CA-Remote Console External Security with CA-ACF2

Document ID : KB000028101
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:

A refresh command from TSO (SDSF) works with out any problems.
Invoking the same command under CA-Remote Console the following error is observed even though REFRESH privileges are activated.


 - SYSNAME RESPONSE --------------------------------------------
 - ACF79343 OPERATOR FUNCTION: AUTHORIZATION FAILURE

Answer:

The following defines the requirements for using CA-Remote Console in an external security environment protected by CA-ACF2. CA-Remote Console must be defined to CA-ACF2 security system in order to run as a started task. The related CA-Remote Console initialization parameters are:

RCSINIT SECURITY=ACF2
RCSINIT SECCLASS=secclass
RCSINIT SECRESOURCE=secresource
RCSINIT SECTOKEN=YES/NO

secclass is the 8 byte class name to be specified for the resource keyword on the GSO CLASMAP record. secresource represents an 8 byte resource name that is specified on the $KEY statement in an CA-ACF2 resource rule.

Specify RCSINIT SECURITY=ACF2 if you want CA-ACF2 to secure the logon to CA-Remote Console. To use CA-ACF2 as the logon verification mechanism, you must define CA-Remote Console as a MUSASS to ACF2 using the following CA-ACF2 commands

SET LID
INSERT REMCONS STC MUSASS

Note: The above example assumes REMCONS is the started task name of CA-Remote Console

If you set the RCSINIT SECURITY= to RCS, USER or NONE, then the CA-REMOTE CONSOLE started task does not need the MUSASS privilege. In this case the  CA-ACF2 INSERT command would be modified to the following:

SET LID
INSERT REMCONS STC 

SECCLASS and SECRESOURCE

Use of the RCSINIT SECCLASS and SECRESOURCE parameters is optional. These parameters allow you to control which users are permitted to log on to CA-REMOTE Console. You can activate logon checking by adding the values in CA-Remote Console that are similar to the following:

RCSINIT SECCLASS=REMCONS
RCSINIT SECRESOURCE=RCSLOGON

To define this resource to eTrust CA-ACF2, create the following CLASMAP record:

SET CONTROL(GSO)
INSERT CLASMAP.RCS RESOURCE(REMCONS) TYPE(RCS) ENTITYLN(8)

Once this is in place, create the following CA-ACF2 resource rule to allow selected users or groups of users access to CA-Remote Console

$KEY(RCSLOGON) TYPE(RCS)
UID(user1) ALLOW
UID(user2) ALLOW

OPERATOR COMMAND VALIDATION

If you validate operator commands (OPERCMDS) or have an automation package such as CA-OPSMVS-II, you should set RCSINIT SECTOKEN to a value of YES. This setting causes CA-Remote Console to propagate the userid to CA-ACF2 and the automation package each time that a user issues a command through CA-Remote Console. When SECTOKEN=NO is set, the userid information is not passed resulting in the commands being validated under the CA-Remote Console stated task logonid.

GROUP PROCESSING

If you currently use the GROUP field of the LOGONID record in CA-ACF2, CA-Remote Console will copy this value at logon time. You can then use the CA-Remote Console ACCOUNT command to specify characteristics of the GROUP names copied from the CA-ACF2 logonid. You can display the GROUP names of logged on CA-Remote Console users by issuing the RDISPLAY SESS,ALL command from within a CA-Remote Console session. An example of this output is presented below:

- RCS5660 SESSION SUMMARY 148 DATA LINE 1 OF 3
- LOGONID TERMID LOGON AUTH GROUP STATUS
- LUTDA01 A55TU009 SYS AUTM INHIBITED,COLOR
- KELGR01 A55TU062 SYS MGMT COLOR

Additional notes:

Review Appendix E, of the RCS User Guide that has the recommended ACF2 setup.