eTrust™CA-ACF2® Security for z/OS and OS/390 ... - SupportConnect

Computer Associates International, Inc.2400 Cabot DriveLisle, IL 60532-36521-630-505-6000FAX: 1-630-505-6097To:From:eTrust CA-ACF2® Security for z/OS and OS/390 ClientsThe Computer Associates eTrust CA-ACF2 Product GroupDate: February 11, 2003Subject: Release 6.5 of eTrust CA-ACF2 Security for z/OS and OS/390 General Availability (GA)Product Information Bulletin PIB# QI33613Dear Valued Client:Computer Associates International Inc. is pleased to present you with the General Availability (GA)product package for Release 6.5 of eTrust CA-ACF2 Security (eTrust CA-ACF2) for z/OS and OS/390,an integral component of the family of solutions we provide for the z/OS and OS/390 operating systems.We are dedicated to ensuring that your use of eTrust CA-ACF2 is successful and we want to thank youfor your continued support of Computer Associates. If you have any questions regarding this softwaresolution, contact your local eTrust CA-ACF2 Technical Support group. Also, visit our support web site athttp://support.ca.com.Software PrerequisitesYour IBM software must meet these minimum requirements to operate thisrelease of eTrust CA-ACF2:• OS/390 Version 2 Release 9 and above (including z/OS Version 1Release 4)• JES2 OS/390 Version 2 Release 8• JES3 OS/390 Version 2 Release 9• DFSMS 1.2.0 and above• ACF/VTAM 3.4.2 and above• PSF MVS 2.1.0 and above (required for eTrust CA-ACF2 MandatoryAccess Control [MAC]If you are running any of the following software, it must meet these requirementsto run concurrently with this release of eTrust CA-ACF2:• CICS/ESA Release 4.1 and aboveFebruary 2003eTrust CA-ACF2 Security for z/OS and OS/390

Summary of ChangesThe following section itemizes changes included in eTrust CA-ACF2 Release6.5. We recommend that you take time to read more about these changes in theRelease 6.5 eTrust CA-ACF2 Security for z/OS and OS/390 Release Guide andthe Release 6.5 eTrust CA-ACF2 Security for z/OS and OS/390 Getting Startedguide before proceeding with the installation.• LINUX PAM Support. PAM (Pluggable Authentication Modules) is aflexible, open-source architecture for user authentication and resourcechecking on Linux systems. PAM support allows eTrust CA-ACF2 toact as an authentication server for one or more Linux systems,eliminating the need for redundant security administration on a systemby-systembasis. PAM system features include: password verification,password changes, access authorization, session management and casesensitiveand long user names. The eTrust PAM Server runs as a daemonon z/OS and OS/390.Note: At the General Availability release of 6.5, the eTrust PAM Serverfor z/OS and OS/390 code is still in beta status. Contact your localComputer Associates Technical Support group for further information.• eTrust LDAP Directory Services (LDS). Release 6.5 enhances LDAPsupport by providing for automatic propagation of Logonid changes toLDAP directory servers. Similar in function to Command PropagationFacility (CPF), the transmission of changes to the connected LDAPnodes occurs after local Logonid update processing is performed. Newcontrol records are provided to define the connected LDAP directoryservers, the types of eligible Logonid updates (e.g. insert/change/delete),and the mapping of local Logonid fields to remote LDAP fields. Inaddition, a new Logonid control allows you to customize the specificLogonid records eligible for LDS processing. The connected LDAPdirectory servers can be connected to an eTrust Admin user directorygiving you the capability to automatically update and synchronize userdefinitions on all eTrust controlled systems in your enterprise fromeTrust CA-ACF2.Note: The Release 6.5 SP00 eTrust CA-ACF2 Security for z/OS andOS/390 Getting Started guide incorrectly states that LDS supports LDAPservers that employ Secure Sockets Layer (SSL) technology. Thisreference will be removed from the eTrust CA-ACF2 Security for z/OSand OS/390 Getting Started guide at the SP01 Service pack level.February 2003eTrust CA-ACF2 Security for z/OS and OS/390

