Interactive System Productivity Facility (ISPF)
ISPF/Program Development Facility (PDF) is an optional component in an MLS system configuration. In particular, CA Examine uses ISPF services to display and control its dialogs. If you are using CA Examine in an MLS system, you must also install ISPF/PDF.
Executed under a TSO/E subsystem session as an unauthorized program, ISPF is a dialog manager. A dialog is a “conversation” between a person using an interactive display terminal and a computer executing a program for a particular application.
Support for MLS
The following is supported when MLS is active on a CA Top Secret system:
- ISPF/PDF provides services for dialogs to support full screen panels, message display, table storage, and skeleton JCL use.
- ISPF dialogs can be written in many programming languages and scripting languages (CLIST and REXX). ISPF/PDF provides a subroutine call for these languages to use the ISPF dialog services.
- ISPF/PDF provides a set of utility dialogs to: browse, edit, allocate, rename, delete, copy, move, print, compare, and list files.
Restricting Jobs to Specific Systems
A security administrator can restrict security labels to specific systems in a sysplex by defining each security label so that it can be used only on the systems for which it has been defined. To do this, specify one or more system IDs in the SYSID field of the SECLABEL Record and activate the MLSECBYS control option.
Note: If the SYSID field is excluded from the record, then the security label can be used on all systems.
When a security label is restricted to one or more systems, JES2 will ensure that a job that is using the security label is executed only on a system on which that security label is defined and active. This allows sharing of the CA Top Secret databases in a sysplex while keeping work segregated to different systems. If the security label of a job is not defined and active on any system, the job will remain in the conversion phase.
If necessary, you can review more information about defining and using system-specific security labels. For more information about the conversion phase in JES2 processing, see the IBM
If ISPF/PDF is used, the following restrictions apply when MLS is active on a CA Top Secret system:
- Do not make ISPF APF authorized
- Protect ISPF administration libraries
- Do not install ISPF session manager exits
This checklist describes the software configuration requirements when MLS is active on a CA Top Secret system.
Protecting ISPF Administration Libraries
It is typical for users to concatenate their own ISPF CLIST, panel, skeleton, and message libraries, in order to tailor the way ISPF works to meet their needs. In most cases, this is perfectly acceptable in an MLS configuration. There is, however, one case when it is not acceptable. This is when a security administrator is using the CA Top Secret ISPF panels to administer security. In this case, the ISPF libraries and the CA Top Secret ISPF libraries must be concatenated in front of any user libraries.
This example shows how the concatenation of the ISPF libraries and the CA Top Secret ISPF libraries would look in the JCL of a TSO LOGON procedure:
//ISPPLIB  DD DSN=ISP.V3R5M0.ISPPENU,DISP=SHR     ISPF panels
//         DD DSN=ISP.V3R5M0.ISRPENU,DISP=SHR     PDF panels
//         DD DSN=CAI.CAISPP,DISP=SHR             <TSS> panels
//         DD ...                                 User panels
//*
//ISPMLIB  DD DSN=ISP.V3R5M0.ISPMENU,DISP=SHR     ISPF messages
//         DD DSN=ISR.V3R5M0.ISRMENU,DISP=SHR     PDF messages
//         DD DSN=CAI.CAISPM,DISP=SHR             <TSS> messages
//         DD ...                                 User messages
//*
//ISPSLIB  DD DSN=ISP.V3R5M0.ISPSENU,DISP=SHR     ISPF skeletons
//         DD DSN=ISR.V3R5M0.ISRSENU,DISP=SHR     PDF skeletons
//         DD DSN=CAI.CAISPS,DISP=SHR             <TSS> skeletons
//         DD ...                                 User skeletons
//*
//ISPTLIB  DD DSN=ISP.V3R5M0.ISPTENU,DISP=SHR     ISPF tables
//         DD DSN=ISP.V3R5M0.ISRTENU,DISP=SHR     PDF tables
//         DD ...                                 User tables
//*
//SYSPROC  DD DSN=ISR.V3R5M0.ISRCLIB,DISP=SHR     PDF CLISTs
//         DD DSN=CAI.CAICLIB,DISP=SHR            <TSS> CLISTs
//         DD ...                                 User CLISTs
//*
These libraries must be protected with CA Top Secret access rules so that only system maintenance personnel can update them. In an MLS system, if the option to require security labels is activated, they should be labeled SYSLOW so that they are accessible to all users.
Note: If CA Examine is included in the configuration, the CA Examine libraries must also be concatenated before any user libraries. See the Protect CA-Examine Libraries section for an example of the library concatenations with CA-Examine.
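The ordering rule above can be checked mechanically. The following Python sketch is an added example, not part of the CA Top Secret documentation: it parses the DD concatenations of a LOGON procedure and reports any system library that is searched after a user library. The trusted high-level qualifiers (taken from the example data set names above), the USER01 data sets, and the sample procedure are assumptions constructed for illustration.

```python
import re

# DD names concatenated in the page's TSO LOGON procedure example.
AUDITED_DDS = {"ISPPLIB", "ISPMLIB", "ISPSLIB", "ISPTLIB", "SYSPROC"}
# Assumption: system libraries are recognised by these high-level qualifiers.
TRUSTED_HLQS = ("ISP.", "ISR.", "CAI.")

DD_RE = re.compile(r"^//(\S*)\s+DD\s+(\S+)")
DSN_RE = re.compile(r"(?:DSN|DSNAME)=([^,\s]+)")

def parse_concatenations(jcl):
    """Return {ddname: [data set names in search order]}."""
    dds, current = {}, None
    for line in jcl.splitlines():
        m = DD_RE.match(line)
        if line.startswith("//*") or not m:   # comment or non-DD statement
            continue
        name, operands = m.groups()
        if name:                  # a named DD starts a new concatenation
            current = name
            dds[current] = []
        dsn = DSN_RE.search(operands)
        if current and dsn:       # unnamed DDs extend the current one
            dds[current].append(dsn.group(1).upper())
    return dds

def audit(jcl):
    """Return (ddname, user_dsn, system_dsn) for each system library
    searched after a user library in an audited DD."""
    findings = []
    for dd, dsns in parse_concatenations(jcl).items():
        first_user = None
        for dsn in dsns if dd in AUDITED_DDS else []:
            if not dsn.startswith(TRUSTED_HLQS):
                first_user = first_user or dsn
            elif first_user:
                findings.append((dd, first_user, dsn))
    return findings

# Constructed sample: USER01 panels sit ahead of the <TSS> panels in ISPPLIB.
SAMPLE_PROC = """\
//LOGON    EXEC PGM=IKJEFT01
//ISPPLIB  DD DSN=ISP.V3R5M0.ISPPENU,DISP=SHR     ISPF panels
//         DD DSN=USER01.ISPF.PANELS,DISP=SHR     User panels
//         DD DSN=CAI.CAISPP,DISP=SHR             <TSS> panels
//*
//SYSPROC  DD DSN=ISR.V3R5M0.ISRCLIB,DISP=SHR     PDF CLISTs
//         DD DSN=CAI.CAICLIB,DISP=SHR            <TSS> CLISTs
//         DD DSN=USER01.CLIST,DISP=SHR           User CLISTs
"""
```

Calling audit(SAMPLE_PROC) reports the ISPPLIB concatenation and nothing for SYSPROC. The check covers the DD statements in the procedure text only, so libraries allocated later in the session are outside its scope.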
Note: Do Not Install ISPF Session Manager Exits. ISPF includes exit routines for SVC 93 (TGET/TPUT/TPG) and SVC 94 (STCC) to allow the session manager to be invoked under ISPF, instead of the more usual case of invoking ISPF under the session manager. These exits should not be installed in an MLS environment. For more information about these exits, see the IBM z/OS TSO/E Customization manual.
Configuring Network Job Entry (NJE) and Remote Job Processing (RJP)
If you want to successfully use NJE and RJP in a CA Top Secret MLS system, configure them as follows:
- Assign a security label and write resource rules for each NJE and RJP input device in the JESINPUT resource class. NJE or RJP input devices are not multi-label devices; they can only handle data with the same security label. All work coming to a JES2 input device is assumed to have the same security label as the JES2 in