RACF

This article provides information and the required steps to achieve basic activation of a CA Workload Automation CA 7 Edition (CA 7) CA Datacom/AD environment under RACF. Most of the steps are intended to activate any CA Datacom/AD environment currently running supported versions of the product. External security can be implemented in all supported versions of CA Datacom/AD and CA Datacom®/DB.
We strongly recommend that sites set up their CA Datacom/AD MUF for CA 7 Version 12.0 in a test environment before implementing external security. If you set up external security first, and it is not correct, the CA Datacom/AD installation and CA 7 Version 12.0 environment setup may fail. Required information that is used to define the security rules (for example, cxxname) is defined during the initial setup. For an overview of the installation process through production implementation, see Stage the CA Datacom/AD External Security Implementation.
The following topics are covered for a successful activation process of RACF security for CA 7 Datacom/AD:
Prerequisites
Review the following prerequisites to activate external security for a CA 7 CA Datacom/AD environment under RACF: 
  • CAIRIM and CA IPC
  • Maintenance
  • Started Task ID
CAIRIM and CA IPC 
Before starting the external security effort, install the CAIRIM component of CA Common Services for z/OS and CA IPC. 
The CA Standard Security Facility (CAISSF), a subcomponent of CAIRIM, provides the link between the CA Datacom products and the external security package.
CA IPC is included in the target library (CAAXLOAD) for CA Datacom/AD environments. 
Maintenance 
Verify that your CA Datacom/AD maintenance is current. Fixes have been created for Datacom r15.1, r15.0, and r14.0. These fixes provide proper support for a successful implementation and configuration of external security for CA 7 Datacom/AD. 
Started Task ID 
Proper security rule setup requires that the CA Datacom/AD STC is assigned a user-ID. The rules that are described in subsequent sections assume that this ID has been assigned. When successful, the CA Datacom/AD STC contains a message in the JES2 Joblog that is similar to the following: 
START CA7MUF WITH JOBNAME CA7MUF IS ASSIGNED TO USER CA7MUF , GROUP CA7GRP
CA7MUF is the STC jobname.
Set up CA Datacom environment for External Security 
Changes are required in a CA Datacom environment to implement external security rules successfully. You must include the following entries in the Datacom startup deck (Member DBDATIN2) in the CUSMAC Library:
SECURITY DBDCSCI,DBDCSCQ,DBDCRCI,DBDCRCQ,DBDCRAQ
SECURITY DBDCSSR,DBDCRSR,DBDCSQL,DBDCSQQ,DBDCRAT
The CA 7 Datacom startup deck sample AL2MUFS1 (ca7hlq.CAL2OPTN) includes the previous statements.
CA Datacom allows different resource class names to be used for table security depending on the access path. The CA 7 Datacom startup deck sample specifies the same resource name for all paths by including the characters 'DC' on all ten paths. DC indicates that [email protected], as described later, is the resource name to use for table access regardless of access path.
You can add these entries to the Datacom startup deck before defining any of the resource classes and rules that are discussed later. These entries must be present when CA Datacom is started with external security, or CA Datacom does not successfully start.
Enable External Security for CA Datacom 
CA Datacom products use four resource classes in the external security product:
The external security product controls the user access rights and levels.
Sample rules for Datacom Security are found in member AL2RACFD in the CA 7 distributed library CAL2OPTN.
The cxxname is one of the most important pieces of information that is required for the configuration and implementation of external security. You can retrieve the cxxname from the DB00201I message in the JES log for CA Datacom as shown in the following example:
DB00201I - MULTI-USER ENABLED, CXX=QAMUFR MUFNAME=QAMUFR AD
The overall purpose of the CA 7 sample definitions for the [email protected] resource class is to:
  • Enable external security 
  • Secure Access Paths and Features 
The other rules ([email protected], [email protected] and [email protected]) control access after MUF security is enabled. 
Enable external security 
The [email protected] resource class is key to turning on external security for CA Datacom products. To enable external security, the CA Datacom STC ID (for example, CA7MUF) must be denied access to the [email protected] ACTIVATE.LEVEL05.FAIL resource and allowed access to the [email protected] ACTIVATE.LEVEL05.PASS resource. 
RDEFINE [email protected] ACTIVATE.LEVEL05.FAIL UACC(NONE)
RDEFINE [email protected] ACTIVATE.LEVEL05.PASS UACC(NONE)
If you were to start up the CA Datacom/AD MUF, the system would still not be secure. You need one more rule to activate security.
Important!
You should not set this rule until all other resource class rules in the subsequent sections have been defined and you are ready to run your MUF with security enabled.
PERMIT ACTIVATE.LEVEL05.PASS CLASS([email protected]) ID(CA7MUF) ACC(ALTER)
Once you set this rule and restart your MUF, you should see the messages described in Determine if CA Datacom External Security is Enabled. Just remember, you must set up the rules in the following sections before defining the PERMIT rule. If you fail to do so, CA 7 and possibly other CA products (for example, CA 11) will not successfully start up.
If you start your MUFs with different assigned user-IDs (for example, CA7MUF above), each must have ALTER access to the ACTIVATE.LEVEL05.PASS profile.
Secure Access Paths and Features 
Once external security is enabled, the [email protected] resource is used to determine which access paths and features are secured. If access is denied to the resource name for the access path or feature, then the access path or feature is secured. If access is allowed, then the access path or feature is not secured. 
Secure DBDC table path access through the [email protected] resource class 
RDEFINE [email protected] cxxname.DBDC* UACC(NONE)
Secure the Datadictionary feature functions 
RDEFINE [email protected] cxxname.DD* UACC(NONE)
Allow remote user access to the MUF using the XCF feature
RDEFINE [email protected] cxxname.XCF UACC(ALTER)
The [email protected] table classes identify CA Datacom/AD tables and multiple access levels for each table. They are used to secure access to the CA 7 tables stored in Datacom and tables of other AD applications.
RACF authorizations are hierarchical, that is:
  • READ authority allows only read access. 
  • ALTER authority allows read, update, delete, and add access.
The table class resources consist of system, database, and table identifiers in the following format:
cxxname.DB0nnnn.table
For example, CA7MUF.DB00770.* identifies all of the tables in the database with DBID 770 in the system with cxxname of CA7MUF.
Sample for setting up [email protected] Resource class access: 
RDEFINE [email protected] cxxname.DB00002.* UACC(NONE)
RDEFINE [email protected] cxxname.DB00015.* UACC(NONE)
RDEFINE [email protected] cxxname.DB00770.* UACC(NONE)
RDEFINE [email protected] cxxname.DB01000.* UACC(NONE)
DB00002 and DB00015 access is needed for installing database definitions and PTFs that contain Datacom Datadictionary updates. DB01000 is used by CA 7 to access Datacom Dynamic System Tables.
Sample for setting CA 7 Access to the [email protected] Resource class:
PERMIT cxxname.DB00770.* CLASS([email protected]) ID(CA7STC) ACC(ALTER)
PERMIT cxxname.DB01000.* CLASS([email protected]) ID(CA7STC) ACC(READ)
CA7STC is the ID used to start CA 7.
Sample for setting Systems Programmer and User Access to the [email protected] Resource class:
PERMIT cxxname.DB00002.* CLASS([email protected]) ID(CA7SPG) ACC(ALTER)
PERMIT cxxname.DB00015.* CLASS([email protected]) ID(CA7SPG) ACC(ALTER)
PERMIT cxxname.DB00770.* CLASS([email protected]) ID(CA7SPG) ACC(ALTER)
PERMIT cxxname.DB00770.* CLASS([email protected]) ID(userid1) ACC(READ)
  • CA7SPG is the user-ID of the systems programmer for your site who will perform any HOLD ACTIONs described in CA 7 PTFs.
  • Sites that want to allow users to run SQL (samples in CAL2SQL) will need to grant those users READ access to [email protected]
The [email protected] class associates system product combinations with those individuals who have product administrator authority. This authority could be needed during the initial installation of CA 7 and the Datacom environment, but only if you set up security before commencing the installation (not recommended). It might also be needed if CA puts out a PTF that affects table definitions. 
Sample for setting up [email protected] Resource class access: 
RDEFINE [email protected] cxxname.* UACC(NONE) 
Sample in providing the Systems Programmer access to the [email protected] Resource class: 
PERMIT cxxname.* CLASS([email protected]) ID(CA7SPG) ACC(ALTER) 
The [email protected] controls access to the DBUTLTY utility, which is the base utility that performs reporting and maintenance for the CA Datacom environment.
The [email protected] resource class is used to identify CA Datacom product utility functions and the users who are allowed to execute them. Each resource in the [email protected] class represents one CA Datacom product function. The resource format varies within and for each of the three products it supports.
Sample for setting up the [email protected] Resource class access:
RDEFINE [email protected] cxxname.* UACC(NONE)
Sample for setting Systems Programmer and user access (Datacom Backup and SPILL jobs) to the [email protected] Resource class:
PERMIT cxxname.* CLASS([email protected]) ID(CA7SPG) ACC(ALTER)
PERMIT cxxname.* CLASS([email protected]) ID(BKUPID) ACC(ALTER)
BKUPID does not need access to [email protected] to perform backups or spills.
Determine if CA Datacom External Security is Enabled
Datacom now issues a message in the MUF indicating that external security is not enabled. For more information, see Prerequisites. 
The following messages are seen in the JES log of the MUF when external security is enabled successfully:
DB00271I - AREAEV -YES, DATAFS -YES, DATAHU -YES, SU - NO
DB00231I - EXTERNAL SECURITY LEVEL 05 ACTIVE
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON SQL OTHER DQ WITH [email protected]
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON RAT OTHER DQ WITH [email protected]
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON SQL CICS DQ WITH [email protected]
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON RAT CICS DQ WITH [email protected]
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON SQL SERVER WITH [email protected]
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON RAT SERVER WITH [email protected]
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON SQL CICS WITH [email protected]
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON RAT CICS WITH [email protected]
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON SQL OTHER WITH [email protected]
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON RAT OTHER WITH [email protected]
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON DATADICTIONARY
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON DATAQUERY
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON VIEW
If you do not see these messages in the JES log of the CA Datacom environment, then the following message appears: 
DB00270W - ACCESS TO DATACOM TABLES NOT PROTECTED BY EXTERNAL SECURITY
Recheck your [email protected] rules to verify that all are defined correctly.
You can ignore the DB00220I messages for DATAQUERY and VIEW. These are not applicable in the CA Datacom/AD environment. 
Recycle the MUF when making RACF security changes as they are not automatically picked up. For more information, see the CA Common Services documentation.
Debugging tips
CA Datacom/AD abends with security rules in place 
If you set up the security rules and the CA Datacom/AD MUF abends when you start it, check the JES2 joblog for ICH408I messages that identify the exact cause of the problem.
The MUF abends with a completion code of U0004 if the security rules are set up incorrectly.
If the MULTI-USER ERROR is 1076, verify that the RDEFINE [email protected] cxxname.DBDC* UACC(NONE) is in place.
CA 7 Errors when [email protected] rules are not properly defined
If the [email protected] rules are not properly defined, sites see DBTSK WTOs in the CA 7 JES2 joblog. These WTOs show an RC=15(139) indicating a security problem. Check the CA Datacom/AD MUF STC JES2 joblog for the ICH408I messages that identify the exact cause of the problem. It will most likely be that the DB00770 or DB01000 [email protected] rules are not properly defined.
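To make the checks described in Determine if CA Datacom External Security is Enabled and in these debugging tips repeatable, here is an added example (not part of the CA documentation or of any CA tool) that scans captured JES joblog lines for the message IDs above and maps what it finds onto the actions the page recommends. It assumes the joblog has already been saved as plain text; the sample lines are constructed, and RESCLASS is a placeholder for the site's resource class name.

```python
import re
# Message IDs are the ones documented on the page; all sample log lines below are constructed.
RE_LEVEL = re.compile(r"DB00231I - EXTERNAL SECURITY LEVEL (\d+) ACTIVE")
RE_PATH = re.compile(r"DB00220I - EXTERNAL SECURITY ACTIVE FOR (\S+) ON (.+?)(?: WITH \S+)?$")
IGNORABLE = {"DATAQUERY", "VIEW"}  # reported by the MUF but not applicable to CA Datacom/AD

def check_muf_log(lines):
    """Summarise MUF and CA 7 joblog lines into the security state the page says to verify."""
    report = {"level": None, "cxxname": None, "secured": [], "not_protected": False,
              "ich408i": [], "ca7_rc15_139": 0}
    for raw in lines:
        line = raw.strip()
        if m := RE_LEVEL.search(line):
            report["level"] = int(m.group(1))
        elif m := RE_PATH.search(line):
            report["cxxname"] = m.group(1)
            feature = m.group(2).strip()
            if feature not in IGNORABLE:
                report["secured"].append(feature)
        elif "DB00270W" in line:
            report["not_protected"] = True   # tables not protected by external security
        elif "ICH408I" in line:
            report["ich408i"].append(line)   # RACF denial naming the failing resource
        elif "RC=15(139)" in line:
            report["ca7_rc15_139"] += 1      # CA 7 DBTSK WTO that signals a security problem
    report["enabled"] = report["level"] is not None and not report["not_protected"]
    return report

def diagnose(report):
    """Map the summary onto the page's debugging tips; returns the actions to take."""
    actions = []
    if report["not_protected"]:
        actions.append("DB00270W: recheck the rules that enable external security")
    if report["ich408i"]:
        actions.append("ICH408I: fix the RACF profiles named in these messages")
    if report["ca7_rc15_139"]:
        actions.append("RC=15(139): check the DB00770 and DB01000 table class rules")
    return actions

# Constructed healthy MUF joblog; RESCLASS is a placeholder for the site's resource class name.
SAMPLE_OK = """DB00231I - EXTERNAL SECURITY LEVEL 05 ACTIVE
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON SQL OTHER DQ WITH RESCLASS
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON RAT OTHER WITH RESCLASS
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON DATADICTIONARY
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON DATAQUERY
DB00220I - EXTERNAL SECURITY ACTIVE FOR QAMUFR ON VIEW""".splitlines()
# Constructed failing case: rules missing, so the MUF warns and CA 7 later fails table access.
SAMPLE_BAD = """DB00270W - ACCESS TO DATACOM TABLES NOT PROTECTED BY EXTERNAL SECURITY
ICH408I USER(CA7STC  ) GROUP(CA7GRP  ) NAME(CONSTRUCTED SAMPLE)
DBTSK CONSTRUCTED SAMPLE WTO RC=15(139)""".splitlines()
```

Run it against the MUF STC joblog first and the CA 7 STC joblog second; an empty result from diagnose() on a healthy log corresponds to the DB00231I and DB00220I messages being present with no DB00270W.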
Stage the CA Datacom/AD External Security Implementation
For most sites, the group responsible for installing software is not the same group that administers external security. It can be challenging to coordinate implementing security without impacting day-to-day activity. The following steps provide a phased approach to external security implementation. They are applicable to a single-MUF or multi-MUF environment that is controlled by the same security environment.
  1. Follow the steps in the CA Workload Automation CA 7 Edition Installation documentation for setting up the CA 7 Datacom environment. These steps access the Datacom Datadictionary and utilities which are secured later. It is assumed that this is done in a test environment with no security rules in place. 
  2. Start the CA Datacom/AD MUF without any security rules in the test environment. 
  3. Start CA 7 and run any test suites you would normally run when upgrading to a new release. 
    This is also when you would test the conversion, validation, and reversion aspects of the CA 7 Version 12.0 implementation.
  4. Set up and run your CA Datacom/AD MUF backup and spill jobs.
  5. Define all the [email protected] resource class and rules except the PERMIT ACTIVATE.LEVEL05.PASS access rule.
    Remember, the PERMIT access rule for ACTIVATE.LEVEL05.PASS is the key to activating external security. It should be done after all other security rules are defined (Step 8).
  6. Define the [email protected] resource class and rules.
  7. Define the [email protected] and [email protected] resource class and rules.
    Remember that the ID of the job that SPILLs the LXX file and the job that backs up the MUF must have access to [email protected]. If you cannot SPILL your LXX file, your CA 7 system might ultimately hang.
  8. Define the PERMIT ACTIVATE.LEVEL05.PASS CLASS([email protected]) ID(CA7MUF) ACC(ALTER) rule.
  9. Recycle the CA Datacom MUF. Verify that the WTOs described in the Determine if CA Datacom External Security is Enabled section appear. If they do not, review the ICH408I messages to determine what is missing.
  10. Start CA 7. Make sure there are no RC=15(139) errors in the CA 7 STC JES2 joblog. If there are, check the CA Datacom/AD MUF STC JES2 joblog for ICH408I messages to determine the cause of the error.
  11. Re-run in-house validation tests in your test environment with security in place.
At this juncture, sites can take different paths. Some sites can set up an entirely different MUF for their production environment while others can use the MUF they set up for testing. The following steps show a typical situation where a site sets up a production MUF (different STC ID) and converts from production CA 7 Version 11.3 to production CA 7 Version 12.0 on a weekend.
  1. Steps 1 and 4-7 above can be done before the weekend. 
  2. On the Conversion weekend
    1. Start the MUF without security. 
    2. Run the conversion and validation steps as described in CA 7 Version 12.0 implementation conversion process. 
    3. Perform Step 8 in the previous tasks shown above for the new MUF STC ID. 
    4. Perform Step 9 in the previous tasks shown above for the production MUF. 
    5. Perform Step 10 in the previous tasks shown above for the production CA 7. 
  3. Assuming the conversion was successful, logon to CA 7 and check the queues to verify that they match Version 11.3 at the point of shutdown. 
  4. Start the queues and schedule scan.
Disable Security 
It is not expected that sites should need to disable external security, nor do we recommend doing so. However, if you absolutely must run your production jobs and your external security environment is not properly defined, you can disable security. 
  1. Change the PERMIT ACTIVATE.LEVEL05.PASS CLASS([email protected]) ID(CA7MUF) ACC(ALTER) to ACC(NONE). 
  2. Restart the CA Datacom/AD MUF. 
  3. Restart CA 7.
Again, CA does not recommend disabling external security. Sites need to assess the impact of disabling external security versus production SLAs not being met.