JES2 uses the system authorization facility (SAF) to pass security information about jobs and resources to CA Top Secret. CA Top Secret makes access decisions based on information in its databases and passes its decision back to JES2.
Support for MLS
The following is supported when MLS is active on an CA Top Secret system:
- Control the use of JES2 operator commands
- Control access to JES2 spool data sets
- Control access to JES2 system data sets
- Audit the use of all JES2 operator commands and access to JES2 data sets
- Control submission of jobs through JES2 input devices
- Restrict jobs to specific systems based on security labels
In addition, CA Top Secret provides additional support beyond MLS requirements. You can control what data is output to a particular device and restrict certain users to specific output devices.
Certain JES2 functions should not be permitted in an MLS system when certain MLS options have been activated. The following restrictions apply when MLS is active on an CA Top Secret system:
- The network job entry (NJE) and remote job entry (RJE) functions can be used, but they must be configured properly.
- The only permissible output devices should be page printers, controlled by the Print Services Facility (PSF), and operated in deferred-printing mode, and line printers, operated as single-label devices, and labeled through procedural means.
- No site-written routines should be permitted in JES2 libraries, nor should modifications to JES2 routines be permitted.
- Entry of system commands through the input job stream is controlled by acid, just as when commands are entered from an operator console.
- Do not use the JES2 spool offload facility
This checklist describes the software configuration requirements when MLS is active on an CA Top Secret system.
Control the use of JES2 operator commands
Protect JES2 Spool Data Sets
Define acid for JES2 started task
Assign security label SYSMULTI to the JES2 started task ID
Define access rules for JES2 started task
Control job input
Configure Network Job Entry (NJE) and Remote Job Processing (RJP)
Restrict jobs to specific systems
Controlling the Use of JES2 Commands
The security administrator must be able to audit all JES2 commands in an MLS system. It is also necessary to control who can issue commands, since it is possible to issue commands not only from an operator console, but also from batch JCL. In either case, access is validated based on the acid associated with the job.
To control JES2 commands and provide an audit trail for all JES2 commands:
- Enable the protection of operator commands
- Write resource rules to protect JES2 commands
JES2 Command Resource Names
JES2 commands have resource names that follow the example below:
- jesnameThe name of the JES2 system requesting the command validation
- commandThe name of the JES2 command
- qualifierThe type of object the command specifies, such as JOB or SYS.
See the IBM z/OS
JES2 Initialization and Tuning Guideto determine the resource name of the JES2 command. It provides a list of JES2 commands, their resource names, and the SAF access level required to issue the command.
jobname' command has the following resource name:
A user requires UPDATE access to issue the command.
Protecting JES2 Spool Data Sets
JES2 maintains data sets in the JES2 spool. Some of these data sets are JES2 system and user data sets. Others contain SYSIN and SYSOUT data for jobs in the system. This section describes how to protect the following types of JES2 spool data sets:
- SYSIN and SYSOUT data sets
- JESNEWS data set
- SYSLOG data set
- System data sets (trace and checkpoint data sets)
In order for any users to read or update classified JES2 spool data sets in an MLS system, their security labels must dominate the security labels of the spool data sets they are trying to access.
Protection for SYSIN and SYSOUT Data Sets
MLS protection mechanisms for JES2 SYSIN (for the job's input) and SYSOUT (for the job's output) data sets allow access to them only by the user who created the data sets. The user can also allow other users access.
When the MLS option to protect write-down is active, the system assigns the SYSIN and SYSOUT data sets the same label as the job. The subject that submits the job can access these data sets if their security label dominates the job's security label.
While a job executes, JES2 creates SYSIN and SYSOUT data sets using the following naming conventions: