Defining Acids for VLF, XCFAS and IEEVMPCR Started Tasks In CA Top Secret


Article ID: 125225


Updated On:

Products

CA Top Secret, CA Top Secret - LDAP

Issue/Introduction



The CA Top Secret documentation lists which started tasks should have ACIDs defined to them. However, it does not specify what type of access these tasks need, particularly VLF, XCFAS and IEEVMPCR. How should these ACIDs be defined?

Environment

Release:
Component: TSSMVS

Resolution

VLF and XCFAS are system address spaces. These should be defined to the STC table in CA Top Secret with ACID(BYPASS). 

IEEVMPCR should be defined to the STC table in CA Top Secret with a region acid. Here are example CA Top Secret commands:

TSS CRE(IEEVMPCR) TYPE(USER) NAME('IEEVMPCR USER') PASS(xxxx,0) DEPT(dept)
TSS ADD(IEEVMPCR) FAC(STC) 
TSS ADD(IEEVMPCR) UID(0) HOME(/) DFLTGRP(group) GROUP(group) PROGRAM(/bin/sh) 

Where: 
'dept' is the type DEPT acid you want to own the IEEVMPCR user acid

'group' is an OMVS group that the IEEVMPCR acid should have as a GROUP and DFLTGRP

'xxxx' is a password. We recommend that all started task (STC) acids be given a password and that OPTIONS(4) be set in the CA Top Secret parameter file. OPTIONS(4) eliminates the password prompt when the STC starts, but anyone who tries to sign on with the STC acid will need to know the password.

NOTE: The acid does not have to be called IEEVMPCR. It can be something different. 

- To add it to the STC table in CA Top Secret: 

TSS ADD(STC) PROCNAME(IEEVMPCR) ACID(IEEVMPCR) 

- While implementing this change, consider starting with this acid in WARN mode: 

TSS PER(IEEVMPCR) MODE(WARN) 

After bringing up IEEVMPCR, run TSSUTIL with the following to see if there are any violations for this acid: 

REPORT EVENT(VIOL) ACID(IEEVMPCR) LONG END 

If there are violations, permit the appropriate resources with the required access levels, then revoke the MODE permit: 

TSS REV(IEEVMPCR) MODE(WARN)