Preparing CA Top Secret For IBM's Removal Of BPX.DEFAULT.USER for UNIX

Article ID: 20128

Products

Cleanup Datacom DATACOM - AD CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC Easytrieve Report Generator for Common Services INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Top Secret Top Secret - LDAP Top Secret - VSE

Issue/Introduction

IBM has presented a path to replace access for BPX.DEFAULT.USER for UNIX. Does CA Technologies have an equivalent for CA Top Secret?

Environment

Release: TOPSEC00200-15-Top Secret-Security

Resolution

The equivalent in CA Top Secret is the UNIQUSER control option. (The OMVSUSR control option is the equivalent of BPX.DEFAULT.USER for UNIX.) After z/OS 1.13, the OMVSUSR control option will no longer work, and the UNIQUSER control option in CA Top Secret will have to be used. The OMVSGRP control option will still be needed.

For the UNIQUSER control option, the values are:

ON
Activates the AUTOUID OMVS logon feature. When active, if a user logs on to OMVS and does not have an OMVS segment, CA Top Secret permanently assigns a UID to the ACID as if added by the administrator using a TSS command. In addition, the OMVS segment information from the ACID specified in the MODLUSER control option is added to the ACID. If the DFLTGRP ACID does not have a GID, one is automatically generated and added to the DFLTGRP.

OFF
(Default) Deactivates the AUTOUID OMVS logon feature. Normal default processing occurs for ACIDs that log on to OMVS without OMVS segment information.

The MODLUSER acid should be given the fields UID, HOME, OMVSPGM, OECPUTM, PROCUSER, ASSIZE, THREADS, MMAPAREA, MEMLIMIT, and SHMEMMAX.

The sequence of events (starting in z/OS 1.11, when BPX.UNIQUE.USER was introduced) is:

  1. If the user has an OMVS segment, this is used for the OMVS access.

  2. If the user does not have any OMVS fields at all, there is a check for BPX.UNIQUE.USER. If UNIQUSER(ON) is set in CA Top Secret, CA Top Secret permanently assigns a UID to the acid as if added by the administrator using a TSS command. In addition, the OMVS segment information from the ACID specified in the MODLUSER control option is added to the ACID. If the DFLTGRP ACID does not have a GID, one is automatically generated and added to the DFLTGRP. The assignment of the OMVS segment is permanent and will remain with the acid once it has been assigned. It will show up in a listing of the acid. The UID that is assigned will be unique to each acid. (The current acid in OMVSUSR can be used as the MODLUSER acid if desired.)

  3. If UNIQUSER(OFF) is set in CA Top Secret, then a check is done for BPX.DEFAULT.USER and the information in the OMVSUSR and OMVSGRP control options is returned to be used for the OMVS segment. At some point in the future, IBM may remove the check for BPX.DEFAULT.USER, meaning the OMVSUSR control option will no longer be used.

    Sites should consider preparing for IBM removing the BPX.DEFAULT.USER by either:

    1. Giving all acids a valid OMVS segment.
    2. Setting up the UNIQUSER and MODLUSER control options in CA Top Secret.

For sites interested in finding which users are actually accessing UNIX System Services using the BPX.DEFAULT.USER values (OMVSUSR control option), CA Top Secret r15 fix RO58980 adds the ability to turn on a BPX.DEFAULT.USER "trace".

To activate this support, you will need to set CA Top Secret Control Option OPTIONS(32) to enable the USS logging feature and OPTIONS(85) to generate the default use trace messages.

By activating OPTIONS(32,85), you will automatically log any successful initUSP callable service that has used the BPX.DEFAULT.USER values.
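
The logon sequence and the default-user trace described above, modeled in Python as an added example (not CA Top Secret or IBM code). The class and function names, the automatic numbering range, the sample ACIDs, and the outcome once the BPX.DEFAULT.USER check is removed are assumptions made for illustration.

```python
from itertools import count

class UssLogonModel:
    """Toy model of steps 1-3 above; not CA Top Secret or IBM code."""

    def __init__(self, uniquser, modluser_seg, omvsusr_seg, omvsgrp_gid,
                 default_check=True, first_auto_id=100000):
        self.uniquser = uniquser              # True models UNIQUSER(ON)
        self.modluser_seg = modluser_seg      # OMVS fields of the MODLUSER ACID
        self.omvsusr_seg = omvsusr_seg        # OMVS fields of the OMVSUSR ACID
        self.omvsgrp_gid = omvsgrp_gid        # GID supplied through OMVSGRP
        self.default_check = default_check    # False: BPX.DEFAULT.USER check removed
        self.auto_uids = count(first_auto_id) # constructed range (assumption)
        self.auto_gids = count(first_auto_id)
        self.segments = {}                    # ACID -> permanent OMVS segment
        self.group_gids = {}                  # DFLTGRP ACID -> GID
        self.default_trace = []               # stands in for the OPTIONS(32,85) trace

    def logon(self, acid, dfltgrp):
        """Return (path, uid, gid) for one OMVS logon by `acid`."""
        seg = self.segments.get(acid)
        if seg:                                        # step 1: own segment
            return ("OWN_SEGMENT", seg["UID"], self.group_gids.get(dfltgrp))
        if self.uniquser:                              # step 2: UNIQUSER(ON)
            seg = dict(self.modluser_seg, UID=next(self.auto_uids))
            self.segments[acid] = seg                  # assignment is permanent
            if dfltgrp not in self.group_gids:         # DFLTGRP had no GID yet
                self.group_gids[dfltgrp] = next(self.auto_gids)
            return ("UNIQUSER", seg["UID"], self.group_gids[dfltgrp])
        if self.default_check:                         # step 3: shared defaults
            self.default_trace.append(acid)
            return ("BPX.DEFAULT.USER", self.omvsusr_seg["UID"], self.omvsgrp_gid)
        return ("NO_OMVS_SEGMENT", None, None)         # assumed outcome

def users_on_default(model, logons):
    """Replay (acid, dfltgrp) logons; return ACIDs that relied on the defaults."""
    for acid, dfltgrp in logons:
        model.logon(acid, dfltgrp)
    return sorted(set(model.default_trace))

if __name__ == "__main__":
    # Constructed sample data, not taken from a real system.
    modl = {"UID": 99999, "HOME": "/u/model", "OMVSPGM": "/bin/sh"}
    dflt = {"UID": 4242, "HOME": "/tmp", "OMVSPGM": "/bin/sh"}
    logons = [("USERA", "GRP1"), ("USERB", "GRP1"), ("USERA", "GRP1")]
    print(users_on_default(UssLogonModel(False, modl, dflt, 777), logons))
    on = UssLogonModel(True, modl, dflt, 777)
    print([on.logon(a, g) for a, g in logons])
```

With UNIQUSER(OFF), every ACID without a segment is returned the same OMVSUSR UID, so the trace list is the set of ACIDs that need either their own OMVS segment or the UNIQUSER/MODLUSER setup before the default check goes away.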