Defining IBM's Common Event Adapter (CEA) for z/OS 1.9 To CA Top Secret.

Document ID : KB000026463
Last Modified Date : 14/02/2018

Question:

We need to set up an ID for IBM's Common Event Adapter (CEA) for z/OS 1.9. The information from IBM on setting this up with RACF is as follows:

The following information documents the new security specification for the Common Event Adapter (CEA) and is valid for z/OS V1R9. This information replaces the security specification to enable full function mode for CEA as documented in Section 5.1, "Customizing for CEA", of the z/OS V1R9.0 Planning for Installation manual.

  1. Userid CEA must be defined to the security product as follows:
    ADDUSER CEA DFLTGRP(SYS1) OMVS(UID(any) FILEPROCMAX(1024))
    RDEFINE STARTED CEA.** STDATA(USER(CEA) GROUP(SYS1) TRACE(YES))
    SETROPTS RACLIST(STARTED) REFRESH
  2. Give userid CEA read access to the profile protecting SYS1.PARMLIB:
    PERMIT 'SYS1.PARMLIB' GENERIC ACCESS(READ) ID(CEA)
    SETROPTS GENERIC(DATASET) REFRESH
  3. Userid CEA needs write and execute access to the z/OS UNIX directory, /SYSTEM/var, where it creates a UNIX domain socket address file (CEAServer). That directory is shipped from IBM with permission 1777. If the permission for that directory (or path to that directory) was changed, then you must perform the appropriate definitions to give userid CEA write and execute access to that directory.

Answer:

The CA Top Secret equivalent commands are:

TSS CREATE(CEA) TYPE(USER) NAME('name') PASS(xxxx,0) DEPT(dept)

NOTE:
We recommend that all STC acids be given a password and that OPTIONS(4) be set in the CA Top Secret parameter file. OPTIONS(4) allows the started task to start without a password prompt, but anyone who tries to sign on with that acid will need to know the password.

 TSS ADD(CEA) FAC(STC)
 TSS ADD(CEA) UID(nnn)
 TSS ADD(CEA) GROUP(group) DFLTGRP(group)
 TSS ADD(CEA) OEFILEP(1024)
 TSS PERMIT(CEA) DSN(SYS1.PARMLIB) ACC(READ)

Acid CEA will also need access to any resources accessed at the startup of the region.

 TSS ADD(STC) PROCNAME(CEA) ACID(CEA)
 TSS MODIFY(OMVSTABS)

Item #3 in the Description/Summary above is the same for CA Top Secret, unless you are using HFSSEC security.

If you have HFSSEC security turned on, you will need to make sure the CEA acid is permitted to the z/OS UNIX directory, '/SYSTEM/var' in the HFSSEC resource class. You can do this via the following:

 TSS ADD(dept) HFSSEC(/SYSTEM) (if not already done)
 TSS PERMIT(CEA) HFSSEC(/SYSTEM.var) ACCESS(ALL)

NOTE:
The resource names in the HFSSEC resource class are case sensitive, so be sure that the case in your command to permit the HFSSEC resource matches what is in the TSS PERMIT command above.
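
For item #3 when HFSSEC is not in use, the following added example (not part of the original article or of IBM's or CA's documentation) checks from a UNIX shell whether a directory and the path leading to it still grant the write and execute access that the shipped 1777 permission provides. It assumes the CEA user is neither the owner nor in the owning group of those directories, so the "other" permission bits apply; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the CEA user is neither owner nor in the owning
# group of these directories, so the "other" permission bits decide access,
# and that HFSSEC is not active.

# Print the 10-character mode string of a directory, e.g. drwxrwxrwt.
mode_of() {
    ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 1, 10) }'
}

# Search (execute) for "other": 10th character is x, or t when sticky is set.
# A capital T means sticky is set but "other" has no execute permission.
other_can_search() {
    case $1 in d????????[xt]) return 0 ;; *) return 1 ;; esac
}

# Write for "other": 9th character is w.
other_can_write() {
    case $1 in d???????w?) return 0 ;; *) return 1 ;; esac
}

# Walk the path as given (pass an absolute path to cover every ancestor) and
# report each component that would block creating a file in the last one.
# The body runs in a subshell so the IFS and noglob changes do not leak out.
check_socket_dir() (
    rc=0
    check() {
        m=$(mode_of "$1")
        other_can_search "$m" ||
            { echo "no search for other: $1 (${m:-missing})"; rc=1; }
    }
    case $1 in /*) cur=/ ;; *) cur=. ;; esac
    check "$cur"
    set -f; IFS=/
    for part in $1; do
        [ -n "$part" ] || continue
        cur="${cur%/}/$part"
        check "$cur"
    done
    # $m now holds the mode of the final directory.
    other_can_write "$m" ||
        { echo "no write for other: $cur (${m:-missing})"; rc=1; }
    exit "$rc"
)
```

Running `check_socket_dir /SYSTEM/var` returns 0 and prints nothing when the path is usable; otherwise it lists each blocking directory with its current mode string.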

Additional Information:

Please see the CA Top Secret Command Functions Guide for more information about the TSS ADD, CREATE, MODIFY, and PERMIT commands.