How to implement CA-ACF2 as the security system for TPX ?
search cancel

How to implement CA-ACF2 as the security system for TPX ?

book

Article ID: 11421

calendar_today

Updated On:

Products

TPX - Session Management

Issue/Introduction

CA-ACF2 as the security system for CA-TPX.

Environment

Release: TPX 5.4
Component: TPX for Z/OS

Resolution

Steps to implement CA ACF2 as the Enterprise Security Manager with TPX.

1. Specify ACF2 in the Security System field of the System Options Table (SMRT).

2. Put the application in an APF-authorized library, as described in the Installation Guide.

3. If you are running the product as a Multiple User Single Address Space System (MUSASS), you must:

  • Code an @MUSASS macro for the TPX region in the CA-ACF2 Field Definition Record(ACFFDR).
  • Assign the MUSASS attribute to the TPX region logonID.
  •  IPL the system.

4. If you are not running the product as a MUSASS, you must specify Y in the Bypass MUSASS Processing field of the SMRT.

5. If the CA-ACF2 CVT is pointed to by the CVTUSER field, specify CVTUSER in the CVT Location field of the SMRT.

6. If the CA-ACF2 CVT is offset into the ACTUSER area, specify OFFSET in the CVT Location field of the SMRT.

  • You must also specify the offset in the CVT Offset field of the SMRT.

7. If you are using an attribute byte for the product, examine the CA-ACF2 Logon ID record (LIDREC) and determine the location of the attribute byte.  

  • Specify the location of the byte in the Auth Offset field of the SMRT.

8. Examine the byte for the location of the CA-TPX bit.  

  • Specify the location of the bit in the Auth Mask field of the SMRT.

It is recommended to use the Security Action/Message Table (SAMT) to customize the response of the product to messages produced by ACF2
SAMT uses sense code for RACF or message ID for ACF2, to determine the proper action to return code messages.
The SAMT will contain an entry for the RACF sense code or ACF2 message ID.
The entry will specify what action to take, the cursor position, whether to suppress the message, and what message to display.
For additional  information on using this table, see the Administrator Guide - Security Action/Message Tables.  

You can use the ACF2 interface to specify how TPX determines profiles for dynamic users.  (optional)

    • “Dynamic users” are users who are not maintained by TPX administration.  Their profiles are not determined by records in the ADMIN files, but instead are determined when the dynamic user logs on.
    •  If you specify Save Dynamic Users, newly built dynamic users are saved to the User file (ADMIN2) at sign-on to TPX. If so, then the the user can perform self-maintenance in TPX Administration which is saved from one session to their next session.
    • You allow dynamic users and saved dynamic users in the SMRT System Features.
    • If not using security to determine profiles, use the customer-written TPXUSNSF exit.
    • You MUST define all profiles to be used, in TPX.

Here are two methods for defining profile selection :

  • USER-LEVEL PROFILE SELECTION:  
  • User-level selection involves specifying information in the user record that will allow the security system to determine which profiles can be assigned to the user.
    1. Specify "Y" in the "Load profiles at startup" field of the SMRT (Performance Parameters).
    2. Specify "USER" in the “Profile Selection” field of the SMRT (Performance Parameters).
    3. Turn on attribute bits in the user’s LIDREC for each profile that you want to be included in the user’s profile list.
    4. Specify the profile bits:
      • Determine the offset of the profile bits from the beginning of the LIDREC or MLID.
      • Specify this offset value in the CA-ACF2 Authorization Offset field of the profile definition.
      • Specify the hex value of the bit in the CA-ACF2 Authorization Mask field of the profile definition.
    5. Indicate the profile that should appear first in the user’s list of profiles.  Specify this by entering Y in the “Profile Should be First” field of the profile.  This is done in Profile Maintenance in the product’s administration.
  • PROFILE-LEVEL PROFILE SELECTION:  
  • Profile-level selection involves specifying rules in the security system that will allow the security system to determine which profiles can be assigned to which users. 
    1. Specify "Y" in the "Load profiles at startup" field of the SMRT (Performance Parameters).
    2. Specify "PROF" in the “Profile Selection” field of the SMRT (Performance Parameters).
    3. Set up a class of resource rules in your security system.
    4. Define the class to CA-TPX by specifying its name in the Resource Class field of the SMRT.
    5. Set up a rule in the class for each product profile, specifying which users can use that profile.
    6. Indicate the profile that should appear first in the user’s list of profiles. Specify this by entering Y in the “Profile Should be First” field of the profile. This is done in Profile Maintenance in administration.

NOTE: The TPXUSNSF exit can be used to add profiles to or delete profiles from the list provided by the security system.

 

Example of PROFILE-LEVEL PROFILE SELECTION:

    SMRT

     Security Parameters                                                                                                            

  * Security System:           ACF2       * Profile Selection:         PROF   

  * Alias Name:                           * Resource Class:           CA$TPX    

 _________________________________________________________________________

 

     Performance Parameters                                 

 

    VTAM Authorized Path Facility:       Y    

    Large Message Processing Option:  Y    

    Rtasks (Number of servers):         03   

    Load profiles at startup:                 Y

__________________________________________________________________________

      

Nothing needs to be ADDed to ACF2, but a resource RULE (RSRC) is needed to allow access.
 
By default, with CLASS=CA$TPX, ACF2 will use resource type of CA$ for resource rule validation. 
If a different resource type is to be setup, update the CLASMAP element in the CONTROL(GSO) record.

You may add a CLASMAP if needed:

TSO ACF
SET CONTROL(GSO)
INSERT CLASMAP.TPX RESOURCE(CA$TPX) RSRCTYPE(nnn) ENTITYLN(39) ; where nnn is the type code
F ACF2,REFRESH(CLASMAP)
END
 
Create or update the ACF2 RESOURCE RULE for the profname and TYPE to allow access:

$KEY(profname) TYPE(CA$)
 UID(uid string of user) SERVICE(READ) ALLOW

 

Additional information:

Depending on your security system, TPX may receive return codes, message IDs, or both from the security system when a user attempts to logon.

If SAF is used as the Security System in place of ACF2, TPX uses the group name(s), received from the security system as the profile names to match in TPX.

When - Return Messages from SAF is turned on (Y) in panel TEN0090.

This specifies whether messages from SAF should be returned to TPX.
The default is N, in which case the return and  reason codes will determine a message that is displayed from the TENMSGL member, in the same way that RACF operates. 

The limitation when using SAF instead of ACF2 is that the ACF messages will not be received from the security system - return codes.
The SAMT (security action message table) is used to interpret the return codes.  The SAMT (table) called  'SAF' is the one to use in this instance.

Powered by Wolken Software