search cancel

LAST USED In Top Secret Not Matching DATE REFERENCED in CA Cleanup

book

Article ID: 200462

calendar_today

Updated On:

Products

Top Secret Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

How exactly related is the LAST USED date from the output of the TSS LIST command and the DATE REFERENCED from the CA Clean-up report?

Using the TSS LIST command, some ACIDs type USER are without corresponding LAST USED date (blank). On the other hand, on the CA Clean-up report, all ACIDs type USER have corresponding DATE REFERENCED.

Comparing the non-blank LAST USED date from TSS LIST command and DATE REFERENCED on the CA Clean-up, the dates are different for the same ACID.

If the LAST USED date and DATE REFERENCED are expected to have different values, could we make the DATE REFERENCED the same as LAST USED by changing our current CA Clean-up startup parameter?

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

For most acids, the LAST USED date on the acid will match the DATE REFERENCED in the CA Cleanup report. However, there are situations where an acid could signon with an id and password and NOT get the lastused info updated. It is entirely up to the caller (whoever is driving the signon) as to whether or not these stats are updated. The lastused stats will (or won't) be updated based on what the STAT= option is set to on the RACROUTE, REQ=VERIFY,ENVIR=CREATE request, which is what drives a signon.

Some examples of when lastused stats are not updated are ATS (automatic terminal signon) ACIDs and ISC signons in the AOR. (This is done for performance reasons. Updating the lastused stats for these signons would generate more I/O to the security file which may adversely affect the system's performance.) Top Secret has an OPTIONS control option, OPTIONS(30), that can be set to update lastused stats for ATS acids, but be aware that setting this option may adversely affect the system's performance.

CA Cleanup tracks the usage in the above scenarios.

Lastused stats are not CPF'd either. This is also done for performance reasons. If systems A and B CPF to each other, and the user only signs on to system A, the lastused stats won't be updated on system B. If the TSS LIST command is done on system B, you wouldn't see a lastused date.