Changing IBMFAC To Maskable In Top Secret
Article ID: 130128
Updated On:
Products
Top Secret
Top Secret - LDAP
Issue/Introduction
Can the RDT (Resource Descriptor Table) entry for IBMFAC be changed from NOMASK to MASK safely?
Environment
Release:
Component: TSSMVS
Component: TSSMVS
Resolution
NOMASK can be changed to MASK in the RDT for IBMFAC, however, there is a procedure to do this. It's not as simple as just changing the attribute because existing permits for this class could be affected.
The procedure is:
1) Revoke ALL permits in the IBMFAC resource class. (Issue
TSS WHOOWNS IBMFAC(*)
to see all ownerships and then
TSS WHOHAS IBMFAC(xxxx)
for each 'xxxx' that shows up in the WHOHAS output.
Save the WHOOWNS and WHOHAS output.)
TSS REVOKE(acid) IBMFAC(xxxx)
2) Remove ALL ownerships in the IBMFAC resource class.
TSS REMOVE(dept) IBMFAC(xxxx) for each 'xxxx' that shows up in the TSS WHOOWNS IBMFAC(*) output in step 1.
3) If SECCACHE is not active, skip to step 4.
If SECCACHE is active, SECCACHE must be turned off before changing NOMASK to MASK in the RDT.
a. Find the SECCACHE control option in your TSS parameter file. Note the settings for when SECCACHE is reactivated.
b. To turn off SECCACHE, issue:
TSS MODIFY SECCACHE(OFF).
c. Change the RDT entry to maskable:
TSS REPLACE(RDT) RESCLASS(resclass) ATTR(MASK).
d. To reactivate SECCACHE, issue:
TSS MODIFY SECCACHE(SIZE=xxxx,INDEX=xxxxx,EXP=x,WARN=xx)
where the values for the parameters match what you have in the TSS parameter file.
e. Skip to step 5 since step 4 was done in step 3c.
NOTE: The TSS REVOKE and TSS REMOVE commands done before changing NOMASK to MASK and the TSS ADDs and TSS PERMITs after changing NOMASK to MASK can be done with either SECCACHE active or turned off.
4) Change IBMFAC from NOMASK to MASK.
TSS REPLACE(RDT) RESCLASS(IBMFAC) ATTR(MASK)
5) Re-ADD all the ownerships that were removed in step 2.
TSS ADD(dept) IBMFAC(xxxx)
for each 'xxxx' that shows up in the TSS WHOOWNS IBMFAC(*) output in step 1.
6) Redo all the permits that were revoked in step 1.
Be sure to include the ACCESS and any other restrictions (ie DATE, TIMES, etc) that were on the old permits.
The procedure is:
1) Revoke ALL permits in the IBMFAC resource class. (Issue
TSS WHOOWNS IBMFAC(*)
to see all ownerships and then
TSS WHOHAS IBMFAC(xxxx)
for each 'xxxx' that shows up in the WHOHAS output.
Save the WHOOWNS and WHOHAS output.)
TSS REVOKE(acid) IBMFAC(xxxx)
2) Remove ALL ownerships in the IBMFAC resource class.
TSS REMOVE(dept) IBMFAC(xxxx) for each 'xxxx' that shows up in the TSS WHOOWNS IBMFAC(*) output in step 1.
3) If SECCACHE is not active, skip to step 4.
If SECCACHE is active, SECCACHE must be turned off before changing NOMASK to MASK in the RDT.
a. Find the SECCACHE control option in your TSS parameter file. Note the settings for when SECCACHE is reactivated.
b. To turn off SECCACHE, issue:
TSS MODIFY SECCACHE(OFF).
c. Change the RDT entry to maskable:
TSS REPLACE(RDT) RESCLASS(resclass) ATTR(MASK).
d. To reactivate SECCACHE, issue:
TSS MODIFY SECCACHE(SIZE=xxxx,INDEX=xxxxx,EXP=x,WARN=xx)
where the values for the parameters match what you have in the TSS parameter file.
e. Skip to step 5 since step 4 was done in step 3c.
NOTE: The TSS REVOKE and TSS REMOVE commands done before changing NOMASK to MASK and the TSS ADDs and TSS PERMITs after changing NOMASK to MASK can be done with either SECCACHE active or turned off.
4) Change IBMFAC from NOMASK to MASK.
TSS REPLACE(RDT) RESCLASS(IBMFAC) ATTR(MASK)
5) Re-ADD all the ownerships that were removed in step 2.
TSS ADD(dept) IBMFAC(xxxx)
for each 'xxxx' that shows up in the TSS WHOOWNS IBMFAC(*) output in step 1.
6) Redo all the permits that were revoked in step 1.
Be sure to include the ACCESS and any other restrictions (ie DATE, TIMES, etc) that were on the old permits.
Feedback
Yes
No
Powered by
