eTrust™CA-ACF2® Security for z/OS and OS/390 ... - SupportConnect

PrefaceEnclosed is a Product Maintenance Letter (PML) along with any high-impactAPARs relevant to the accompanying product tape. You should review thisdocument before installing eTrust CA-ACF2 Security for z/OS and OS/390.The PML provides additional product information that is not yet incorporatedinto documentation.If you have any questions concerning the enclosed material, contact yourComputer Associates Technical Support organization for eTrust CA-ACF2Security for z/OS and OS/390. Refer to Computer Associates Product SupportDirectory or the CA Support web site at Contacting CA Technical Support(http://support.ca.com/contact/netsupp.html) for the appropriate telephonenumbers for direct support.PIB List:QI43701: Release 6.5 Service Pack SP01, of eTrust CA-ACF2 Security for z/OSand OS/390 Product Maintenance LetterAugust 2003 3 eTrust CA-ACF2 Security for z/OS and OS/390

END OF SECTIONAugust 2003 4 eTrust CA-ACF2 Security for z/OS and OS/390

Computer Associates International, Inc.2400 Cabot DriveLisle, IL 60532-36521-630-505-6000FAX: 1-630-505-6097To:From:eTrust CA-ACF2 ® Security for z/OS and OS/390 ClientsThe Computer Associates eTrust CA-ACF2 Product GroupDate: August 29, 2003Subject: Release 6.5 Service Pack SP01of eTrust CA-ACF2 Security for z/OS and OS/390 ProductMaintenance Letter PML# QI43701Dear Valued Client:Computer Associates International Inc. is pleased to present you with the latest Service pack SP01 forRelease 6.5 of eTrust CA-ACF2 Security for z/OS and OS/390 (eTrust CA-ACF2), an integral componentof the family of solutions we provide for the z/OS and OS/390 operating systems.We are dedicated to ensuring that your use of eTrust CA-ACF2 is successful and we want to thank youfor your continued support of Computer Associates. If you have any questions regarding this softwaresolution, contact your local eTrust CA-ACF2 Technical Support group. Also, visit our support web site athttp://support.ca.com.Software PrerequisitesYour IBM software must meet these minimum requirements to operate thisrelease of eTrust CA-ACF2:• OS/390 Version 2 Release 9 and above (including z/OS Version 1Release 4)• JES2 OS/390 Version 2 Release 8• JES3 OS/390 Version 2 Release 9• DFSMS 1.2.0 and above• ACF/VTAM 3.4.2 and above• PSF MVS 2.1.0 and above (required for eTrust CA-ACF2 Mandatory AccessControl [MAC])

If you are running any of the following software, it must meet these requirementsto run concurrently with this release of eTrust CA-ACF2:• CICS/ESA Release 4.1 and above• IMS Version 6 Release 1 and above• CA Common Services for z/OS and OS/390 Release 1.0, Genlevel 9901 oraboveCA Common Services for z/OS and OS/390 PrerequisitesGetting Started1. Before you install the eTrust CA-ACF2 Release 6.5 product tape(65SP01AJ100), we highly recommend that you install Release 2.2 ofCA Common Services for z/OS and OS/390 at the SP03 Service pack.The Computer Associates Quality Assurance group performed finalintegration tests at this level. You must have CA Common ServicesRelease 1.0 installed at the 9901 Genlevel before applying this eTrustCA-ACF2 product tape.2. CAIRIM is mandatory for eTrust CA-ACF2. It must be installed andstarted with eTrust CA-ACF2 within 30 minutes of IPL time. See"Section B - CAIRIM and LMP Keys" for more information.1. This eTrust CA-ACF2 Release 6.5 product tape must be installed usingSMP/E. CA-Activator® install support is not available with this release.2. Review all enclosed PMLs and PTFs to determine if they pertain to yourenvironment. Pay special attention to the "General Information" and"Summary of Changes" sections. The following previously publishedeTrust CA-ACF2 Release 6.5 Product Information Bulletin (PIB) isavailable in file 28, ACF2.PMLLIB (the ACFMAINT job contains JCLto unload this file).• Release 6.5 GA Base: PIB QI336133. If you are migrating to eTrust CA-ACF2 Release 6.5 Service pack SP01from eTrust CA-ACF2 Release 6.3 or an earlier release, you must beaware of the product enhancements and changes made to eTrustCA-ACF2 Release 6.4. eTrust CA-ACF2 Release 6.5 is a functionallyrich release that offers numerous client-requested administrative andtechnical enhancements. Additionally, product changes andenhancements are made available on an ongoing basis throughdistribution of regular product updates or service packs.eTrust CA-ACF2 Release 6.5 builds upon the Release 6.4 foundation andprovides additional functionality that extends many of the eTrustCA-ACF2 Release 6.4 features. You can get further information abouteTrust CA-ACF2 Release 6.4 changes from the following sources:August 2003 2 eTrust CA-ACF2 Security for z/OS and OS/390

