Top Secret

  • 1.  Top Secret - Defining zOS Connect to Top Secret

    Posted Jul 18, 2018 10:43 AM

    Does anyone have experience with this product?  CA translated the RACF commands to Top Secret, but when the System Programmer brings up the product the IDs are receiving a violation that they need access to the facility Started Task.  Additionally, our company policy requires a password on the WSGUEST ID with access to an isolated group and OMVS (USS), which is like a secondary auth ID, which may also be an issue.  Also, the Resource Class EJBROLE in the RDT table has DEFACC of ALL; is there a way to change it?  We have not defined any digital certificates for this product yet and are trying to use SAF security.  The closest product definition that we have seen is ZOSMF.  We are trying to do this install and continue to run into issues.



  • 2.  Re: Top Secret - Defining zOS Connect to Top Secret
    Best Answer

    Broadcom Employee
    Posted Jul 19, 2018 12:11 PM

    Mike,

     

    You need to assign a FACILITY to the started task.

     

    See the following knowledge document for creating a FACILITY. The example is for RDZ, but can be used for any application. You just need to change the FACILITY name to what you want and the program name you are using.

     

    To add a password and GROUP, issue:

    TSS ADD(WSGUEST) PASSWORD(xxxxxxxxxx)

    TSS ADD(WSGUEST) GROUP(xxxxxxxx)

     

    Why do you want to change the access level for EJBROLE? You either have access to it or you don't.

     

    Here is the TSS LIST(RDT) for the EJBROLE resource class:

     

    tss list(Rdt) resclass(ejbrole)

    ACCESSORID = *RDT* NAME = RESOURCE DEFINITIONS

    RESOURCE CLASS = EJBROLE
    RESOURCE CODE = X'068' POSIT = 568
    ATTRIBUTE = MASKABLE,MAXOWN(26),MAXPERMIT(246),ACCESS,PRIVPGM,MIXCASE
    ACCESS = NONE(0000),ALL(FFFF)
    DEFACC = ALL
    TSS0300I LIST FUNCTION SUCCESSFUL
    READY

    There are 2 access levels, ALL or NONE.

     

    Currently, if you don't specify an ACCESS level on a PERMIT, ALL will be used as the default access level.

    Setting the DEFACC(NONE) would not make sense.

     

    Regards,

     

    Joseph Porto - CA Level 1 Support



  • 3.  Re: Top Secret - Defining zOS Connect to Top Secret

    Posted Jul 19, 2018 12:28 PM

    Thank you.  I was re-examining the violations and researching the product documentation.  Not sure how many other businesses are using this, but when I have the facility defined, the RACF to TOP Secret documentation for the ZOS Connect should probably be updated to include the facility.  The zOS Connect documentation states that once a Liberty Angel Started task is created, if you are using another product such as zOSMF, the STC does not have to be redefined, just modified.  Thank you.



  • 4.  RE: Re: Top Secret - Defining zOS Connect to Top Secret

    Posted Jun 17, 2019 05:53 PM
    Hi Michael, you mentioned there is a "RACF to TOP Secret documentation for the ZOS Connect"; can you kindly let me know where I might be able to find this documentation?  I only found the documentation with RACF commands.  Thank you very much.


  • 5.  RE: Re: Top Secret - Defining zOS Connect to Top Secret

    Broadcom Employee
    Posted Jun 18, 2019 10:34 AM
    Maria,

    Yes there is a Top Secret article "Liberty Server RACF Command conversion to Top Secret" available at the following link:

    https://ca-broadcom.wolkenservicedesk.com/kb/liberty-server-racf-command-conversion-to-top-secret/kb000076389

    regards,
    Michael


  • 6.  RE: Re: Top Secret - Defining zOS Connect to Top Secret

    Broadcom Employee
    Posted Jun 18, 2019 10:36 AM
    Yes there is a Top Secret Article "Liberty Server RACF Command conversion to Top Secret" available at the following link:

    https://ca-broadcom.wolkenservicedesk.com/kb/liberty-server-racf-command-conversion-to-top-secret/kb000076389

    regards,
    Michael


  • 7.  RE: Re: Top Secret - Defining zOS Connect to Top Secret

    Posted Jun 18, 2019 12:28 PM
    This is the information for the conversion: KB 76389.  Additionally, you may need to create a facility zOS connect.  BC(CA) took the information that someone gleaned from the RACF security definitions for zOSMF and then converted them to RACF for the liberty server.  PTF SO03835 for CA Top Secret release 16 should have definitions for the Liberty server (zOSMF) in the AAKOJCL0 pds.
    https://ca-broadcom.wolkenservicedesk.com/kb/liberty-server-racf-command-conversion-to-top-secret/kb000076389
    There is crossover between zOSMF and zOS Connect for security definitions; look at the RACF definitions.  Also, if you need the IBM RACF-to-CA Top Secret Translation, please look at the Top Secret documentation in the Using Top Secret.  Hope that helps.



  • 8.  RE: Re: Top Secret - Defining zOS Connect to Top Secret

    Posted Jun 18, 2019 01:59 PM
    Hi Michael,

    Thank you very much for the information; this will definitely help us set up a POC environment for z/OS Connect.  I do have the RACF-commands translation to TopSecret for zOSMF and noticed now that some of the security definitions for zOSMF are very similar to the ones for z/OS Connect - like the ones for angel support and liberty server.
    Thanks again, Mike and to the other folks in this thread for the information.

    Best, 
    Maria

    Attachment(s): isuzec translation.txt (44 KB)


  • 9.  Re: Top Secret - Defining zOS Connect to Top Secret

    Posted Jul 19, 2018 04:03 PM

    Joe,

     

    One additional comment for ZOS Connect: the EJBROLE information in the RACF command has ACCESS READ for the permit.  That is why I asked.