Is there a CA-ACF2 Interface for CA-PanExec?

Document ID : KB000027961
Last Modified Date : 14/02/2018
Show Technical Document Details

Introduction:

CA-PanExec secures and controls the programs residing in executable program libraries. CA-PanExec gives programs access codes to control execution. CA-PanExec also controls the actual execution of the various programs through one control point so that all jobs are coded to execute CA-PanExec. A complete reporting system keeps management informed of program use and access violations. CA-PanExec can also keeps a history file of all deleted modules.

The CA-ACF2 CA-PanExec interface completely replaces the existing CA-PanExec security. You must install CA-PanExec 5.0 or higher before installing the CA-ACF2 CA-PanExec interface. After the interface is installed and completely tested, CA Technologies recommends that you remove all access codes from the CA-ACF2 protected CA-PanExec libraries. Prerequisite background reading for the successful use of this interface is the Security Exit section of the CA-PanExec System Reference Manual.

The CA-ACF2 CA-PanExec interface provides the following features:

1. CA-PanExec Command Validation

When a CA-PanExec command is issued, the CA-ACF2 CA-PanExec interface uses the CA-PanExec security exit $CMND000 to intercept the CA-PanExec command before execution. The interface then checks a privilege attribute in the user's logonid to validate the user's authority to issue the command. If the user has the required privilege, the CA-PanExec command is permitted to continue.

The site must define the privilege attribute associated with a group of CA-PanExec commands. You must also define the CA-PanExec command groupings. You can find information on defining CA-PanExec command groupings in step 4 of the Installing the CA-ACF2 CA-PanExec Interface section. You can find additional information on defining the privilege attribute in step 3 of the same section.

2. CA-PanExec or CA-Panvalet Member Validation

When a CA-PanExec command requesting access to a CA-PanExec or CA-Panvalet member is issued, the CA-ACF2 CA-PanExec interface intercepts the command through the CA-PanExec security exits $EXEC000, $ELEM000, and $ELEM001. CA-ACF2 interprets a resource rule to validate the user's authority to access the CA-PanExec or CA-Panvalet member.

The key of the resource rule is a resource name consisting of input values (data items) passed to the CA-ACF2 CA-PanExec security exits. The site must define the specific data items that make up the resource name.

3. Maintenance Facility

The maintenance facility permits the site to assign a maintenance attribute in the logonid record of the CA-PanExec maintenance person. A CA-PanExec maintenance person with this authority is not subject to CA-ACF2 resource rule validation when issuing commands the site has defined as CA-PanExec maintenance commands. (Refer to step 5 on CA-PanExec command definition in the Installing the CA-ACF2 CA-PanExec Interface section.)

The site must define the logonid privilege attribute associated with CA-ACF2 CA-PanExec maintenance authority. Even if a user has the maintenance privilege, the user is still subject to command validation.

You can find further information on defining the privilege attribute in step 3 of the Installing the CA-ACF2 CA-PanExec Interface section.

4. Trace Facility

The trace facility provides diagnostic information if the CA-ACF2 CA-PanExec interface is not functioning correctly. The input to the CA-PanExec security exits ($CMND000, $EXEC000, $ELEM000, and $ELEM001) is written to the job log so it can be reviewed. This lets the site determine whether the CA-ACF2 CA-PanExec interface errors are due to an interface malfunction or incorrect input. To use the trace facility, the trace attribute in the user's logonid must be on. Turn on the trace attribute only for diagnostic purposes because it produces a large amount of output.

The site must define the logonid attribute to associate with the CA-ACF2 CA-PanExec trace indicator.

Instructions for Installing the CA-ACF2 CA-PanExec Interface

To install the CA-ACF2 CA-PanExec interface, perform the following tasks.

Step 1: Choosing Undefined Library Action

The first task in installing the CA-ACF2 CA-PanExec interface is choosing the course of action to take when a CA-PanExec library is undefined. The CA-ACF2 CA-PanExec interface uses the ACFLOPT macro coded in CAI.ACF2.CAX1MAC0(ACFA3PEC) to provide three courses of action when a CA-PanExec library is undefined. The choices are:

Validate access to an undefined library against a default resource type
Permit access to an undefined library
Abort access to an undefined library.

The syntax for the ACFLOPT macro is:

ACFLOPT [VALIDATE|ALLOW|ABORT,TYPE=type]

The first parameter is positional and specifies the course of action.
Possible values are:

VALIDATE--Validate against the default resource type.
ALLOW--Grant access.
ABORT--Prevent access.

