securing HFS FunctionsKeywordALLCON

Page 119 and 120: Securing HFS FunctionsFile Function

Page 121 and 122: Implementing CA SAF HFS SecurityImp

Page 123 and 124: HFSSEC Control Option+12—The addr

Page 125 and 126: HFSSEC Control OptionDiagnosticsThe

Page 127 and 128: HFSSEC Control OptionUNIX CMDCHMOD(

Page 129 and 130: HFSSEC Control OptionTSSSUTIL EQUIV

Page 131 and 132: HFSSEC Control OptionUNIX CMDS ACCE

Page 133 and 134: HFSSEC Control OptionExample 1// JO

Page 135 and 136: HFSSEC Control OptionExample 2// JO

Page 137 and 138: MessagesMessagesCAS2301EEVENT PROCE

Page 139 and 140: MessagesCAS2306Wxxxxxxxxxxxxxxx EVE

Page 141: MessagesCAS2319ITRACEID=aaaaaaaa US

Page 144 and 145: The SYSPLEX XES FunctionThere are t

Page 146 and 147: eTrust CA-Top Secret and the SYSPLE

Page 148 and 149: Defining the Sysplex to eTrust CA-T

Page 150 and 151: Managing the Coupling FacilityWhen

Page 152 and 153: Defining SYSTEM LOGGER to eTrust CA

Page 154 and 155: IMVSECUR/*=========================

Page 156 and 157: IMVSECUR/*=========================

Page 158 and 159: IMVSECURFeature RACF eTrust CA-Top

Page 160 and 161: PERMITIn eTrust CA-Top Secret, all

Page 163 and 164: Indexcomponent names for z/OS and O

Page 165 and 166: OpenEdition MVS supportACIDs needed

eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect

eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect ... View more eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect

Delete template?

Save as template ?

eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect