How to remove the VM:Secure Rules Facility.

Prepwork:

1.  Issue the VMSECURE QCPCFG command to find out what CP COMMANDS are authorized for various IDs when VM:Secure is not available (the ability to AUTOLOG/XAUTOLOG, the ability to LINK to minidisks without specifying a password, etc.):

• At a minimum for these IDs, their CP directory entries should be updated to include the corresponding directory statements to enable these functions (AUTOLOG, LNKNOPAS, etc.)

2.  Issue various VMSECURE QRULES commands to determine how general users are able to LINK to public minidisks. Also review the SYSTEM and USER rules for special authorizations for things like DAIGNOSE instructions, COUPLE, AUTOLOG/XAUTOLOG, LINK, LOGONBY, etc. The VMSECURE RULEMAP command can help with this also:

• For MINIDISK LINKS that return “VMXACQ0223I Accepted via NORULE default.”, ensure MINIDISK passwords exist in the directory; they must be added if not present. If there is no MINIDISK password and the user is one that will be prompted for the password, the LINK will immediately fail.
• Also add corresponding directory statements for those IDs that have special authorizations specified VIA SYSTEM or USER rules.

3.  Again, this is all about updating the CP DIRECTORY entries for IDs with MINIDISK passwords where needed, and adding DIRECTORY STATEMENTs for special authorizations that are currently being authorized by VM:Secure SYSTEM or USER rules, and the VMXRPI CONFIG file.
4.   Make backup copies of the PRODUCT CONFIG and SECURITY CONFIG files from VMSECURE.

AFTER PREPWORK is COMPLETED:

1.   Remove the VM:Secure CP TEXT files from the CP nucleus:

• Follow the CP Nucleus VMSES Procedures detailed in the “CP Nucleus VMSES Procedure” section below.
• Be sure that you have a backup copy of the CP nucleus on your PARM disk with the VM:Secure TEXT files installed in case you need to back out and redo missing PREP work.

2.   Before you IPL the system with the non-VM:Secure CP nucleus:

• Edit the CONFIG files from VMANAGER or other authorized userid with the command VMSECURE CONFIG {PRODUCT | SECURITY}.
• Comment out the ACCESS RULE statement in the PRODUCT CONFIG File
• Comment out RULES related statements in the SECURITY CONFIG File

5.  When ready to IPL, issue PUT2PROD to put the updated CP nucleus on the PARM disk in production. Then IPL the system with the new CP nucleus without VM:Secure.
6.  Test the result.
7.  If you need to revert back to VM:Secure with RULEs to make corrections:

• Uncomment the items commented out in Step 2 above.
• IPL with the backup copy of the CP nucleus that you kept on your PARM disk. This should bring the system back up with VM:Secure and RULEs the way it was originally.
• Fix the items that you missed in the PREPWORK section.
• Repeat Steps 2 and 3 above.

6.   When you are satisfied the system is running as well as it can without VM:Secure RULEs, if you choose to, you can permanently remove the commented out CONFIG file statements and delete the RULEs disk. 

CP Nucleus VMSES Procedure

For removing CP TEXT decks from the CP nucleus:

1.   Log on to MAINTnnn (the MAINT ID for the release of CP that you are running)
2.   Issue VMFSETUP for the CP environment:

VMFSETUP SERVP2P CP

3.  Issue VMFSIM to determine the MODID used to install the VM:Secure TEXT files:

VMFSIM QUERY vvtlcl_fn VVTLCL TDATA :MOD  (the VVTLCL file is located on the LOCALMOD disk with the installed LOCALMODs)

For example:

VMFSIM QUERY 6VMCPR30 VVTLCL TDATA :MOD
VMFSIP2480I Results for
            TDATA :MOD
:PART HCPRPI TXT
   :MOD LCLX031
:PART HCPRPD TXT
   :MOD LCLX031
:PART HCPRPG TXT
   :MOD LCLX031
:PART HCPRPW TXT
   :MOD LCLX031
:PART HCPRWA TXT
   :MOD LCLX031
Ready; T=0.01/0.01 10:47:32

The MODID is the LAST 5 Characters of the token following the :MOD Tag, in this case LX031.

4.  Issue VMFREM to remove the VM:Secure LOCALMODs from the CP nucleus:
   
   VMFREM PPF SERVP2P CP MOD LX031 ( NOEXCLIST UNRECEIVE
5. Issue the SERVICE command to regenerate the CP nucleus without VM:Secure TEXT files:

SSERVICE CP BUILD