Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 9 Archiving the Audit Log Data : Archiving the Audit Log–z/OS

Archiving the Audit Log–z/OS
On an ongoing basis, the data in the audit log must be archived to an external file and deleted from the TIBCO Object Service Broker table. For security reasons, the only way to archive the data is to use either:
PURGELOG_SCREEN, which is an interactive tool
PURGELOG_BATCH, which is a batch tool
Conditions for Using the PURGELOG Tools
To run the PURGELOG tools, both the Data Object Broker and the Execution Environment must run on the same z/OS domain and be connected by z/OS Cross Memory Services (XMS). This ensures that the audit log data is protected by the resource-owning z/OS security definitions. To use XMS, both the Data Object Broker and the Execution Environment must run as Authorized Program Facility (APF) authorized programs.
In addition:
Adequate security must be defined externally for TIBCO Object Service Broker to enable you to run the PURGELOG routines and/or specify the external file that is used to store the archive data. Refer to Task A, "Enter the name of the file where the audit data is to be stored," for information about the purge file.
External Security Required to Archive Data
Through the z/OS security interface, System Authorization Facility (SAF), a RACROUTE call is made to a SAF-compliant security package such as CA-ACF2, RACF, or CA-Top Secret to verify access to the archive files.
To run the PURGELOG tools, two security definitions, nodename.SPECFILE and nodename.PURGELOG, must be defined to the external security system. The nodename is specified via the NODENAME Data Object Broker parameter.
These definitions are required so that a user can do the following:
Security Definition for Specifying an Archive File
nodename.SPECFILE must be specified as the name of the external security definition to which the user must be granted access before the user can specify the name of the archive file from within the PURGELOG tools. The definition must also identify the name of the TIBCO Object Service Broker node where the data is stored. It must be defined to the external security system in the form: nodename.SPECFILE.
Security Definition for Archiving the Data
nodename.PURGELOG must be specified as the name of the external security definition to which the user must be granted access before the user can archive the data from within the PURGELOG tools. The definition must also identify the name of the TIBCO Object Service Broker node where the data is stored. It must be defined to the external security system in the form: nodename.PURGELOG.
SAF Parameters Required
The following SAF parameters and values are defined for the RACROUTE macro definition. You must take these into consideration when defining the security definitions for your site:
USERID=userid
    The TIBCO Object Service Broker user ID of the user initiating the archiving session.
ENTITYX=nodename.secdefn
    The name of the security definition that is to be verified. Depending on the action being performed, the value is either nodename.PURGELOG or nodename.SPECFILE (where nodename is the name of the Data Object Broker that contains the data).
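As an added illustration, not one of the samples shipped in the CNTL data set, the following batch job defines the two security definitions described above for a RACF site and grants a single user access to both. The node name OSBNODE1, the user ID PURGEADM, the FACILITY resource class and the READ access level are assumptions; this page does not state which class or access level the shipped samples use, so check them against your site's sample.

```jcl
//DEFSAF   JOB (ACCT),'DEFINE PURGELOG SAF',CLASS=A,MSGCLASS=X
//* Constructed example, not a shipped CNTL sample.
//* Assumptions: NODENAME=OSBNODE1, user ID PURGEADM,
//* resource class FACILITY, READ access.
//RACFCMD  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE FACILITY OSBNODE1.SPECFILE UACC(NONE) AUDIT(ALL)
 RDEFINE FACILITY OSBNODE1.PURGELOG UACC(NONE) AUDIT(ALL)
 PERMIT OSBNODE1.SPECFILE CLASS(FACILITY) ID(PURGEADM) ACCESS(READ)
 PERMIT OSBNODE1.PURGELOG CLASS(FACILITY) ID(PURGEADM) ACCESS(READ)
 SETROPTS RACLIST(FACILITY) REFRESH
 RLIST FACILITY OSBNODE1.SPECFILE AUTHUSER
 RLIST FACILITY OSBNODE1.PURGELOG AUTHUSER
/*
```

With UACC(NONE) the RACROUTE check fails for any user not on the access list, so both naming the archive file and archiving the data are denied by default, and AUDIT(ALL) records both successful and failed attempts in the SMF audit trail.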
Samples Provided
Samples are provided with TIBCO Object Service Broker to assist you with preparing your security setup for your purge log functions. Your preparation depends on the external security package in use at your site. The following table lists the samples that are shipped with the CNTL data set distributed with TIBCO Object Service Broker:
