JES3 (or JES3
) uses the system authorization facility (SAF) to pass security information about jobs and resources to CA Top Secret. CA Top Secret makes access decisions based on information in its databases and passes its decision back to JES3.
Support for MLS
The following is supported when MLS is active on an CA Top Secret system:
  • Control the use of JES3 operator commands
  • Control access to JES3 spool data sets
  • Control access to JES3 system data sets
  • Audit the use of all JES3 operator commands and access to JES3 data sets
  • Control submission of jobs through JES3 input devices
In addition, CA Top Secret provides additional support beyond MLS requirements. You can control what data is output to a particular device and restrict certain users to specific output devices.
Certain JES3 functions should not be permitted in an MLS system when certain MLS options have been activated. The following restrictions apply when MLS is active on an CA Top Secret system:
  • The network job entry (NJE) and remote job entry (RJE) functions can be used, but they must be configured properly.
  • The only permissible output devices should be page printers, controlled by the PSF, and operated in deferred-printing mode, and line printers, operated as single-label devices, and labeled through procedural means.
  • No site-written routines should be permitted in JES3 libraries, nor should modifications to JES3 routines be permitted.
  • Entry of system commands through the input job stream is controlled by acid, just as when commands are entered from an operator console.
  • JES3 does not support isolating work to specific systems based on a security label
Configuration Checklist
This checklist describes the software configuration requirements when MLS is active on an CA Top Secret system.
Control the use of JES3 operator commands
Protect JES3 Spool Data Sets
Define acid for JES3 started task
Assign security label SYSMULTI to the JES3 started task ID
Define access rules for JES3 started task
Control Job Input
Configure Network Job Entry (NJE) and Remote Job Processing (RJP)
Controlling the Use of JES3 Commands
The security administrator must be able to audit all JES3 commands in an MLS system. It is also necessary to control who can issue commands, since it is possible to issue commands not only from an operator console, but also from batch JCL. In either case, access is validated based on the acid associated with the job. To control JES3 commands and provide an audit trail for all JES3 commands, do the following:
  • Enable the protection of operator commands
  • Write resource rules to protect JES3 commands
JES3 Command Resource Names
JES3 commands have resource names that follow the example below:
  • jesname
    The name of the JES3 system requesting the command validation
  • command
    The name of the JES3 command
  • qualifier
    The type of object the command specifies, such as JOB or SYS.
See the IBM z/OS
JES3 Initialization and Tuning Guide
to determine the resource name of the JES3 command. It provides a list of JES3 commands, their resource names, and the SAF access level required to issue the command.
The $C'
' command has the following resource name:
A user requires UPDATE access to issue the command. Here are some sample rules to protect JES3 commands:
The following permit allows system operator OPER1 to issue any JES3 commands, but CA Top Secret creates a log record for each JES3 command issued.
TSS PER(oper1) OPERCMDS(*all*) ACTION(audit)
You could create more specific entries in the permit to establish a finer control over the operators issuing JES3 commands.
The following rule lets OPER1 cancel jobs
Protecting JES3 Spool Data Sets
JES3 maintains data sets in the JES3 spool. Some of these data sets are JES3 system and user data sets. Others contain SYSIN and SYSOUT data for jobs in the system. This section describes how to protect the following types of JES3 spool data sets:
  • SYSIN and SYSOUT data sets
  • JESNEWS data set
  • SYSLOG data set
  • System data sets (trace and checkpoint data sets)
In order for any users to read or update classified JES3 spool data sets in an MLS system, their security labels must dominate the security labels of the spool data sets they are trying to access.
Protection for SYSIN and SYSOUT Data Sets