Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Ops Infrastructure 7.1.

Setting up CA ACF2


If CA ACF2 is your primary ESM, you must perform the following procedures to support the Security interface:

  • Associate ACF2 STC LOGONIDs with the CAS and PAS started task procedures.
  • Update the authorized command processor table.
  • Add support for a custom SAF resource CLASS.

For complete information about administering CA ACF2, refer to your CA ACF2 documentation.

To associate ACF2 STC LOGONIDs with the CAS and PAS started task procedures

  1. Define LOGONIDs for the CAS and PAS started tasks by using ACF2 commands, such as:

    ACF
    SET LID
    INSERT USING(ACFSTCID) BBMCAS NAME(MAINVIEW CAS) +
           STC SOURCE(STCINRDR) NOTSO
    INSERT USING(ACFSTCID) BBMPAS NAME(MAINVIEW PAS) +
           STC SOURCE(STCINRDR) NOTSO
    END

    Note

    The ACF2 STC LOGONIDs used for MainView CAS and PAS address spaces must:

    • Be able to execute as a started task
    • Have access to all data sets and UNIX System Services data that are referenced by the address spaces for MainView Infrastructure and MainView users
  2. Associate the LOGONIDs with the CAS and PAS started task procedure names.
    A LOGONID can be associated with an address space by:

    • Having an exact match between the started task name and the LOGONID
    • Using the CA ACF2 started task control installation exit (STCXIT) to establish correspondence between the started task and its associated LOGONID

    For information about the STCXIT installation exit, refer to your CA ACF2 documentation.

To update the authorized command processor table

Some sites have a security package (such as IBM RACF or PCF, or Computer Associates CA ACF2 or CA TOP SECRET) that defines an authorized command processor table to restrict which TSO command processors can execute.

If your security package defines this type of table, you might need to add the following programs and commands to the table:

  • AOEXEC
  • BALCMSG
  • BBM3API
  • BBM9TC21
  • BBM9TC22
  • BBM9TC24
  • BBVJSETP
  • BMILI0
  • DOMDMAIN
  • EMTMPW
  • LGCOMAIN
  • SMLOAD
  • TSLOAD

To support a custom SAF resource CLASS

Notes

  • If you are using the SAF resource CLASS FACILITY, you can skip this step.
  • If you want to use a SAF resource CLASS other than FACILITY (as described in "Identifying the security class"), you must define the generalized resource rule type to be used for that SAF resource CLASS.
  1. Determine the generalized resource rule TYPE to be used in compiling the rules to control access to product resources.

  2. Update the CLASMAP records by using ACF2 commands, such as:

    ACF
    SET Control(GSO)
    INSERT CLASMAP.class RESOURCE(class)+
          RSRCTYPE(type) ENTITYLN(39)
    END
  3. Refresh the in-storage copy of the CLASMAP table by issuing the following MODIFY command:

    F ACF2,REFRESH(CLASMAP)

  4. (Optional) To make the rules for the selected resource rule TYPE resident, perform the following tasks:

    1. Add the resource rule TYPE to the INFODIR GSO record by using ACF2 commands, such as:

      ACF
      SET Control(GSO)
      CHANGE INFODIR ADD TYPES(R-Rtype)
      END

    2. Refresh the in-storage INFODIR data by issuing the following system MODIFY command:

      F ACF2,REFRESH(INFODIR)

    3. Rebuild the in-storage directory for a resource rule type by issuing the following MODIFY command:
      F ACF2,REBUILD(type)

    Note

    MainView enhanced security does not support nonresident-general-resource rules that contain masked rule KEYs. If you compile such rules, they must be made globally resident by instructing ACF2 to construct a resident rule directory (as described in Step 4).
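
The residency requirement in the note above can be checked before rules are compiled. The following is an added example, not BMC or CA code: a small Python preflight that reads a GSO command deck and resource rule headers and reports masked-key rules whose TYPE is not listed in INFODIR. It assumes rule headers written as `$KEY(...) $TYPE(...)` and `*` and `-` as the mask characters; the rule types `XYZ` and `ABC` and the `EXAMPLE.PRODUCT` resource names are constructed placeholders.

```python
import re

# Assumption: '*' and '-' are the mask characters in an ACF2 resource rule $KEY.
MASK_CHARS = set("*-")

def resident_types(gso_deck):
    """Return rule types listed as R-Rtype in INFODIR TYPES(...) operands."""
    found = set()
    for operand in re.findall(r"INFODIR\b[^\n]*?TYPES\(([^)]*)\)", gso_deck, re.I):
        for entry in re.split(r"[,\s]+", operand.strip()):
            if entry.upper().startswith("R-R"):
                found.add(entry[3:].upper())
    return found

def masked_nonresident(rule_sources, gso_deck):
    """Return (key, type) for each masked-key rule whose type is not resident."""
    resident = resident_types(gso_deck)
    findings = []
    for source in rule_sources:
        key = re.search(r"\$KEY\(([^)]*)\)", source, re.I)
        rtype = re.search(r"\$TYPE\(([^)]*)\)", source, re.I)
        if not (key and rtype):
            continue  # not a resource rule header this check understands
        key_text = key.group(1).strip()
        type_text = rtype.group(1).strip().upper()
        if MASK_CHARS & set(key_text) and type_text not in resident:
            findings.append((key_text, type_text))
    return findings

# Constructed sample input: XYZ and ABC are placeholder rule types and
# EXAMPLE.PRODUCT.* are placeholder resource names, not product values.
GSO_DECK = """ACF
SET Control(GSO)
CHANGE INFODIR ADD TYPES(R-RXYZ)
END"""

RULES = [
    "$KEY(EXAMPLE.PRODUCT.-) $TYPE(XYZ)",     # masked, type is resident
    "$KEY(EXAMPLE.PRODUCT.-) $TYPE(ABC)",     # masked, type is NOT resident
    "$KEY(EXAMPLE.PRODUCT.VIEW) $TYPE(ABC)",  # no mask, residency not required
]

if __name__ == "__main__":
    for key_text, type_text in masked_nonresident(RULES, GSO_DECK):
        print(f"masked key {key_text} uses nonresident type {type_text}")
```

Any rule the check reports needs its type added to INFODIR and the directory refreshed and rebuilt as in Step 4 before the rule is relied on.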

 
