How to setup the CA Spool External Security Interface with CA-Top Secret?

Document ID : KB000027560
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:

How to setup the CA Spool External Security Interface with CA-Top Secret?

Answer:

First setup your CAIQPARM member in CA Spool to use the External Security Interface using the the following statements:

SAFDEF NOINT,EXT,CLASS=DATASET
SAFTYPE 1,'ESFSECU.FIGR&REQ(6,2).G&GRP(1,7).&UID(0,8).&FNM(0,8)',
    NOINT,EXT
SAFTYPE 2,'ESFSECU.FINO&REQ(6,2).&NOD(0,8).&UID(0,8).&FNM(0,8)',
    NOINT,EXT
SAFTYPE 3,'ESFSECU.FIGR&REQ(6,2).G&GRP(1,7).&FUI(0,8).&FFN(0,8)',
    NOINT,EXT
SAFTYPE 4,'ESFSECU.FINO&REQ(6,2).&NOD(0,8).&FUI(0,8).&FFN(0,8)',
    NOINT,EXT
SAFTYPE 5,'ESFSECU.FIGR&REQ(6,2).G&GRP(1,7).&FUI(0,8).&FNM(0,8)',
    NOINT,EXT
SAFTYPE 6,'ESFSECU.FINO&REQ(6,2).&NOD(0,8).&FUI(0,8).&FNM(0,8)',
    NOINT,EXT
SAFTYPE 7,'ESFSECU.NOGR&REQ(6,2).G&GRP(1,7)',NOINT,EXT
SAFTYPE 8,'ESFSECU.NONO&REQ(6,2).&NOD(0,8)',NOINT,EXT
SAFTYPE 9,'ESFSECU.CMND.&CMD(0,8)',NOINT,EXT
SAFTYPE 10,'ESFSECU.AUTH.A2',NOINT,NOEXT
SAFTYPE 11,'ESFSECU.AUTH.A3',NOINT,NOEXT
SAFTYPE 12,'ESFSECU.AUTH.ALLGR',NOINT,EXT,LOG=NOSTAT
SAFTYPE 13,'ESFSECU.AUTH.EXCMD',NOINT,EXT,LOG=NOSTAT
SAFTYPE 14,'ESFSECU.AUTH.GLACC',NOINT,EXT,LOG=NOSTAT
SAFTYPE 15,'ESFSECU.NOGR&REQ(6,2).G&GRP(1,7)',NOINT,EXT,LOG=NOSTAT
SAFTYPE 16,'ESFSECU.NONO&REQ(6,2).&NOD(0,8)',NOINT,EXT,LOG=NOSTAT

The following is a detailed procedure how to setup external security rules using CA-Top Secret.

  1. Define ESF as a facility to CA Top Secret:

    TSS MODI FAC(USERnn=NAME=ESF)
    TSS MODI FAC(ESF=RES)
    TSS MODI FAC(ESF=MODE=mode)

    Where "USERnn" is a user defined facility in CA Top Secret that is not currently in use.
  2. Create the CA Spool started task ACID with a master facility:

    TSS CREATE(CASPOOL) TYPE(USER) NAME('CA SPOOL REGION ACID') DEPT(dept)
    MASTFAC(ESF) FAC(STC) PASS(xxxx,0)

    (CA Top Secret recommends that all started task acids be given a password and OPTIONS(4) be set in the CA Top Secret parameter file.)
  3. To add bypass attributes to the CA Spool acid, to bypass data set checking, volume checking, etc...:

    TSS ADD(CASPOOL) NODSNCHK NOVOLCHK NORESCHK NOLCFCHK NOSUBCHK
  4. To define Unicenter CA Spool to OMVS:

    TSS ADD(CASPOOL) UID(n) HOME(/) OMVSPGM(/bin/sh)
    TSS ADD(CASPOOL) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)
    TSS MODIFY OMVSTABS

    Where n for UID should be a value your site requires. The CA Spool ACID does not require 0, only a defined OMVS Segment.
  5. Define CA Spool to the started task table in CA Top Secret:

    TSS ADD(STC) PROCNAME(CASPOOL) ACID(CASPOOL)
  6. To secure the ESFSECU high level data set, it needs to be added to a department in CA Top Secret in the DSN resource class:

    TSS ADD(dept) DSN(ESFSECU.)
  7. Define a default group for the userid in the userid's installation data and give appropriate access to the ESFSECU resources within the DSN resource class. Below are only samples and should be modified by the customer depending on the level of authority they desire for each user. The default group (number) value normally would be specified based on the network group that the userid's available printers are defined to. Check the CAIQPARM member where your Printer DEFNODE and NODE statements are defined. Ultimately you would want to define each group of printers based on the department that will be accessing them with the same network group number.

