Setting up security for the IBM Health Checker for z/OS started task with CA-TOP SECRET

Products

Top Secret Top Secret - LDAP

Issue/Introduction

The following document provides guidelines on setting up security for the IBM Health Checker for z/OS started task with CA-TOP SECRET.

IBM Health Checker for z/OS documentation provides RACF examples, but unfortunately no CA-TOP SECRET examples.

Note: The IBM Health Checker for z/OS documentation provides RACF examples were converted to CA-TOP SECRET examples in order to produce this document.

What are the CA-TOP SECRET equivalents of the RACF commands?

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

You must set up security for IBM Health Checker for z/OS the same way you would for any other started task.

To do this task with CA-TOP SECRET, do the following steps:

1. Create a user ID for IBM Health Checker for z/OS with superuser authority (UID(0)) and connect this superuser user ID to a group.

For example:

TSS CREATE(hcsuperid) NAME('hcsuperid') TYPE(USER) DEPT(dept) PASS(password,0)
TSS ADD(hcsuperid) UID(0) HOME('/') OMVSPGM('/bin/sh') GROUP(OMVSGRP) DFLTGRP(OMVSGRP)
TSS ADD(OMVSGRP) GID(46)
TSS ADD(hcsuperid) FACILITY(STC)
TSS MODIFY(OMVSTABS)

2. Associate the superuser User ID, hcsuperid, with the IBM Health Checker for z/OS started task, HZSPROC.

For example:

TSS ADD(STC) PROCN(HZSPROC) ACID(hcsuperid)

3. Give the IBM Health Checker for z/OS started task super User ID access to the HZSPDATA data set on each system where you'll run IBM Health Checker for z/OS.

For example, you might specify the following:

TSS ADD(owningacid) DSN(SYS1.PRODSYS.HZSPDATA)
TSS PER(hcsuperid) DSN(SYS1.PRODSYS.HZSPDATA) ACCESS(UPDATE)

4. Give IBM Health Checker for z/OS started task super User ID READ access to the HZSPRMxx parmlib member(s).

For example, you might specify the following:

TSS ADD(owningacid) DSN(SYS1.PARMLIB)
TSS PER(hcsuperid) DSN(SYS1.PARMLIB) ACCESS(READ)

5. If you will be using a log stream, you must define UPDATE access for the IBM Health Checker for z/OS started task super User ID to each RESOURCE(logstreamname) CLASS(LOGSTRM). IBM Health Checker for z/OS connects directly to the defined log stream or streams.

For example, you might specify the following:

TSS ADD(owningacid) LOGSTRM(logstreamname) 
TSS PER(hcsuperid) LOGSTRM(logstreamname) ACCESS(UPDATE)

Setting up security for the HZSPRINT utility

If you will be using HZSPRINT to view check output, you must authorize HZSPRINT users to QUERY and MESSAGES services. To do this with CA-TOP SECRET, you must authorize the users who need access to check information through HZSPRINT.

The way you do this depends on how users will be using HZSPRINT.

Note that in the following examples, hcprintuserid is the ID of either a user or group you're giving access to HZSPRINT output.

If you use HZSPRINT with a wildcard character in the check owner:
```
   // EXEC PGM=HZSPRNT,PARM='CHECK(*,GRS_Mode)') 
```
Or if you use HZSPRINT with a wildcard character in both the check owner and check name:
```
   // EXEC PGM=HZSPRNT,PARM='CHECK(*,*)'
```
you'll need to define access to the following set of resources:
- HZS.sysname.QUERY
- HZS.sysname.check_owner.MESSAGES
- HZS.sysname.check_owner.check_name.MESSAGES
For example, you might define the following:
```
TSS ADD(owningacid) XFACILIT(HZS.sysname.QUERY)
TSS PER(hcprintuserid) XFACILIT(HZS.sysname.QUERY) ACC(READ)
TSS ADD(owningacid) XFACILIT(HZS.sysname.check_owner.MESSAGES)
TSS PER(hcprintuserid) XFACILIT(HZS.sysname.check_owner.MESSAGES) ACC(READ)
```
If you use HZSPRINT with an explicit check owner, but a wildcard character for the check name to look at multiple checks, as follows:
```
// EXEC PGM=HZSPRNT,PARM='CHECK(IBMRACF,*)' 
```
you'll need to define access to the following set of resources:
- HZS.sysname.check_owner.QUERY
- HZS.sysname.check_owner.MESSAGES or HZS.sysname.check_owner.check_name.MESSAGES
For example, you might define the following:
```
TSS ADD(owningacid) XFACILIT(HZS.sysname.IBMRACF.QUERY)
TSS PER(hcprintuserid)  XFACILIT(HZS.SYS1.IBMRACF.QUERY) ACCESS(READ) 
TSS ADD(owndingacid) XFACILIT(HZS.sysname.IBMRACF.check_name.MESSAGES)
TSS PERMIT(hcprintuserid) XFACILIT(HZS.SYS1.IBMRACF.check_name.MESSAGES) ACCESS(READ
```
If you use HZSPRINT to look at one check at a time, explicitly specifying both check owner and check name, as follows:
```
// EXEC PGM=HZSPRNT,PARM='CHECK(IBMRACF,RACF_GRS_RNL)'
```
then you must define access:

For QUERY in one of the following ways:
- HZS.sysname.check_owner.QUERY
- HZS.sysname.check_owner.check_name.QUERY
For MESSAGES in one of the following ways:
- HZS.sysname.check_owner.MESSAGES
- HZS.sysname.check_owner.check_name.MESSAGES
For example, you might define the following:
```
TSS ADD(owndingacid) XFACILIT(HZS.SYS1.IBMRACF.RACF_GRS_RNL.QUERY) 
TSS PERMIT(hcprintuserid) XFACILIT(HZS.SYS1.IBMRACF.RACF_GRS_RNL.QUERY) ACCESS(READ) 
TSS ADD(owndingacid) XFACILIT(HZS.SYS1.IBMRACF.RACF_GRS_RNL.MESSAGES) 
TSS PERMIT(hcprintuserid) XFACILIT(HZS.SYS1.IBMRACF.RACF_GRS_RNL.MESSAGES) ACCESS(READ) 
```
Note that IBM Health Checker for z/OS looks first at the shorter, higher level definitions, then if it finds no match, it looks for a more detailed one.
If you use HZSPRINT to print IBM Health Checker for z/OS log stream data, as follows:
```
// EXEC PGM=HZSPRINT,PARM='LOGSTREAM(logstreamname)'
```
OR
```
// EXEC PGM=HZSPRINT,PARM='LOGSTREAM(logstreamname),CHECK(owner,name)'
```
OR
```
// EXEC PGM=HZSPRINT,PARM='LOGSTREAM(logstreamname),CHECK(owner,name),EXCEPTIONS'
```
then you must define the log stream and assign READ access to users accessing the log stream through HZSPRINT.

For example, you might do this as follows:
```
TSS ADD(owndingacid) IBMFAC(log_stream_data_set_name) 
TSS PERMIT(hcprintuserid) IBMFAC(log_stream_data_set_name) ACCESS(READ) 
```
Please note : Generic prefixing may be used for the IBMFAC, XFACILIT, and LOGSTRM resource names.