Document ID:

TEC435526

Title: Implementing SPI and Secondary Resource Checking in CA-Top Secret

The purpose of this document is to detail the process of setting up SPI (Set, Perform, Inquire) resource checking and secondary resource checking in CA-Top Secret. SPI resource checking is a little different than secondary resource checking. SPI resource checking uses a keyword in the SPI resource class that corresponds to the command keyword in the CEMT or the EXEC CICS command. For example, with CEMT INQUIRE TRANSACTION(ABC), the keyword TRANSACT would be used in the SPI resource class (i.e., SPI(TRANSACT) ) when protecting this command using SPI. SPI resource checking is limited to CEMT and EXEC CICS commands. With XCMD=YES, there is no way to distinguish between CEMT and EXEC CICS. There is a security call made for CEMT prior to the SPI check. If the security call for CEMT fails, the transaction or EXEC CICS command fails and no SPI check is made. Secondary resource checking keys on the actual resource being accessed in the transaction. With CEMT INQUIRE TRANSACTION(ABC), a second check (after the check for access to CEMT) would occur against OTRAN(ABC) when using secondary resource checking. If the security call for CEMT fails, the transaction fails and no check is made for the secondary resource. Secondary resource checking is optional and somewhat redundant if used with SPI resource checking. However, if secondary resource checking is used with SPI resource checking:

SPI resource access ensures that the user is permitted to display or alter a particular type of CICS resource. Secondary resource checking allows or denies display or alteration of the individual resources.

Use SPI checking if you want to secure the command keywords in CEMT and EXEC CICS commands. Use secondary resource checking if you want to allow certain resources to be accessed with any or all CICS transactions (not just the CEMT transaction). SPI resource checking is limited to CEMT and EXEC CICS commands where secondary resource checking can be used on any or all CICS transactions. SPI Resource Checking CA-Top Secret provides the SPI resource for added security checking. With the CA-Top Secret SPI resource you can secure the following:

CEMT commands EXEC CICS INQUIRE and SET commands EXEC CICS ENABLE, DISABLE, EXTRACT, and COLLECT STATISTICS commands EXEC CICS SPOOLOPEN command

To implement SPI resource checking 1. For CEMT commands, define OTRAN(CEMT) and permit ACCESS(EXECUTE) to the users that should be allowed to use CEMT. NOTE: Most users will not need access to CEMT. a. Own OTRAN(CEMT) via TSS ADD(dept) OTRAN(CEMT). To see if this is already owned, issue TSS WHOOWNS OTRAN(CEMT). b. Permit access to OTRAN(CEMT) via TSS PERMIT(acid) OTRAN(CEMT) ACCESS(EXECUTE).

2. Turn on SPI resource checking: a. If FACMATRX=YES is set on the CICS facility in CA-Top Secret, set XCMD=YES on the facility. No recycle of CICS should be required to pick up this change. b. If FACMATRX=NO is set on the CICS facility in CA-Top Secret, set XCMD=YES in the CICS System Initialization Table (SIT). A recycle of the CICS region is required to pick up this change.

3. Own and permit the SPI resources to be protected. a. TSS ADD(dept) SPI(xxxxxxxx) b. TSS PERMIT(acid) SPI(xxxxxxx) ACCESS(yyyyyyyyy) Below is a list of the command keywords and the corresponding SPI resource. For INQUIRE and SET: Command Keyword SPI Keyword 'Blanks' (default) SPI(SYSTEM) AUTINSTMODEL SPI(AUTINSTM) AUTOINSTALL SPI(AUTOINST) AUXTRACE SPI(TRACEDES) BEAN SPI(BEAN)

