Enable Security Access to Web Services

As a security administrator, configure the security software of your site to support Web Services. Web Services is a prerequisite for the Eclipse-Based UI and for user-written programs that connect to the CA Endevor API.
The following graphic shows how to enable security access for Web Services:
Figure: How to Configure Security Access for Web Services
To enable security access for Web Services, do the following to configure the security software of your site:
  1. Review the prerequisite information for an understanding of how Web Services works. For more information, see How to Enable Web Services.
  2. Grant authorized users access to the MODHLI data sets, if MODHLI is defined in the CA Endevor C1DEFLTS table.
Security Software Customization for Web Services
Configure your security software so that all authorized users can initiate WSEWSSTC correctly as a started task.
Web Services uses started tasks that are started by the CA Common Services CAICCI SPAWN facility to communicate with the CA Endevor API. Your CA Common Services administrator must configure the spawn facility for Web Services. The administrator configures the WSEWSSTC procedure to specify the high-level and second-level qualifiers for the CA Endevor data sets. The WSEWSSTC copy is initiated as a started task.
Review the following sample configuration for the software that is used at your site. These samples are only examples and may not conform to your security standards.
For more information about setting up started task security, see the product-specific documentation or contact Technical Support for the security software you are using.
Files are compressed, but no data encryption occurs during the transfer of files from the client to the Web Services server. Data communicated between CA Endevor and Web Services is neither compressed nor encrypted, except for passwords. For data encryption between the client and the Web Services server, configure Tomcat to use HTTPS.
Configure CA Top Secret
If your site uses CA Top Secret, configure CA Top Secret so that all authorized users can initiate WSEWSSTC correctly as a started task. To configure CA Top Secret, define a new facility with the name ENDEVOR, add a new ACID, and give the ACID a MASTFAC definition. Make this facility the default ACID for the CAICCI-spawned task WSEWSSTC defined by your CA Common Services administrator. Finally, add all users of Web Services to the ENDEVOR facility.
For more information about completing the following steps, see your CA Top Secret documentation or contact Technical Support for CA Top Secret.
Follow these steps:
  1. Define a new facility with the name ENDEVOR for CA Endevor by adding the following definitions to the CA Top Secret parameter file (specified by the PARMFILE DD statement):
    * USERnn FACILITY FOR * FAC(USERnn=NAME=ENDEVOR)
  2. Define a new ACID named ENDEVOR by entering the following command:
    TSS CRE(ENDEVOR) NAME('endevor userid') TYPE(USER) FAC(STC,ENDEVOR) PAS(NOPW,0)
    The NODSNCHK, NORESCHK, and NOSUBCHK bypass attributes on the ENDEVOR ACID may be required. If not, ensure that the ACID is authorized to access all the files and resources it requires.
  3. Give the ENDEVOR ACID a MASTFAC definition by entering the following command:
    TSS ADD(ENDEVOR) MASTFAC(ENDEVOR)
  4. Assign ENDEVOR as the default ACID for the CAICCI-spawned task WSEWSSTC by entering the following command:
    TSS ADD(STC) PROCNAME(WSEWSSTC) ACID(ENDEVOR)
  5. Grant each user of Web Services access to the ENDEVOR facility by entering the following command:
    TSS ADD(USERID) FAC(ENDEVOR)
For more information about defining a new facility, and the CRE and ADD commands, see CA Top Secret.
Automated CA Top Secret Configuration
Part of the installation is a bash script (ENWStss.sh). The script provides an automated configuration of CA Top Secret.
Before you launch the script, define a new facility in the CA Top Secret parameter file and tailor the following parameters in the parameter file ENWSInstallOptions.properties:
TSS_FACILITY=ENDEVOR
TOMCAT_USER=ENDEVOR
CAICCI_STC=WSEWSSTC
TSS_ACF_LOGINS=<path to the file that contains the list of user IDs that are granted Web Services access>
To launch the script, follow these steps:
  1. Start the TSO OMVS environment from the USS command prompt.
  2. From the OMVS command prompt, execute the following command to change to the install directory where the script ENWStss.sh resides:
    cd <USS install directory>/tpv
  3. Execute the following script:
    sh ENWStss.sh
After the script is finished, review the output messages from the security system on the screen.
Configure CA ACF2
If your site uses CA ACF2, configure CA ACF2 so that all authorized users can initiate WSEWSSTC correctly as a started task. To configure CA ACF2, you create an STC logon ID, verify that the data set access is correct, and define a resource class. This section is only a sample of how your site can set up security. For more information about setting up started task security, see your CA ACF2 documentation or contact Technical Support for CA ACF2.
Follow these steps:
  1. Create an STC logon ID named ENDEVOR for the WSEWSSTC started task by entering the following commands:
    ACF INSERT ENDEVOR NAME(ENDEVOR) STC
  2. Verify that the ENDEVOR logon ID is defined with site-specific logon ID fields such as those fields used to create the UID string.
  3. Verify that the ENDEVOR logon ID has access to all required data sets by writing CA ACF2 ACCESS rules for the logon ID.
  4. Define a resource class with the name FACILITY and assign a resource type code of FAC.
    1. Enter the following commands to create the CLASMAP record for the FACILITY resource class:
      ACF SET CONTROL(GSO) INSERT CLASMAP.FAC RESOURCE(FACILITY) RSRCTYP(FAC)
    2. Enter the following commands to add the FAC resource type code to the CA ACF2 GSO INFODIR record:
      SET CONTROL(GSO) CHANGE INFODIR TYPES(R-RFAC)
    3. Do one of the following to activate the CLASMAP and the INFODIR record change:
      • Restart the CA ACF2 address space.
      • Enter the following commands:
        F ACF2,REFRESH(CLASMAP)
        F ACF2,REFRESH(INFODIR)
  5. Create a FACILITY resource rule record with the name ENDEVOR and grant users access to this resource by issuing the following commands:
    ACF
    SET RESOURCE(FAC)
    COMPILE */pds.name
    $KEY(ENDEVOR) TYPE(FAC)
    UID(user1 uid string) ALLOW
    UID(user2 uid string) ALLOW
    .......
    STORE
  6. Enter the following command to rebuild the FAC directory:
    F ACF2,REBUILD(FAC)
Automate CA ACF2 Configuration
Part of the installation is a bash script (ENWSacf2.sh). The script provides an automated configuration of CA ACF2 by creating and submitting a job that accesses the ACF2 batch interface.
Before you launch the script, tailor the following parameters in the parameter file ENWSInstallOptions.properties:
TOMCAT_USER=ENDEVOR
TSS_ACF_LOGINS=<path to the file that contains the list of user IDs and their UID strings that are granted Web Services access>
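The per-user grants in step 5 of both the CA Top Secret and the CA ACF2 procedures above are driven by the same kind of list that TSS_ACF_LOGINS points at. The following POSIX shell functions, an added example and not part of the product's ENWStss.sh or ENWSacf2.sh scripts, generate those commands from such a list so they can be reviewed before anything is submitted; the file format (one user ID per line, followed by its ACF2 UID string where one applies, with `#` comment lines) is an assumption, as are the constructed user IDs and UID strings.

```shell
#!/bin/sh
# Added example: build the facility-access commands for Web Services users
# from a logins file. Assumed file format (not documented by the product):
#   userid [acf2-uid-string]   one entry per line; '#' lines and blanks ignored

LOGINS_FILE="${TMPDIR:-/tmp}/enws_logins.txt"
# Constructed sample input (user IDs and UID strings are made up)
cat > "$LOGINS_FILE" <<'EOF'
# userid  ACF2 UID string
USER1 SYSDEV*USER1
USER2 SYSQA**USER2
EOF

# Drop comment lines and blank lines from the logins file
active_entries() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF'
}

# CA Top Secret: one "TSS ADD(userid) FAC(facility)" per user (procedure step 5)
tss_facility_cmds() {
    facility="$1"; file="$2"
    active_entries "$file" | awk -v fac="$facility" \
        '{ printf "TSS ADD(%s) FAC(%s)\n", $1, fac }'
}

# CA ACF2: one FACILITY resource rule with an ALLOW line per UID string
# (procedure step 5); entries without a UID string are skipped
acf2_facility_rule() {
    facility="$1"; file="$2"
    printf 'ACF\nSET RESOURCE(FAC)\nCOMPILE *\n$KEY(%s) TYPE(FAC)\n' "$facility"
    active_entries "$file" | awk 'NF >= 2 { printf " UID(%s) ALLOW\n", $2 }'
    printf 'STORE\n'
}

# Number of users that will be granted access; a sanity check before submitting
user_count() {
    active_entries "$1" | wc -l | tr -d ' '
}
```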
To launch the script, follow these steps:
  1. Start the TSO OMVS environment from the USS command prompt.
  2. From the OMVS command prompt, execute the following command to change to the directory where the script ENWSacf2.sh resides:
    cd <USS install directory>/tpv
  3. Execute the following script:
    sh ENWSacf2.sh
After the script is finished, review the output messages from the security system on the screen.
Configure IBM RACF
This section provides basic instructions for customizing IBM RACF to allow the WSEWSSTC started task to initialize correctly. According to the RACF Security Administrator Guide, you can use one of the following methods to define a started task to RACF:
  • Define a new profile to the STARTED class (recommended by IBM)
  • Add an entry in the started procedures table (ICHRIN03)
Also assign a RACF user ID to the started task WSEWSSTC and assign the user ID to a RACF group authorized to initiate started procedures.
To define a RACF user ID for WSEWSSTC, use the ADDUSER command and associate it with your existing started task RACF group, as follows:
ADDUSER user_name DFLTGRP(default_group) OWNER(default_group) OMVS(AUTOUID) NOPASSWORD
  • user_name
    Specifies the name of the new RACF user ID. This name should be the same as the name of the started task member in your PROCLIB that Web Services uses.
  • default_group
    Specifies the default group that contains all system started tasks; for example, STCGROUP.
  • AUTOUID
    Specifies either AUTOUID or the UID number of an OMVS segment according to your RACF setup.
This command is only an example. For more information about using the ADDUSER command, about how to implement the RACF STARTED class or to modify the started task table (ICHRIN03), see your RACF administrator or the RACF documentation.
Automate IBM RACF Configuration
Part of the installation is a bash script (ENWSracf.sh). The script provides an automated configuration of IBM RACF.
Before you launch the script, tailor the following parameters in the parameter file ENWSInstallOptions.properties:
TOMCAT_USER=ENDEVOR
TOMCAT_GROUP=ENWGROUP
CAICCI_STC=WSEWSSTC
The script creates the user defined in TOMCAT_USER and asks whether RACF uses the STARTED class or the started procedures table (ICHRIN03). If RACF uses the STARTED class, the script adds TOMCAT_STC to the STARTED class. If RACF uses the started procedures table, the script stops, because you must edit the started procedures table manually.
To launch the script, follow these steps:
  1. Start the TSO OMVS environment from the USS command prompt.
  2. From the OMVS command prompt, execute the following command to change to the directory where the script ENWSracf.sh resides:
    cd <USS install directory>/tpv
  3. Execute the following script:
    sh ENWSracf.sh
After the script is finished, review the output messages from the security system on the screen.
Enable User Access to MODHLI Data Sets
To enable client programs to access the API, your security administrator may need to enable user access to MODHLI data sets. The CA Endevor administrator must determine the security requirements for MODHLI data sets.
Follow these steps:
  1. Ask your CA Endevor administrator whether MODHLI is coded in the CA Endevor C1DEFLTS table.
    • If the MODHLI value is coded, grant all user IDs access to all data sets with the MODHLI high-level qualifier (HLQ). This requirement applies under all security products, including RACF, CA Top Secret, and CA ACF2. For a client program to access the API, the user ID sent to CAICCI to spawn the pool STCs and the user IDs that issue requests to Web Services must have read/write access to these data sets. When MODHLI is coded, the data set names are built in the following format:
      modhli.Dyyddd.Thhmmss.STCnnnnn.ddname
      • STCnnnnn, ddname
        The job ID and ddname that form the unique qualifier for one of the nine API-related files (for example, APIMSGS or C1MSGS1).
    • If a MODHLI value is not coded, security is not affected, because the temporary data set names are built by the operating system with the standard temporary data set HLQ in the following format: SYSyyddd.Thhmmss.RA000.jobname.nnnnnn
  2. Configure your security software to grant all user IDs access to all data sets with the MODHLI high-level qualifier (HLQ), if the MODHLI value is coded in C1DEFLTS.
Enable Authority to Start the Tomcat Server
To enable an administrator to start the Tomcat server, their user ID must have access to specific JVM environment values used by the Tomcat Server. These values are set by your web services administrator. The security administrator grants access to these paths in your site security software.
Follow these steps:
  1. Ask your web services administrator what values are set for the following JVM environment values. The web services administrator sets these values in member WSTOMENV.
    INSTALL_HOME
    Specifies the location where Tomcat has been installed on the system. This should be based on the value of CCS_TOMCAT_DIR.
    PRODUCT_HOME
    Specifies the location where Web Services is implemented. This should be based on the value of TARGET_TOMCAT_DIR.
  2. Update your security software to enable the appropriate users to access the paths as follows:
    • Read access to the path defined in INSTALL_HOME.
    • Write access to the path defined in PRODUCT_HOME.