How do I change from Internal to External Security for CA Roscoe?

Document ID : KB000027409
Last Modified Date : 14/02/2018
Show Technical Document Details

Introduction: 

ROSCOE is a very powerful program and it is essential, therefore, that security be properly implemented so that the users of the product not present data integrity exposures.

Properly securing the use of various commands and features is crucial.

  • All ROSCOE privileged commands should be reviewed for potential security exposures and to prevent unauthorized use. For example, the use of the ZAP monitor command should be restricted to system programmers who would normally have access to AMASZAP type of system level utility programs.
  • Control all ROSCOE system data sets so that only authorized users can access these data sets and only with the appropriate levels of permission.

Background:

CA-Roscoe 6.0 supports external security by making SAF compliant RACROUTE calls. The resource used for ROSCOE as noted in the ROSCOE Security Administrators Guide is ROSRES (CA TSS), RO@RES (IBM RACF), ROSRES or ROS (CA ACF2).   

The key to external security, is the ACFEXT= parameter. If specified as "YES", external security checking will be initiated at user signon. It must be specified as "YES" for any other external security parameters to be valid. The first time it is used, all passwords in the CA-Roscoe profile key (UPS) will be set to "EXTERNAL", they can only be reset manually. CA Roscoe uses the EXTSEC= SYSIN parameter to determine the type of external security.  

Environment: 

CA ACF2, IBM RACF, CA Top Secret  

Instructions:

  1. If you have IBM RACF, resource class RO@RES must be defined, see TEC475388 ROS453I: Resource Class RO@RES Inactive or not Defined to Security System - RC=08
  2. EXTSEC must be set to ACF2, RACF or TOPS.
  3. CA-Roscoe security SYSIN Parameters must be defined as follows:
    ACFEXT=YES/NO Indicates the type of security used at user signon. CA Roscoe will use external security if set to "YES"
    CLLEXT=YES/NO Indicates the type of security used for ETSO calls. CA Roscoe will use external security if set to "YES"
    JOBEXT=YES/NO Indicates the type of security used for Attach Job calls. CA Roscoe will use external security if set to "YES".
    LIBEXT=YES/NO Indicates the type of security used at user signon. CA Roscoe will use external security if set to "YES".
    MONEXT=YES/NO Indicates the type of security used for monitor routine calls. CA Roscoe will use external security if set to "YES".
    PRVEXT=YES/NO Indicates the type of security used for privileged command calls. CA Roscoe will use external security if set to "YES".
    RPFEXT=YES/NO Indicates the type of security used for RPF calls.  CA Roscoe will use external security if set to "YES".
    UPSEXT=YES/NO Indicates the type of security used for UPS calls.
  4. Please refer to the CA Roscoe Security Administration Guide Section 2.1.2 for a description of the access attribute translation and Section 2.1.2.1 for a listing of the resource names by command. The resource classes and names are discussed below.  The rosid is optional.  For more information about the rosid, please see TEC265220 What is the Rosid and when is it used?  

    If CLLEXT=YES
    The resource class and name is:
    ROSRES
    [rosid.]ROSCMD.ETSO.program ACCESS(READ)

    example
    TSS PERMIT(userid) ROSRES(rosid.ROSCMD.ETSO.program) ACCESS(READ)

    If JOBEXT=YES
    The resource class and name when attaching a job:
    JESSPOOL
    localnodeid.userid.jobname.jobid.dsnumber.name ACCESS(UPDATE)

    If LIBEXT=YES
    The resource class and name is:
    ROSRES
    [rosid.]ROSCMD.PRIV.ROSLIB ACCESS(UPDATE)

    If PRVEXT=YES
    The resource class and name is:
    ROSRES
    [rosid.]ROSCMD.PRIV.OPER.cmd.cmd2 ACCESS(CONTROL)

    If MONEXT=YES
    The resource class and name is:
    ROSRES
    [rosid.]ROSCMD.MONITOR.mon ACCESS(READ)

    If RPFEXT=YES
    The resource class and name is:
    ROSRES
    [rosid.]ROSCMD.RPF.pfx.rpf ACCESS(READ)

    If UPSEXT=YES
    The resource class and name is:
    ROSRES
    [rosid.]ROSCMD.PRIV.ROSUPS ACCESS(UPDATE)

  5. The CA Roscoe job must have access to all data sets. CA Roscoe does not call security prior to issuing the "open" for each file.
  6. To avoid S913 (insufficient access authority) dumps, a slip should be present in the IEASLPxx member of SYS1.PARMLIB to default the S913 abend to NODUMP as shown below.
    SL SET, C=913, A=NODUMP
    The DSAEXIT may issue a security call, the ACEE will be the Roscoe userid.
    The class and entity for data set security as shown below:

CLASS=DATASET
ENTITY=data set name
ATTR=READ/UPDATE