Release 6.4 eTrust CA-ACF2 Security for z/OS and OS/390 ReleaseGuide.The following Release 6.4 eTrust CA-ACF2 Security for z/OS andOS/390 Product Maintenance Letters:• Service pack SP04: PML QI37803• Service pack SP03: PML QI29702• Service pack SP02: PML QI12971• Service pack SP01: PML QI00734• Release 6.4 GA Base: PIB LI91544Note: All of these PMLs can be obtained through StarTCC using the“Browse/download solutions" function specifying the QIxxxxx/LIxxxxxnumber as an APAR number. You can obtain the eTrust CA-ACF2Release 6.4 documentation from the CA Systems Library for z/OS andOS/390 Documentation CD. In addition, the documentation for Release6.4 is available on the eTrust CA-ACF2 eSupport web site at thefollowing locations:http://esupport.ca.com or the eTrust CA-ACF2 Support web site athttp://support.ca.com/ca-acf2os390supp.html4. Read “Section A – Installation” or “Section B – MaintenanceInstallations.”5. Installation instructions for eTrust CA-ACF2 Security for CICS can befound in the eTrust CA-ACF2 Security for z/OS and OS/390 CICSSupport Guide. eTrust CA-ACF2 Security for IMS installationinstructions can be found in the eTrust CA-ACF2 Security for z/OS andOS/390 IMS Support Guide and IMS Batch Support Guide.6. The documentation set for eTrust CA-ACF2 Release 6.5 includes thelatest technology available for online viewing, keyword searching, bookmarking, and printing. The eTrust CA-ACF2 Release 6.5 documentationset is available in Adobe Acrobat Reader format on the CA eSupport website at http://esupport.ca.com or the CA Support web site athttp://support.ca.com/premium/ca-acf2/manuals/os390index.html . Also,the documentation set is available in IBM BookManager and AdobeAcrobat Reader format on the tape. Use one of the following two jobs inCAI.ACF2.SAMPJCL to download these files. To unload the SAMPJCLlibrary, see "Before you Begin" in the "Installing eTrust CA-ACF2"chapter of the Release 6.5 eTrust CA-ACF2 Security for OS/390 andz/OS Getting Started guide.• For IBM BookManager, the CAI.ACF2.SAMPJCL (ACFBKMGR)job unloads the files. Modify the JCL to comply with your site'sstandards. After you unload the file, modify the BKSHELF file tomatch any data set name changes made in the ACFBKMGR job.August 2003 3 eTrust CA-ACF2 Security for z/OS and OS/390

• For Adobe Acrobat Reader, the CAI.ACF2.SAMPJCL(ACFACROB) job unloads the Adobe Acrobat PDF files. Modifythe JCL to comply with your site's standards. After you unload thefile, move the archive files using a binary transfer method to aplatform that supports Adobe Acrobat Reader. See thehttp://www.adobe.com web site for a list of supported platforms andmore information. To unload the archive, use utilities native to thatplatform. This is a Gzipped-TAR archive or TGZ file. For Windowsusers, several utilities exist, for example, WinZip 6.3 or higher.UNIX platforms can use gzip and tar.Note: To process the Release 6.5 Adobe Acrobat PDF files, your AdobeAcrobat Reader software must be at the Release 5.0 or higher level. Forfurther information on supported releases, please see thehttp://www.adobe.com web site.General InformationPlease note the label information on your tape. The number 65SP01AJ100denotes the level of the tape. The volume serial number for this tape is J16501.The highest APAR for all FMIDs in this service pack is QO41452. The easiestway to obtain a list of all General Availability solutions beyond a service level isto visit our support page under Solutions and Patches and just point and click onthe desired service pack. The support page has also been enhanced to provide youwith all Hyper Solutions for a particular release. We encourage you to visit:http://support.ca.com/ca-acf2os390supp.html.This service pack supports the following IBM software releases:• OS/390 Version 2 Release 9 and above• UNIX System Services (USS)• OpenEdition Distributed Computing Environment (DCE)• Lotus Notes Domino Go Webserver (also known as HTTP Server forOS/390)• CICS Release 4.1 through CICS Transaction Server for OS/390 Version 2Release 2• IMS Version 6 Release 1 through Version 8 Release 1When IBM releases a new version of OS/390 or z/OS, Computer Associatesprovides an upgrade solution. This solution describes the maintenance required ineTrust CA-ACF2 to make it compatible with the new release of OS/390 or z/OS.Upgrade (UPGRAD) solutions exist for each GA release of OS/390 and z/OS.To receive the latest updates, download them from StarTCC athttp://esupport.ca.com or call Computer Associates Technical Support andrequest the specific OS/390 or z/OS upgrade solution.August 2003 4 eTrust CA-ACF2 Security for z/OS and OS/390