• $NORULELNG on Rules. A new rule control statement called$NORULELNG has been added. Like the NORULELONG COMPILEstatement option, it enhances rule compilation processing by allowing theuser to generate 4K rules even on a system where RULELONG supportis active. This is useful for installations that have a business need toimplement 32K rules for only a subset of their rules.• HFS Security Enhancements. A new operational control for CA SAFHFS (Hierarchical File System) initialization, HFSSEC, has been addedto the GSO UNIXOPTS record. In addition, new eTrust CA-ACF2operator commands allow you to alter or inquire about the status of CASAF HFS security, providing even greater flexibility, security, andauditability.• SHOW ACTIVE. Release 6.5 changes the display of any exit with noassociated exit module to display ‘*NONE*’ instead of ‘NONE’. Theasterisks denote that no module has been defined.• SHOW REALM. GSO REALM records were introduced in Release 6.4.Release 6.5 includes a new SHOW command to display the GSOREALM records. All fields in each REALM record are formatted exceptfor any password or encrypted fields.• SAF Callable Service. Release 6.5 provides support for SAF CallableService R_cacheserv cache hardening, restoring and deleting. Thefunctions to be supported are: Harden, Restore, Version Fetch andDelete.• Show Sysplex Enhancement. The show sysplex command has beenenhanced to include the XCF member name.• Logonid Expiration Warning. eTrust CA-ACF2 Release 6.5 supports aLogonid expiration warning message. A field, WRNDAYS, has beenadded to the GSO OPTS record. The new WRNDAYS GSO OPTS fieldcontrols the time period between the actual expiration of the Logonid andthe display of the warning messages. When a Logonid is accessed andthe expiration date is within the WRNDAYS time period, the user willreceive a warning message each time they access the system with thatLogonid.• Report Enhancements.NV Report - The Environment Report (ACFRPTNV) now includes theLogonid of the user issuing ACF operator console commands.SL Report - The date field arithmetic now spans year boundaries.February 2003eTrust CA-ACF2 Security for z/OS and OS/390

RV Report – A summary index of access activity is provided in theACFRPTRV Resource Violation log report similar to the one provided inthe ACFRPTDS dataset report.RL and EL Report – A new parameter called CHANGES has beenadded that, when specified, reports on the entries deleted from or insertedinto a rule set.• NEXTKEY on Rule Decompiles. The DECOMPILE command fordata set and resource rules has been enhanced. When the new ALLkeyword is specified, both the target rule set and all associatedNEXTKEY rule sets found are decompiled.• Digital Certificate Administration. Release 6.5 provides the ability togenerate digital certificates and digital certificate requests. The ability toexport certificates with their private keys is also added. Otherenhancements include improving the display of certification information.• PDS Member-Level Protection Changes. Users of the PDS Member-Level Protection component prior to release 6.4 SP02 should note that achange has been made to the "bypass" check. A dataset validation ismade against a pseudo-dataset name called CAPDSSEC.BYPASS.classto determine whether member-level security is enforced for a user. Thecheck was formerly made for READ access to the pseudo-dsn, but it hasbeen changed to check for WRITE access. This was done toaccommodate users of the READALL privilege that also wantedmember-level security to be in effect. All users of member-level securitymust change their dataset rule for high-level qualifier CAPDSSEC fromREAD(ALLOW) to WRITE(ALLOW).• Profile Rule Record API. A new API called ACFCMPL3 has beenadded for compiled profile records. This API is similar to theACFCMPLR interface provided for Access and Generalized ResourceRule maintenance.• CPF Enhancement. The Command Propagation Facility (CPF) hasbeen enhanced to provide propagation of logonid status changes (i.e.SUSPEND) made via the ACTRM SVC-A call. AllF ACF2,RESET(logonid) operator modify commands will be propagatedas well.• New Password Controls. Six new password controls have been addedto provide the security administrator with greater control over the contentof passwords. The security administrator may, for example, forbid usersfrom entering passwords with recurring character sequences, may requirethat one or more vowels or numeric characters be specified, or mayrequire additional special characters to be used. Combined, thesecontrols can significantly strengthen your installation’s passwordcontrols.February 2003eTrust CA-ACF2 Security for z/OS and OS/390

