CA Top Secret
The following is supported when MLS is active on an CA Top Secret system:
- MAC protection
- DAC protection
- Object reuse protection
- Identification and authentication
If you are running any of the following software, it must meet the following minimum requirements to run concurrently with CA Top Secret:
- CA Top Secret Security Option for DB2 r1.2
- CICS/ESA Release 4.1 (includes CICS Transaction Server for z/OS and OS/390 Version 1 Release 1)
- IMS/ESA Version 6 Release 1
- CA Common Services for z/OS r1, Genlevel 9901
If your site shares DASD, the following restrictions apply:
- All z/OS systems must be operating at z/OS 1.5 or higher
- z/OS MLS systems should not share DASD with systems that are not MLS
- All z/OS MLS systems must share the same CA Top Secret databases
- All z/OS MLS systems in the global resource serialization complex must be the same set of z/OS systems that are sharing the CA Top Secret databases
- The JES2 complex must be the same set of z/OS systems that are sharing the CA Top Secret databases or a subset of these systems
This checklist describes the software configuration requirements when MLS is active on an CA Top Secret system.
Provide DAC controls
DAC control mechanisms
Provide accountability controls
Do not use UADS
Identify all system users to CA Top Secret
Do not reuse acids
Define required acids
Identify users with special privileges
Specify PSWD control options
Provide MLS controls
Define the MLS control options
Define MLS SECLEVEL Records
Define MLS CATEGORY Records
Define MLS SECLABEL Records
Assign Security Labels to Users
Assign Security Labels to Objects
Assign Security Labels to DB2 Objects
Protect object reuse
DAC Control Mechanisms
CA Top Secret provides several mechanisms to achieve DAC controls. Global control options establish site options for your CA Top Secret system. The security administrator must ensure that the system provides controlled access to data sets using ownership and permissions.
Providing Accountability Controls
This section describes the following identification and authentication controls that you should configure in an MLS system:
- Do not use the user attribute data set (UADS)
- Identify all system users to CA Top Secret
- Do not reuse acids
- Define required acids
- Identify users with special privileges
- Specify password control options
Do Not Use UADS
If your site is currently using UADS, CA Top Secret provides a conversion utility.
Identifying All System Users
A security administrator must create a unique acid record for each system user. The account manager assigns various privileges to each user based on the tasks the user must perform.
Do Not Reuse Acids
Acids should never be reissued to different people. When this is done, it makes it very difficult to determine from security logs who the person responsible for an action was and it then becomes necessary to keep a log of who owned each acid at various times. This is error-prone, and can be avoided by simply not reissuing acids.
Defining Required Acids
You should define the following CA Top Secret acids that are used by system-started tasks: INIT, JES2 or JES3, LLA, VLF and other system address spaces.
In addition, you should assign security label, SYSHIGH, to each of these acids by adding the seclabel to the acid record.
Providing MLS Controls
This section describes the required settings of the following MLS records:
- Define the MLS control options