Example from CAIQPARM. The only important info below on the DEFNODE and NODE is the GROUP parameter. Printer HPPCL is defined to network group 1 as found on the DEFNODE and the same is found on the NODE. We have specified a group parameter on both as a different value so that you look at both. Any parameter specified on the NODE will override the same parameter specified on the DEFNODE statement.

DEFNODE TCPIP1,TCPIP,GROUP=2,CLASS=A,TCPHOST=111.22.333.4

NODE HPPCL,TCPIP1,GROUP=1,TCPDRIV=PCL5

With the above sample printer defined to network group 1 we will use that as our group number to define the default group for a userid.

Here we have described 5 different USERID names, and based on the name, the level of authority they will be given by CA Top Secret defined rules:

SUPER is a fully authorized user. Once in the menu interface there are no further security checks. This user can update, change, delete and issue any type of command.

OPER is an operator level user. This user can update, change, delete across multiple network groups as well as issue normal level 1 commands and most extended level 2 commands except for reinit and shutdown.

JUNIOR is like a supervisor department level user. The definitions for this userid has access to multiple network groups of printers and their own files. This userid also has access to level 1 commands related to the network groups they are defined to.

ORDINA is a regular level user. This user can access a network group of printers. They can see all files created to the same network group, but only able to access files they created. This userid also has access to level 1 commands related to the network group they are defined to.

TINY is the lowest level user. It is used to provide a userid access only to a particular network group printer/file and no further access is allowed. This userid also has access to level 1 commands related to the printer or file they have access to.

Here we are using the same above userid names and defining the new userid's in CA Top Secret:

TSS ADD(SUPER) FAC(ESF)
TSS ADD(SUPER) INSTDATA('ESFDGRP(1)')
TSS PERMIT(SUPER) DSN(ESFSECU.) ACC(UPDATE)

TSS ADD(OPER) FAC(ESF)
TSS ADD(OPER) INSTDATA('ESFDGRP(1)')
TSS PERMIT(OPER) DSN(ESFSECU.) ACC(UPDATE)
TSS PERMIT(OPER) DSN(ESFSECU.CMND.REINIT) ACC(NONE)
TSS PERMIT(OPER) DSN(ESFSECU.CMND.SHUTDOWN) ACC(NONE)

TSS ADD(JUNIOR) FAC(ESF)
TSS ADD(JUNIOR) INSTDATA('ESFDGRP(1)')
TSS PERMIT(JUNIOR) DSN(ESFSECU.AUTH.GLACC) ACCESS(READ)
TSS PERMIT(JUNIOR) DSN(ESFSECU.AUTH.ALLGR) ACCESS(READ)
TSS PERMIT(JUNIOR) DSN(ESFSECU.NOGR++.G0000001) ACCESS(UPDATE)
TSS PERMIT(JUNIOR) DSN(ESFSECU.NOGR++.G0000002) ACCESS(UPDATE)
TSS PERMIT(JUNIOR) DSN(ESFSECU.FIGR++.G0000001.JUNIOR.) ACCESS(UPDATE)
TSS PERMIT(JUNIOR) DSN(ESFSECU.FIGR++.G0000002.JUNIOR.) ACCESS(UPDATE)
TSS PERMIT(JUNIOR) DSN(ESFSECU.CMND.) ACCESS(READ)

TSS ADD(ORDINA) FAC(ESF)
TSS ADD(ORDINA) INSTDATA('ESFDGRP(1)')
TSS PERMIT(ORDINA) DSN(ESFSECU.NOGR++.G0000001) ACCESS(UPDATE)
TSS PERMIT(ORDINA) DSN(ESFSECU.FIGR++.G0000001.) ACCESS(READ)
TSS PERMIT(ORDINA) DSN(ESFSECU.FIGR++.G0000001.ORDINA.) ACCESS(UPDATE)
TSS PERMIT(ORDINA) DSN(ESFSECU.CMND.) ACCESS(READ)

TSS ADD(TINY) FAC(ESF)
TSS ADD(TINY) INSTDATA('ESFDGRP(1)')
TSS PERMIT(TINY) DSN(ESFSECU.NONO++.PRT1A) ACCESS(UPDATE)
TSS PERMIT(TINY) DSN(ESFSECU.FINO++.PRT1A.TINY.) ACCESS(UPDATE)
TSS PERMIT(TINY) DSN(ESFSECU.CMND.) ACCESS(READ)

Additional Information:

You can find additional information at our website: CA Technologies Documentation