CFDTPOOL SPI(CFDTPOOL) CONNECTION SPI(CONNECTI) CORBASERVER SPI(CORBASER) DB2CONN SPI(DB2CONN) DB2ENTRY SPI(DB2ENTRY) DB2TRAN SPI(DB2TRAN) DELETESHIPPED SPI(DELETESH) DELTSHIPPED SPI(DELTSHIP) DJAR SPI(DJAR) DLIDATABASE SPI(DLIDATAB) DOCTEMPLATE SPI(DOCTEMPL) DSA SPI(SYSTEM) DSNAME SPI(DSNAME) DUMP SPI(DUMP) DUMPDS SPI(DUMPDS) ENQ SPI(UOWENQ) ENQMODEL SPI(ENQMODEL) EXCI SPI(EXCI) FECONNECTION SPI(FEPIRESO) FENODE SPI(FEPIRESO) FEPOOL SPI(FEPIRESO) FEPROPSET SPI(FEPIRESO) FETARGET SPI(FEPIRESO) FILE SPI(FILE) GTFTRACE SPI(TRACEDES) INTTRACE SPI(TRACEDES) IRBATCH SPI(IRBATCH) IRC SPI(IRC) JMODEL SPI(JMODEL) JOURNALNAME/JOURNALNUM SPI(JOURNAL) * JVMPOOL SPI(JVMPOOL) LINE SPI(LINE) MODENAME SPI(MODENAME) MONITOR SPI(MONITOR) NETNAME SPI(TERMINAL) PARTNER SPI(PARTNER) PITRACE SPI(PITRACE) PROCESSTYPE SPI(PROCESST) PROFILE SPI(PROFILE) PROGRAM SPI(PROGRAM) REQUESTMODEL SPI(REQUESTM) RRMS SPI(RRMS) STATISTICS SPI(STATISTI)

STREAMNAME SPI(STREAMNA) SYSDUMPCODE SPI(SYSDUMPC) SYSTEM SPI(SYSTEM) TASK SPI(TASK) TCLASS SPI(TCLASS) TCPIP SPI(TCPIP) TCPIPSERVICE SPI(TCPIPSER) TDQUEUE SPI(TDQUEUE) TERMINAL SPI(TERMINAL) TRANSACTION SPI(TRANSACT) TRDUMPCODE SPI(TRANDUMP) TSMODEL SPI(TSMODEL) TSPOOL SPI(DB2CONN) TSQUEUE SPI(TSQUEUE) UOW SPI(UOW) UOWDSNFAIL SPI(UOWDSNFA) UOWENQ SPI(UOWENQ) UOWLINK SPI(UOWLINK) VOLUME SPI(VOLUME) VTAM SPI(VTAM) WEB SPI(WEB) * Note: JOURNALNAME is used for CTS 1.2 and above; JOURNALNUM is used for CICS 4.1 and CTS 1.1. For PERFORM: Command Keyword SPI Keyword DELETESHIPPED SPI(DELETESH) DUMP SPI(DUMP) ENDAFFINITY SPI(CONNECTI) RECONNECT SPI(RECONNEC) RESET SPI(RESET) SECURITY SPI(SECURITY) SHUTDOWN SPI(SHUTDOWN) SNAP SPI(SNAP) STATISTICS SPI(STATISTI) For DISCARD: Command Keyword SPI Keyword DB2CONN SPI(DB2CONN) DB2ENTRY SPI(DB2ENTRY)

DB2TRAN SPI(DB2TRAN) DOCTEMPLATE SPI(DOCTEMPL) ENQMODEL SPI(ENQMODEL) JMODEL SPI(JOURNALM) JOURNALNAME SPI(JOURNAL) PROCESSTYPE SPI(PROCESST) REQUESTMODEL SPI(REQUESTM) TCPIPSERVICE SPI(CONNECTI) TSMODEL SPI(TSMODEL) For EXEC CICS ENABLE, DISABLE, EXTRACT, and COLLECT STATISTICS: Command Function SPI Keyword ENABLE SPI(EXITPROG) DISABLE SPI(EXITPROG) EXTRACT SPI(EXITPROG) COLLECT STATISTICS SPI(EXITPROG) EXEC CICS SPOOLOPEN: Command Function SPI Keyword SPOOLOPEN SPI(JESSPOOL) SPI access levels: For CEMT commands: CEMT Action SPI Access Level INQUIRE INQUIRE PERFORM PERFORM SET SET DISCARD DISCARD For example, if a CEMT INQUIRE is done, ACCESS(INQUIRE) is required to the protected SPI resource in order to perform the function. For EXEC CICS ENABLE, DISABLE, EXTRACT, and COLLECT STATISTICS: Command Function SPI Access Level ENABLE SET DISABLE SET EXTRACT INQUIRE COLLECT STATISTICS COLLECT

