CA Sysview Setup In CA Top Secret

Document ID : KB000048485
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

How should CA Sysview be defined to CA Top Secret?

Solution:

Here are the basics (define the facility, create region acid, etc).

  1. Define the facility to CA Top Secret by adding the following to the CA Top Secret parameter file:

    FAC(USERn=NAME=GSVX)
    FAC(GSVX=PGM=GSV,MULTIUSER,SHRPRF,KEY=8,NOLUMSG,NOSTMSG)
    FAC(GSVX=MODE=FAIL,LOG(NONE),ACTIVE,NOABEND)
    FAC(GSVX=SIGN(M),NOTRACE,AUTHINIT)
    FAC(GSVX=NOAUDIT,ASUBM,DEFACID(*NONE*))
    FAC(GSVX=UIDACID=8)

    where 'USERn' is a valid user facility number not currently in use.
    You can dynamically define the facility using the TSS MODIFY command:

    TSS MODIFY FAC(USERn=NAME=GSVX)
    ...

  2. Create a region acid for SYSVIEW with a MASTFAC of the facility defined in step 1.

    TSS CREATE(SYSVIEW) NAME('SYSVIEW ACID') FACILITY(STC) -
    MASTFAC(GSVX) PASSWORD(xxxx,0) DEPT(owningdept) -
    NOLCFCHK NORESCHK NODSNCHK NOVOLCHK NOSUBCHK

    We recommend that all started task (STC) acids be given a password and OPTIONS(4) be set in the CA Top Secret parameter file. OPTIONS(4) will eliminate the prompt for a password when the STC starts, but if someone tries to signon with the STC acid, he will need to know the password.

  3. Define the SYSVIEW address spaces as started tasks in the STC record using the region acid created in step 2.

    TSS ADDTO(STC) PROCNAME(SYSVIEW) ACID(SYSVIEW)
    TSS ADDTO(STC) PROCNAME(SYSVUSER) ACID(SYSVIEW)
    TSS ADDTO(STC) PROCNAME(SYSVAAST) ACID(SYSVIEW)

  4. Add an OMVS segment to the ACID.

    TSS ADDTO(SYSVIEW) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP) -
    HOME(/) OMVSPGM(/bin/sh)
    TSS MODIFY OMVSTABS

  5. Add the facility to the users that need it.

    TSS ADD(acid) FAC(SYSVIEW)

    where 'acid' is the user's acid, an attached profile, or the ALL record if all users should have access.

  6. See chapter 6 of the Sysview r13.9 Security Guide for how to setup Sysview to use external security instead of the internal security.

The Sysview Security Guide states that the PassTicket configuration is required for the CA SYSVIEW for CA Insight DPM for DB2 component.

If using the CA Insight DPM for DB2 component, see chapter 5 of the Sysview r13.9 Security Guide for the section 'PassTicket Configuration' that documents what is needed to set this up.

Chapter 4 of the Sysview Security Guide has a section 'External Security Section Display'. In this section, it recommends that you specify CAGSVX as the 'SAF Entity Class Name' with CA Top Secret. CAGSVX is a predefined resource class in the CA Top Secret RDT.

Chapter 5 has another section, 'SAF Requirements', that documents the SAF authorizations that are required for both the CA SYSVIEW address spaces and for individual user IDs. The SAF authorizations depend on what features and components are implemented at your site. (NOTE: The FACILITY class in CA Top Secret is IBMFAC.)