• ACF NEWMOD Enhancements. In eTrust CA-ACF2 Release 6.5, theF ACF2,NEWMOD(SAF) can dynamically reload all of the reloadableSAF modules without an IPL.• ACCESS Subcommand. The ACCESS subcommand has beenenhanced to streamline performance and provide additional information.An in-storage Logonid/UID cross-reference table eliminates Logoniddatabase I/O and the Logonid scoping restriction placed on commandissuers. The new display format lists keys, Nextkeys, prefixes, matchingrulelines and associated Logonids.• ACL Support. z/OS 1.3 introduces support for Access Control Lists(ACL) for the HFS file system. ACL’s provide more granular control ofaccess to the HFS files and directories when using native HFS security.eTrust CA-ACF2 supports the new R_setfacl callable service request tocreate, modify, and delete ACL’s, and checks ACL’s when access to afile or directory is requested.• Message and Panel Changes. Release 6.5 provides support for thecorporate-wide rebranding effort of the product name fromCA-ACF2 for OS/390 to eTrust CA-ACF2 Security for z/OS andOS/390. This rebranding changed many administrative and reportpanels, help panels, clists, report headings, messages, and alldocumentation.• Started Task (STC) GSO Record. The new STC GSO record can beused to assign a Logonid and optional Groupid based on the started taskID. Use of masking allows a single STC record to pertain to multiplestarted tasks.Prior to Release 6.5, a started task (STC) was assigned a Logonid basedon the following:o The user could explicitly request a Logonid via the USER= JCLparameter, or eTrust CA-ACF2 would use a Logonid equal to theSTC procedure nameo The appropriate default STC Logonid would be used.With Release 6.5 and the new GSO STC record, this processing isslightly altered.An internal table called the STC table is built during eTrustCA-ACF2 initialization or during REFRESH processing from theappropriate GSO STC records that are defined. This table is then used aspart of the process of determining what Logonid to assign to a particularSTC. This process can be summarized as follows:o The user could explicitly request a Logonid via the USER= JCLparameter, or eTrust CA-ACF2 would use a Logonid equal to theSTC procedure name.February 2003eTrust CA-ACF2 Security for z/OS and OS/390

