Procedures for system administrators to manage and use this product
This section provides an overview of the tasks of system administrators in CA VM:Secure. These tasks include:
- Ensuring that software requirements are met.
- Starting and stopping CA VM:Secure, including setting up startup options.
- General system security.
- Interfacing with other VM:Manager Suite products.
- Managing directories and disk space. However, this responsibility is usually delegated to designated directory managers...
- Releasing CA VM:Secure to directory managers and general users.
CA VM:Secure Directory and Disk Space Management
CA VM:Secure provides the following features for managing minidisks and directories:
- DASD Management: CA VM:Secure offers several commands and user exits to help manage DASD. You can easily accomplish common DASD management tasks, such as mapping volumes, defragmenting volumes, migrating volumes, and protecting minidisks from being scratched accidentally.
- Shared File Space Management: CA VM:Secure offers several commands and special comments to help manage shared file space. You can identify to CA VM:Secure the file pools and user storage groups you want it to manage, specify which directory managers can control allocations of shared file space, and then accomplish common SFS management tasks, such as enrolling user IDs in SFS, allocating space to user IDs, and migrating data from minidisks to SFS.
- Auditing: CA VM:Secure provides auditing for all its functions. If the Rules Facility is installed, auditing is also provided for all CP activity that the Rules Facility processes. Chronological reports by CP command are available, showing the reason for a rejection where appropriate. Additional reports display all directory maintenance activity. You can tailor these reports to display information in a format that suits your needs or that includes only the kinds of information you require.
- Configurable Authorizations: CA VM:Secure lets you authorize user IDs to use commands or parts of commands. For instance, you can authorize a user ID to use a command with only some of its options. You can also group user IDs or commands into lists. By using lists, you can use a single authorization record to give a set of command authorizations to multiple user IDs.
- Disaster Recovery: CA VM:Secure provides three utilities for disaster recovery of your directory from disk.
- Directory Profiles: You can change directory profiles with one CA VM:Secure command. You can also expand directory entries that contain directory profiles and edit the working directory entry.
- Access Control: CA VM:Secure monitors all access and attempted access to your system and tracks repeated invalid logon attempts by user ID and by terminal address. When the threshold of invalid logon attempts (which you set to suit your system security needs) is reached for either a particular user ID or a particular terminal address, CA VM:Secure prevents further access attempts through that user ID or terminal.
General System Security
CA VM:Secure provides basic security features to sites that are not running the CA VM:Secure Rules Facility. These features include:
- Password verification with other security systems: CA VM:Secure can examine the source directory to verify the logon passwords that users enter while executing CA VM:Secure commands. If passwords are managed by a separate External Security Manager (ESM) such as RACF, the command processor can call the CHKPASS user exit, which can ask the ESM to verify the password.
- Directory link statement verification: CA VM:Secure can verify a directory link to a virtual machine. You can also prevent users from defining directory links to sensitive or privileged user IDs, such as MAINT or OPERATOR.
- Minidisk link mode and password verification: CA VM:Secure can protect sensitive minidisks from harm by verifying changes made to a minidisk's access mode and link passwords.
- Logon password checking: CA VM:Secure lets you define standards for how many characters a password must have and which characters are allowed. The product can also force users to change their passwords on a regular schedule and prevent reuse of recently used passwords.
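The password standards in the last item above, together with the expiry and reactivation behaviour described under Password management and standardization further down this page, modelled in Python as an added example. This is not CA VM:Secure code, and the product's own configuration records are not shown on this page. The concrete values are assumptions: an 8 to 16 character length, a character set of upper-case letters, digits and @#$, a 90-day change interval and a five-password reuse window; the `require_reactivation` switch stands for the site option that makes a directory manager reactivate a user ID whose password has expired.

```python
"""Model of site-wide logon-password standards: length and character set,
scheduled change, reuse denial, and what happens at logon once a password
has expired.  Added example; the policy values are assumptions."""
from datetime import date, timedelta
from hashlib import sha256
import string


class PasswordPolicy:
    def __init__(self, min_len=8, max_len=16,
                 allowed=string.ascii_uppercase + string.digits + "@#$",
                 max_age_days=90, history_len=5, require_reactivation=False):
        self.min_len, self.max_len = min_len, max_len
        self.allowed = set(allowed)
        self.max_age = timedelta(days=max_age_days)
        self.history_len = history_len
        # Site option (assumed name): an expired password deactivates the
        # user ID until a directory manager reactivates it, instead of
        # prompting the user for a new password at logon.
        self.require_reactivation = require_reactivation

    @staticmethod
    def digest(password):
        # The reuse check only needs digests, so the history never stores a
        # cleartext that could itself be used to log on.
        return sha256(password.encode()).hexdigest()

    def check_candidate(self, candidate, history):
        """Return the standards a proposed password violates ([] = accepted).
        `history` holds digests of the user's recently used passwords."""
        problems = []
        if not self.min_len <= len(candidate) <= self.max_len:
            problems.append(f"length must be {self.min_len}-{self.max_len}")
        disallowed = sorted(set(candidate) - self.allowed)
        if disallowed:
            problems.append("characters not allowed: " + "".join(disallowed))
        if self.digest(candidate) in history[-self.history_len:]:
            problems.append(f"reuses one of the last {self.history_len} passwords")
        return problems

    def logon_status(self, last_changed, today):
        """OK: logon proceeds.  EXPIRED: the user must set a new password
        before the logon completes.  INACTIVE: a directory manager must
        reactivate the user ID before it can log on at all."""
        if today - last_changed <= self.max_age:
            return "OK"
        return "INACTIVE" if self.require_reactivation else "EXPIRED"


def remember(history, password, keep):
    """Record a newly set password's digest, keeping only the reuse window."""
    return (history + [PasswordPolicy.digest(password)])[-keep:]


def status_after(policy, days, last_changed=date(2024, 1, 1)):
    """Logon status `days` after the password was last changed."""
    return policy.logon_status(last_changed, last_changed + timedelta(days=days))


if __name__ == "__main__":
    policy = PasswordPolicy()
    hist = remember([], "ABC123XY", policy.history_len)
    print(policy.check_candidate("ABC123XY", hist))   # reuse of a recent password
    print(policy.check_candidate("short", hist))      # too short, lower-case letters
    print(policy.check_candidate("NEWPASS99", hist))  # [] : accepted
    print(status_after(policy, 91))                   # EXPIRED
    print(status_after(PasswordPolicy(require_reactivation=True), 91))  # INACTIVE
```

The reuse window is enforced on digests rather than on stored passwords, so the history file used for the check is not itself a list of working credentials if it is read by someone it should not be.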
CA VM:Secure System and Resource Management
The CA VM:Secure Rules Facility provides additional security for managing access to your system and its resources:
- Rules Facility: The Rules Facility provides complete rule-based security control. For more information, see the Rules Facility.
- Logon access control: With the Rules Facility, CA VM:Secure monitors invalid logon attempts and records them by user ID and terminal address. When the threshold you specify for invalid attempts is reached, the user ID or terminal is denied system access.
- Multiple layers of access control: CA VM:Secure verifies logon passwords, and it prevents a user ID or a terminal address from logging on if it has made too many invalid logon attempts. Even after a user ID is logged on, CA VM:Secure checks passwords before it processes most CA VM:Secure commands that user IDs can enter. Combined, these features provide several levels of control over your system. You determine the thresholds for access: for instance, you decide how many invalid logon attempts is too many for your system security needs, and you decide whether CA VM:Secure must check passwords before it processes commands that can affect your system resources.
- Password management and standardization: With CA VM:Secure, you can set systemwide standards that require users to change their system passwords at a set frequency. You can also set a minimum password length to make passwords harder to guess, and deny password reuse so that old passwords are of no consequence should they become known to other users. User IDs with expired passwords must enter new passwords before they can complete a system logon. You can also configure CA VM:Secure so that users with expired passwords must have their directory managers reactivate their user IDs. This feature lets you easily spot inactive user IDs or user IDs that do not use the system often.
- Delegated minidisk access control: If you have installed the Rules Facility, users can specify who can link to their minidisks. CA VM:Secure can force users to enter a password to link to a minidisk owned by another user, or you can selectively allow links to occur without passwords.
- Tape volume access control: The CA VM:Secure interface to the CA VM:Tape product lets users restrict who can access their tape volumes. You can add another level of tape security by configuring CA VM:Secure to require that users enter a password when they access a tape.
With the Rules Facility, CA VM:Secure monitors invalid logon attempts and records them by user ID and terminal address. Terminal addresses can identify logical devices (LDEV), TCP/IP IPv4 and IPv6 addresses, network IDs (NETID), or real terminals.
For TN3270 connected terminals, the IPv4 dotted decimal IP address or IPv6 colon hexadecimal IP address can be used to control access to the system.
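The invalid-logon threshold described under Logon access control above, and under Access Control in the feature overview, as an added Python model; it is not CA VM:Secure code. Each failed attempt is counted twice, once against the user ID and once against the terminal address, and either counter reaching the threshold blocks that key even when a later attempt carries the correct password. The threshold of 3, the audit records and the choice to clear a key's counter on a successful logon are assumptions; canonicalising IP terminal addresses (so that `2001:DB8::1`, its zero-padded spelling and the IPv4-mapped form of an IPv4 address each share one counter) is a design choice of this example, because the page says TN3270 terminals are identified by their IPv4 or IPv6 address and an attacker can vary how that address is written.

```python
"""Model of invalid-logon thresholds keyed by user ID and by terminal address.
Added example, not CA VM:Secure code; threshold and records are assumptions."""
from collections import defaultdict
import ipaddress

THRESHOLD = 3  # assumed site setting: how many invalid attempts is too many


def terminal_key(terminal):
    """Canonical form of a terminal address.  IPv4/IPv6 addresses are
    normalised (case, zero suppression, IPv4-mapped IPv6) so that one address
    spelled several ways shares one counter; LDEV, NETID and real device
    addresses are simply upper-cased."""
    try:
        ip = ipaddress.ip_address(terminal)
    except ValueError:
        return terminal.upper()
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    return (mapped or ip).compressed


class LogonGuard:
    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)  # ("USER", id) / ("TERM", addr) -> count
        self.blocked = set()

    def attempt(self, userid, terminal, password_ok):
        """Process one logon attempt: 'BLOCKED', 'ALLOWED' or 'FAILED'."""
        keys = (("USER", userid.upper()), ("TERM", terminal_key(terminal)))
        if any(k in self.blocked for k in keys):
            return "BLOCKED"  # locked user ID or terminal: password not even considered
        if password_ok:
            for k in keys:
                self.failures.pop(k, None)  # assumption: success clears the counter
            return "ALLOWED"
        for k in keys:
            self.failures[k] += 1
            if self.failures[k] >= self.threshold:
                self.blocked.add(k)
        return "FAILED"


# Constructed logon records: (user ID, terminal address, password correct?)
AUDIT = [
    ("ALICE", "2001:DB8::1", False),
    ("ALICE", "2001:0db8:0000:0000:0000:0000:0000:0001", False),  # same terminal
    ("BOB",   "2001:db8::1", False),      # third failure from that terminal: locked
    ("CAROL", "2001:DB8::1", True),       # right password, but the terminal is locked
    ("ALICE", "LDEV0041", False),         # ALICE's third failure: user ID locked
    ("ALICE", "10.0.0.7", True),          # right password, but the user ID is locked
    ("BOB",   "::ffff:10.0.0.7", False),  # counts against terminal 10.0.0.7
]


def replay(records, threshold=THRESHOLD):
    """Feed records through a fresh guard; return (decisions, guard)."""
    guard = LogonGuard(threshold)
    return [guard.attempt(u, t, ok) for u, t, ok in records], guard


if __name__ == "__main__":
    decisions, guard = replay(AUDIT)
    for (user, term, _), decision in zip(AUDIT, decisions):
        print(f"{decision:8} {user:6} from {term}")
    print("locked:", sorted(guard.blocked))
```

Keying the second counter on the canonical terminal address is what stops a single source from cycling through many user IDs with a small number of guesses each: in the replay, CAROL's correct password is refused because the terminal, not her user ID, has hit the threshold.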
If you use the CA resource accounting product (CA VM:Account), CA VM:Secure performs the following accounting functions:
- Passing all account number changes to CA VM:Account for validation. CA VM:Secure prevents users from charging consumed resources to invalid account numbers.
- When a user ID exceeds its CA VM:Account budget limits, CA VM:Secure can change the logon password to NOLOG in the CP source and object directory.
For more information about how CA VM:Secure works with CA VM:Account to validate account number changes, see the CA Mainframe VM Product Manager Product Interface Guide. For more information about how account numbers work with CA VM:Secure, see Assigning Account Numbers to User IDs.
Starting and Stopping the Product
You can start CA VM:Secure automatically at each system initialization or manually after your system is running.
Starting the Product Automatically
To start CA VM:Secure automatically when you initialize your z/VM system, include an XAUTOLOG command for the CA VM:Secure server virtual machine in the PROFILE EXEC of your AUTOLOG1 user ID.
For more information about installing and starting CA VM:Secure, see
Starting the Product Manually
Follow these steps to start CA VM:Secure manually (after your system is IPLed and is already running):
1. Enter the following command on the CA VM:Secure server console:
   IPL CMS
   You will see a prompt asking if you want to start CA VM:Secure.
2. Respond to the prompt by entering yes. When CA VM:Secure completes initialization, whether or not it was started through the prompts of Steps 1 and 2, it displays the following message:
   CA VM:Secure INITIALIZATION COMPLETE ON mm/dd/yy
3. Disconnect CA VM:Secure:
   #cp disconn
Changing the Startup Options
Startup options control how CA VM:Secure operates. You can change the options at any time. The CA VM:Secure service virtual machine implements the changes when it is next autologged.
To change startup options, use the VMSERVER command to update the definition in the VMSERVER NAMES file, as follows:
1. Log on to VMANAGER.
2. Issue this command:
   VMSERVER servername
   servername specifies the name of the product server virtual machine.
3. Add one or more options to the Server Startup Command tag, in any order. The options are listed in the following section.
4. File the changes with PF6. Press PF3 to exit the VMSERVER command.
For more information about changing startup options, see the CA Mainframe VM Product Manager Reference.
- AUDINV: Includes invalid passwords in the audit records. On CA VM:Secure, this option is not supported if you are using long password phrases. Note that an invalid password is frequently a mistyped form of the real one, so audit records written with AUDINV are themselves sensitive and should be protected accordingly.
- ALTVOL vaddr volume: Writes the CP object directory on an alternate volume. The variables vaddr and volume override the values specified on the DIRECT record in the PRODUCT CONFIG file, and the CP object directory is built on the specified device. CA VM:Secure terminates operation after initializing the directory on the alternate volume.
- SAVEDIR: Causes CA VM:Secure to do a source start and save the directory entries back to the product DRCT minidisk to reflect any changes to the entries. Use this option when a DEVTYPE record in the DASD CONFIG file has changed and you want the source directory entries to reflect what is being placed in the object directory.
- SOURCE: Uses the source directory database to rewrite the CP object directory at startup, even if no changes are detected in the source directory database. If you do not add the SOURCE option to the Server Startup Command tag, you can still use the option by entering SOURCE when the prompt appears.
Copyright Screen Display
A copyright screen appears the first time you use CA VM:Secure in any one logon session. The screen remains on your terminal for 15 seconds or until you press Enter.
When you have seen and cleared the copyright screen, you can prevent it from displaying again by renaming the VMSECURE COPYRGHT file located on the public minidisk.
Stopping the Product
Stop CA VM:Secure this way:                                       Use this command:
After active processes complete                                   END
Immediately, without waiting for active processes to complete
- As with all CA VM:Secure commands, you must prefix commands with VMSECURE if you issue them from a user ID other than the CA VM:Secure service virtual machine.
You can also end the product by using the z/VM CP SIGNAL SHUTDOWN command. To enable SIGNAL SHUTDOWN support, see the PRODUCT CONFIG file SIGNALSH record. To allow for customized logic during end processing, see the END User Exit. The END user exit is called for both the END command and SIGNAL SHUTDOWN.
Checking Activity Before Stopping
Before you stop CA VM:Secure, see who is using the system by entering the QPCB command. This command lists the currently active processes and the commands they are executing.
Occasionally a user ID has an active process that prevents either a graceful shutdown of CA VM:Secure, or a shutdown within a reasonable amount of time. When CA VM:Secure takes longer to stop than you think is reasonable after you enter the END command, check which user ID has a lock on an object. Object locks indicate that something is still processing.
You can check for activity by entering the QLOCK command. This command lists all commands that are holding locks, the kinds of locks they are holding, and the objects on which they are holding locks. To correlate these commands with the user IDs that are running them, enter the QPCB command described earlier and match the commands with the currently active processes that are executing them.
Effects of Forcing an Immediate Stop
When you force an immediate shutdown of CA VM:Secure without waiting for current processes to complete, you may cause errors in CA VM:Secure. For example, if a process that is modifying a minidisk definition is forced to terminate without completing, that minidisk may be incorrectly mapped. If this occurs, you can clear up these minidisks by reinitializing CA VM:Secure with the SOURCE startup option.
Effects of Stopping Abnormally
If you use the ABEND command to abnormally end CA VM:Secure, it terminates with an ABN001 abend. Following the abend, control returns to CMS with a return code of 200.
CA VM:Secure produces a dump according to your specifications on the DUMP record in the PRODUCT CONFIG file.
CA VM:Secure abends on its own if it encounters a severe operational error. Technical Support can often debug errors in the CA VM:Secure system by analyzing a dump from your product system. In some cases, however, an error occurs that is not severe enough to trigger an automatic abnormal termination, but is severe enough that a dump may be necessary to analyze the problem. In these cases, Technical Support may ask you to create a dump by terminating the product abnormally using the ABEND command.
Do not use the ABEND command to create a dump unless a critically unusual situation occurs and you need a dump of the CA VM:Secure system. For normal termination of CA VM:Secure operation, use the END command.
Recommendations for Releasing to Users
As a system administrator, you are responsible for designating directory managers. (You can also designate other system administrators, but doing so is not recommended.) You also define directory manager and user authorizations.
- Designate the CA Mainframe VM Product Manager user ID, VMANAGER, as the system administrator. Do so by giving VMANAGER authorization for all commands, utilities, and user exits. In the AUTHORIZ CONFIG file, add this record:
  GRANT * OVER *ALL TO VMANAGER
- You are the technical contact between your site and CA.
- Depending on the size and structure of your organization, designate one or more directory managers. CA VM:Secure allows you to define a directory manager for each group of users on the system. Directory managers can perform routine functions such as defining minidisks, authorizing resource sharing, and managing disk space. They must be familiar with skeleton files and subpools and with the user IDs they manage. Inform the directory managers to contact you when problems arise. Directory managers need access to parts of the Administrators documentation, along with the Directory Managers, Reference, and Messages documentation.
- If you are using SFS, designate SFS managers. SFS managers must be directory managers whose user IDs are using SFS. Any directory manager that manages user IDs that need SFS must also be an SFS manager.SFS managers need the same documentation as directory managers; they need no additional documentation.
- Provide general users with authorizations to the CA VM:Secure commands they use. Be sure that they know the names and user IDs of their directory managers.
- If the CA VM:Secure Rules Facility is installed, direct users to the Rules Facility.
- For more information about creating authorizations, see Authorizations.
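The list-based authorizations that the Configurable Authorizations feature describes, and the GRANT record for VMANAGER shown above, modelled in Python as an added example. This is not the product's AUTHORIZ CONFIG parser; it reads the one record on this page as "the grantee named after TO may issue the named commands over the target user IDs named after OVER", with `*` and `*ALL` standing for everything. The list names DIRMGRS and PAYROLL, the user IDs other than VMANAGER, and the REPORT command with its SUMMARY and DETAIL options are hypothetical; QPCB and QLOCK are the query commands described earlier on this page.

```python
"""Model of list-based command authorizations with option restrictions.
Added example, not the product's AUTHORIZ CONFIG parser; list names, most
user IDs, and the REPORT command and its options are hypothetical."""

WILDCARDS = {"*", "*ALL"}


class Authorizer:
    def __init__(self):
        self.lists = {}   # list name -> set of user IDs or command names
        self.grants = []  # (commands, targets, grantees, options); None = any

    def define_list(self, name, members):
        """Name a group of user IDs or commands for use in grant records."""
        self.lists[name.upper()] = {m.upper() for m in members}

    def _expand(self, spec):
        """One name or several -> set of names, with list names replaced by
        their members.  Returns None when a wildcard means 'everything'."""
        items = [spec] if isinstance(spec, str) else list(spec)
        names = set()
        for item in items:
            item = item.upper()
            if item in WILDCARDS:
                return None
            names |= self.lists.get(item, {item})
        return names

    def grant(self, commands, over, to, options=None):
        """One authorization record: `to` may issue `commands` over the user
        IDs in `over`.  options=None allows every option of the command;
        otherwise only the listed options (a part of the command) are allowed."""
        opts = None if options is None else {o.upper() for o in options}
        self.grants.append((self._expand(commands), self._expand(over),
                            self._expand(to), opts))

    def allowed(self, user, command, target, options=()):
        """True if some single record authorizes exactly this request."""
        user, command, target = user.upper(), command.upper(), target.upper()
        wanted = {o.upper() for o in options}
        for cmds, targets, grantees, opts in self.grants:
            if ((cmds is None or command in cmds)
                    and (targets is None or target in targets)
                    and (grantees is None or user in grantees)
                    and (opts is None or wanted <= opts)):
                return True
        return False


def build_sample():
    auth = Authorizer()
    auth.define_list("DIRMGRS", ["DMGR1", "DMGR2"])  # hypothetical directory managers
    auth.define_list("PAYROLL", ["PAY01", "PAY02"])  # hypothetical user IDs they manage
    auth.grant("*", over="*ALL", to="VMANAGER")      # the record shown on this page
    auth.grant(["QPCB", "QLOCK"], over="*ALL", to="DIRMGRS")
    # Directory managers get only the SUMMARY form of the (hypothetical)
    # REPORT command, and only over the user IDs in their own list.
    auth.grant("REPORT", over="PAYROLL", to="DIRMGRS", options=["SUMMARY"])
    auth.grant("REPORT", over="*ALL", to="AUDITOR", options=["SUMMARY", "DETAIL"])
    return auth


if __name__ == "__main__":
    auth = build_sample()
    for req in [("VMANAGER", "ABEND", "MAINT", ()),
                ("DMGR1", "QLOCK", "MAINT", ()),
                ("DMGR2", "REPORT", "PAY01", ("SUMMARY",)),
                ("DMGR2", "REPORT", "PAY01", ("DETAIL",)),   # option not granted
                ("DMGR2", "REPORT", "MAINT", ("SUMMARY",)),  # target outside PAYROLL
                ("PAY01", "END", "PAY01", ())]:
        print(auth.allowed(*req), req)
```

Two records cover all directory managers because the grantee is a list, which is the point the feature description makes about using one authorization record for many user IDs; the option set on a record is what lets a manager run part of a command without the whole of it.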