Summary of ChangesThe eTrust CA-ACF2 Security Cookbook for z/OS and OS/390 discussesimplementing UNIX for OS/390 or z/OS in an eTrust CA-ACF2 environment. Italso discusses the changes to z/OS and OS/390 that affect security in UNIXSystem Services. The latest version of the eTrust CA-ACF2 Security Cookbookfor z/OS and OS/390, May 2003, is available on the eSupport and www.ca.comweb sites in Adobe Acrobat PDF format.If you are migrating from a prior release, genlevel, or service pack of eTrustCA-ACF2, we recommend that you read the Release 6.5 eTrust CA-ACF2Security for z/OS and OS/390 Release Guide for all of the enhancements andchanges in Release 6.5. The following changes for eTrust CA-ACF2 Release 6.5Service pack SP01 are detailed in this section.• Changes for JES3 Users with Program PathingJES3 sites using program pathing will notice additional validationsoriginating from the JES3 address space. The validations specifyPGM=IATINTKE and a LIB= value corresponding to your JES3 LINKLIB.If GSO LINKLIST records are inserted or changed to accommodate thesevalidations an F ACF2,REFRESH(LINKLST) command must be issued torefresh the LINKLST, and the JES3 address space must be recycled toactivate the LINKLST change in JES3.• Changes to R_datalib Callable Service ProcessingR_datalib callable service processing has been modified to conform with thepublished documentation (in usage note 1) which dictates the conditionsunder which a certificate's private key can be returned. Prior to this change,R_datalib would erroneously return a certificate's private key if the certificatewas connected to a keyring with usage SITE. This behavior was not inconformance with the documented specifications for the R_datalib callableservice. Sites that have already connected certificates to keyrings with usageSITE need to review their keyring setup and consider connecting thecertificate with usage PERSONAL rather than SITE if a private key needs tobe returned on the R_datalib call. Failure to do so may result inGSK_ERROR_NO_PRIVATE_KEY (-27) conditions starting servers.• Certificate Administration Resource CheckAPAR QO40132 improves administration of CERTDATA and KEYRINGuser profile records. Authorization to delete CERTDATA and KEYRINGuser profile records can now be administered using the following FACILITYclass resource entities:IRR.DIGTCERT.DELETE for CERTDATA recordsIRR.DIGTCERT.DELRING for KEYRING recordsIf the delete command is issued for a CERTDATA or KEYRING record thatbelongs to the user attempting the delete, at least READ access isrequired. To delete CERTDATA or KEYRING records that belong toAugust 2003 5 eTrust CA-ACF2 Security for z/OS and OS/390

