Limited support

BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Ops Infrastructure 7.1.

Task 5: Activating security


Security for BMC AMI Ops products that run in full-screen mode is controlled by a member called BBSEC in your parameter library.

This member contains security parameters in the form of control statements. BBSEC must reside in SYS1.PARMLIB, the logical PARMLIB concatenation, or the BBIPARM concatenation.

Tip

  • If BBSEC is in SYS1.PARMLIB or the logical PARMLIB concatenation, all BBI-SS PASs can share the same security parameters.
  • If BBSEC is in the BBIPARM concatenation (including BBPARM and UBBPARM) for one or more BBI-SS PASs, the security parameters are specific to those PASs.

To create a BBSEC member

  1. Create a PDS member called BBSEC in a working data set.

    Important

    Do not add BBSEC to SYS1.PARMLIB, the logical PARMLIB concatenation, or the BBIPARM concatenation until you are ready to activate security.

  2. Copy BBSAMP member BBSEC to the member you just created.

  3. Add a TYPE statement to BBSEC for each product to identify the products that you want to secure.

    You can add as many TYPE statements as necessary to define security for your products.

  4. Save the updated BBSEC member.

    When you are ready to activate security, see Adding BBSEC to a parameter library.

    Important

    To protect the BBSEC member from unauthorized modification:

    1. Specify Universal Access NONE for any BBSEC member that resides in SYS1.PARMLIB, the logical PARMLIB concatenation, or the BBIPARM concatenation.
    2. Grant selected users WRITE access to the BBSEC members.

BBSEC TYPE statements

The format of the BBSEC TYPE statement varies depending on the product or products that you want to secure.

Syntax for common resources

This variation of the TYPE statement is used for BBI-SS PAS resources that are common to the following products:

  • BMC AMI Ops Automation
  • BMC AMI Ops Monitor for CICS
  • BMC AMI Ops Monitor for Db2
  • BMC AMI Ops Monitor for DBCTL
  • BMC AMI Ops Monitor for IMS Online
  • BMC AMI Ops Monitor for MQ

TYPE=<product>,SS=<ssid>[,PREFIX=<prefix>][,CLASS=<name>]

Syntax for BMC AMI Ops Automation advanced security and BMC AMI Ops Monitor for Db2 command-level security

This variation of the TYPE statement is used to activate security for additional BMC AMI Ops Automation and BMC AMI Ops Monitor for Db2 features.

TYPE=[AAO|DB2],SS=<ssid>,FEATURE=(<feature>,...)

Syntax rules

Observe the following syntax rules when creating or updating a BBSEC member:

  • Each TYPE statement and its parameters can be specified in positions 1 to 72 on one or more lines.
  • To continue a TYPE statement on the next line, put a comma at the end of the line to be continued.
  • Do not break multi-value keywords across lines. For example, FEATURE=(CMD,APPL,EXEC) must appear on a single line.
  • Specify comments on separate lines with an asterisk (*) in column 1. Comments are not supported on the same line as a TYPE statement.
  • BMC supports the use of system symbols. For example, you can use SS=AO&SYSCLONE where the SSID consists of AO followed by the resolved value of &SYSCLONE.
    • When using a symbol name within a TYPE statement, end the symbol name with a period. For example, TYPE=BBI,SSID=JO8D,PREFIX=JA&SYSCLONE.,FEATURE=(BBIDISP,CONSCMD)
    • PROCESS LIST=YES can be used as the first statement in the BBSEC member. When the BBI-SS PAS processes the BBSEC member and a PROCESS statement is found, the BBI-SS PAS issues WTOs listing the lines as they are read, showing the resolved system symbols. Valid values for LIST are YES or NO. NO is the default.
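A member that breaks one of these rules is easier to catch in the working data set than after a warm start. The following lint check is an added example, not BMC code: it applies the syntax rules above together with the length limits and FEATURE keywords given in the TYPE statement parameters section of this page. The function names, messages, and sample member are constructed for illustration.

```python
import re
AAO_FEATURES = {"CMD", "APPL", "EXEC", "ALRTEXEC", "ALRT", "PARM", "IMSGEN"}  # from this page
MAX_LEN = {"SS": 4, "SSID": 4, "PREFIX": 8, "CLASS": 8}

def check_statement(stmt, lineno, findings):
    # Split on commas outside parentheses so FEATURE=(A,B) stays one parameter.
    parts = [p for p in re.split(r",(?![^(]*\))", stmt) if p]
    params = dict(p.partition("=")[::2] for p in parts)
    for key, limit in MAX_LEN.items():
        value = params.get(key)
        # Length cannot be judged until system symbols (&NAME.) are resolved.
        if value is not None and "&" not in value and not 1 <= len(value) <= limit:
            findings.append((lineno, f"{key} must be 1 to {limit} characters"))
    kind = params.get("TYPE")
    if "FEATURE" in params and kind in ("AAO", "DB2"):
        feats = set(params["FEATURE"].strip("()").split(","))
        allowed = AAO_FEATURES if kind == "AAO" else {"CMD"}
        for bad in sorted(feats - allowed):
            findings.append((lineno, f"FEATURE {bad} is not listed for TYPE={kind}"))
        if "IMSGEN" in feats and "CMD" not in feats:
            findings.append((lineno, "IMSGEN requires CMD"))

def lint_bbsec(text):
    """Return [(line number, message)] for a BBSEC member passed as a string."""
    findings, pending, start = [], "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("*"):
            continue  # blank line, or comment with an asterisk in column 1
        if len(line) > 72:
            findings.append((lineno, "text beyond position 72"))
        if re.search(r"\S\s+\*", line):
            findings.append((lineno, "comment on the same line as a statement"))
        if "FEATURE=(" in line and ")" not in line.split("FEATURE=(", 1)[1]:
            findings.append((lineno, "FEATURE keywords broken across lines"))
        start = start or lineno
        pending += line.split()[0]
        if pending.endswith(","):
            continue  # a trailing comma continues the statement on the next line
        check_statement(pending, start, findings)
        pending, start = "", 0
    if pending:
        findings.append((start, "continued statement has no following line"))
    return findings

# Constructed sample member, not from a real system; lines 2 and 3 break the rules.
SAMPLE = ("TYPE=BBI,SS=SYS1,PREFIX=CHARLIE,CLASS=SECURE\n"
          "TYPE=AAO,SS=SYS1,FEATURE=(IMSGEN,APPL)  * advanced security\n"
          "TYPE=BBI,SS=SYS10\nTYPE=AAO,SS=SYS2,\nFEATURE=(CMD,EXEC)\n")
```

Calling lint_bbsec(SAMPLE) reports the same-line comment and the missing CMD on line 2 and the five-character SSID on line 3; the continued statement on lines 4 and 5 is accepted.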

TYPE statement parameters

The following table describes the BBSEC TYPE statement parameters:

Parameter

Description

TYPE

Activates security for the specified product or group of products

You can specify as many TYPE statements as needed in a BBSEC member. Specify one of the following products on each TYPE statement:

SS or SSID

One- to four-character subsystem ID of the BBI-SS PAS where the specified resources are to be protected

The SSID is part of the resource name that defines resources to your ESM.

Each SSID that is used in a resource name must be specified on a separate TYPE statement in BBSEC.

SS= or SSID= can use wildcards for the SSID:

  • An asterisk matches any or no characters. For example, SS=* would match all PAS SSIDs.
  • A plus sign represents any one character. For example, SS=AO+ would match any SSID that starts with AO and is three characters in length. The third character can be any character.

SS=AO* would match any SSID that starts with AO and can be two to four characters in length. The third and fourth characters can exist or not, and if they exist they can be any character.

PREFIX

(Optional) One- to eight-character prefix for all BMC AMI Ops product resource names

The default is BBM.

CLASS

(Optional) One- to eight-character security class name that is used to identify BMC AMI Ops product resources

The default is $BOOLE.

FEATURE

Specify one or more keywords.

  • The FEATURE parameter and its keywords must be specified on a single line.
  • Separate multiple keywords by a comma and enclose all keywords in parentheses.
  • For BMC AMI Ops Monitor for Db2 (TYPE=DB2), specify CMD for Db2 command-level security.
  • For BMC AMI Ops Automation (TYPE=AAO), specify one or more of the following values:
    • CMD for command and transaction security.
    • APPL for application security.
    • EXEC for EXEC security.
    • ALRTEXEC for ALERT follow-up EXEC security.
    • ALRT for ALERTs security.
    • PARM for parameter member security.
    • IMSGEN for IMS generic commands security (requires CMD).
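The wildcard rules for SS= and SSID= can be applied offline to see which PASs a member actually covers, and which it misses. This is an added example, not BMC code: it matches a constructed SSID inventory against a constructed member. The function names, and the choice of TYPE=BBI as the statement every PAS is expected to have, are assumptions of the example.

```python
import re

def ssid_matches(spec, ssid):
    """Apply an SS=/SSID= value: '*' is any or no characters, '+' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "+" else re.escape(c) for c in spec)
    # SSIDs are one to four characters, so a longer name can never be covered.
    return 1 <= len(ssid) <= 4 and re.fullmatch(regex, ssid) is not None

def coverage(bbsec_text, ssids):
    """Map each SSID to the set of TYPE values whose SS/SSID value matches it."""
    result = {s: set() for s in ssids}
    for line in bbsec_text.splitlines():
        if not line.startswith("TYPE="):
            continue  # comment lines and anything that is not a TYPE statement
        # Assumption: one statement per line (no continuation), symbols already resolved.
        parts = re.split(r",(?![^(]*\))", line.strip())
        params = dict(p.partition("=")[::2] for p in parts)
        spec = params.get("SS") or params.get("SSID")
        for s in ssids:
            if spec and ssid_matches(spec, s):
                result[s].add(params["TYPE"])
    return result

def uncovered(bbsec_text, ssids, required="BBI"):
    """SSIDs in the inventory that no TYPE=<required> statement applies to."""
    cov = coverage(bbsec_text, ssids)
    return sorted(s for s in ssids if required not in cov[s])

# Constructed member and SSID inventory, for illustration only.
SAMPLE = "* wildcards\nTYPE=BBI,SS=AO+\nTYPE=BBI,SS=SY*\nTYPE=AAO,SS=AO*,FEATURE=(CMD)\n"
INVENTORY = ["AO", "AO1", "AO12", "SY", "SYS1", "DB2A"]

if __name__ == "__main__":
    print("No TYPE=BBI statement covers:", uncovered(SAMPLE, INVENTORY))
```

In the sample, SS=AO+ covers only the three-character AO1, so AO and AO12 receive the TYPE=AAO statement without a matching TYPE=BBI statement.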

BBSEC examples

To turn on security for four BBI-SS PASs with the default prefix of BBM and the default security class of $BOOLE, BBSEC might contain the following statements:

* The following turns on security for BBI-SS PAS SYS1,
* SYS2, SYS3, and SYS4 to security class $BOOLE
*
TYPE=BBI,SS=SYS1
TYPE=BBI,SS=SYS2
TYPE=BBI,SS=SYS3
TYPE=BBI,SS=SYS4

To use a prefix of CHARLIE and a security class of SECURE for the same BBI-SS PASs, BBSEC might contain the following statements:

* The following turns on security for BBI-SS PAS SYS1,
* SYS2, SYS3, and SYS4 to security class SECURE
*
TYPE=BBI,SS=SYS1,PREFIX=CHARLIE,CLASS=SECURE
TYPE=BBI,SS=SYS2,PREFIX=CHARLIE,CLASS=SECURE
TYPE=BBI,SS=SYS3,PREFIX=CHARLIE,CLASS=SECURE
TYPE=BBI,SS=SYS4,PREFIX=CHARLIE,CLASS=SECURE

To secure the CMD and APPL features of BMC AMI Ops Automation, define them as follows:

* The following turns on security for BBI-SS PAS SYS1,
* to security class $BOOLE
*
TYPE=BBI,SS=SYS1
*
* The following turns on security for the CMD and
* APPL features of AutoOPERATOR advanced security
*
TYPE=AAO,SSID=SYS1,FEATURE=(CMD,APPL)

The following example secures the BMC AMI Ops Automation CMD feature for multiple BBI-SS PASs with different SSIDs:

* The following turns on security for BBI-SS PAS SYS1,
* SYS2, SYS3, and SYS4
*
TYPE=BBI,SS=SYS1
TYPE=BBI,SS=SYS2
TYPE=BBI,SS=SYS3
TYPE=BBI,SS=SYS4
*
* The following turns on security for the CMD feature of
* AutoOPERATOR advanced security for BBI-SS PASs SYS1,
* SYS2, SYS3, and SYS4
*
TYPE=AAO,SS=SYS1,FEATURE=(CMD)
TYPE=AAO,SS=SYS2,FEATURE=(CMD)
TYPE=AAO,SS=SYS3,FEATURE=(CMD)
TYPE=AAO,SS=SYS4,FEATURE=(CMD)

The following example secures Db2 SQL host variable data in BMC AMI Ops Monitor for Db2 views and the RECTRACE report:

* The following protects the display of host
* variable data in BMC AMI Ops Monitor for Db2 views and the
* RECTRACE report using default values
*
TYPE=DB2HVAR
*
* The following protects the display of host
* variable data in BMC AMI Ops Monitor for Db2 views and the
* RECTRACE report defining values for prefix and class
*
TYPE=DB2HVAR,PREFIX=CHARLIE,CLASS=SECURE 

For more information about securing host variable data, see Additional resources for BMC AMI Ops Monitor for Db2.

To add BBSEC to a parameter library

You can activate security by adding BBSEC to SYS1.PARMLIB, the logical PARMLIB concatenation, or the BBIPARM concatenation.

  1. Test your security parameters at the BBI-SS PAS level by performing the following tasks:
    1. Copy BBSEC into the BBPARM data set for a BBI-SS PAS.
    2. Warm start the BBI-SS PAS to read the new BBSEC member.
    3. Test product access at the BBI-SS PAS level to make sure that it provides the security that you want.
  2. When you are satisfied with the way that security is working at the BBI-SS PAS level, copy (or move) BBSEC to SYS1.PARMLIB, the logical PARMLIB concatenation, or the BBIPARM concatenation for other PASs. The BBSEC member in SYS1.PARMLIB, the logical PARMLIB concatenation, or the BBIPARM concatenation overrides any BBSEC members in specific BBPARM data sets.

Disabling security (full-screen mode)

Disabling security for products that run in full-screen mode involves modifying the BBSEC member.

To disable security for one or more specific products

  1. In the BBSEC member in both the logical PARMLIB concatenation and the BBIPARM concatenation, change the TYPE statements for the appropriate products to comments by typing an asterisk (*) in column one.
  2. Warm start each affected BBI-SS PAS.

To disable security for all products

  1. Perform one of the following tasks:
    • Remove the BBSEC member from both the logical PARMLIB concatenation and the BBIPARM concatenation.
    • Rename all BBSEC members to a different name.
  2. Warm start each affected BBI-SS PAS.

 