For example, if an EXEC CICS ENABLE is done, ACCESS(SET) is required to the protected SPI resource in order to perform the function. For EXEC CICS SPOOLOPEN: Command Options SPI Access Level INPUT SET OUTPUT SET For example, if an EXEC CICS SPOOLOPEN INPUT is done, ACCESS(SET) is required to the protected SPI resource in order to perform the function. Examples: 1. To protect users from issuing CEMT PERFORM SHUTDOWN, issue: TSS ADD(dept) SPI(SHUTDOWN) Any user that should be allowed to shutdown the CICS region should be given the following permit: TSS PER(acid) SPI(SHUTDOWN) ACCESS(PERFORM) 2. To protect users from doing CEMT INQUIRE TRANSACTION(xxxx), issue: TSS ADD(dept) SPI(TRANSACT) Any user that should be allowed to issue CEMT INQUIRE TRANSACTION(xxxx) should be given the following permit: TSS PER(acid) SPI(TRANSACT) ACCESS(INQUIRE) 3. To protect users from doing CEMT INQUIRE DUMP commands, issue: TSS ADD(dept) SPI(DUMPDS) Any user that should be allowed to issue CEMT INQUIRE DUMP should be given the following permit: TSS PER(acid) SPI(DUMPDS) ACCESS(INQUIRE) 4. To protect users from doing EXEC CICS SET FILE(PAYROLL) OPEN, issue: TSS ADDTO(dept) SPI(FILE) Any user that should be allowed to issue EXEC CICS SET FILE(PAYROLL) OPEN should be given the following permit: TSS PERMIT(acid) SPI(FILE) ACCESS(SET) SPI(*ALL*) ACCESS(acc) can be owned and permitted to allow access to all of the SPI resources; however, in order to have all the SPI resources protected, you must own all of them

via TSS ADD(dept) SPI(xxxx). You can set DEFPROT on the SPI resource class; however, you have to be VERY careful about this because with DEFPROT set on the SPI resource class, access will be denied to any SPI resource that is not permitted to the user. For example, a user who used to successfully issue CEMT INQ TRANS(ABC) will be denied access once DEFPROT is set if he is not permitted ACCESS(INQUIRE) to SPI(TRANSACT). SPI bypass list The SPI access levels can be put in the bypass list on the CICS facility in CA-Top Secret. For example, to put INQUIRE in the CEMT bypass list to bypass the INQUIRE checks: TSS MODIFY((FAC(cicsfac=BYPADD(CEMT=INQUIRE))) In the TSS parameter file add "FAC(cicsfac=BYPADD(CEMT=INQUIRE))". This will bypass SPI security for all CEMT INQUIRE commands. Note: To bypass SET you also need to add INQUIRE to the Bypass List because CEMT SET redisplays the items altered in the CEMT SET. Secondary resource checking To turn on secondary resource checking for a specific transaction: 1. Define the transaction to CA Top Secret. 2. Permit ACCESS(EXECUTE) to the transaction. 3. Set PCTRESSEC=HONOR on the CICS facility in CA Top Secret. This will honor the RESSEC= parameter in the CSD. 4. Set RESSEC=YES in the CSD entry in CICS for the specific transaction(s) that are to use secondary resource checking. (Set RESSEC=NO in the CSD entry in CICS for the transactions that are not to use secondary resource checking.) 5. Set RESSEC=ASIS in the CICS SIT. For example, to activate secondary resource checking for CEMT: 1. TSS ADD(dept) OTRAN(CEMT) 2. TSS PER(acid) OTRAN(CEMT) ACCESS(EXECUTE) 3. Set PCTRESSEC=HONOR on the CICS facility in CA Top Secret. 4. Set RESSEC=YES on the CSD entry in CICS for CEMT.

