How do we set up CA Top Secret security for ZSeries File System (ZFS)?

Document ID : KB000026262
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:

How do we set up CA Top Secret security for ZSeries File System (ZFS)?

 

Answer:

  1. Create the DFSGRP group acid:

    TSS CREATE(DFSGRP) TYPE(GROUP) NAME('DFS GROUP') DEPT(dept)
    TSS ADD(DFSGRP) GID(2)
  2. Create the DFS region acid:

    TSS CREATE(DFS) TYPE(USER) PASS(xxxx,0) NAME('ZFS region acid') DEPT(dept)
    TSS ADD(DFS) UID(0) HOME(/opt/dfslocal/home/dfscntl) DFLTGRP(DFSGRP) GROUP(DFSGRP)  
    TSS ADD(DFS) FAC(STC) 
  3. Add the ZFS and DFS started tasks to the STC table in CA Top Secret using ACID DFS as the region ACID:

    TSS ADD(STC) PROCNAME(ZFS) ACID(DFS)
    TSS ADD(STC) PROCNAME(DFS) ACID(DFS)
  4. Refresh the OMVS tables:

    TSS MODIFY(OMVSTABS)
  5. Define the IBMFAC(BPX.SUPERUSER) resource and PERMIT it to ACIDs that need it:

    TSS ADD(dept) IBMFAC(BPX.SUPE) (This may have already been done.)
    TSS PERMIT(acid) IBMFAC(BPX.SUPERUSER) ACCESS(READ)
  6. Define the UNIXPRIV(SUPERUSER.FILESYS.PFSCTL) and UNIXPRIV(SUPERUSER.FILESYS.MOUNT) resources and permit them to ACIDs that need it:

    TSS ADD(dept) UNIXPRIV(SUPERUSE) (This may have already been done.)

        TSS PERMIT(acid) UNIXPRIV(SUPERUSER.FILESYS.PFSCTL) ACCESS(READ)
        TSS PERMIT(acid) UNIXPRIV(SUPERUSER.FILESYS.MOUNT) ACCESS(UPDATE)

7.    Define the ZFS. high level qualifier dataset and permit the ZFS.SC43.IEOSZFS dataset to the DFS ACID:

TSS ADD(dept) DSN(ZFS.)
TSS PERMIT(DFS) DSN(ZFS.SC43.IEOSZFS) ACCESS(ALL)

 

Additional Information:

Please refer to the CA Top Secret Command Functions Guide for more details about the TSS ADD, TSS CREATE, TSS MODIFY and TSS PERMIT command.