o The STC table is searched for an entry matching the STCprocedure name. If found, the Logonid and optionally the groupis used from the appropriate STC table entry.o The appropriate default STC Logonid would be used.• High-Level Interface Enhancements. A new C language interface hasbeen added to HLI, which currently supports Assembler, Cobol, Fortran,and PL/I. This new feature permits you to implement the HLIsubfunctions using C applications.• Rule Cleanup Utility Enhancements. The ACFRULCU utilityidentifies rule lines that are no longer needed. These can be for Logonidsthat no longer exist or UIDs that are no longer valid. The ACFRULCUutility can be used for access rules, resource rules, and DB2 rules.Release 6.5 includes an enhancement to the ACFRULCU utility thatallows you to specify more than one TYPE to run the ACFRULCUagainst. You can also exclude certain TYPE values from being processedby the ACFRULCU through the new EXCLTYPE parameter.• Dynamic Compile Option. A new GSO RULEOPTS option,COMPDYN, simplifies rule administration when RULELONG is active.Rule compiles will be performed initially using the 4K rule compiler andthen, if the rule is greater than 4K, will be retried using the RULELONGcompiler.• CSI Zone Compare Utility. The CSI Zone Compare utility(SAFTAXRF) generates a report to indicate any sysmods present in aneTrust CA-ACF2 Release 6.4 target zone that are not present in thenewly installed Release 6.5 zone. This utility is optional. The targetzones specified must be an eTrust CA-ACF2 Release 6.4 target zone(OLD TZONE) and an eTrust CA-ACF2 Release 6.5 target zone (NEWTZONE). Specifying other target zones may produce incorrect results.The JCL and PROC required to run this report can be found in membersSAFTAXJC and SAFTAXRF in the CAI.ACF2.SAMPJCL library.Review these members and make any necessary changes prior toexecution. For additional information on this utility, see the Release 6.5eTrust CA-ACF2 Security for z/OS and OS/390 Report and UtilitiesGuide.• eTrust CA-ACF2 Security Enhancements for CICS.CICS Installation Enhancements – eTrust CA-ACF2 Security forCICS installation is simplified. The level-set PTF has been eliminated,which streamlines product packaging and client installation proceduresand also helps to eliminate some of the more common installation errors.New API Inquire call - A new ACFAEUCP API inquire call has beenadded. It allows the status of CICSKEY and USERKEY resources to bequeried, providing a subset of the information that the ACFM OD(option display) CICSKEY/USERKEY functions currently provide.February 2003eTrust CA-ACF2 Security for z/OS and OS/390

CICS Startup Messages - To provide for greater auditability,informational WTO messages are issued for all CICS DFHSIT (SystemInitialization Table) values that are overridden by eTrust CA-ACF2CICS security controls.CICS Timeout Processing - All specific terminal sign-on instances thatare signed off by terminal timeout support are now recorded to theACF2LOG report.CICS Multi-Sign-ons - A new initialization control, SIGNONMULTSIGN, designates a Logonid privilege that, when specified, allowsselected users to establish multiple sign-on instances when sign-onenqueue controls (SIGNON ENQSCOPE) are active. This will be of useto technical personnel who have a legitimate business need to establishmultiple CICS sign-on sessions to concurrently use system products andfunctions such as CEMT, ACFM, Unicenter ® CA-SYSVIEW ® RealtimePerformance Management, and other functions.CICS Sign-on Failure Messages - The terminal ID is included in theACFAE145 message issued for sign-on failures. This message is issuedwhen sign-on enqueue controls are active and a user has alreadyestablished a sign-on session on a particular CICS region. The additionalinformation will be helpful for the user and/or the help desk.Demand Analysis Requests. At Computer Associates, customer feedback andsuggestions for product enhancements are very important to us. We value yourinput, not only as our customer, but more importantly, as our partner. Continuingwith our policy of constant product upgrades and improvements, we are pleasedto announce that Release 6.5 of eTrust CA-ACF2 Security for z/OS and OS/390addresses numerous Demand Analysis Requests (DARs) that were submitted byboth individual customer sites and user groups. We believe that theenhancements in Release 6.5 and in related eTrust solutions demonstrate CA’ssecurity leadership and commitment to customers and quality. As always, wewelcome your feedback and your suggestions for future product enhancements.February 2003eTrust CA-ACF2 Security for z/OS and OS/390

