Here are the basic steps (define the facility, create the region acid, and so on).
- Define the facility to Top Secret by adding the following to the Top Secret parameter file:
FAC(USERn=NAME=GSVX)
FAC(GSVX=PGM=GSV,MULTIUSER,SHRPRF,KEY=8,NOLUMSG,NOSTMSG)
FAC(GSVX=MODE=FAIL,LOG(NONE),ACTIVE,NOABEND)
FAC(GSVX=SIGN(M),NOTRACE,AUTHINIT)
FAC(GSVX=NOAUDIT,ASUBM,DEFACID(*NONE*))
FAC(GSVX=UIDACID=8)
where 'USERn' is a valid user facility number not currently in use.
You can dynamically define the facility using the TSS MODIFY command:
TSS MODIFY FAC(USERn=NAME=GSVX)
...
- Create a region acid for SYSVIEW with a MASTFAC of the facility defined in step 1.
TSS CREATE(SYSVIEW) NAME('SYSVIEW ACID') FACILITY(STC) -
MASTFAC(GSVX) PASSWORD(xxxx,0) DEPT(owningdept) -
NOLCFCHK NORESCHK NODSNCHK NOVOLCHK NOSUBCHK
We recommend that all started task (STC) acids be given a password and that OPTIONS(4) be set in the Top Secret parameter file. OPTIONS(4) eliminates the password prompt when the STC starts, but anyone who tries to sign on with the STC acid will need to know the password.
- Define the SYSVIEW address spaces as started tasks in the STC record using the region acid created in step 2.
TSS ADDTO(STC) PROCNAME(SYSVIEW) ACID(SYSVIEW)
TSS ADDTO(STC) PROCNAME(SYSVUSER) ACID(SYSVIEW)
TSS ADDTO(STC) PROCNAME(SYSVAAST) ACID(SYSVIEW)
- Add an OMVS segment to the ACID.
TSS ADDTO(SYSVIEW) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP) -
HOME(/) OMVSPGM(/bin/sh)
TSS MODIFY OMVSTABS
- Add the facility to the users that need it.
TSS ADD(acid) FAC(GSVX)
where 'acid' is the user's acid, an attached profile, or the ALL record if all users should have access.
- See chapter 6 of the Sysview r13.9 Security Guide for how to set up Sysview to use external security instead of internal security.
The Sysview Security Guide states that the PassTicket configuration is required for the SYSVIEW for Insight DPM for DB2 component.
If using the Insight DPM for DB2 component, see the Sysview Security Guide, section 'PassTicket Configuration', which documents what is needed to set this up.
The Sysview Security Guide has a section 'External Security Section Display'. In this section, it recommends that you specify CAGSVX as the 'SAF Entity Class Name' with Top Secret. CAGSVX is a predefined resource class in the Top Secret RDT.
The Sysview Security Guide has another section, 'SAF Requirements', that documents the SAF authorizations that are required for both the SYSVIEW address spaces and for individual user IDs. The SAF authorizations depend on what features and components are implemented at your site. (NOTE: The FACILITY class in Top Secret is IBMFAC.)
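To confirm that the facility definition from step 1 made it into the parameter file unchanged, the following added example (not part of the original article and not vendor code) parses the FAC statements and reports any attribute that is missing or differs from the list above. It assumes the parameter file has been copied to plain text with one FAC statement per line; the function names, the USER12 slot, and the sample input are constructed for illustration.

```python
import re

# Attributes this page lists for the GSVX facility in step 1.
EXPECTED = {
    "PGM=GSV", "MULTIUSER", "SHRPRF", "KEY=8", "NOLUMSG", "NOSTMSG",
    "MODE=FAIL", "LOG(NONE)", "ACTIVE", "NOABEND", "SIGN(M)", "NOTRACE",
    "AUTHINIT", "NOAUDIT", "ASUBM", "DEFACID(*NONE*)", "UIDACID=8",
}

def split_attrs(text):
    """Split on commas that are not inside parentheses, e.g. LOG(NONE)."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            depth += (ch == "(") - (ch == ")")
            cur += ch
    return [p.strip().upper() for p in parts + [cur] if p.strip()]

def audit_facility(param_text, facility="GSVX"):
    """Return (user_slot, missing, unexpected) for one facility."""
    slot, found = None, set()
    for line in param_text.splitlines():
        m = re.match(r"\s*FAC\((\w+)=(.*)\)\s*$", line, re.I)
        if not m:
            continue  # not a FAC statement
        name, body = m.group(1).upper(), m.group(2)
        if body.upper() == f"NAME={facility}":
            slot = name  # the USERn entry that was renamed to the facility
        elif name == facility:
            found.update(split_attrs(body))
    return slot, sorted(EXPECTED - found), sorted(found - EXPECTED)

# Constructed sample: MODE=WARN instead of MODE=FAIL, and AUTHINIT dropped.
SAMPLE = """\
FAC(USER12=NAME=GSVX)
FAC(GSVX=PGM=GSV,MULTIUSER,SHRPRF,KEY=8,NOLUMSG,NOSTMSG)
FAC(GSVX=MODE=WARN,LOG(NONE),ACTIVE,NOABEND)
FAC(GSVX=SIGN(M),NOTRACE)
FAC(GSVX=NOAUDIT,ASUBM,DEFACID(*NONE*))
FAC(GSVX=UIDACID=8)
"""

if __name__ == "__main__":
    print(audit_facility(SAMPLE))
```

A result with a slot of None means no FAC(USERn=NAME=GSVX) statement was found, so the facility was never assigned to a user facility entry.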