5. Set RESSEC=ASIS in the CICS SIT. This means any resource CEMT goes after will be checked. For example, with CEMT I TRAN(ABC), there would first be a check for EXECUTE access to OTRAN(CEMT) and if access is allowed, an additional (second) check for INQUIRE access to OTRAN(ABC). To turn on secondary resource checking for all transactions: Set PCTRESSEC=OVERRIDE on the CICS facility in CA Top Secret. This will override the RESSEC= parameter in the CSD entry and enforce secondary resource checking for all CICS transactions. Notes: The secondary resource checking is a little trickier to set up because CEMT I TRAN(CEMT) would require EXECUTE and INQUIRE access to OTRAN(CEMT). Assuming your AUTH control option is AUTH(OVERRIDE,ALLOVER), EXECUTE and INQUIRE access would have to be in the same place (e.g., user record, same profile, or the ALL record). If EXECUTE is permitted in the user record and INQUIRE in a PROFILE, the transaction will fail because the permit for EXECUTE on the user record will be picked up as a match and it won't get to the INQUIRE permit. However, the secondary resource checking is more granular. You could allow CEMT INQ for certain transactions, but not others. You can ADD and PERMIT OTRAN(*ALL*) ACCESS(acc). The PERMIT for OTRAN(*ALL*) ACCESS(acc) will include all OTRANs. Also, as long as NONGENERIC is not set on the OTRAN, permits for the OTRAN are generic, so OTRAN(AB) includes all transactions that start with AB. WARNING: USING ACCESS(EXECUTE) WITH TSS PER(acid) OTRAN(*ALL*) ACCESS(acc) WILL ALLOW THE USER TO EXECUTE ANY TRANSACTION. Secondary resource checking includes the following resource classes: CEMT Keyword Secondary Resource Type DB2ENTRY* DB2ENTRY DB2TRAN* DB2TRAN DSNAME DATASET FILE FCT JOURNAL JCT PROGRAM PPT QUEUE DCT TRANSACTIONS OTRAN or LCF VOLUMES VOLUMES * - CTS 1.2 and above only.

DSNAME access checking by CA Top Secret requires DSNCHECK=YES be set on the CICS facility in CA Top Secret. This is set via the command: TSS MODIFY FACILITY(cicsfac=DSNCHECK=YES) In the CA Top Secret parameter file. add "FAC(cicsfac=DSNCHECK=YES)". When DSNCHECK=YES is in effect, CA Top Secret checks DATASET, but not FCT resources for FILE or DATASET keywords in INQUIRE or SET actions used through CEMT.

FCT access checking by CA Top Secret requires the FACILITY control option DSNCHECK=NO (the default). This is set via the command: TSS MODIFY FACILITY(cicsfac=DSNCHECK=NO) In the CA Top Secret parameter file, add "FAC(cicsfac=DSNCHECK=NO)" or don't specify DSNCHECK and it will default to NO.) When DSNCHECK=NO is in effect, CA Top Secret checks the FCT but not DATASET resources when FILE or DATASET keywords with INQUIRE or SET actions used through CEMT.

NOTES: Like CEMT INQUIRE, the CEMT SET action is also used to provide a display of affected resources (after the SET operands are implemented). For this reason, individual resources described in the table above will often need both INQUIRE and SET access to invoke alteration through CEMT. You should also note that: 1. SET access does not imply INQUIRE access. 2. When the CEMT SET action is applied to these resources, both SET and INQUIRE access is required through CA Top Secret. 3. Whether the CEMT SET or INQUIRE action is used to initiate a resource display for the keywords in the table above, both SET and INQUIRE access through CA Top Secret are required to alter the individual CICS resource. EXAMPLES The following examples assume PCTRESSEC=HONOR is set on the CICS facility in CA Top Secret, RESSEC=YES is set on the CSD entry in CICS for CEMT, RESSEC=ASIS is set in the CICS SIT, and TSS ADD(dept) OTRAN(CEMT) has been done.

To allow a user to issue CEMT INQUIRE TRANSACTION(CS*) but prevent others from doing so: TSS PER(acid) OTRAN(CEMT) ACCESS(EXECUTE) TSS ADDTO(dept) OTRAN(CS) TSS PERMIT(acid) OTRAN(CS) ACCESS(INQUIRE) Note: The OTRAN(CS) permission in the above example does not allow the ACID to use the CSxx transactions. To allow a user to issue CEMT SET FILE(WXYZ) where 'WXYZ' is an FCT entry that points to dataset ABC.DEF and then alter characteristics of the file, but prevent others from doing so: With DSNCHECK=YES on the CICS facility in CA Top Secret: TSS PER(acid) OTRAN(CEMT) ACCESS(EXECUTE) TSS ADDTO(dept) DSNAME(ABC.DEF) TSS PERMIT(acid) DSNAME(ABC.DEF) ACCESS(INQUIRE,SET) With DSNCHECK=NO on the CICS facility in CA Top Secret: TSS PER(acid) OTRAN(CEMT) ACCESS(EXECUTE) TSS ADDTO(dept) FCT(WXYZ) TSS PERMIT(acid) FCT(WXYZ) ACCESS(INQUIRE,SET)