Administrators

Procedures for system administrators to manage and use this product
This section provides an overview of the tasks of system administrators in CA VM:Secure. These tasks include:
  • Ensuring that software requirements are met.
  • Starting and stopping CA VM:Secure, including setting up startup options.
  • General system security.
  • Interfacing with other VM:Manager Suite products.
  • Managing directories and disk space. However, this responsibility is usually delegated to designated directory managers...
  • Releasing CA VM:Secure to directory managers and general users.
 
CA VM:Secure Directory and Disk Space Management

CA VM:Secure provides the following features for managing minidisks and directories:
  • DASD Management
    CA VM:Secure offers several commands and user exits to help manage DASD. You can easily accomplish common DASD management tasks, such as mapping volumes, defragmenting volumes, migrating volumes, and protecting minidisks from being scratched accidentally.
  • Shared File Space Management
    CA VM:Secure offers several commands and special comments to help manage shared file space. You can easily identify to CA VM:Secure the file pools and user storage groups you want it to manage; specify which directory managers can control allocations of shared file space; and then accomplish common SFS management tasks, such as enrolling user IDs in SFS, allocating space to user IDs, and migrating data from minidisks to SFS.
  • Auditing
    CA VM:Secure provides auditing for all its functions. If the Rules Facility is installed, auditing is provided for all CP activity that the Rules Facility processes. Chronological reports by CP command are available, showing the reason for the rejection where appropriate. Additional reports display all directory maintenance activity. You can tailor these reports to display information in a format that suits your needs or that includes only the kinds of information you require.
  • Configurable Authorizations
    CA VM:Secure lets you authorize user IDs to use commands or parts of commands. For instance, you can authorize a user ID to use a command with only some of its options. You can also group user IDs or commands into lists. By using lists, you can use a single authorization record to give a set of command authorizations to multiple user IDs.
  • Disaster Recovery
    CA VM:Secure provides three utilities for disaster recovery of your directory from disk.
  • Directory Profiles
    You can easily change directory profiles with one CA VM:Secure command. You can also expand directory entries that contain directory profiles and edit the working directory entry.
  • Access Control
    CA VM:Secure monitors all access and attempted access to your system and tracks repeated invalid logon attempts to user IDs and terminal addresses. When a threshold (that you specify to suit your system security needs) of invalid logon attempts to either a particular user ID or a particular terminal address is reached, CA VM:Secure prevents further attempts at access through that user ID or terminal.
General System Security

CA VM:Secure provides basic security features to sites that are not running the CA VM:Secure Rules Facility. These features include:
  • Password verification with other security systems
    CA VM:Secure can examine the source directory to verify logon passwords that users enter while executing CA VM:Secure commands. If the password is managed by a separate External Security Manager (ESM) product such as RACF, the command processor can call the CHKPASS User Exit, which can ask the ESM to verify the password.
  • Directory link statement verification
    CA VM:Secure can verify a directory link to a virtual machine. You can also prevent users from defining directory links to sensitive or privileged user IDs, such as MAINT or OPERATOR.
  • Minidisk link mode and password verification
    CA VM:Secure can secure sensitive minidisks from harm by verifying changes made to a minidisk's access mode and link passwords.
  • Logon password checking
    CA VM:Secure lets you define standards for how many characters a password can have and which characters are allowed. The product can also force users to change their passwords on a regular schedule and prevent reuse of recently used passwords.
CA VM:Secure System and Resource Management
The CA VM:Secure Rules Facility provides additional security for managing access to your system and its resources:
  • Rules Facility
    The Rules Facility provides complete rule-based security control. For more information, see the Rules Facility.
  • Logon access control
    With the Rules Facility, CA VM:Secure monitors invalid logon attempts and records them by user ID and terminal address. When a threshold you specify for invalid attempts is reached, the user or terminal is denied system access.
  • Multiple layers of access control
    CA VM:Secure verifies logon passwords and prevents a user ID or a terminal address from logging on if it has made too many invalid logon attempts. Even after a user ID is logged on, CA VM:Secure checks passwords before it processes most CA VM:Secure commands that user IDs can enter. Combined, these features provide several levels of control to your system.
    You determine the thresholds for access. For instance, you decide how many invalid logon attempts are too many for your system security needs. Additionally, you decide whether CA VM:Secure needs to check passwords before it processes commands that can affect your system resources.
  • Password management and standardization
    With CA VM:Secure, you can set systemwide standards that require users to change their system passwords at a set frequency. You can also set a minimum password length to make passwords more difficult to decipher, and deny password reuse so that old passwords are of no consequence should they become known to other users.
    User IDs with expired passwords must enter new passwords before they can complete a system logon. You can also configure CA VM:Secure so that users with expired passwords must have their directory managers reactivate their user IDs. This feature lets you easily spot inactive user IDs or user IDs that do not use the system often.
  • Delegated minidisk access control
    If you have installed the Rules Facility, users can specify who can link to their minidisks. CA VM:Secure can force users to enter their passwords to link to a minidisk owned by another user, or you can selectively allow links to occur without passwords.
  • Tape volume access control
    The CA VM:Secure interface to the CA VM:Tape product allows users to restrict who can access their tape volumes. You can add another level of tape security by configuring CA VM:Secure to require that users enter a password when they access a tape.
Terminal Addresses
With the Rules Facility, CA VM:Secure monitors invalid logon attempts and records them by user ID and terminal address. Terminal addresses can identify logical devices (LDEV), TCP/IP IPv4 and IPv6 addresses, network IDs (NETID), or real terminals.
For TN3270 connected terminals, the IPv4 dotted decimal IP address or IPv6 colon hexadecimal IP address can be used to control access to the system.
Interface with CA VM:Account

If you use the CA resource accounting product, CA VM:Account, CA VM:Secure performs the following accounting functions:
  • Passing all account number changes to CA VM:Account for validation. CA VM:Secure prevents users from charging resources consumed to invalid account numbers.
  • When user IDs exceed the CA VM:Account budget limits, CA VM:Secure can change the logon password to NOLOG in the CP source and object directory.
For more information about how CA VM:Secure works with CA VM:Account to validate account number changes, see the CA Mainframe VM Product Manager Product Interface Guide. For more information about how account numbers work with CA VM:Secure, see Assigning Account Numbers to User IDs.
 
Starting and Stopping the Product
You can start CA VM:Secure automatically at each system initialization or manually after your system is running.
Starting the Product Automatically
 
To have CA VM:Secure start automatically when you initialize your z/VM system, include an XAUTOLOG command for the CA VM:Secure server virtual machine in the PROFILE EXEC of your AUTOLOG1 user ID.
For more information about installing and starting CA VM:Secure, see Installing.
Starting the Product Manually
 
Follow these steps to start CA VM:Secure manually (after your system is IPLed and is already running):
  1. Enter the following command on the CA VM:Secure server console:
    IPL CMS
    You will see a prompt asking if you want to start CA VM:Secure.
  2. Respond to the prompt by entering yes.
    When CA VM:Secure completes initialization, with or without the prompting of Steps 1 and 2, it displays the following message:
    CA VM:Secure INITIALIZATION COMPLETE ON mm/dd/yy
  3. Disconnect CA VM:Secure:
    #cp disconn
Changing the Startup Options
 
Startup options control how CA VM:Secure operates. You can change the options at any time. The CA VM:Secure service virtual machine implements the changes when it is next autologged.
To change startup options, use the VMSERVER command to update the definition in the VMSERVER NAMES file, as follows:
  1. Log on to VMANAGER.
  2. Issue this command:
    VMSERVER servername
    • servername
      Specifies the name of the product server virtual machine.
  3. Add one or more options to the Server Startup Command tag, in any order. The options are listed in the following section.
  4. File the changes with PF6. Press PF3 to exit the VMSERVER command.
For more information about changing startup options, see the CA Mainframe VM Product Manager Reference.
Startup Options
 
  • AUDINV
    Includes invalid passwords in the audit records. On CA VM:Secure, this option is not supported if you are using long password phrases.
  • ALTVOL vaddr volume
    Writes the CP object directory on an alternate volume. The variables vaddr and volume override the values that are specified on the DIRECT record in the PRODUCT CONFIG file, so the CP object directory is built on the specified device. CA VM:Secure terminates operation after initializing the directory on the alternate volume.
  • SAVEDIR
    Causes CA VM:Secure to do a source start and save the directory entries back to the product DRCT minidisk to reflect any changes to the entries. Use this option when a DEVTYPE record in the DASD CONFIG file has changed and you want the source directory entries to reflect what is being placed in the object directory. For information about the DEVTYPE record, see DEVTYPE Record (MANAGERS File) in Reference.
  • SOURCE
    Uses the source directory database to rewrite the CP object directory at startup, even if no changes are detected in the source directory database. If you do not add the SOURCE option to the Server Startup Command tag, you can still use the option by entering SOURCE when the prompt appears.
Copyright Screen Display
 
A copyright screen appears the first time you use CA VM:Secure in any one logon session. The screen remains on your terminal screen for 15 seconds or until you press Enter.
When you have seen and cleared the copyright screen, you can prevent it from displaying again by renaming the VMSECURE COPYRGHT file located on the public minidisk.
Stopping the Product
 
To stop CA VM:Secure, use the command that matches the kind of stop you want:

  To stop CA VM:Secure this way:                                  Use this command:
  Abnormally                                                      ABEND
  After active processes complete                                 END
  Immediately, without waiting for active processes to complete   END FORCE

  • As with all CA VM:Secure commands, you must prefix commands with VMSECURE if you issue them from a user ID other than the CA VM:Secure service virtual machine.
You can also end the product by using the z/VM CP SIGNAL SHUTDOWN command. To enable SIGNAL SHUTDOWN support, see the PRODUCT CONFIG file SIGNALSH Record. To allow for customized logic during end processing, see the END User Exit. The END user exit is called for both the END command and SIGNAL SHUTDOWN.
Checking Activity Before Stopping
 
Before you stop CA VM:Secure, see who is using the system by entering the QPCB command:
vmsecure qpcb
This command lists the currently active processes and the commands they are executing.
Occasionally a user ID has an active process that prevents either a graceful shutdown of CA VM:Secure, or a shutdown within a reasonable amount of time. When CA VM:Secure takes longer to stop than you think is reasonable after you enter the END command, check which user ID has a lock on an object. Object locks indicate that something is still processing.
You can check for activity by entering the QLOCK command:
vmsecure qlock
This command lists all commands that are holding locks, the kinds of locks they are holding, and the objects on which they are holding locks. To correlate these commands with the user IDs that are running them, enter the QPCB command described earlier and match the commands with the currently active processes.
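The check-then-stop sequence of the two preceding sections, as an added REXX exec that is not part of the product: it shows the QPCB output, issues END from an authorized user ID other than the server (hence the VMSECURE prefix), polls until the server logs off, and on timeout shows the QLOCK output for the operator instead of forcing. The server user ID VMSECURE and the 120-second default wait are assumptions.

```rexx
/* STOPVMS EXEC (added example, not CA-supplied). Run from an authorized   */
/* user ID other than the server, so commands carry the VMSECURE prefix.   */
/* Assumptions: the server user ID is VMSECURE; the wait defaults to 120s. */
arg maxwait .
if maxwait = '' then maxwait = 120
server = 'VMSECURE'

say 'Active processes before END:'
'VMSECURE QPCB'                         /* who is using the system right now */
if rc <> 0 then do
   say 'QPCB failed, rc='rc'; not stopping.'
   exit rc
end
say 'Proceed with END of' server'? (yes/no)'
parse upper pull answer
if answer <> 'YES' then exit 4

'VMSECURE END'                          /* graceful stop: active processes complete first */
if rc <> 0 then do
   say 'END failed, rc='rc
   exit rc
end

/* Poll until the server logs off; CP QUERY userid gives rc 45 once it is gone. */
waited = 0
do while waited < maxwait
   'CP QUERY' server
   if rc <> 0 then do
      say server 'stopped after about' waited 'seconds.'
      exit 0
   end
   'CP SLEEP 5 SEC'
   waited = waited + 5
end

/* Still running: list the locks so the operator can match them to QPCB output */
/* rather than issuing END FORCE blindly (forcing can leave minidisks mismapped). */
say server 'still running after' maxwait 'seconds. Locks held:'
'VMSECURE QLOCK'
say 'Match these with VMSECURE QPCB before considering END FORCE.'
exit 8
```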
Effects of Forcing an Immediate Stop
 
When you force an immediate shutdown of CA VM:Secure without waiting for current processes to complete, you may cause errors in CA VM:Secure. For example, if a process that is modifying a minidisk definition is forced to terminate without completing, that minidisk may be incorrectly mapped. If this occurs, you can clear up these minidisks by reinitializing CA VM:Secure with the SOURCE startup option.
Effects of Stopping Abnormally
 
If you use the ABEND command to abnormally end CA VM:Secure, it terminates with an ABN001 abend. Following the abend, control returns to CMS with a return code of 200. CA VM:Secure produces a dump according to your specifications on the DUMP record in the PRODUCT CONFIG file.
CA VM:Secure abends on its own if it encounters a severe operational error. Technical Support can often debug errors in the CA VM:Secure system by analyzing a dump from your product system. In some cases, however, an error occurs that is not severe enough to trigger an automatic abnormal termination, but is severe enough that a dump may be necessary to analyze the problem. In these cases, Technical Support may ask you to create a dump by terminating the product abnormally using the ABEND command.
Do not use the ABEND command to create a dump unless a critically unusual situation occurs and you need a dump of the CA VM:Secure system. For normal termination of CA VM:Secure operation, use the END command.
Recommendations for Releasing to Users
As a system administrator, you are responsible for designating directory managers. (You can also designate other system administrators, but doing so is not recommended.) You also define directory manager and user authorizations.
  • Designate the CA Mainframe VM Product Manager user ID, VMANAGER, as the system administrator. Do so by giving VMANAGER authorization for all commands, utilities, and user exits. In the AUTHORIZ CONFIG file, add this record:
    GRANT * OVER *ALL TO VMANAGER
  • You are the technical contact between your site and CA.
  • Depending on the size and structure of your organization, designate one or more directory managers. CA VM:Secure allows you to define a directory manager for each group of users on the system.
    Directory managers can perform routine functions such as defining minidisks, authorizing resource sharing, and managing disk space. They must be familiar with skeleton files and subpools and with the user IDs they manage. Inform the directory managers to contact you when problems arise.
    Directory managers need access to parts of the Administrators documentation, along with the Directory Managers, Reference, and Messages documentation.
  • If you are using SFS, designate SFS managers. SFS managers must be directory managers whose user IDs are using SFS. Any directory manager that manages user IDs that need SFS must also be an SFS manager.
    SFS managers need the same documentation as directory managers; they need no additional documentation.
  • Provide general users with authorizations to the CA VM:Secure commands they use. Be sure that they know the names and user IDs of their directory managers.
  • If the CA VM:Secure Rules Facility is installed, direct users to the Rules Facility.
  • For more information about creating authorizations, see Authorizations.