Preparing CA Top Secret For IBM's Removal Of BPX.DEFAULT.USER for UNIX

Document ID : KB000020128
Last Modified Date : 14/02/2018

Description:

IBM has presented a path to replace access through BPX.DEFAULT.USER for UNIX. Does CA Technologies have an equivalent for CA Top Secret?

Solution:

The equivalent in CA Top Secret is the UNIQUSER control option. (The OMVSUSR control option is the equivalent of BPX.DEFAULT.USER for UNIX.) After z/OS 1.13, the OMVSUSR control option will no longer work, and the UNIQUSER control option in CA Top Secret will have to be used instead. The OMVSGRP control option will still be needed.

For the UNIQUSER control option, the values are:

ON
Activates the AUTOUID OMVS log on feature. When active, if a user logs on to OMVS and does not have an OMVS segment, CA Top Secret permanently assigns a UID to the ACID as if added by the administrator using a TSS command. In addition, the OMVS segment information from the ACID specified in the MODLUSER control option is added to the ACID. If the DFLTGRP ACID does not have a GID, one is automatically generated and added to the DFLTGRP.

OFF
(Default) Deactivates the AUTOUID OMVS log on feature. Normal default processing occurs for ACIDs that log on to OMVS without OMVS segment information.

The MODLUSER ACID should be given the fields UID, HOME, OMVSPGM, OECPUTM, PROCUSER, ASSIZE, THREADS, MMAPAREA, MEMLIMIT, and SHMEMMAX.

The sequence of events (starting in z/OS 1.11, when BPX.UNIQUE.USER was introduced) is:

  1. If the user has an OMVS segment, this is used for the OMVS access.

  2. If the user does not have any OMVS fields at all, there is a check for BPX.UNIQUE.USER. If UNIQUSER(ON) is set in CA Top Secret, CA Top Secret permanently assigns a UID to the ACID as if added by the administrator using a TSS command. In addition, the OMVS segment information from the ACID specified in the MODLUSER control option is added to the ACID. If the DFLTGRP ACID does not have a GID, one is automatically generated and added to the DFLTGRP. The assignment of the OMVS segment is permanent and will remain with the ACID once it has been assigned. It will show up in a listing of the ACID. The UID that is assigned will be unique to each ACID. The current ACID in OMVSUSR can be used as the MODLUSER ACID if desired.

  3. If UNIQUSER(OFF) is set in CA Top Secret, then a check is done for BPX.DEFAULT.USER and the information in the OMVSUSR and OMVSGRP control options is returned to be used for the OMVS segment. At some point in the future, IBM may remove the check for BPX.DEFAULT.USER, meaning the OMVSUSR control option will no longer be used.

    Sites should consider preparing for IBM removing the BPX.DEFAULT.USER by either:

    1. Giving all acids a valid OMVS segment.
    2. Setting up the UNIQUSER and MODLUSER control options in CA Top Secret.
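The three-step sequence above can be modelled to see which ACIDs rely on the shared default today and what changes under each preparation option. This is an added planning sketch, not CA Top Secret code: the class names, the outcome labels, the `default_user_check` switch, the ID allocator and the sample ACIDs are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Acid:
    name: str
    dfltgrp: str
    omvs: Optional[dict] = None      # None = no OMVS fields at all

@dataclass
class TopSecretModel:
    uniquser: bool                   # UNIQUSER(ON) / UNIQUSER(OFF)
    modluser: Acid                   # ACID named in the MODLUSER control option
    default_user_check: bool = True  # False once BPX.DEFAULT.USER is removed
    group_gids: dict = field(default_factory=dict)  # DFLTGRPs that already have a GID
    next_id: int = 500000            # constructed start value for the assumed ID allocator

    def _new_id(self) -> int:
        self.next_id += 1
        return self.next_id

    def logon(self, acid: Acid) -> str:
        if acid.omvs is not None:             # step 1: the ACID's own OMVS segment
            return "own-segment"
        if self.uniquser:                     # step 2: UNIQUSER(ON)
            seg = dict(self.modluser.omvs)    # copy the MODLUSER OMVS fields
            seg["UID"] = self._new_id()       # assigned UID is unique per ACID
            acid.omvs = seg                   # permanent: stays with the ACID
            if acid.dfltgrp not in self.group_gids:
                self.group_gids[acid.dfltgrp] = self._new_id()
            return "auto-assigned"
        if self.default_user_check:           # step 3: UNIQUSER(OFF)
            return "shared-default"           # OMVSUSR/OMVSGRP values are returned
        return "no-omvs-segment"              # model's label: OMVSUSR no longer used

def survey(acids, tss) -> dict:
    """Log each ACID on once; with UNIQUSER(ON) this assigns segments, as in step 2."""
    return {a.name: tss.logon(a) for a in acids}

# Constructed sample data (not from the page)
MODEL = Acid("MODLACID", "OMVSGRP1", {"UID": 99999, "HOME": "/u/model", "OMVSPGM": "/bin/sh"})

def sample_acids():
    return [Acid("ALICE", "GRPA", {"UID": 1001}), Acid("BOB", "GRPB"), Acid("CAROL", "GRPB")]
```

ACIDs reported as `shared-default` are the ones to address before the BPX.DEFAULT.USER check is removed.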

For sites interested in finding which users are actually accessing UNIX System Services using the BPX.DEFAULT.USER values (OMVSUSR control option), CA Top Secret r15 fix RO58980 adds the ability to turn on a BPX.DEFAULT.USER "trace".

To activate this support, set the CA Top Secret control option OPTIONS(32) to enable the USS logging feature and OPTIONS(85) to generate the default use trace messages.

With OPTIONS(32,85) active, any successful initUSP callable service that has used the BPX.DEFAULT.USER values is logged automatically.