z/OS MVS uses the IBM System Authorization Facility (SAF) as an interface to all external security products such as CA Top Secret. SAF uses the MVS router to process the security calls. CA Top Secret uses the information stored in its database to make a recommendation to the program making the security call. The program must act on the recommendation of CA Top Secret.
Support for MLS
The following is supported when MLS is active on a CA Top Secret system:
  • CA Top Secret controls access to data sets and resources in a z/OS MVS system based on access and resource rules and security labels assigned to those data sets and resources.
  • Only users identified in CA Top Secret can access a z/OS MVS system.
The following restrictions apply when MLS is active on a CA Top Secret system:
  • User-written exits or modifications should be removed from the system.
    The system may still function if these exits and modifications have not been removed; however, depending on the options that have been set to establish the MLS environment, the results may compromise an MLS system.
  • Do not allow operation of the system console in problem determination mode.
  • Do not allow remote APPC/MVS transactions or remote logical units, APPC/MVS servers, or multi-trans APPC/MVS transaction programs (TPs).
  • Some modules shipped with z/OS MVS and resident in link list or LPA libraries implement features that should not be allowed in an MLS system. To disable these features, move these modules to other, non-APF authorized libraries or delete them:
    • CIPOPRT: This 3800 offline utility should be moved out of SYS1.LINKLIB.
    • MVSSERV: This client-server platform should be moved out of SYS1.LPALIB.
Configuration Checklist
This checklist describes the software configuration requirements when MLS is active on a CA Top Secret for z/OS MVS system.
  • Force console operators to log on before issuing commands
  • Modify the CONSOLxx member of SYS1.PARMLIB
  • Create acid records for all operators
  • Assign security labels to console operators
  • Define console source controls (optional)
  • Write resource rules to control console access
  • Write resource rules for operator commands
  • Configure SCHEDxx for data set protection
  • Specify SMF controls
  • Provide an audit trail for accesses to protected objects using operator commands
  • Protect critical data sets
  • Write access rules
  • Assign security labels to critical data sets
  • Protect UNIX files and directories
  • Assign security labels to UNIX files and directories
  • Protect resources
  • Identify and classify users on the system
  • Create acids for users
  • Assign security labels to users
  • Establish JCL standards
  • Define acids for MVS started tasks
  • Define resource rules for LLA started task
  • Define access rules for BLSJPRMI started task
  • Make sure SMS is active in IEFSSNxx
  • Move forbidden modules out of system libraries
Forcing Log On
Console operators are considered trusted users. It is assumed that anyone with physical access to operator consoles is cleared to the label of all data on the system. However, the actions of console operators must be audited so that a specific action can be traced to a specific console operator. In order to ensure accountability, operators must sign on to operator consoles and undergo identification and authentication. Before signing on, they are able to view message traffic on the consoles, but they can issue no commands.
To force operators to sign on before issuing commands, you must do the following:
  • Modify the CONSOLxx member of SYS1.PARMLIB
  • Create acid records for console operators
  • Assign security labels to console operators
  • Define console source controls (optional)
Modifying the CONSOLxx Member of SYS1.PARMLIB
You must specify LOGON(REQUIRED) on the DEFAULT statement in the CONSOLxx member of SYS1.PARMLIB. This forces users to undergo identification and authentication checks before entering commands through an operator console. The following exceptions apply:
  • Operators can issue commands from the master console before CA Top Secret is active.
  • Operators can issue the VARY MSTCONS command from any console before CA Top Secret is active. This command allows an operator to define the master console be
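A check for the LOGON(REQUIRED) requirement on the DEFAULT statement described above, as an added example that is not part of the CA Top Secret or IBM documentation. It audits an offline copy of the CONSOLxx member; the parser is simplified (it assumes data in columns 1-71, /* */ comments, and a statement type as the first token on a line), and the sample members are constructed.

```python
import re

STATEMENT_TYPES = ("INIT", "DEFAULT", "HARDCOPY", "CONSOLE")

def parse_consolxx(text):
    """Split CONSOLxx text into (statement_type, {KEYWORD: value}) pairs."""
    # Assumption: data sits in columns 1-71 and comments are /* ... */.
    body = "\n".join(line[:71] for line in text.splitlines())
    body = re.sub(r"/\*.*?\*/", " ", body, flags=re.S).upper()
    statements = []
    for line in body.splitlines():
        tokens = re.findall(r"[A-Z0-9$#@_]+(?:\([^)]*\))?", line)
        # Assumption: a statement type is the first token on its line;
        # any other line continues the statement opened above it.
        if tokens and tokens[0] in STATEMENT_TYPES:
            statements.append((tokens.pop(0), {}))
        if statements:
            for token in tokens:
                keyword, _, value = token.partition("(")
                statements[-1][1][keyword] = value.rstrip(")").strip()
    return statements

def audit_logon(text):
    """Return findings; an empty list means DEFAULT LOGON(REQUIRED) is set."""
    defaults = [kw for stype, kw in parse_consolxx(text) if stype == "DEFAULT"]
    if not defaults:
        return ["no DEFAULT statement: LOGON(REQUIRED) is not specified"]
    findings = []
    for keywords in defaults:
        value = keywords.get("LOGON")
        if value is None:
            findings.append("DEFAULT statement has no LOGON keyword")
        elif value != "REQUIRED":
            findings.append(f"DEFAULT LOGON({value}) should be LOGON(REQUIRED)")
    return findings

# Constructed sample members (not taken from any real system).
WEAK = """\
INIT     CMDDELIM(;)               /* constructed sample */
DEFAULT  ROUTCODE(ALL)
         LOGON(OPTIONAL)
CONSOLE  DEVNUM(0700) NAME(CON1) AUTH(MASTER)
"""
HARDENED = WEAK.replace("LOGON(OPTIONAL)", "LOGON(REQUIRED)")

if __name__ == "__main__":
    for name, member in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_logon(member) or "OK")
```

A LOGON(REQUIRED) that appears only inside a comment is not counted, because comments are stripped before the keywords are read.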