Changing IBMFAC To Maskable In CA Top Secret

book

Article ID: 130128

calendar_today

Updated On:

Products

CA Top Secret CA Top Secret - LDAP

Issue/Introduction



Can the RDT (Resource Descriptor Table) entry for IBMFAC be changed from NOMASK to MASK safely?

Environment

Release:
Component: TSSMVS

Resolution

NOMASK can be changed to MASK in the RDT for IBMFAC, however, there is a procedure to do this. It's not as simple as just changing the attribute because existing permits for this class could be affected. 

The procedure is: 
1) Revoke ALL permits in the IBMFAC resource class. (Issue
TSS WHOOWNS IBMFAC(*) 

to see all ownerships and then

TSS WHOHAS IBMFAC(xxxx) 

for each 'xxxx' that shows up in the WHOHAS output. 

Save the WHOOWNS and WHOHAS output.) 

TSS REVOKE(acid) IBMFAC(xxxx) 

2) Remove ALL ownerships in the IBMFAC resource class. 

TSS REMOVE(dept) IBMFAC(xxxx) for each 'xxxx' that shows up in the TSS WHOOWNS IBMFAC(*) output in step 1. 

3) If SECCACHE is not active, skip to step 4. 

If SECCACHE is active, SECCACHE must be turned off before changing NOMASK to MASK in the RDT. 

a. Find the SECCACHE control option in your TSS parameter file. Note the settings for when SECCACHE is reactivated. 

b. To turn off SECCACHE, issue:

TSS MODIFY SECCACHE(OFF). 

c. Change the RDT entry to maskable:

TSS REPLACE(RDT) RESCLASS(resclass) ATTR(MASK). 

d. To reactivate SECCACHE, issue:

TSS MODIFY SECCACHE(SIZE=xxxx,INDEX=xxxxx,EXP=x,WARN=xx)

where the values for the parameters match what you have in the TSS parameter file. 

e. Skip to step 5 since step 4 was done in step 3c. 

NOTE: The TSS REVOKE and TSS REMOVE commands done before changing NOMASK to MASK and the TSS ADDs and TSS PERMITs after changing NOMASK to MASK can be done with either SECCACHE active or turned off. 

4) Change IBMFAC from NOMASK to MASK. 

TSS REPLACE(RDT) RESCLASS(IBMFAC) ATTR(MASK) 

5) Re-ADD all the ownerships that were removed in step 2. 

TSS ADD(dept) IBMFAC(xxxx)

for each 'xxxx' that shows up in the TSS WHOOWNS IBMFAC(*) output in step 1. 

6) Redo all the permits that were revoked in step 1. 

Be sure to include the ACCESS and any other restrictions (ie DATE, TIMES, etc) that were on the old permits.