The second parameter, TYPE, specifies the type code used as the default resource type for validation purposes. Type is specified as a one- to three-character value. This value corresponds to the type code used in the CA-ACF2 resource rules. TYPE is valid only when you specify VALIDATE with the ACFLOPT macro. For example, to validate against PAN rules by default, enter:

ACFLOPT VALIDATE,TYPE=PAN

Step 2: Defining Libraries and Selecting Resource Types

The CA-ACF2 CA-PanExec interface uses the ACFPLIB macro to define CA-PanExec libraries and CA-Panvalet libraries that the CA-PanExec command can access. If you do not define a library, a course of action is chosen in accordance with the setting of the ACFLOPT macro.

The CA-ACF2 CA-PanExec interface uses the ACFPLIB macro to associate a three-character resource type with a CA-Panvalet or CA-PanExec library. The syntax for the ACFPLIB macro is:

ACFPLIB type,dsn

type specifies the CA-ACF2 resource type code. The type can be any three characters and is user-defined. You can use any resource type that you want to associate with CA-PanExec. It is recommended that you make the selected type unique. You cannot specify the same type more than once nor can you mask it. Refer to the eTrust CA-ACF2 Administrator Guide for more information on resource types.

dsn specifies the CA-Panvalet or CA-PanExec data set name, which is up to 44 characters long. This field is not maskable. CAI.ACF2.CAX1MAC0(ACFA3PEC) contains the default CA-PanExec library definitions. One ACFPLIB entry should exist for each protected library. The defaults are:

ACFPLIB PAN,SYS1.PANTEST
ACFPLIB PN1,SYS1.PANPROD

Step 3: Defining the Resource Name ($KEY)

The CA-ACF2 CA-PanExec interface validates CA-PanExec member access through a resource rule validation. The resource rule set that the interface uses for validation is based on the following model:

$KEY(resource name) [TYPE(type)]
[UID(uid mask)] [SERVICE(ADD,READ,UPDATE,DELETE)]
[ALLOW|LOG|PREVENT]

In this rule set, TYPE is the resource type (as defined in the CA-ACF2 CA-PanExec library definitions above) for the accessed CA-PanExec or CA-Panvalet library. The $KEY of the resource rule set is a user-defined resource name. This resource name consists of one or more data items in the control block available to each CA-PanExec exit. The Security Exit section of the CA-PanExec System Reference Manual contains information on the data items available to each exit.

The CA-ACF2 CA-PanExec interface uses the following exits and their associated control blocks:

Exit Input
$EXEC000 EVENTBLK, ENVIRBLK, DATALIST
$CMND000 EVENTBLK, ENVIRBLK, DATALIST
$ELEM000 EVENTBLK, ENVIRBLK, DATALIST
$ELEM001 EVENTBLK, ENVIRBLK, DATALIST

The syntax for defining the resource name is:

ACFPRKEY list,DEFAULT=,TYPE=

list specifies the data item name, length to use, and the offset to start at in the data item. You must specify these parameters in triplets. (This is similar to a substring operation.) The maximum length of the resource name ($KEY) is 40 characters.

DEFAULT specifies the default fill character to use when a data item is not found. The default character also is a pad character when two or more data items make up the resource name and the values of the data items do not fill the required space. No imbedded blanks are permitted in the resource names; however, trailing blanks are not padded.

TYPE specifies whether the resource name is for CA-PanExec (TYPE=PanExec) or CA-PanExec referencing a CA-Panvalet member (TYPE=$ELEM001). Do not confuse this parameter with the TYPE in the resource rule set. They are not the same.

The member ACFA3PEC in CAI.ACF2.CAX1MAC0 contains the following default resource name definitions:

ACFPRKEY (FUNCTION,8,0,ELEMNAME,8,0),
        DEFAULT=*,
        TYPE=PanExec

ACFPRKEY (FUNCTION,8,0,SUPERSET,8,0),
        DEFAULT=*,
        TYPE=$ELEM001

Definition #1 is used with the CA-PanExec commands that drive the $EXEC000 and $ELEM000 exits. The CA-PanExec commands driving these exits access the CA-PanExec libraries. The site chooses data items available to both these CA-PanExec security exits (that is, data items in DATALIST for each exit) to build into the resource name ($KEY).

Definition #2 is used with the CA-PanExec command %WRITE that drive the $ELEM001 exit. The %WRITE command accesses the CA-Panvalet libraries. The site chooses data items available to the $ELEM001 exit (in the DATALIST control block). If the same CA-ACF2 resource rules are used for CA-ACF2 CA-Panvalet support, be careful to choose data items available to both interfaces.

Note: Exit $CMND000 does not perform resource rule interpretation. Therefore, no resource name definition is needed for this exit.

The following example illustrates how a resource rule is built using the defaults specified above. In this example, a user is trying to change MEMBER1 in SYS1.PANPROD. Using the default resource name construction as outlined in the ACFPRKEY macro for CA-PanExec libraries above, the following applies:

FUNCTION is CHANGE.

ELEMNAME is MEMBER1.