another user, at least UPDATE access is required. Deletion of CERTAUTHand SITECERT records requires CONTROL access.• Error Message Text ChangeACF2 FAILS W/ABEND S806 CAILPAM NOT FOUNDThe text of error message CAS4012E has been changed by APAR QO40774,the old text reads:CAS4012E - Invalid operating system level: MVS/ESA4.3 or above is required.The new text reads:CAS4012E - Unable to locate module CAILPAM.Initialization terminated.Note: The message ID was reused because it is no longer possible to run anoperating system release older than MVS/ESA 4.3.• $OWNER Now Allowed in 4K Resource RulesThe $OWNER resource rule control card was previously allowed only ifeTrust CA-ACF2 was operating in RULELONG mode. Any attempt to usethis control card if not operating in RULELONG mode resulted in errormessage:ACF70025 WARNING - $OWNER IS INVALID - FIELD ISIGNOREDThis control card is now accepted in all modes.• SHOW CACHESRV CommandThe ACF command has been enhanced to allow the command SHOWCACHESRV. When this command is issued, you will receive one of thefollowing output:Scenario #1: CACHESRV-hardening feature is not activatedACFSHOW CACHESRV-- GSO CACHESRV DEFINITIONS for R_cachesrv --R_cachesrv hardening is NOT ACTIVEAugust 2003 6 eTrust CA-ACF2 Security for z/OS and OS/390

Scenario #2: CACHESRV-hardening feature is not activatedACFSHOW CACHESRV-- GSO CACHESRV DEFINITIONS for R_cachesrv --R_cachesrv hardening is ACTIVEThe R_cachesrv file name is HLQ.VSAM.FILECache Names Eligible For Hardening REALM------------------------------------------aaaaaaabbbbbbbccccccc• eTrust Audit EnhancementSupport for enhanced logging of events to the eTrust Audit product isprovided on this service pack.After installing this service pack, you will notice a new option, ETAUDIT,present in the GSO OPTS record. Setting this field will activate the routingof security event information to eTrust Audit.This enhancement adds support for eTrust CA-ACF2 to send security eventnotification to outside security monitoring products, eTrust Audit andUnicenter TNG Monitor Facility.Communication with both products is performed using the ENFSNMP event.eTrust CA-ACF2 passes the event information to ENF with the event dataparameter. ENF then examines the information passed and the followingactions are taken; if the event data is for Unicenter TNG, ENF sends theevent to Unicenter using SNMP traps. If it is for eTrust Audit, ENF sends theevents to eTrust Audit using SAPI (Audit API) calls.Important NoteBefore activating the ETAUDIT option in eTrust CA-ACF2, you must ensurethat the fixes QO39451 and QO39446 have been applied to the CA CommonServices component.• Support the “COPY” parameter on RACROUTESupport is provided for the COPY parameter of the RACROUTEREQUEST=STAT macro. See the RACROUTE MACRO reference forfurther information about this feature.August 2003 7 eTrust CA-ACF2 Security for z/OS and OS/390

• Unnecessary INFOSTG DBASE I/O for OMVS ProfilesCode introduced by problem #3517 (circa 1996) attempted to address aproblem with the ISHELL administration SETUP script. The script attemptedto insert a new OMVS profile, and was followed immediately by aRACROUTE EXTRACT for this information. This did not work if a clienthad PUSR defined as a resident directory via the GSO INFODIR record. Anintervening REBUILD command was required to bring the new profile intocore. Problem #3517 changed the RACROUTE EXTRACT processor,ACF9CXTR, to read the database for an OMVS USER PROFILE even if thedirectory suggested that the record did not exist. This made the ISHELLUSER SETUP work, but has also caused much un-needed I/O in Websphere,elongating the signon process. Since the negative aspect of problem #3517clearly outweighs the positive today, problem #3517 is being effectivelyreversed by this APAR.• Support for GSO STC AttributeSupport to assign logonids to specific started tasks through GSO STC recordshas been added in Release 6.5. Part of the support is to allow for the logonidnot to require the STC attribute, if a GSO STC record assigns it.The logonid can have, but does not require, the STC attribute. If the logoniddoes not have the STC attribute it can be used for other system accessesincluding inheritance for batch jobs submitted by the started task.Additionally, if the start of a started task fails due to a security violation, theACF2 (ACF01XXX) message will be issued.• New Mixed-case Password ExitThis enhancement adds a new input parm at +12 to the New Password Exit(NEWPXIT). The new input parm will be the mixed-case new password(new password exactly as entered by the user).R1 - Standard parameter list:+0 - Address of ACVALD or ACALT parameter list+4 - Address of eight-character new password - upper-cased+8 - Address of logonid record+12 - Address of eight-character new password as entered by the userProcessing notes:• None of the existing parms have changed. Existing new password exitswill work the same as always.• The mixed-case new password will be provided to the New PasswordExit regardless of whether it is indeed mixed-case or not. Someapplications may pass to ACF2 the upper-cased new password, andtherefore the New Password Exit has no way of knowing for sure if theAugust 2003 8 eTrust CA-ACF2 Security for z/OS and OS/390