Section A – InstallationFollow the installation procedures documented in the Release 6.5 eTrustCA-ACF2 Security for OS/390 and z/OS Getting Started guide.Installation Changes1. The SMPMCS deck now contains DATA element types replacing'++MAC' element types where appropriate. The new DATA elementtypes include: ++MOD, ++SRC, ++PROC, ++PNL, ++CLIST,++MSG, ++SKL, ++HELP, and ++MSGENU. The main impact is thatDATA elements cannot be updated, only replaced.2. If you are installing MAC, the following High Level Assemblermessages can be ignored: ASMA301W, ASMA303W, and ASMA435I.Notes regarding eTrust CA-ACF2 Release 6.5 installation processing, JXB2APPAPPLY job:• You can expect to get a return code of four from the JXB2APP job. Youmay see error messages IEW2470E and IEW2468E for the CAIXJ815 loadmodule; these can be ignored.• You can expect to see IEW2454W warning messages for program objectbind processing to the CAI.SMPLTS dataset. These are normal and can beignored.Notes regarding eTrust CA-ACF2 Release 6.5 CICS installation processing,CX65APP APPLY job:• You can expect to get a return code of four from the CX65APP job. Youmay also see messages IEC141I and IEW2745S; these can be ignored.Important Note for JES3 Users:JES3 sites using program pathing will notice additional validations originatingfrom the JES3 address space. The validations specify PGM=IATINTKE and aLIB= value corresponding to your JES3 LINKLIB. If GSO LINKLIST recordsare inserted or changed to accommodate these validations anF ACF2,REFRESH(LINKLST) command must be issued to refresh theLINKLST, and the JES3 address space must be recycled to activate theLINKLST change in JES3.Important Note for IMS UsersAfter completing the eTrust CA-ACF2 Release 6.5 base maintenance you shouldapply PTF TT65658 to refresh the local copies of base processing modules in theeTrust CA-ACF2 Release 6.5 IMS interface. Refer to the IMSLVL member ofthe ACF2IMS.SAMPJCL data set to install this PTF.February 2003eTrust CA-ACF2 Security for z/OS and OS/390

Important Note for eTrust CA-ACF2 Security for DB2 UsersUsers wishing to reinstall eTrust CA-ACF2 Security for DB2 for any reason onceeTrust CA-ACF2 Release 6.5 is installed must reinstall eTrust CA-ACF2Security for DB2, Release 1.1 at the SP06 Service pack level. In addition, userswishing to apply any maintenance to eTrust CA-ACF2 Security for DB2 onceeTrust CA-ACF2 Release 6.5 is installed will first need to reinstall eTrustCA-ACF2 Security for DB2 Release 1.1 at the SP06 Service pack level.Note to Users of EKC, Inc. ‘s ETF/A 1.6.0 ProductIf your installation uses EKC, Inc.’s ETF/A product at the V1.6.0 level, beadvised that EKC technical support has written ETF/A APAR LD16037(prerequisite APAR is LD16018) to provide support for eTrust CA-ACF2Release 6.5. Please contact your EKC, Inc. technical support representativedirectly for further information.February 2003eTrust CA-ACF2 Security for z/OS and OS/390

Section B - CAIRIM and LMP KeysLicense Management Program (LMP)eTrust CA-ACF2 licensing is maintained by the CA License ManagementProgram (LMP). LMP provides a standardized, automated approach to licensemanagement and is designed to eliminate the difficulties inherent in tracking theaccurate licensed use of CA products.LMP runs as a component of CAIRIM. CAIRIM must be installed prior toinitializing eTrust CA-ACF2. If CAIRIM is not running, eTrust CA-ACF2issues message ACF79452. If CAIRIM is not started in 30 minutes, eTrustCA-ACF2 issues this message:ACF79457 CPU nnnnnn REQUIRES A LMP KEY TO RUN PROD(X1)eTrust CA-ACF2 MVSYou should already have received an LMP Product Key Certificate. If you do nothave a valid LMP KEY for the CPU on which you are running, CA CommonServices for z/OS and OS/390 message CAS9180E appears on your systemconsole. Once the appropriate key is entered and CAIRIM is restarted, enter thefollowing console command:F ACF2,LMPCHECKeTrust CA-ACF2 immediately verifies the new key. If it is still not valid,another message is generated to your console.If you have any questions about LMP and CAIRIM call the CA LicenseManagement Program Hotline at 1-800-338-6720 in North America (24 hours aday, 7 days a week). Outside of North America, contact your local ComputerAssociates Technical Support Center during local business hours.February 2003eTrust CA-ACF2 Security for z/OS and OS/390

END OF PIB PACKETFebruary 2003eTrust CA-ACF2 Security for z/OS and OS/390