The CA Top Secret documentation lists which started tasks should have ACIDs defined to them. However, it does not specify what type of access these tasks need, particularly VLF, XCFAS and IEEVMPCR. How should these ACIDs be defined?
VLF and XCFAS are system address spaces. These should be defined to the STC table in CA Top Secret with ACID(BYPASS).
IEEVMPCR should be defined to the STC table in CA Top Secret with a region ACID. Here are example CA Top Secret commands:
TSS CRE(IEEVMPCR) TYPE(USER) NAME('IEEVMPCR USER') PASS(xxxx,0) DEPT(dept)
TSS ADD(IEEVMPCR) FAC(STC)
TSS ADD(IEEVMPCR) UID(0) HOME(/) DFLTGRP(group) GROUP(group) PROGRAM(/bin/sh)
'dept' is the type DEPT ACID that you want to own the IEEVMPCR user ACID.
'group' is an OMVS group that the IEEVMPCR ACID should have as its GROUP and DFLTGRP.
'xxxx' is a password. We recommend that all started task (STC) ACIDs be given a password and that OPTIONS(4) be set in the CA Top Secret parameter file. OPTIONS(4) eliminates the prompt for a password when the STC starts, but anyone who tries to sign on with the STC ACID will still need to know the password.
NOTE: The ACID does not have to be called IEEVMPCR. It can be something different.
- To add it to the STC table in CA Top Secret:
TSS ADD(STC) PROCNAME(IEEVMPCR) ACID(IEEVMPCR)
- While implementing this change, consider starting with this ACID in WARN mode:
TSS PER(IEEVMPCR) MODE(WARN)
After bringing up IEEVMPCR, run TSSUTIL with the following to see if there are any violations for this ACID:
REPORT EVENT(VIOL) ACID(IEEVMPCR) LONG END
If there are violations, permit the appropriate resources with the required access levels, then revoke the MODE permit:
TSS REV(IEEVMPCR) MODE(WARN)