new password was entered by the user in upper-case or if the callingapplication upper-cased it.• This enhancement does not change in any way the manner by whicheTrust CA-ACF2 processes passwords. eTrust CA-ACF2 will stillupper-case all password data before using it.This support is limited to situations where it is possible to provide the mixedcasenew password. The following are supported:• TSO logon with new password.• JCL password changes via the //*PASSWORD oldpswd/newpswd card.• Password changes via the ACF command.• CICS ACFM CP with fix QO40799 (TC6511M) applied.• CICS logon with new password, with the following considerations:Each terminal must be capable of mixed-case data entry. This iscontrolled via the UCTRAN definition within the TYPETERM CICSRDO definition used for terminal auto-install processing or via theUCTRAN definition for TERMINAL CICS RDO definitions. Inaddition, the signon transaction itself must have UCTRAN(NO) (whichis the default) specified in the PROFILE CICS RDO definitionassociated with it. See the CICS Resource Definition Guide or the CICSInformation Center for additional information. Failure to properly setthese CICS options may result in CICS automatically upper-casing allinput data.Consider the method of signon used. The eTrust CA-ACF2 CICSACFAEUSC sample signon program does not upper-case the newpassword, thus the entry case of the new password is preserved. If,however, you are using CICS-provided facilities for signon, you have toidentify which you use in your environment and consider their impact.For example, it appears that the EXEC CICS SIGNON commandpreserves entry case of new password data, but it also appears that theOCO IBM-supplied DFHSNP signon program does not, altering the caseof the new password, forcing it to be upper-case. As both functions areIBM controlled and are distributed in OCO format, they are, in theory,susceptible to changes by IBM maintenance or by new IBM productreleases.Consider the impact of any terminal-related changes on yourapplications. Legacy application systems may assume that all inputterminal data is upper-cased and application failures and, in a worse-casescenario, application corruption and/or outages could result if mixed-casedata is introduced. Investigate your installation's current terminal autoinstallconfiguration and determine the UCTRAN option that is set forauto-installed terminals. Consider also any hardcoded terminaldefinitions that may exist.August 2003 9 eTrust CA-ACF2 Security for z/OS and OS/390

Section A – InstallationFollow the installation procedures documented in the Release 6.5 eTrustCA-ACF2 Security for OS/390 and z/OS Getting Started guide.Installation InstructionsInstallation instructions for eTrust CA-ACF2® Security for CICS can be foundin the eTrust CA-ACF2 Security for z/OS and OS/390 CICS Support Guide.eTrust CA-ACF2® Security for IMS installation instructions can be found inthe eTrust CA-ACF2 Security for z/OS and OS/390 IMS Support Guide and IMSBatch Support Guide.Installation Changes1. The SMPMCS deck now contains DATA element types replacing'++MAC' element types where appropriate. The new DATA elementtypes include: ++MOD, ++SRC, ++PROC, ++PNL, ++CLIST,++MSG, ++SKL, ++HELP, and ++MSGENU. The main impact is thatDATA elements cannot be updated, only replaced.2. If you are installing MAC, the following High Level Assemblermessages can be ignored: ASMA301W, ASMA303W, and ASMA435I.Notes regarding eTrust CA-ACF2 Release 6.5 installation processing, JXB2APPAPPLY job:• You can expect to get a return code of four from the JXB2APP job. Youmay see error messages IEW2470E and IEW2468E for the CAIXJ815 loadmodule; these can be ignored.• You can expect to see IEW2454W warning messages for program objectbind processing to the CAI.SMPLTS dataset. These are normal and can beignored.Notes regarding eTrust CA-ACF2 Release 6.5 CICS installation processing,CX65APP APPLY job:• You can expect to get a return code of four from the CX65APP job. Youmay also see messages IEC141I and IEW2745S; these can be ignored.Important Note for IMS UsersAfter completing the eTrust CA-ACF2 Release 6.5 base maintenance you shouldapply PTF TT65658 to refresh the local copies of base processing modules in theeTrust CA-ACF2 Release 6.5 IMS interface. Refer to the IMSLVL member ofthe ACF2IMS.SAMPJCL data set to install this PTF.August 2003 10 eTrust CA-ACF2 Security for z/OS and OS/390