The default fill character is asterisk (*). The fill character fills the imbedded blanks in the resource name. The fill character does not fill trailing blanks.

Therefore, the $KEY for this rule set is:

$KEY(CHANGE**MEMBER1)

Since the library in this example is SYS1.PANPROD, the TYPE of the resource rule is PN1.

A completed rule covering this situation might look like this:

$KEY(CHANGE**MEMBER1) TYPE(PN1) UID(***USER1) SERVICE(READ) LOG

You can mask any part of the $KEY if you specify the resource type as globally resident in the CA-ACF2 GSO INFODIR record. See the CA-ACF2 Administrator Guide for further information on the GSO INFODIR record.

Step 4: Defining Logonid Privileges

The site must define a logonid attribute for the maintenance facility. This attribute can be any bit field in the logonid record. The default attribute name is PEMAINT. CAI.ACF2.CAX1MAC0(PANECFDE) contains the following default specifications:

@CFDE PEMAINT,LIDPEFLG,BIT,
        AUTH=PEISO,ALTER=ALL,
        LIST=ALL,FLAGS=NULL,
        BITMAP=LIDPEMNT,PRTN=3,RRTN=3,GROUP=2

The site must define a logonid attribute for the trace facility. This attribute can be any bit field in the logonid record. The default attribute name is PETRACE. CAI.ACF2.CAX1MAC0(PANECFDE) contains the following default specifications:

@CFDE PETRACE,LIDPAFLG,BIT,
        AUTH=PEISO,ALTER=ALL,
        LIST=ALL,FLAGS=NULL,
        BITMAP=LIDPETRC,PRTN=3,RRTN=3,GROUP=2

The site must also define the logonid attributes associated with each CA-PanExec command or command grouping as defined in section 4 below. The table below shows the default @CFDE entries for these attributes. CAI.ACF2.CAX1MAC0(PANELID) contains the default user field definitions.

Refer to the appropriate release of the CA-ACF2 Getting Started Guide for instructions on adding user logonid fields and CFDE macros. If your site chooses to use the provided default CA-PanExec logonid attributes and the @CFDE definitions are not currently in the CA-ACF2 Field Definition Record (ACFFDR), you must regenerate the CA-ACF2 ACFFDR, and then reload the ACFFDR into LLA and ACF2 using the following commands:

F LLA,ACFFDR
F ACF2,NEWMOD(ACFFDR)

Step 5: Defining CA-PanExec Command Groupings

You must define CA-PanExec commands to the CA-ACF2 CA-PanExec interface to be executable. If a CA-PanExec command is not defined, its execution is aborted.

The CA-ACF2 CA-PanExec interface checks the user's logonid for the attribute that gives the user the authority to issue a CA-PanExec command. Therefore, each command definition must include the external name of the logonid attribute the user must have to execute the CA-PanExec command.

Command definitions must also include the service attribute (READ, ADD, UPDATE, or DELETE) associated with each CA-PanExec command.

The syntax of the command definitions is:

ACFPCMD NAME=,CFDE=,SERVICE=,TYPE=,ENVIR=,ACTION=

NAME is one or more command names of the same group. The maximum size of one command name is eight characters.

CFDE is the external name of the @CFDE entry in the ACFFDR that corresponds to this group of commands.

SERVICE is the service attribute associated with this group of commands. This refers to the SERVICE keyword support for the resource rules. The valid values are READ, ADD, UPDATE, or DELETE. You can specify only one.

TYPE specifies whether the commands are maintenance commands. The only valid specification is MAINT. The default is NOMAINT. (When commands are considered maintenance commands, users who have the maintenance attribute can bypass resource rule validation.)

ENVIR relates to the CA-ACF2 CA-Panvalet interface. Do not code this parameter.

ACTION refers to the pending action that is a data list item. Valid values for this parameter are READ or WRITE. Use this parameter for commands that drive the exit twice, such as COPY on CA-Panvalet. You must set the pending action for the specified command entry to match. This parameter is optional and the default is blanks.

ACFA3PEC in CAI.ACF2.CAX1MAC0 contains the following default command groupings:

ACFPCMD NAME=(ACCESS,BRANCH,CONCAT,END,EQUATE,EXEC,FETCH,
        INPUT,INSERT,LIST,NOTE,PRINT,WRITE),
        CFDE=PEUSER,SERVICE=READ

ACFPCMD NAME=(ADD,CHANGE,CONVERT,COPY,ID,MODE,PLINK,PANLINK,
        RENAME,STATUS,ZAP),CFDE=PEUSER,SERVICE=UPDATE

ACFPCMD NAME=(ALTER,CREATE,DROP,FILEOPT,MERGE,OVERRIDE,
        RESTORE,TRANSFER),SERVICE=UPDATE,CFDE=PEMANAGE

ACFPCMD NAME=(DIRSTAT,BACKUP),SERVICE=READ,CFDE=PEMANAGE

ACFPCMD NAME=(REMOVE),CFDE=PEMANAGE,SERVICE=DELETE

When a CA-PanExec command is about to access a CA-PanExec or CA-Panvalet member, the CA-ACF2 CA-PanExec interface uses the command definition to supply the SERVICE type on the CA-ACF2 resource rule validation.

