How do you limit where the SCA can signon to limit potential exploitation?
To limit the potential exploitation of the SCA, restrictions should be placed on the acid to limit where it can be used.
1. Restrict its use by FACILITY
TSS ADD(sca_id) FAC(facility_name)
SCA will be allowed to sign on only to the designated FACILITY.
2. Restrict it by SOURCE
TSS ADD(sca_id) SOURCE(terminal/IP)
Note:
3. Restrict it by CPU
SCA will only be able to sign on to the specified CPU.
4. Limit SCA TSS ADMIN privileges on "as-needed" basis.
Example:
If the SCA is only resetting passwords, then only that TSS ADMIN privilege should be given and not allow updating the user privileges.
5. If the SCA uses CA LDAP to read and update the Top Secret Security File, SSL should be configured in CA LDAP to establish a secure connection.
6. If the SCA will be used for a started task region acid, recommend creating the acid with the PROTECTED attribute.
Acids with the PROTECTED attribute do not have passwords and can ONLY be used with started tasks or batch jobs.
Since the SCA doesn't have a password, it cannot be used to signon to a terminal.