Important Note for eTrust CA-ACF2 Security for DB2 UsersUsers wishing to reinstall eTrust CA-ACF2® Security Option for DB2 for anyreason once eTrust CA-ACF2 Release 6.5 is installed must reinstall eTrustCA-ACF2 for DB2, Release 1.1 at the SP06 Service pack level. In addition, userswishing to apply any maintenance to eTrust CA-ACF2 for DB2 once eTrustCA-ACF2 Release 6.5 is installed will first need to reinstall eTrustCA-ACF2 Security for DB2 Release 1.1 at the SP06 Service pack level.Note to Users of EKC, Inc.‘s ETF/A 1.6.0 ProductIf your installation uses EKC, Inc.’s ETF/A product at the V1.6.0 level, beadvised that EKC technical support has written ETF/A APAR LD16037(prerequisite APAR is LD16018) to provide support for eTrust CA-ACF2Release 6.5. Please contact your EKC, Inc. technical support representativedirectly for further information.Section B - Maintenance InstallationThe maintenance contained on this tape updates an existing eTrust CA-ACF2Release 6.5 system to Service pack SP01 status.Installation instructions for eTrust CA-ACF2 Security for CICS can be found inthe eTrust CA-ACF2 Security for z/OS and OS/390 CICS Support Guide. eTrustCA-ACF2 Security for IMS installation instructions can be found in the eTrustCA-ACF2 Security for z/OS and OS/390 IMS Support Guide and the IMS BatchSupport Guide.Refer to the $DOC member of ACF2.FIXLIB, (file 30 on this tape) forupgrade/maintenance documentation on eTrust CA-ACF2 Security for z/OS andOS/390, eTrust CA-ACF2 Security for CICS, and eTrust CA-ACF2 Security forIMS. Refer to CAI.ACF2.SAMPJCL(ACFMAINT) for the JCL to unload theACF2.FIXLIB file.An APAR cross-reference file, ACF2.FIXXREF (file 31), is included on the tape.It includes an entry for each APAR written against eTrust CA-ACF2 Release 6.5since its inception. Each entry contains the APAR number, the level at which itwas distributed, the modules that it affects, a short description, and the originaltest fix number. This file is unloaded in job step FIXXREF of the ACFMAINTprocedure.Important Note for IMS UsersAfter completing the eTrust CA-ACF2 Release 6.5 base maintenance you shouldapply PTF TT65658 to refresh the local copies of base processing modules in theeTrust CA-ACF2 Release 6.5 IMS interface. Refer to the IMSLVL member ofthe ACF2IMS.SAMPJCL data set to install this PTF.Section C - CAIRIM and LMP KeysAugust 2003 11 eTrust CA-ACF2 Security for z/OS and OS/390

License Management Program (LMP)eTrust CA-ACF2 licensing is maintained by the CA License ManagementProgram (LMP). LMP provides a standardized, automated approach to licensemanagement and is designed to eliminate the difficulties inherent in tracking theaccurate licensed use of CA products.LMP runs as a component of CAIRIM. CAIRIM must be installed prior toinitializing eTrust CA-ACF2. If CAIRIM is not running, eTrust CA-ACF2issues message ACF79452. If CAIRIM is not started in 30 minutes, eTrustCA-ACF2 issues this message:ACF79457 CPU nnnnnn REQUIRES A LMP KEY TO RUN PROD(X1)eTrust CA-ACF2 MVSYou should already have received an LMP Product Key Certificate. If you do nothave a valid LMP KEY for the CPU on which you are running, CA CommonServices for z/OS and OS/390 message CAS9180E appears on your systemconsole. Once the appropriate key is entered and CAIRIM is restarted, enter thefollowing console command:F ACF2,LMPCHECKeTrust CA-ACF2 immediately verifies the new key. If it is still not valid,another message is generated to your console.If you have any questions about LMP and CAIRIM call the CA LicenseManagement Program Hotline at 1-800-338-6720 in North America (24 hours aday, 7 days a week). Outside of North America, contact your local ComputerAssociates Technical Support Center during local business hours.August 2003 12 eTrust CA-ACF2 Security for z/OS and OS/390

END OF PMLAugust 2003 13 eTrust CA-ACF2 Security for z/OS and OS/390