Refer to the following CA-ACF2 CA-PanExec CFDE definitions (defaults) and CA-PanExec logonid fields (defaults) for the default CA-ACF2 CA-PanExec interface logonid attributes and fields in the user portion of the logonid record:

@CFDE PETRACE,LIDPEFLG,BIT,
        AUTH=PEISO,ALTER=ALL,
        LIST=ALL,FLAGS=NULL
        BITMAP=LIDPETRC,PRTN=3,RRTN=3,GROUP=

@CFDE PEISO,LIDPEFLG,BIT,ALTER=SECURITY,
        LIST=ALL,FLAGS=NULL+RESTRICT,
        BITMAP=LIDPEISO,PRTN=3,RRTN=3,GROUP=2

@CFDE PEUSER,LIDPEFLG,BIT,
        AUTH=PEISO,ALTER=ALL,
        LIST=ALL,FLAGS=NULL,
        BITMAP=LIDPEUSR,PRTN=3,RRTN=3,GROUP=2

@CFDE PEMANAGE,LIDPEFLG,BIT,
        AUTH=PEISO,ALTER=ALL,
        BITMAP=LIDPEMNG,PRTN=3,RRTN=3,GROUP=2

@CFDE PEMAINT,LIDPEFLG,BIT,
        AUTH=PEISO,ALTER=ALL,
        LIST=ALL,FLAGS=NULL,
        BITMAP=LIDPEMNT,PRTN=3,RRTN=3,GROUP=2

LIDPEFLG DS XL1 *** PanExec FLAGS
LIDPEISO EQU X'80' *** PanExec ISO
LIDPEUSR EQU X'40' *** PanExec USER COMMANDS
LIDPEMNG EQU X'20' *** PanExec MANAGEMENT COMMANDS
LIDPEMNT EQU X'10' *** PanExec MAINTENANCE
LIDPETRC EQU X'08' *** PanExec TRACE ATTRIBUTE

Step 6: Assemble the CA-ACF2 CA-PanExec Interface

After you complete steps 1 through 5, run PANEASM in CAI.ACF2.SAMPJCL. This job assembles the CA-ACF2 CA-PanExec interface. Each assembly must have a return code of zero.

Step 7: Link Edit the CA-ACF2 CA-PanExec Interface

After successfully assembling the CA-ACF2 CA-PanExec interface, run PANELINK in CAI.ACF2.SAMPJCL. This job links the CA-ACF2 CA-PanExec interface into a staging library. Each module linked must have a return code of zero.

After linking the CA-ACF2 CA-PanExec interface, the CA-ACF2 portion of the installation is complete. The balance of the installation consists of defining the CA-ACF2 CA-PanExec interface exits to CA-PanExec and moving the exits into the CA-PanExec security exits library.

Administering the CA-ACF2 CA-PanExec Interface

To successfully use the CA-ACF2 CA-PanExec interface, the security administrator must understand how to set the privilege attributes for each user.

When you use the suggested default @CFDE definitions, various authorities are required to set the attributes described in the Defining the Logonid Attributes section. The following diagram describes the relationship between these authorities. Under the default definitions, an unscoped security administrator is the only person who can grant the privilege of PEISO. In turn, a logonid with the PEISO attribute can add or remove the PEUSER, PEMANAGE, PETRACE, and PEMAINT attribute from another logonid.

This method of setting authority lets the security administrator delegate authority over the CA-ACF2 CA-PanExec interface to an individual responsible only for the administration of the CA-ACF2 CA-PanExec interface. If your site requires a different chain of administrative authority, define the AUTH= parameter of the @CFDE entries as appropriate rather than using the default valuess.

Interface Support

CA-PanExec provides appropriate security exits. CA Technologies installed code in these security exits that permits CA-ACF2 to interface with CA-PanExec.

Disclaimer

A security exposure can still exist in dealing with CA-PanExec. A table mechanism describes the CA-PanExec exits. This table and the exit loader can reside on any JOBLIB or STEPLIB DD statement. This opens up the possibility that a user could load an exit table without the $CMND000 exit. This bypasses CA-ACF2 because CA-PanExec never takes the exit. This is a design constraint of the current CA-PanExec exit facility.

A temporary solution is to place the exit table, the exit loader, and the other CA-PanExec programs into a protected library. Using the CA-ACF2 program pathing and execute-only facilities, you can restrict access to this library.