Milestone 8: Configuring Xchange external security

This milestone contains tasks for configuring external security. If you are using an external security package (such as RACF, CA-ACF2®, or CA-TOP SECRET®) at your installation, you will need to configure Xchange with the package. 

The roles involved are: Xchange Installer Security Administrator.

Overview

Xchange makes external security calls to protect jobs, steps, and programs from unauthorized execution using date and time modification. External security is invoked by Xchange when the job designated in a pattern job request executes an SVC11 or other TIME services call — not when the request is created.

You can define a default action that is taken whenever a job selected by Xchange is not covered by a security access rule. You can specify that all such jobs are allowed either to run or to fail.

When you create the Xchange CMSC PARMLIB member, the following security options are available:

• SECUSE=NO does not activate external security checking. If you specify this parameter, the SECDFLT and SECADRSP parameters are ignored.
• SECUSE=YES activates external security checking. The following choices are then available for the SECDFLT and SECADRSP parameters:
  • SECDFLT=ALLOW sets the security default to allow jobs that are not covered by a security rule to have their dates and times changed by Xchange.
  • SECDFLT=DENY sets the security default to fail date and time change requests that are not covered by a security rule.
  • SECADRSP=NO secures Xchange requests by pseudo-data set name prefix.jobname.stepname.pgmname.
  • SECADRSP=YES secures Xchange requests by batch jobname, jobname of a started task, or TSO address space.

This section provides information about the following topics: