Making changes to the CA Top Secret parameter file

Article ID: 15741

Updated On:

Products

CA Top Secret, CA Top Secret - LDAP

Issue/Introduction

Making changes to the CA Top Secret parameter file.



Our security administrator wants me to replace the following statement in the CA Top Secret parameter file:

FAC(WYLBUR=SIGN(S),MODE=FAIL,NOSTMSG,LUMSG,NOAUDIT,NORNDPW)

with the following two statements:

FAC(WYLBUR=NAME=ZOSMF)
FAC(ZOSMF=SIGN(M))

To implement this only on our test systems, I'm wondering if I can just add the new statements ahead of the current statement, or if I also need to completely exclude the current statement.

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

CA Top Secret control statements are read in sequential order.

So, if the parameter file contains multiple entries for the same control statement, the last one takes effect.

Example:

FAC(ZOSMF=SIGN(M))

FAC(ZOSMF=SIGN(S))

SIGN(S) will be in effect since it was the last one encountered.

Having multiple statements can lead to confusion.

Best practice is to have each control statement appear only once in the CA Top Secret parameter file.
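
The last-statement-wins rule can be checked mechanically before a parameter file change is deployed. The following Python audit is an added example, not code from this article or from the product: it reports which facility sub-option setting is effective and which earlier settings are overridden. It assumes one control statement per line and '*' in column 1 for comments, keys duplicates on the sub-option keyword as written, and uses a constructed sample file.

```python
import re
from collections import defaultdict

# Constructed sample parameter file (not from a real system). Assumption:
# one control statement per line, '*' in column 1 marks a comment line.
SAMPLE = """\
* test system overrides
FAC(ZOSMF=SIGN(M))
FAC(WYLBUR=SIGN(S),MODE=FAIL,NOSTMSG)
FAC(ZOSMF=SIGN(S))
"""

STMT = re.compile(r"^(\w+)\((\w+)=(.*)\)$")

def split_subopts(text):
    """Split on commas that are not inside parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    return parts + [cur]

def audit(parmfile):
    """Return (effective, overridden) under last-statement-wins ordering."""
    seen = defaultdict(list)  # (stmt, facility, keyword) -> [(line no, text)]
    for no, raw in enumerate(parmfile.splitlines(), 1):
        if not raw.strip() or raw.startswith("*"):
            continue
        line = raw.strip()
        m = STMT.match(line)
        if not m or line.count("(") != line.count(")"):
            raise ValueError(f"line {no}: cannot parse {line!r}")
        stmt, fac, rest = m.groups()
        for opt in split_subopts(rest):
            keyword = re.split(r"[(=]", opt, maxsplit=1)[0]
            seen[(stmt, fac, keyword)].append((no, opt))
    effective = {k: v[-1] for k, v in seen.items()}
    overridden = {k: v[:-1] for k, v in seen.items() if len(v) > 1}
    return effective, overridden

if __name__ == "__main__":
    eff, over = audit(SAMPLE)
    print("effective:", eff, "\noverridden:", over)
```

A non-empty `overridden` result means the file sets the same sub-option more than once, and a statement with unbalanced parentheses is rejected rather than guessed at.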