Top Secret

  • 1.  What resource class to use for securing CEMT subcommands

    Posted Feb 07, 2018 12:26 PM

    I'm sitting down with the CICS admin to improve the security of IBM-supplied category-2 transactions.  For this purpose I'm hitting the documentation on CEMT.  I see that I should be able to secure specific CEMT commands, such as PERFORM CLASSCACHE or SET EVENTBINDING.  (I don't know what these things are, you understand; I just see them listed in IBM's documentation about securing CEMT.)  I gather the resource class used for the purpose in RACF is CCICSCMD.

     

    However I don't see any mention of CCICSCMD in the TSS r15 documentation, neither the User Guide nor the CICS Implementation Guide.  Listing the RDT shows no such class.  So how does one secure specific CEMT subcommands in TSS?



  • 2.  Re: What resource class to use for securing CEMT subcommands

    Broadcom Employee
    Posted Feb 07, 2018 12:35 PM

    CCICSCMD is a RACF resource class.
    ENF must be completely up before CICS starts.
    You receive all three phase messages for CICS (Phase 0, 1, 2).
    What is supposed to happen is ENF will intercept the security call
    and translate it to the appropriate resource class in Top Secret.

    If ENF is not up then IBM will make calls for CCICSCMD.
    With ENF up, security call for CCICSCMD should be intercepted and then
    translated and sent to TSS as a SPI check or OTRAN check.



  • 3.  Re: What resource class to use for securing CEMT subcommands

    Posted Feb 07, 2018 03:09 PM

    Ok, so ENF (it says here) is a CA component which "Top Secret uses to obtain data from z/OS".  You're saying it can be trained to intercept SAF calls and translate the resource class?

     

    I'm afraid I may have misunderstood, simply because I'm used to TSS using all the same classes as the OS except for a few that had to be renamed because TSS uses them differently, such as FACILITY (mapped to IBMFAC).  It isn't clear to me why the designers of TSS wouldn't simply have reproduced CCICSCMD.  Clearly they didn't; I just don't understand why not.

     

    So if I can get my hands on an ENF manual, would it direct me how to translate CCICSCMD to something else?  Or wait:  Wouldn't it be simpler just to create the missing class in the RDT, and let the CCICSCMD call come through as-is?



  • 4.  Re: What resource class to use for securing CEMT subcommands

    Broadcom Employee
    Posted Feb 07, 2018 03:36 PM

    CA Top Secret r16.0 Install Guide documents TSS uses the following DCMs:

    KO50DCM2
    Is needed to use CA Top Secret support for CICS CTS 2.3 and above. KO50DCM2 does not replace the KO43DCM2 used with earlier releases of CICS. KO50DCM2 specifies a new initialization routine named CAKSCINT.



  • 5.  Re: What resource class to use for securing CEMT subcommands

    Posted Feb 08, 2018 01:13 PM

    Robert, was this post intended for me or did you mean to add it to a different thread?  I don't see any connection between it and my topic.  My questions are:

     

    1) Is it true that ENF, a CA product, can be induced to intercept SAF calls and translate the resource class from the "standard" one used by z/OS to whatever equivalent is used by TSS?

     

    2) If so, will an ENF manual describe to me how to do that?

     

    3) Would it accomplish my purpose more simply to define CCICSCMD in the RDT, instead?

     

    Your post, though, talked about "DCM", "CICS CTS" and an "initialization routine named CAKSINT", none of which convey anything to me.  Oh, and you mentioned TSS r16; the particular client on whose behalf I'm asking this question, though, uses r15.



  • 6.  Re: What resource class to use for securing CEMT subcommands

    Broadcom Employee
    Posted Feb 09, 2018 09:48 AM

    Bob,

     

    Sorry for the confusion, I was replying back about your CCICSCMD question and why Top Secret will not use that RACF resource class but OTRAN for example because ENF gets its hooks in and passes off to TSS for security. You could define a RDT entry but I would recommend you open a case so we can have Development or Sustaining Engineering give some additional details as to how CA Common Services, ENF, Top Secret interact.



  • 7.  Re: What resource class to use for securing CEMT subcommands
    Best Answer

    Broadcom Employee
    Posted Feb 15, 2018 08:50 AM

    Hi Bob,

     

    Here is a link in the r16.0 doc for the perform command:
    Securing PERFORM Commands - CA Top Secret® for z/OS - 16.0 - CA Technologies Documentation 

    Classcache is part of PERFORM.

    Here is a link to CEMT SET and INQUIRE:

    Securing CEMT Commands - CA Top Secret® for z/OS - 16.0 - CA Technologies Documentation 
    Look at the blue links for examples.

    Here is a link for Secondary Resource Checks:

    Secondary Resource Checks - CA Top Secret® for z/OS - 16.0 - CA Technologies Documentation 

    Once you go to one of those links you will be able to see the other sections and go through whatever you want.

     

    Cheers,

      ~Eileen~



  • 8.  Re: What resource class to use for securing CEMT subcommands

    Posted Feb 15, 2018 04:07 PM

    Aha!  The SPI resource class.  I'll get started reading; thanks, Eileen.

     

    I don't have to know this—it's purely out of curiosity—but why did the TSS designers do it that way, rather than simply using the resource class and names issued by the OS itself?  I'd expect there needs to be a good reason to add any extra translation work.