Configure Security With eTrust CA-Top Secret

If you use Computer Associates eTrust CA-Top Secret, follow these guidelines and refer to the security vendor manual for implementing user-level security.

The TSS PERMIT command for BPX.FILEATTR.APF facility class access is:

TSS PER(user_acid) IBMFAC(BPX.FILEATTR.APF) ACC(READ)

This allows users to turn on the APF-authorized attribute for a ZFS file. Refer to z/OS UNIX System Services Support in the eTrust CA-Top Secret Security Cookbook for more information.

To use eTrust CA-Top Secret, perform the following steps:

  1. Create an eTrust CA-Top Secret facility entry for the server security module, *PATHNAM.

    An example of a facility entry that defines the server to eTrust CA-Top Secret is shown under Facility Entry Defining the Server to CA-Top Secret, later in this section.

    For more information, see How to Define z/OS UNIX System Services Users in the Computer Associates eTrust CA-Top Secret Security for OS/390 and z/OS Cookbook.

  2. Within this entry, include eTrust CA-Top Secret parameters to establish the proper operating characteristics.

    The ISERVER and IADMIN ACIDs must have authority to the facility you have defined for the server and to the resources within the facility:

    TSS ADD(region_acid) MASTFAC(facility) <- defines the facility to CA-Top Secret

    TSS ADD(user_acid) FAC(facility) <- adds it to users requiring server access

  3. Each user of the server must be defined to eTrust CA-Top Secret and given access to the appropriate system resources, including the facility you have defined for the server.

    Each user requires an OMVS segment and ZFS directories.

  4. If you are operating with eTrust CA-Top Secret HFSSEC=ON, continue with Step 5. Otherwise, skip to Step 7.

  5. In the definitions for the IADMIN and ISERVER ACIDs (shown in the ISERVER and IADMIN ACID definition examples later in this section), set up the following security authorization:

    XA HFSSEC = /U.IADMIN
    ACCESS = ALL

  6. eTrust CA-Top Secret provides superuser granularity with separate definitions for the following resource names:

    SUPERUSER.FILESYS.FILE (CONTROL access)
    SUPERUSER.FILESYS.CHOWN
    SUPERUSER.FILESYS.MOUNT
    SUPERUSER.FILESYS.PFSCTL
    SUPERUSER.FILESYS.VREGISTER
    SUPERUSER.IPC.RMID
    SUPERUSER.PROCESS.GETPSENT
    SUPERUSER.PROCESS.KILL
    SUPERUSER.PROCESS.PTRACE
    SUPERUSER.SETPRIORITY

    Ensure that the server system ID, ISERVER, which has UID=0, is granted full access to all of these resources. Grant access to the superuser resources listed above by means of the UNIXPRIV resource class. For example:

    TSS ADD(owning_acid) UNIXPRIV(SUPERUSE)
    TSS PER(acid) UNIXPRIV(SUPERUSER.FILESYS.FILE) ACC(CONTROL)

    For details see the Superuser Granularity topic in the Computer Associates eTrust CA-Top Secret Security for OS/390 and z/OS Cookbook.

  7. After you create a new user ID or change a user's UID or GID, you must issue the following command to reflect the updates in Top Secret's in-storage tables:

    TSS MOD(OMVSTABS)

    The following commands can also be used to list all UIDs and GIDs and their owners:

    TSS WHOOWNS UID(*)
    TSS WHOOWNS GID(*)

    This information can be used for diagnostic purposes.

    For more information, see the Computer Associates eTrust CA-Top Secret Security for OS/390 and z/OS Cookbook.

Facility Entry Defining the Server to CA-Top Secret

The following is an example of a facility entry that defines the server to eTrust CA-Top Secret:

FACILITY DISPLAY
PGM=*PATHNAM ID=9 TYPE=26
ATTRIBUTES=IN-USE,ACTIVE,SHRPRF,ASUBM,TENV,NOABEND,MULTIUSER,NOXDEF
ATTRIBUTES=LUMSG,STMSG,SIGN(M),NOPSEUDO,INSTDATA,NORNDPW,AUTHINIT
ATTRIBUTES=NOPROMPT,MENU,NOAUDIT,RES,NOMRO,WARNPW,NOTSOC
ATTRIBUTES=NOTRACE,NOLAB,NODORMPW,NONPWR,NOIMSXTND
MODE=IMPL
LOGGING=ACCESS,INIT,SMF,MSG,SEC9
UIDACID=8 LOCKTIME=000 DEFACID=*NONE* KEY=8

ISERVER ACID Definition for CA-Top Secret

The following is an example of an ISERVER ACID definition for eTrust CA-Top Secret. Note that:

  • UID is zero.
  • The facility of the server is set to IWAY as an example; it can differ at your site.
  • The SOURCE = INTRDR setting prevents this ACID from logging in.

TSS LIST(ISERVER) DATA(ALL,PROFILE)
ACCESSORID = ISERVER             NAME = IWAY ID
TYPE       = USER                SIZE = 512 BYTES
SOURCE     = INTRDR
DEPT ACID  = IWAY                DEPARTMENT = IWAY DEPT
DIV ACID   = IWAYDIV             DIVISION = IWAYDIV
GROUPS     = IWAYGRP
DFLTGRP    = IWAYGRP
----------- SEGMENT OMVS
HOME       = /
OMVSPGM    = /bin/sh
UID        = 0000000000

IADMIN ACID Definition for CA-Top Secret

The following is an example of an IADMIN ACID definition for eTrust CA-Top Secret. Note that UID is not zero.

TSS LIST(IADMIN) DATA(ALL,PROFILE)
ACCESSORID = IADMIN             NAME = IWAY ADMIN ID
TYPE       = USER               SIZE = 512 BYTES
FACILITY   = TSO
FACILITY   = BATCH
DEPT ACID  = IWAY               DEPARTMENT = IWAY DEPT
DIV ACID   = IWAYDIV            DIVISION = IWAY DIVISION
GROUPS     = IWAYGRP
DFLTGRP    = IWAYGRP
----------- SEGMENT OMVS
HOME       = /u/iadmin
OMVSPGM    = /bin/sh
UID        = 0000000008
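The two listings above make the security-relevant contrast explicit: the server ACID carries UID 0 but is pinned to SOURCE = INTRDR so nobody can log on with it, while the administrator ACID logs on normally with a non-zero UID. The following script is an added example (not code from the iWay or CA documentation) that parses TSS LIST(acid) DATA(ALL,PROFILE) output in the layout shown on this page and reports every UID-0 ACID that lacks the SOURCE = INTRDR restriction. The sample input is constructed: it contains the ISERVER and IADMIN listings from this page plus a hypothetical third ACID, BADSRV, that violates the guideline so the check has something to find.

```python
"""Audit CA-Top Secret ACID listings for UID-0 ACIDs that are allowed to log on.

Added example, not code from the iWay or CA documentation. The parser assumes
the TSS LIST(acid) DATA(ALL,PROFILE) layout shown on this page: "KEY = VALUE"
pairs, at most two per line, with OMVS-segment fields following a
"----------- SEGMENT OMVS" divider.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: the ISERVER and IADMIN listings from this page plus a
# hypothetical third ACID, BADSRV, that breaks the guideline (UID 0 with no
# SOURCE = INTRDR restriction, so it could be used to log on as superuser).
SAMPLE_LISTINGS = """\
TSS LIST(ISERVER) DATA(ALL,PROFILE)
ACCESSORID = ISERVER             NAME = IWAY ID
TYPE       = USER                SIZE = 512 BYTES
SOURCE     = INTRDR
DEPT ACID  = IWAY                DEPARTMENT = IWAY DEPT
DIV ACID   = IWAYDIV             DIVISION = IWAYDIV
GROUPS     = IWAYGRP
DFLTGRP    = IWAYGRP
----------- SEGMENT OMVS
HOME       = /
OMVSPGM    = /bin/sh
UID        = 0000000000
TSS LIST(IADMIN) DATA(ALL,PROFILE)
ACCESSORID = IADMIN             NAME = IWAY ADMIN ID
TYPE       = USER               SIZE = 512 BYTES
FACILITY   = TSO
FACILITY   = BATCH
DEPT ACID  = IWAY               DEPARTMENT = IWAY DEPT
DIV ACID   = IWAYDIV            DIVISION = IWAY DIVISION
GROUPS     = IWAYGRP
DFLTGRP    = IWAYGRP
----------- SEGMENT OMVS
HOME       = /u/iadmin
OMVSPGM    = /bin/sh
UID        = 0000000008
TSS LIST(BADSRV) DATA(ALL,PROFILE)
ACCESSORID = BADSRV             NAME = HYPOTHETICAL SERVER ID
TYPE       = USER               SIZE = 512 BYTES
FACILITY   = TSO
DEPT ACID  = IWAY               DEPARTMENT = IWAY DEPT
GROUPS     = IWAYGRP
DFLTGRP    = IWAYGRP
----------- SEGMENT OMVS
HOME       = /
OMVSPGM    = /bin/sh
UID        = 0000000000
"""

# A field key is one or more upper-case words separated by single spaces and
# followed by "=" (e.g. "ACCESSORID", "DEPT ACID"). Values may contain spaces;
# a value ends where the next key on the same line begins.
_KEY_RE = re.compile(r"([A-Z]+(?: [A-Z]+)*)\s*=\s*")


def parse_listings(text: str) -> List[Dict]:
    """Return one dict per ACID. Repeated keys (such as FACILITY) become lists;
    fields after the SEGMENT OMVS divider are stored under the 'OMVS' key."""
    acids: List[Dict] = []
    current: Dict = {"OMVS": {}}
    target: Dict = current            # dict that receives the next fields
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("TSS LIST("):          # header of the next ACID
            current = {"OMVS": {}}
            target = current
            acids.append(current)
            continue
        if line.startswith("-") and "SEGMENT OMVS" in line:
            target = current["OMVS"]
            continue
        keys = list(_KEY_RE.finditer(line))
        for i, m in enumerate(keys):
            end = keys[i + 1].start() if i + 1 < len(keys) else len(line)
            key, value = m.group(1), line[m.end():end].strip()
            if key in target:                      # repeated field such as FACILITY
                prev = target[key]
                target[key] = prev + [value] if isinstance(prev, list) else [prev, value]
            else:
                target[key] = value
    return acids


def uid(acid: Dict) -> Optional[int]:
    """OMVS UID as an integer, or None when the ACID has no OMVS UID."""
    value = acid["OMVS"].get("UID")
    return int(value) if value is not None else None


def find_logon_capable_superusers(acids: List[Dict]) -> List[str]:
    """ACIDs with UID 0 that are not pinned to SOURCE = INTRDR.

    Per the page, the server ACID runs with UID 0 and SOURCE = INTRDR, which
    prevents anyone from logging in with it. Any other UID-0 ACID without that
    restriction is a superuser that can be used interactively, so report it.
    """
    return [a["ACCESSORID"] for a in acids
            if uid(a) == 0 and a.get("SOURCE") != "INTRDR"]


if __name__ == "__main__":
    parsed = parse_listings(SAMPLE_LISTINGS)
    for a in parsed:
        print(f"{a['ACCESSORID']:<8} UID={uid(a)} SOURCE={a.get('SOURCE', '-')}")
    print("UID-0 ACIDs able to log on:", find_logon_capable_superusers(parsed))
```

Run against real output, the script reports only BADSRV-style ACIDs; ISERVER passes because of SOURCE = INTRDR, and IADMIN is ignored because its UID is 8. The FACILITY values are kept in the parsed record so an administrator can also confirm that the server ACID carries the facility defined in Step 2 and nothing else.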