What is the R_cachserv Callable Service?

Article Id: 19786
Status: Published
Updated On: 14-02-2018 07:49
Legacy Id: TEC600628
Products:
CA Cleanup , CA Datacom , CA CIS , CA Common Services for z/OS , CA 90s Services , CA Database Management Solutions for DB2 for z/OS , CA Common Product Services Component , CA Common Services , CA Datacom/AD , CA ecoMeter Server Component FOC , CA Easytrieve Report Generator for Common Services , CA Infocai Maintenance , CA IPC , Unicenter CA-JCLCheck Common Component , CA Mainframe VM Product Manager , CA Chorus Software Manager , CA On Demand Portal , CA Service Desk Manager - Unified Self Service , CA PAM Client for Linux for zSeries , CA Mainframe Connector for Linux on System z , CA Graphical Management Interface , CA Web Administrator for Top Secret , CA CA- Xpertware , CA Top Secret , CA Top Secret - LDAP , CA Top Secret - VSE
Issue/Introduction:

Description:

What is R_cacheserv callable service and what is the relationship with CA Top Secret?

Solution:

The R_cacheserv SAF callable service provides a mechanism for the storage and retrieval of security relevant information from a cache.

  1. TSS security for HARDENNING:

    Function codes X'0001' through X'0005' only:

    For callers not running in system key or supervisor state, the use of R_cacheserv is authorized by the resource IRR.RCACHESERV.cachename in the IBMFAC class.

    The application server must be running with a TSS acid or profile that has at least READ authority to this resource. READ allows the application server to utilize the Fetch function, x'0004', while UPDATE authority provides the capability to use all the functions.

    Function code X'0006' only:

    For callers not running in system key or supervisor state, the use of R_cacheserv is authorized by the resource IRR.RCACHESERV.ICTX in the FACILITY class.

    The application server must be running with a TSS acid or profile that has at least READ authority to this resource. READ allows the application server to utilize the Retrieve, and RetrieveAppl, and RemoveExpired options (X'0003', X'0004', and X'0006'), while UPDATE authority provides the capability to use all of the options.

    Function code X'0007' only:

    For callers not running in system key or supervisor state, the use of R_cacheserv is authorized by the resource IRR.RCACHESERV.ICRX in the IBMFAC class.

    The application server must be running with a TSS acid or profile at the address space level that has at least READ authority to this resource.

    READ authority allows the application server to utilize the RetrieveAppl and Remove options ( X'0002' and X'0003'), while UPDATE authority provides the capability to use all of the options.

  2. How to call the R_cachserv callable service and relationships with TSS control options:

    How to call:

    CALL IRRSCH00 (Work_area,
    ALET, SAF_return_code,
    ALET, RACF_return_code,
    ALET, RACF_reason_code,
    ParmALET,
    NumParms,
    Function_code,
    Option,
    Version,
    Version_length,
    Record_name_ptr,
    Record_name_length,
    Data_ptr,
    Data_length,
    Data_timeout,
    Source_ptr,
    Source_length,
    Reference_timeout,
    Reference_userID,
    Reference,
    Subpool,
    ACEE_ALET,
    ACEE,
    ICRX_area,
    ICRX_length
    )

How to harden:

  1. Add the following DD statement to the CA Top Secret procedure JCL:

    //RCACHE DD DSN=rcache.vsam.file.name, DISP=OLD

    file.name : Specifies the file name used in the INITCSRV job.

  2. Insert RCACHE and RCQNAME control options to specify hardening and to define the cache names that are to be hardened.

    What the RCQNAME contains is the Cache_name. It's 6 chars long starting with 'R'.
    RCACHE(YES) to allow cache hardening.
    You have RCACHE(YES) and NO R_CACHSERV HARDENING TABLE ENTRIES, it means there is no RCQNAME defined to TSS.

Environment:

Release: TOPSEC00200-15-Top Secret-Security
Component: