Use task SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "MULTIPLE SIGNON" is found. If the associated value is "YES", this is a finding.
Use task SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 MULTIPLE SIGNON IS NO." where 123 is the number of the system being modified. Enter: "VALIDATE." Enter: "GENERATE." The change will become effective the next time the CV is stopped and started.
When securing IDMS user IDs with an ESM, some preparation must be done in IDMS itself. Identify CA IDMS security domains (a set of DC systems and local mode applications sharing a single user catalog and SRTT). For a given security domain, log on to one DC system. Issue DCPROFIL. If nothing is specified for "Security System", and therefore no external security system is in use, this is a finding. Examine load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If no TYPE=ENTRY with RESTYPE=SGON is found, this is a finding. If RESTYPE=SGON is secured internally, this is a finding. Interrogate the security office and verify the ESM has the appropriate entries to secure the RESTYPE of SGON. If not, this is a finding.
The SRTT module must be coded to enable the desired security. When using an ESM, this could be done in the following manner:
#SECRTT TYPE=ENTRY, X
        RESTYPE=SGON, X
        SECBY=EXTERNAL, X
        EXTNAME=(RESNAME), X
        EXTCLS='CA@IDMS'
The RESNAME will be derived from the SYSTEM ID name in SYSGEN. After making the above changes, ensure the ESM has the appropriate rules defined to give access to the desired users. For example, in a Top Secret environment where the SYSGEN SYSTEM ID is SYSO187:
TSS PER(user-id) CA@IDMS(SYSO187)
Also assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note that this requires PTFs SO07995 and SO09476. Look for a #SECRTT statement with the string "RESTYPE=SGON" and SECBY=EXTERNAL. If no "RESTYPE=SGON" is found or "SECBY=OFF" or "SECBY=INTERNAL" is specified, this is a finding. Execute an external security manager (ESM) resource access list for resource "SGON" for each CV on the system. If the resource access is not restricted to only users authorized in the site security plan, this is a finding.
In the source for RHDCSRTT add a #SECRTT entry to secure the sign-on process, such as this example:
#SECRTT TYPE=ENTRY, X
        RESTYPE=SGON, X
        SECBY=EXTERNAL, X
        EXTCLS='CA@IDMS', X
        EXTNAME=(RESTYPE,RESNAME)
The RESNAME used during sign-on is the CV system name as defined in SYSGEN. To find the system name, sign in to SYSGEN in the CV. Then issue command "SIGNON DICT SYST" and then issue command "DISP SYS nnn" where nnn is the CV number. Look for "SYSTEM ID IS" to find the system name used as RESNAME. Before implementing changes, contact the security administrator and ensure that the ESM has the necessary rules for the EXTCLS and EXTNAME values chosen. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(SGON.your_extname)
In ACF2:
$KEY(SGON.your_extname) TYPE(CA@IDMS) UID(user_id) ALLOW
After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. In the SRTT, resources are protected by #SECRTT TYPE=ENTRY and TYPE=OCCURRENCE statements. Examine the SRTT to ensure that there are #SECRTT statements for the desired resources that have "SECBY=EXTERNAL". If there are none, this is a finding.
Secure the desired resources by updating RHDCSRTT, adding #SECRTT TYPE=ENTRY and TYPE=OCCURRENCE statements as needed. For example:
#SECRTT TYPE=ENTRY, X
        RESTYPE=resource, X
        SECBY=EXTERNAL, X
        EXTCLS='CA@IDMS', X
        EXTNAME=(your_extname)
Before implementing changes, contact the security administrator and ensure that the external security manager (ESM) has the necessary rules for the EXTCLS and EXTNAME values that were chosen. These rules must then be given to the appropriate users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(your_extname)
After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
Examine load module "RHDCSRTT" by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Validate the following suggested user-level tasks are secured in the SRTT (included, for example, in the roles of DCADMIN-, DBADMIN-, and DEVELOPER-level security). Note: USER, DEVELOPER, DBADMIN, and DCADMIN are suggested categories only.
ADS OCF OCFT OCFX OLP OLQ OLQNT OLQT OLQTNOTE
If "TASK" is not found as the resource type in any of the entries, this is a finding. If "TASK" is secured internally, this is a finding. If "TASK" is secured externally in the SRTT, review the SRTT entries to ensure that the above tasks are secured and review the ESM for external class and external name format to verify the appropriate authorizations have been defined. If they have not, this is a finding.
The SRTT module must be coded to enable task-level security. When using an external security manager (ESM), this could be done in the following manner:
#SECRTT TYPE=ENTRY, X
        RESTYPE=TASK, X
        SECBY=EXTERNAL, X
        EXTNAME=(RESTYPE,RESNAME), X
        EXTCLS='CA@IDMS'
or, to give access specifically to one or more tasks (in this case, to ADS):
#SECRTT TYPE=ENTRY,RESTYPE=TASK, X
        SECBY=OFF, X
        EXTNAME=(RESTYPE,RESNAME),EXTCLS='CA@IDMS'
with an OCCUR statement for each task:
#SECRTT TYPE=OCCUR,RESTYPE=TASK, X
        SECBY=EXTERNAL, X
        RESNAME='ADS'
Using the above examples, the ESM must be configured to grant access for resource name "TASK.task-name" to security group (or role) USER, for security class "CA@IDMS", where "task-name" is one of the user-level tasks listed. This grant must be repeated for each task in the list. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(TASK.ADS)
In ACF2:
$KEY(TASK.ADS) TYPE(CA@IDMS) UID(user_id) ALLOW
In RACF:
PERMIT TASK.ADS CLASS(CA@IDMS) ID(user_id) ACCESS(READ)
After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Validate the following suggested developer-level tasks are secured in the SRTT (included, for example, in the roles of DCADMIN- and DBADMIN-level security). Note: USER, DEVELOPER, DBADMIN, and DCADMIN are suggested categories only.
ADSA ADSAT ADSC ADSCT ADSK ADSL DEBUG IDDML IDDM IDDT LOOK MAPB MAPBT MAPC MAPCT PMAM PMIM QUED SCHEMA SCHEMAT SHOWMAP
If "TASK" is not found as the resource type in any of the entries, this is a finding. If "TASK" is secured internally, this is a finding. If "TASK" is secured externally in the SRTT, review the SRTT entries to ensure that the above tasks are secured and review the ESM for external class and external name format to make sure the appropriate authorizations have been defined. If they have not, this is a finding.
The SRTT module must be coded to enable task-level security. When using an external security manager (ESM), this could be done in the following manner:
#SECRTT TYPE=ENTRY, X
        RESTYPE=TASK, X
        SECBY=EXTERNAL, X
        EXTNAME=(RESTYPE,RESNAME), X
        EXTCLS='CA@IDMS'
or, to give access specifically to one or more tasks (in this case, to ADSA):
#SECRTT TYPE=ENTRY,RESTYPE=TASK, X
        SECBY=OFF, X
        EXTNAME=(RESTYPE,RESNAME),EXTCLS='CA@IDMS'
with an OCCUR statement for each task:
#SECRTT TYPE=OCCUR,RESTYPE=TASK, X
        SECBY=EXTERNAL, X
        RESNAME='ADSA'
Using the above examples, the ESM must be configured to grant access for resource name "TASK.task-name" to security group (or role) DEVELOPER, for security class "CA@IDMS", where "task-name" is one of the developer-level tasks listed. This grant must be repeated for each task in the list. These rules should then be given to the appropriate users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(TASK.ADSA)
In ACF2:
$KEY(TASK.ADSA) TYPE(CA@IDMS) UID(user_id) ALLOW
In RACF:
PERMIT TASK.ADSA CLASS(CA@IDMS) ID(user_id) ACCESS(READ)
After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing the command "DCMT DISPLAY SRTT" while signed on to the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Validate the following suggested DBA-level tasks are secured in the SRTT (included, for example, in the role of DCADMIN-level security). Note: USER, DEVELOPER, DBADMIN, and DCADMIN are suggested categories only.
ADSM ADSOTATU IDD IDDM SSC SSCT
If "TASK" is not found as the resource type in any of the entries, this is a finding. If "TASK" is secured internally, this is a finding. If "TASK" is secured externally in the SRTT, review the SRTT entries to ensure that the above tasks are secured and review the external security manager (ESM) for external class and external name format to make sure the appropriate authorizations have been defined. If they have not, this is a finding.
The SRTT module must be coded to enable task-level security. When using an ESM, this could be done in the following manner:
#SECRTT TYPE=ENTRY, X
        RESTYPE=TASK, X
        SECBY=EXTERNAL, X
        EXTNAME=(RESTYPE,RESNAME), X
        EXTCLS='CA@IDMS'
or, to give access specifically to one or more tasks (in this case, to ADSM):
#SECRTT TYPE=ENTRY,RESTYPE=TASK, X
        SECBY=OFF, X
        EXTNAME=(RESTYPE,RESNAME),EXTCLS='CA@IDMS'
with an OCCUR statement for each task:
#SECRTT TYPE=OCCUR,RESTYPE=TASK, X
        SECBY=EXTERNAL, X
        RESNAME='ADSM'
Using the above examples, the ESM must be configured to grant access for resource name "TASK.task-name" to security group (or role) DBADMIN, for security class "CA@IDMS", where "task-name" is one of the listed DBA-level tasks. These rules should then be given to the appropriate users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(TASK.ADSM)
In ACF2:
$KEY(TASK.ADSM) TYPE(CA@IDMS) UID(user_id) ALLOW
In RACF:
RDEFINE CA@IDMS TASK.ADSM UACC(NONE)
PERMIT TASK.ADSM CLASS(CA@IDMS) ID(user_id) ACCESS(READ)
After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Validate the following suggested DC-Administrator-level tasks are secured in the SRTT. If they are not secured, this is a finding. (Note that USER, DEVELOPER, DBADMIN, and DCADMIN are suggested categories only.)
ASF CLOD DCMT OPER PMBILL PMRM SDEL SEND SYSGEN SYSGENT WEBC
If "TASK" is not found as the resource type in any of the entries, this is a finding. If "TASK" is secured internally, this is a finding. If "TASK" is secured externally in the SRTT, review the SRTT entries to ensure that the above tasks are secured, and review the external security manager (ESM) for external class and external name format to make sure the appropriate authorizations have been defined. If they have not, this is a finding.
The SRTT module must be coded to enable task-level security. When using an ESM, this could be done in the following manner:
#SECRTT TYPE=ENTRY, X
        RESTYPE=TASK, X
        SECBY=EXTERNAL, X
        EXTNAME=(RESTYPE,RESNAME), X
        EXTCLS='CA@IDMS'
or, to give access specifically to one or more tasks (in this case, to ASF):
#SECRTT TYPE=ENTRY,RESTYPE=TASK, X
        SECBY=OFF, X
        EXTNAME=(RESTYPE,RESNAME),EXTCLS='CA@IDMS'
with an OCCUR statement for each task:
#SECRTT TYPE=OCCUR,RESTYPE=TASK, X
        SECBY=EXTERNAL, X
        RESNAME='ASF'
Using the above examples, the ESM must be configured to grant access for resource name "TASK.task-name" to security group (or role) DCADMIN, for security class "CA@IDMS", where "task-name" is one of the DC-Administrator-level tasks listed. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(TASK.ASF)
In ACF2:
$KEY(TASK.ASF) TYPE(CA@IDMS) UID(user_id) ALLOW
In RACF:
RDEFINE CA@IDMS TASK.ASF UACC(NONE)
PERMIT TASK.ASF CLASS(CA@IDMS) ID(user_id) ACCESS(READ)
After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
The following are user-level batch programs that are executed using JCL rather than by the CV. As batch programs, they need to be secured by the external security manager (ESM) rather than through the SRTT. Validate the following suggested user-level programs are secured by the ESM:
ADSBATCH ADSOBPLG CULPRIT IDMSBCF OLQBATCH OLQBNOTE
Contact the security office to confirm that the programs in this list are secured. If the programs listed are not secured, this is a finding.
Contact the security office to confirm that the programs in this list are secured via the ESM and assigned to the appropriate users. Each program listed must be secured.
The following are developer-level batch programs and are executed using JCL rather than the CV. As batch programs, they need to be secured in the external security manager (ESM) rather than through the SRTT. Validate the following suggested developer-level programs are secured by the ESM:
ADSOBCOM ADSORPTS IDMSDMLA IDMSDMLC IDMSDMLP IDMSLOOK IDMSRPTS RHDCMAP1 RHDCMPUT
Contact the security office to confirm that the programs in this list are secured. If they are not, this is a finding.
Contact the security office to confirm that the programs in this list are secured via the ESM and assigned to the appropriate users. Each program in the list must be secured.
The following are DBA-level batch programs and are executed using JCL rather than the CV. As batch programs, they need to be secured for DBAs in the external security manager (ESM) (included in DCADMIN- and DBADMIN-level security) rather than through the SRTT. Validate the following suggested DBA-level programs are secured by the ESM:
ADSOBSYS ADSOBTAT IDMSCHEM IDMSDBN1 IDMSDBN2 IDMSDDDL IDMSPASS IDMSRSTC IDMSUBSC RHDCOMVS
Contact the security office to confirm that the programs in this list are secured. If not, this is a finding.
Contact the security office to confirm that the programs in this list are secured via the ESM and assigned to the appropriate users. Each program in the list must be secured.
The following are DC-Administrator-level batch programs and are executed using JCL rather than the CV. As batch programs, they need to be secured in the external security manager (ESM) rather than through the SRTT. Validate the following suggested DC-Administrator-level programs are secured by the ESM:
IDMSDIRL RHDCSGEN RHDCTTBL
If the suggested DC-Administrator-level programs are not secured in the SRTT and have not been authorized for DCADMINs in the ESM, this is a finding. (Note that USER, DEVELOPER, DBADMIN, and DCADMIN are suggested categories only.) Contact the security office to confirm that the programs in this list are secured; if they are not, this is a finding.
Contact the security office to confirm that the programs in this list are secured via the ESM and assigned to the appropriate users. Each program in the list must be secured.
Examine load module "RHDCSRTT" by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If the TYPE=INITIAL #SECRTT has DFLTSGN=YES specified, this is a finding. If DFLTUID is defined, this is a finding.
Set DFLTSGN=NO and remove DFLTUID from the #SECRTT TYPE=INITIAL macro that is input to the RHDCSRTT module, then assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
Log in to the CV and enter command DCPROFIL. Press "Enter" until the page titled "Named User Exits" appears. Find the entry for USRIDXIT. If the DEFINED column says YES, then a user-written exit has been linked with IDMSUXIT. If a user-written exit USRIDXIT has been linked with IDMSUXIT (for batch or TSO front-end use), UCFCICS (UCF access from a CICS transaction) or IDMSINTC (DML or SQL access from a CICS transaction server front-end) and the USRIDXIT changes the userid to a shared userid, this is a finding.
Remove code from USRIDXIT that changes the individual userid to a shared user, or remove the exit entirely. After making the above changes, assemble and link IDMSUXIT. To implement the new IDMSUXIT, either recycle any CVs that use it or issue these commands:
DCMT VARY NUCLEUS MODULE IDMSUXIT NEW COPY
DCMT VARY NUCLEUS RELOAD
Issue LOOK PROGRAM=RHDCUXIT. If there are non-zeros in the 12 bytes starting at X'200', exit 27 is being used. If there are non-zeros in the 12 bytes starting at X'20C', exit 28 is being used. Check exits for a change in userid and if there is a change to a shared user ID, this is a finding.
Remove code from exit 27 and/or exit 28 that changes the individual user ID to a shared user, or remove the exit entirely, then reassemble and relink RHDCUXIT. To implement the new RHDCUXIT, either recycle any CVs that use it or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCUXIT NEW COPY
DCMT VARY NUCLEUS RELOAD
If there are web-based applications to which individual users sign on, and a generic ID associated with the application is used to access back-end IDMS databases, this is a finding.
For web-based applications using generic IDs, set the individual user ID (external identity) to be recorded in the journal. For JDBC applications, use the "IdmsConnection setIdentity" method. For ODBC applications, use the "SQLSetConnectAttr" function with the IDMS_ATTR_EXTERNAL_IDENTITY attribute type. Run journal reports "JREPORT 010" and "JREPORT 008" to audit the individual user ID.
On the IDMS CV system where CA IDMS Web Services executes, enter "WEBC" to check Web Services configuration. If "REQUIRE SIGNON = NO", this is a finding.
On the IDMS CV system where CA IDMS Web Services executes, enter "WEBC REQUIRE SIGNON=YES".
Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If the ESM specification does not match the RHDCSRTT entry, this is a finding. Validate each of the following listed entries:
Access actions such as login - Resource type SGON
Privileged system access - Resource types SYST, DB, DMCL, DBTB
Privileged object access - Resource types SLOD, SACC, QUEU
Privileged program access - Resource types TASK, SPGM
If any are not secured externally, this is a finding.
If some of the resource types were not defined to the #SECRTT with SECBY=EXTERNAL, update the #SECRTT security module to include the appropriate definitions:
Access actions such as login - Resource type SGON
Privileged system access - Resource types SYST, DB, DMCL, DBTB
Privileged object access - Resource types SLOD, SACC, QUEU
Privileged program access - Resource types TASK, SPGM
To update the #SECRTT entries, change any invalid definitions of SECBY=INTERNAL to SECBY=EXTERNAL for the resources listed above. If any of the resource types are missing, add them. Once the updates are complete, recompile the RHDCSRTT module. Then confirm that the resource types are referenced appropriately by the external security manager.
Examine load module IDMSCTAB by executing CA IDMS utility IDMSCTAD, or by issuing command "DCMT DISPLAY CTAB" while signed onto the CV and reviewing the output. Note: This requires PTF SO08199. If DCMT commands that are executed have not been defined in the IDMSCTAB module using the #CTABGEN macro, this is a finding. If these command codes are defined in the IDMSCTAB module but the related activities have not been defined to the RHDCSRTT module, this is a finding. Examine load module IDMSUTAB using CA IDMS utility IDMSUTAD, or by issuing command "DCMT DISPLAY UTAB" while signed onto the CV, and reviewing the output. Note: This requires PTF SO08527. If OCF/BCF utility command codes that are executed have not been defined in the IDMSUTAB module using the #UTABGEN macro, this is a finding. If the IDMSUTAB load module defines commands but the related activities have not been defined to the RHDCSRTT module, this is a finding. If any of the above tasks are run from local mode, use a custom EXIT 14 to trigger a security check that goes through the ESM. If an EXIT 14 is not configured for each such situation, this is a finding.
If the IDMSUTAB load module needs to be updated to secure and audit the OCF/BCF commands, re-run the #UTABGEN macro to create an updated version. Here is an example of the syntax:
#UTABGEN (FORMAT,14,PRINTPAGE,14)
This syntax assigns the FORMAT and PRINTPAGE commands to activity 14, which can now be secured by the RHDCSRTT module. If the IDMSCTAB load module needs to be updated to secure and audit the DCMT commands, update the #CTABGEN macro to create an updated version. Here is an example of the syntax:
#CTABGEN (B,2),(N022,B,N050,B)
This syntax assigns security label B to activity #2, then assigns the tasks DCMT VARY MEMORY and DCMT VARY LOADLIB to security label B. With this definition, secure activity #2 appropriately in the RHDCSRTT module.
Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Examine the SRTT and verify that entries exist for all desired database resources. The database resources that may be secured, and their respective RESTYPEs, are:
Database - DB
Area - AREA (1)
Rununit - NRU (1)
SQL Schema - QSCH (1)
Non-SQL Schema - NSCH (1)
Access Module - DACC (1)
Table - TABL (1)
DMCL - DMCL
Database name table - DBTB
Note: Securing RESTYPE=DB (Database) also secures the resource types marked (1). SRTT TYPE=ENTRY statements with RESTYPEs of AREA, NRU, QSCH, NSCH, DACC, and TABL do not turn security on or off for these RESTYPEs, but are used to build the EXTNAME and EXTCLS to be passed to the external security manager (ESM). Interrogate the DBA(s) to determine which database objects may need to be secured. For SQL access, check that both the catalog and user database are secured in the SRTT. If not, this is a finding. If batch jobs that access an IDMS database are allowed to run, check whether the access is covered by standard ESM dataset security and/or the user-written exit 14 (which issues a security check when a BIND RUN-UNIT or READY AREA is being done). If not, this is a finding.
Before securing a database externally, it is VERY IMPORTANT to weigh the following considerations:
- If adding an SRTT TYPE=ENTRY that secures the DB resource type externally, it automatically secures a group of database resource types externally for all databases.
- If the SRTT contains one or more TYPE=OCCUR (occurrence overrides) that specify external security for resource type DB, also add an SRTT entry specifying external resource class and external resource name for each of the database resource types that are automatically secured externally for the database being secured in that TYPE=OCCUR statement.
- The only database-related RESTYPE valid with TYPE=OCCUR is DB.
See the IDMS Techdocs for more information on securing database resources. The SRTT module must have an entry coded to secure one or more database resources. For instance:
#SECRTT TYPE=INITIAL, X
        ENVNAME=SYS001
#SECRTT TYPE=ENTRY, X
        RESTYPE=DB, X
        SECBY=OFF, X
        EXTNAME=(ENVIR,RESNAME,RESTYPE), X
        EXTCLS='CA@IDMS'
#SECRTT TYPE=OCCUR, X
        RESTYPE=DB, X
        SECBY=EXTERNAL, X
        RESNAME='PROD'
The above example could be used to secure the external name SYS001.PROD.DB. When securing SQL access, it is necessary to secure both the DBNAME containing the catalog segment (probably SYSSQL in APPLDICT) and the database being accessed.
#SECRTT TYPE=OCCUR,SECBY=EXT,RESTYPE=DB, X
        RESNAME='APPLDICT'
#SECRTT TYPE=OCCUR,SECBY=EXT,RESTYPE=DB, X
        RESNAME='USERDB'
Because the above example also secures the DB subtypes, add SRTT entries to allow the ability to grant or deny access to them:
#SECRTT TYPE=ENTRY,RESTYPE=AREA, X
        SECBY=EXT,EXTNAME=(ENVIR,RESTYPE,RESNAME)
#SECRTT TYPE=ENTRY,RESTYPE=NRU, X
        SECBY=EXT,EXTNAME=(ENVIR,RESTYPE,RESNAME)
#SECRTT TYPE=ENTRY,RESTYPE=QSCH, X
        SECBY=EXT,EXTNAME=(ENVIR,RESTYPE,RESNAME)
#SECRTT TYPE=ENTRY,RESTYPE=NSCH, X
        SECBY=EXT,EXTNAME=(ENVIR,RESTYPE,RESNAME)
#SECRTT TYPE=ENTRY,RESTYPE=DACC, X
        SECBY=EXT,EXTNAME=(ENVIR,RESTYPE,RESNAME)
#SECRTT TYPE=ENTRY,RESTYPE=TABL, X
        SECBY=EXT,EXTNAME=(ENVIR,RESTYPE,RESNAME)
Note that the TABL resource type represents base tables, functions, procedures, table procedures, and views. Ensure that the ESM has a corresponding entry to give access to the desired users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(SYS001.PROD.DB) ACCESS(access_level)
and, assuming that the user wants to grant access to the area:
TSS PER(user_id) CA@IDMS(SYS001.PROD.AREA) ACCESS(access_level)
Check the SRTT for the externally secured resource SYST, which allows the SYSGEN to be modified and application program definitions to be added. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If "SYST" is not found as the resource type in any of the entries, this is a finding. If "SYST" is not coded with SECBY=EXTERNAL, this is a finding. If "SYST" is found to be secured externally, ensure the external security manager (ESM) contains the correct definition using the external resource class name and the external name construction rules. If it is not defined or not defined correctly, this is a finding. If the ESM definition is correct but the role(s)/group(s) are not defined correctly to give the appropriate permissions, this is a finding.
The SRTT module must be coded to secure the system. When using an ESM, this could be done in the following manner:
#SECRTT TYPE=ENTRY, X
        RESTYPE=TASK, X
        SECBY=EXTERNAL, X
        EXTNAME=(RESTYPE,RESNAME), X
        EXTCLS='CA@IDMS'
#SECRTT TYPE=OCCUR, X
        RESTYPE=TASK, X
        RESNAME='SYSGEN', X
        SECBY=EXT
In the EXTNAME above, RESTYPE is changed to "TASK" and RESNAME is changed to "SYSGEN". Ensure the ESM has a corresponding entry to give access to the desired users. For instance, given a system named SYSO187, in Top Secret:
TSS PER(user_id) CA@IDMS(TASK.SYSGEN)
In ACF2:
$KEY(TASK.SYSGEN) TYPE(CA@IDMS) UID(user_id) ALLOW
In RACF:
RDEFINE CA@IDMS SYST UACC(NONE)
PERMIT TASK.SYSGEN CLASS(CA@IDMS) ID(user_id) ACCESS(READ)
After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
Check the SRTT for an externally secured ACTI resource, which can be used to secure DCMT VARY DYNAMIC PROGRAM, DCMT VARY DYNAMIC TASK and DCMT VARY MEMORY. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If "ACTI" is not found as the resource type in any of the entries, this is a finding. If "ACTI" is found but has SECBY=INTERNAL, this is a finding. If no entry is securing VARY DYNAMIC and VARY MEMORY externally, this is a finding. If there is no IDMSCTAB load module into which the #CTABGEN has been generated that specifies the node names that correspond to the DCMT commands (DCMT VARY DYNAMIC - N046; DCMT VARY MEMORY - N033), this is a finding. Examine load module IDMSCTAB using CA IDMS utility IDMSCTAD, or by issuing command "DCMT DISPLAY CTAB" while signed onto the CV, and reviewing the output. Note that this requires PTF SO08199. If DCMT command codes N024, N025, and N033 are not defined, this is a finding.
The SRTT must contain one or more entries to enable the external security of RESTYPE=ACTI. For example:
#SECRTT TYPE=ENTRY,RESTYPE=ACTI, X
        SECBY=EXTERNAL, X
        EXTCLS='CA@IDMS',EXTNAME=(SYST,ACTIVITY)
Update the source for IDMSCTAB. This example #CTABGEN entry secures the DCMT VARY DYNAMIC and DCMT VARY MEMORY commands and assigns an activity number to each:
CTAB     TITLE 'GENERATE DCMT SECURITY TABLE'
         #CTABGEN LOGIN=YES, X
               (A,1,B,10), X
               (N033,A,N046,B)
         END
The ACTIVITY passed to the external security manager (ESM) will be the first up to five bytes of the application name followed by the three-byte activity number or, using the above example, DCMT010 for a DCMT VARY DYNAMIC command and DCMT001 for a DCMT VARY MEMORY command. After making the above changes, IDMSCTAB and RHDCSRTT must be reassembled and relinked. To implement the new SRTT and IDMSCTAB, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS MODULE IDMSCTAB NEW COPY
DCMT VARY NUCLEUS RELOAD
Also verify that the ESM gives access to the appropriate people. Here are some Top Secret commands based on the above information. Assume that the SYSTEM ID in SYSGEN is TEST001:
TSS PER(user_id) CA@IDMS(TEST001.DCMT001) ACCESS(READ)
TSS PER(user_id) CA@IDMS(TEST001.DCMT010) ACCESS(READ)
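As an added example (not from the STIG, CA, or any site's RHDCSRTT), the following Python audit parses #SECRTT source with assembler-style continuation lines, applies the checks described above (DFLTSGN/DFLTUID on the TYPE=INITIAL entry; the SGON, SYST, DB, DMCL, DBTB, SLOD, SACC, QUEU, TASK and SPGM resource types secured with SECBY=EXTERNAL or an external TYPE=OCCUR override), and derives the external resource name an ESM rule must carry from the EXTNAME component list (TASK.ADS, SYS001.PROD.DB, TEST001.DCMT010). The sample source is constructed, and the trailing "X" token is a simplification of the column-72 continuation rule.

```python
"""Offline audit of #SECRTT source against the checks on this page (added example)."""
import re
from typing import Dict, List

# Resource types the page expects to be secured externally.
REQUIRED_EXTERNAL = ["SGON", "SYST", "DB", "DMCL", "DBTB",
                     "SLOD", "SACC", "QUEU", "TASK", "SPGM"]
# Short forms the page itself uses (SECBY=EXT, TYPE=OCCURRENCE).
ABBREV = {"EXT": "EXTERNAL", "INT": "INTERNAL", "OCCURRENCE": "OCCUR"}

# Constructed sample RHDCSRTT source (not from any real site). A trailing "X"
# token stands in for the assembler continuation character in column 72.
SAMPLE_SRTT = """\
         #SECRTT TYPE=INITIAL,                                          X
               ENVNAME=SYS001,DFLTSGN=YES,DFLTUID=PUBLIC
         #SECRTT TYPE=ENTRY,RESTYPE=SGON,SECBY=EXTERNAL,                X
               EXTCLS='CA@IDMS',EXTNAME=(RESTYPE,RESNAME)
         #SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=OFF,                     X
               EXTCLS='CA@IDMS',EXTNAME=(RESTYPE,RESNAME)
         #SECRTT TYPE=OCCUR,RESTYPE=TASK,SECBY=EXT,RESNAME='ADS'
         #SECRTT TYPE=ENTRY,RESTYPE=SYST,SECBY=INTERNAL
         #SECRTT TYPE=ENTRY,RESTYPE=DB,SECBY=OFF,                       X
               EXTCLS='CA@IDMS',EXTNAME=(ENVIR,RESNAME,RESTYPE)
         #SECRTT TYPE=OCCUR,RESTYPE=DB,SECBY=EXT,RESNAME='PROD'
         #SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=EXTERNAL,                X
               EXTCLS='CA@IDMS',EXTNAME=(SYST,ACTIVITY)
"""


def _split_operands(text: str) -> List[str]:
    """Split on commas that are not inside parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


def parse_secrtt(source: str) -> List[Dict[str, object]]:
    """Return one operand dict per #SECRTT statement, joining continuation lines."""
    statements: List[Dict[str, object]] = []
    buf = ""
    for raw in source.splitlines():
        line = raw.rstrip()
        cont = re.search(r"\s+X$", line) is not None   # continuation marker
        buf += (line[:-1] if cont else line).strip()
        if cont:
            continue
        if buf.startswith("#SECRTT"):
            ops: Dict[str, object] = {}
            for op in _split_operands(buf[len("#SECRTT"):]):
                key, _, val = op.partition("=")
                val = val.strip("'")
                if val.startswith("("):            # e.g. EXTNAME=(RESTYPE,RESNAME)
                    ops[key] = tuple(v.strip() for v in val[1:-1].split(","))
                else:
                    ops[key] = ABBREV.get(val, val) if key in ("SECBY", "TYPE") else val
            statements.append(ops)
        buf = ""
    return statements


def audit(statements: List[Dict[str, object]]) -> List[str]:
    """Apply the page's checks; an empty list means no findings."""
    findings: List[str] = []
    entries = {s["RESTYPE"]: s for s in statements if s.get("TYPE") == "ENTRY"}
    ext_occurs = {s["RESTYPE"] for s in statements
                  if s.get("TYPE") == "OCCUR" and s.get("SECBY") == "EXTERNAL"}
    for s in statements:
        if s.get("TYPE") != "INITIAL":
            continue
        if s.get("DFLTSGN") == "YES":
            findings.append("INITIAL: DFLTSGN=YES (default sign-on allowed)")
        if "DFLTUID" in s:
            findings.append(f"INITIAL: DFLTUID={s['DFLTUID']} is defined")
    for restype in REQUIRED_EXTERNAL:
        entry = entries.get(restype)
        if entry is None:
            findings.append(f"{restype}: no TYPE=ENTRY in SRTT")
        elif entry.get("SECBY") == "INTERNAL":
            findings.append(f"{restype}: secured internally")
        elif entry.get("SECBY") != "EXTERNAL" and restype not in ext_occurs:
            findings.append(f"{restype}: SECBY=OFF and no external TYPE=OCCUR")
    return findings


def external_name(entry: Dict[str, object], resname: str = "", envname: str = "",
                  system_id: str = "", activity: str = "") -> str:
    """Build the external resource name an ESM rule must carry, from EXTNAME."""
    values = {"RESTYPE": str(entry["RESTYPE"]), "RESNAME": resname,
              "ENVIR": envname, "SYST": system_id, "ACTIVITY": activity}
    return ".".join(values[part] for part in entry["EXTNAME"])


def activity_name(application: str, number: int) -> str:
    """ACTI resource name: up to five bytes of application name + 3-digit activity."""
    return f"{application[:5]}{number:03d}"
```

Running `audit(parse_secrtt(SAMPLE_SRTT))` on the constructed sample reports the DFLTSGN/DFLTUID findings, SYST secured internally, and the six required resource types that have no entry at all.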
All database objects to be secured must be specified to the CA IDMS centralized security in the security resource type table (SRTT) as being secured externally. Log on to a DC system in the security domain. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Check each entry in the SRTT. If the resource type is DB, AREA, NRU, QSCH, NSCH, TABL, DACC, SACC, DMCL, or DBTB, the resource type is a database object. If it contains SECBY=INTERNAL, this is a finding. If any of the database types are not found in the SRTT, this is a finding. For SQL access, check that both the catalog and user database are secured in the SRTT. If not, this is a finding. If batch jobs are allowed to be run which access an IDMS database, check whether the access is covered by standard ESM dataset security and/or the user-written exit 14 (issues a security check at BIND/READY time). If not, this is a finding. If the ESM definition is correct but the role(s)/groups(s) are not defined correctly to give the appropriate permissions, this is a finding.
Secure database object resources not found in the SECRTT, or found to be secured internally, through the ESM chosen by the organization (e.g., TSS, ACF2, RACF). Users, groups, roles, etc., are defined to the ESM, and it is here where the authorization for ownership is determined. Once externally secured, create or modify the #SECRTT entries that specify TYPE=ENTRY and TYPE=OCCURRENCE for the database resource type with the parameter SECBY=EXTERNAL. Use the RESTYPE DB, which implicitly includes the subtypes AREA, NRU, QSCH, NSCH, TABL, DACC, and SACC. For each subtype, an entry must be added. The restypes for database tables and DMCLs are DBTB and DMCL, respectively. For SQL access, include #SECRTT RESTYPE=DB for both the catalog and user database through all dbname and segment names that can access the catalog and database. For batch jobs that access database objects, use the ESM standard dataset security and/or the user-written exit 14 to secure the database objects. Create the corresponding entry in the ESM and give appropriate permissions to role(s)/group(s) to allow database changes by appropriate users (usually DBAs).
Check the SRTT for externally secured ACTI, which can be used to secure utility functions that can impact database structure, e.g., CONVERTCATALOG, CONVERTPAGE, EXPANDPAGE, MAINTAININDEX, REORG, RESTRUCTURE, and TUNEINDEX. For a full list, see the UTABGEN UTILITY COMMAND CODES table in the Administrating Security for IDMS manual. Examine load module IDMSUTAB using CA IDMS utility IDMSUTAD, or by issuing command "DCMT DISPLAY UTAB" while signed onto the CV, and reviewing the output. Note: This requires PTF SO08527. If there is no IDMSUTAB load module into which the #UTABGEN has been generated that specifies the node names that correspond to the UTILITY statements, this is a finding. Examine load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. If "ACTI" is not found as the resource type in any of the entries, this is a finding. If "ACTI" is found to be secured internally, this is a finding. If "ACTI" is found to be secured externally, ensure that the ESM contains the correct definition using the external resource class name and the external name construction rules. If it is not defined or not defined correctly, this is a finding. If the ESM definition is correct but the role(s)/group(s) are not defined correctly to give the appropriate permissions, this is a finding. Note: Utilities can alternatively be secured using RESTYPE=DB; corresponding ESM definitions can then give authorization to the appropriate role(s)/group(s).
Create an entry in the SRTT and compile it into the module RHDCSRTT for the security domain, defining the resource type ACTI. The external class and external name construction rules must be specified. For example:
#SECRTT TYPE=ENTRY,RESTYPE=ACTI, SECBY=EXTERNAL, EXTCLS='CA@IDMS',EXTNAME=(RESNAME,ACTIVITY)
Compile IDMSUTAB into the custom loadlib, specifying the activity number associated with the utility statement on the #UTABGEN macro. For example:
#UTABGEN (A,3),(OCF,EXPANDPAGE,I)
The ACTIVITY passed to the ESM will be the first up to five bytes of the application name followed by the three-byte activity number. Using the activity number "3" in the #UTABGEN, the ACTIVITY sent to the ESM would be OCF003. Create the corresponding entry in the ESM and give appropriate permissions to role(s)/group(s) for the ACTIVITY (e.g., OCF003, which would secure the EXPANDPAGE utility statement).
Examine the load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Check the SRTT for externally secured ACTI where the task name is DBUG. If none is found, this is a finding. If the entry is secured internally, this is a finding. If an ACTI statement for DBUG that secures DBUG externally is found, verify the program IDMSGTAB resides in the CV's CMDSLIB concatenation. If not, this is a finding. If IDMSGTAB is found, perform a DUMPT of IDMSGTAB using AMASPZAP. The last 28 bytes are a table of 14 halfwords, one for each security category that can be secured by the #GTABGEN macro. Examine this table in the DUMPT. If all halfwords are zero, no debugger functions are secured, and this is a finding. If any halfword is non-zero, then the first byte will be x'01' and the second byte will contain the activity number assigned to that function in hexadecimal. The order of the security categories in the table is:
UPGMR UPGMU USTGR USTGU SHSTGR SHSTGU AUPGMR AUPGMU ASYSTGR ASYSTGU ASYSPGR ASYSPGU ALLR ALLU
If the debug activity is found to be secured externally, confer with the security office to ensure that the external security manager (ESM) contains the correct definition using the external resource class name and the external name construction rules. If it is not defined correctly, this is a finding. If the ESM definition is correct but the role(s)/group(s) are not defined correctly to give the appropriate permissions, this is a finding.
Create, or modify as needed, an entry in the SRTT to secure the DEBUG categories and compile into module RHDCSRTT. The external class and external name construction rules must be specified. The following example shows a TYPE=ENTRY #SECRTT macro defining the EXTNAME format for RESTYPE=ACTI and an occurrence override defining the information for a specific occurrence for the DBUG activity.
#SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=OFF, EXTNAME=(ENVIR,ACTI) ,EXTCLS='CA@IDMS'
#SECRTT TYPE=OCCUR,RESTYPE=ACTI,RESNAME='DBUG',SECBY=EXT
After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
Review the IDMSGTAB module and make changes to the #GTABGEN macro as needed. Here is an example that secures all possible DEBUG categories:
#GTABGEN (A,01,B,02,C,03,D,04,E,05,F,06,G,07,H,08,I,09,J,10, X
 K,11,L,12,M,13,N,14), X
 (UPGMR,A,UPGMU,B,USTGR,C,USTGU,D,SHSTGR,E,SHSTGU,F, X
 AUPGMR,G,AUPGMU,H,ASYSTGR,I,ASYSTGU,J, X
 ASYSPGR,K,ASYSPGU,L,ALLR,M,ALLU,N)
END
Assume the TYPE=INITIAL #SECRTT macro specified ENVNAME=TEST0001 and the particular debug activity was UPGMR (allow the user to retrieve user programs, schemas, maps, and tables). In that case, the external resource name would be TEST0001.DBUG001. Using this information, a Top Secret example to grant access could be:
TSS PER(user_1) CA@IDMS(TEST0001.DBUG001)
Confer with the security office to ensure that the correct entries are in the ESM to give access to the appropriate role(s)/group(s) permissions for the desired DEBUG categories.
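As an added example (it is not part of the STIG and not CA/Broadcom code), the following Python script decodes the 14-halfword #GTABGEN table that the check text says occupies the last 28 bytes of IDMSGTAB, using the category order and the x'01' flag-byte convention given there, and reports which DEBUG categories are secured together with the DBUGnnn activity name the matching ESM rule must carry. The hex input is a constructed sample of the data bytes only, as they would be read off a DUMPT listing; the function names and the sample tables are this example's own.

```python
import struct

# Order of the 14 halfwords at the end of IDMSGTAB, one per DEBUG security
# category, as listed in the STIG check text for the DUMPT of IDMSGTAB.
GTAB_CATEGORIES = [
    "UPGMR", "UPGMU", "USTGR", "USTGU", "SHSTGR", "SHSTGU",
    "AUPGMR", "AUPGMU", "ASYSTGR", "ASYSTGU", "ASYSPGR", "ASYSPGU",
    "ALLR", "ALLU",
]


def gtab_tail_from_hex(hex_text: str) -> bytes:
    """Turn the last 28 data bytes copied out of an AMASPZAP DUMPT into bytes.
    Paste only the data bytes (no offset column); whitespace is ignored."""
    raw = bytes.fromhex("".join(hex_text.split()))
    if len(raw) != 28:
        raise ValueError(f"expected 28 bytes (14 halfwords), got {len(raw)}")
    return raw


def decode_gtab_tail(tail: bytes) -> dict:
    """Map each DEBUG category to its activity number, or None when the halfword
    is zero (category not secured). A non-zero halfword must be x'01nn'; anything
    else means these bytes are not the #GTABGEN table (e.g. wrong DUMPT offset)."""
    if len(tail) != 28:
        raise ValueError(f"expected 28 bytes, got {len(tail)}")
    decoded = {}
    for category, (halfword,) in zip(GTAB_CATEGORIES, struct.iter_unpack(">H", tail)):
        if halfword == 0:
            decoded[category] = None
            continue
        flag, activity = halfword >> 8, halfword & 0xFF
        if flag != 0x01:
            raise ValueError(f"{category}: flag byte x'{flag:02X}' is not x'01'")
        decoded[category] = activity
    return decoded


def assess_gtab(tail: bytes) -> dict:
    """Summarize the table the way the STIG check reads it: which categories are
    secured (with the DBUGnnn ACTI name the ESM rule must hold), which are not,
    and whether the table is all zeros, which the check treats as a finding."""
    decoded = decode_gtab_tail(tail)
    secured = {c: f"DBUG{n:03d}" for c, n in decoded.items() if n is not None}
    unsecured = [c for c, n in decoded.items() if n is None]
    return {"secured": secured, "unsecured": unsecured, "finding": not secured}


# Constructed sample 1: the #GTABGEN example above, activities 1..14 in order.
FULL_TABLE = gtab_tail_from_hex(
    "0101 0102 0103 0104 0105 0106 0107 0108 0109 010A 010B 010C 010D 010E"
)
# Constructed sample 2: only UPGMR (activity 1) and ALLU (activity 14) secured.
PARTIAL_TABLE = gtab_tail_from_hex("0101" + " 0000" * 12 + " 010E")
# Constructed sample 3: all halfwords zero, i.e. no debugger function secured.
EMPTY_TABLE = bytes(28)

if __name__ == "__main__":
    for label, table in (("full", FULL_TABLE), ("partial", PARTIAL_TABLE), ("empty", EMPTY_TABLE)):
        report = assess_gtab(table)
        print(f"{label}: finding={report['finding']} secured={report['secured']}")
```

The activity number is stored in hexadecimal in the dump but appears in decimal in the ACTI name (x'0E' becomes DBUG014), which is the conversion an auditor most often gets wrong when comparing the dump against the ESM rules.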
Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Check the SRTT for externally secured RESTYPE=SYSA. If none is found, this is a finding. If the entry is secured internally, this is a finding.
The SRTT module must be coded to secure SYSADMIN. When using an ESM, this could be done in the following manner:
#SECRTT TYPE=ENTRY, X
 RESTYPE=SYSA, X
 SECBY=EXTERNAL , X
 EXTNAME=(ENVIR,RESTYPE), X
 EXTCLS='CA@IDMS'
Using the above example and supposing that ENVNAME=TESTSYS was specified on the INITIAL SRTT entry, the external resource name would be TESTSYS.SYSA. To give access to a user in Top Secret, the command would be:
TSS PER(user_id) CA@IDMS(TESTSYS.SYSA)
After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
If a CAISAG base installation completed with EMPDEMO=YES and/or SQLDEMO=YES, or if a base installation completed with CSM and CREATE_DB_DEMO and/or CREATE_SQL_DEMO selected, this is a finding. In OCF/BCF, DISPLAY DMCL <dmclname>. If segments EMPDEMO, SQLDEMO, and/or PROJDEMO exist, this is a finding. In OCF/BCF, DISPLAY DBTABLE <dbtbname>. If segments EMPDEMO, SQLDEMO, and/or PROJDEMO exist, this is a finding. In OCF/BCF, DISPLAY SCHEMA DEMOEMPL and DISPLAY SCHEMA DEMOPROJ. If either or both exist, this is a finding. If schema EMPSCHM exists, this is a finding. If any of the following load modules are in load libs used by the installation, this is a finding: EMPSS01, EMPDMCL, EMPLOAD, EMPRPT, EMPINQ. If any of the following files are found to be used by the installation, this is a finding: <installation prefix>.EMPDEMO.EMPDEMO, <installation prefix>.EMPDEMO.INSDEMO, <installation prefix>.ORGDEMO.EMPDEMO, <installation prefix>.SQLDEMO.EMPLDEMO, <installation prefix>.SQLDEMO.INDXDEMO, <installation prefix>.SQLDEMO.INFODEMO, <installation prefix>.PROJSEG.PROJDEMO.
In OCF/BCF, ALTER DMCL <dmclname> and EXCLUDE SEGMENT EMPDEMO, SQLDEMO, and/or PROJDEMO. Generate, punch, and relink the DMCL. Do the same for DBTABLE <dbtbname>. Remove load modules EMPSS01, EMPDMCL, EMPLOAD, EMPRPT, and EMPINQ from installation load libraries. Remove files <installation prefix>.EMPDEMO.EMPDEMO, <installation prefix>.EMPDEMO.INSDEMO, <installation prefix>.ORGDEMO.EMPDEMO, <installation prefix>.SQLDEMO.EMPLDEMO, <installation prefix>.SQLDEMO.INDXDEMO, <installation prefix>.SQLDEMO.INFODEMO, <installation prefix>.PROJSEG.PROJDEMO from the installation and installation JCL. Remove database demo objects from application dictionaries, including EMPSCHM record elements and records, EMPSS01, and schemas DEMOEMPL and DEMOPROJ, dropping all the tables in these schemas. For future base installs, specify EMPDEMO=NO and SQLDEMO=NO for CAISAG installs and do not select the CREATE_DB_DEMO and CREATE_SQL_DEMO fields on CSM installs. Note that the specified names are default names. Use modified names if they were changed during base installation.
If a CAISAG base installation was done with EMPDEMO=YES and/or SQLDEMO=YES, or if a base installation was done with CSM and CREATE_DB_DEMO and/or CREATE_SQL_DEMO selected, this is a finding. In OCF/BCF, DISPLAY DMCL <dmclname>. If segments EMPDEMO, SQLDEMO, and/or PROJDEMO exist, this is a finding. In OCF/BCF, DISPLAY DBTABLE <dbtbname>. If segments EMPDEMO, SQLDEMO, and/or PROJDEMO exist, this is a finding. In OCF/BCF, DISPLAY SCHEMA DEMOEMPL and DISPLAY SCHEMA DEMOPROJ. If either or both exist, this is a finding. If schema EMPSCHM exists, this is a finding. If any of the following load modules are in load libs used by the installation, this is a finding: EMPSS01, EMPDMCL, EMPLOAD, EMPRPT, EMPINQ. If any of the following files are found to be used by the installation, this is a finding: <installation prefix>.EMPDEMO.EMPDEMO, <installation prefix>.EMPDEMO.INSDEMO, <installation prefix>.ORGDEMO.EMPDEMO, <installation prefix>.SQLDEMO.EMPLDEMO, <installation prefix>.SQLDEMO.INDXDEMO, <installation prefix>.SQLDEMO.INFODEMO, <installation prefix>.PROJSEG.PROJDEMO.
In OCF/BCF, ALTER DMCL <dmclname> and EXCLUDE SEGMENT EMPDEMO, SQLDEMO, and/or PROJDEMO. Generate, punch, and relink the DMCL. Do the same for DBTABLE <dbtbname>. Remove load modules EMPSS01, EMPDMCL, EMPLOAD, EMPRPT, and EMPINQ from installation load libraries. Remove files <installation prefix>.EMPDEMO.EMPDEMO, <installation prefix>.EMPDEMO.INSDEMO, <installation prefix>.ORGDEMO.EMPDEMO, <installation prefix>.SQLDEMO.EMPLDEMO, <installation prefix>.SQLDEMO.INDXDEMO, <installation prefix>.SQLDEMO.INFODEMO, <installation prefix>.PROJSEG.PROJDEMO from the installation and installation JCL. Remove database demo objects from application dictionaries, including EMPSCHM and all its record elements and records, EMPSS01, and schemas DEMOEMPL and DEMOPROJ, dropping all the tables in these schemas. For future base installations, specify EMPDEMO=NO and SQLDEMO=NO for CAISAG installs and do not select the CREATE_DB_DEMO and CREATE_SQL_DEMO fields on CSM installs. Note that the specified names are default names. Use modified names if they were changed during base installation.
Log on to IDMS DC system and issue DCPROFIL. Scroll to the Product Intent Status screen. If any unused product has a status of "YES", this is a finding.
Edit RHDCPINT source and remove or comment out products identified as unused. Reassemble, relink, and implement changes by either recycling any affected CV or by issuing the following commands in any affected CV:
DCMT VARY NUCLEUS MODULE RHDCPINT NEW COPY
DCMT VARY NUCLEUS RELOAD
For each load area, run a CREPORT 43 to check the nodes and access types for each node. For each node, issue DCMT D LINE. For each LINE type with a status of InSrv, inspect the access type for potential unauthorized connection types. For TCP/IP, for any line with access type SOCKET, issue DCMT D LINE <tcp-line-id>. If any terminals are of type LIST and status InSrv, check the port number for a valid port. If the port number is unacceptable as defined in the PPSM CAL, this is a finding. For each terminal with the type of LIST and InSrv, issue DCMT D PTE <pterm-id>. For each task (and any PARM STRING that could pass a task) identified in the PTE display, issue DCMT D TASK <task-id>. If the task is IDMSJSRV and the associated program is not RHDCNP3J, this is a finding. If the task/program has not been authorized, this is a finding. If other access types (e.g., VTAM, SVC, CCI) have been deemed nonsecure in the PPSM CAL, this is a finding.
For any pterm found to have nonsecure attributes (task, program, or port), disable by issuing DCMT V PTE <pterm-id> OFF. Using SYSGEN, remove offending lines, pterms, lterms, and/or port numbers, then validate and regenerate the system.
For each CA IDMS system, verify the resource module RHDCSRTT for the security domain in which the CA IDMS system exists has an entry for sign-on. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If no SGON entry exists (sign-on not secured), this is a finding. If found and the entry is not secured externally, this is a finding. Ensure the external security manager (ESM) entry for the externally secured "SGON" resource is correctly configured for the external resource class and the external name of the "SGON" resource. The external name must match the format of the external name construction tokens found in the SRTT entry. If not, this is a finding. For local batch jobs that access database files, if there is no ESM security defined for the users submitting the jobs or securing the database datasets, this is a finding.
In the source for RHDCSRTT, add a #SECRTT entry to secure the sign-on process using the ESM such as this example:
#SECRTT TYPE=ENTRY, X
 RESTYPE=SGON, X
 SECBY=EXTERNAL, X
 EXTCLS='CA@IDMS', X
 EXTNAME=(RESTYPE,RESNAME)
The RESNAME used during sign-on is the CV system name as defined in SYSGEN. To find the system name, sign in to SYSGEN in the CV. Then, issue the commands "SIGNON DICT SYST" and "DISP SYS nnn" (where nnn is the CV number). Look for "SYSTEM ID IS" to find the system name used as RESNAME. After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
Before implementing the changes, contact the security administrator and verify the ESM has the necessary rules for the EXTCLS and EXTNAME values chosen. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(SGON.the_extname)
In ACF2:
$KEY(SGON.the_extname) TYPE(CA@IDMS) UID(user_id) ALLOW
For local batch jobs, use OS-level security for job submission or secure database files using ESM dataset-level security.
Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Find the entry for RESTYPE=SGON. If no SGON entry exists, this is a finding. If found, verify that the entry has SECBY=EXTERNAL. If it does not, this is a finding. Verify that the ESM entry for the externally secured "SGON" resource is correctly configured for the external resource class and the external name of the "SGON" SRTT entry. For local batch jobs that access database files, if there is no ESM security defined for the users submitting the jobs or securing the database datasets, this is a finding.
The SRTT module must be coded to secure the system. When using an ESM, this could be done in the following manner:
#SECRTT TYPE=ENTRY, X
 RESTYPE=SGON, X
 SECBY=EXTERNAL , X
 EXTNAME=(RESTYPE,RESNAME), X
 EXTCLS='CA@IDMS'
EXTCLS maps the CA IDMS resource type to the resource class defined in the ESM. The EXTNAME defines the format of the resource name defined to the ESM. After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
Ensure the ESM has a corresponding entry to give access to the desired users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(SGON.the_extname)
In ACF2:
$KEY(SGON.the_extname) TYPE(CA@IDMS) UID(user_id) ALLOW
When using ODBC (with the CCI communications protocol) or a JDBC type 2 driver, if SSL encryption is not being used with CAICCI r2.1 and above, this is a finding. When using ODBC (with the IDMS communications protocol), if SSL encryption is not being used as indicated on the "Server" tab of the Data Source definition, this is a finding. When using a JDBC type 4 driver, if SSL is not being used as indicated by the connection URL, this is a finding.
If using ODBC (with the CCI communications protocol) or a JDBC type 2 driver, SSL encryption can be enabled using CAICCI r2.1 and above. Select the SSL option in the CAICCI properties panel and configure and start the CCISSL task on the mainframe. If using ODBC (with the IDMS communications protocol), SSL encryption can be enabled by selecting the "SSL" check-box on the "Server" tab of the Data Source definition, and providing the certificate name(s) on the "SSL" tab within the CA IDMS ODBC Administrator. If using a JDBC type 4 driver, SSL encryption can be enabled by using the SSL parameter on the JDBC connection URL. Setup is described in informational APAR QI83006 on CA Support Online.
Check that sign-on has been secured. Examine load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Find the entry for sign-on by examining the entries. If no SGON entry exists (sign-on not secured), this is a finding. If found, but the entry is not secured externally, this is a finding. Verify the ESM entry for the externally secured "SGON" resource is correctly configured for the external resource class and the external name of the "SGON" resource in the SRTT. If not, this is a finding. If users, groups, and roles have not been appropriately defined to the external security manager (ESM), this is a finding. Interrogate the security administrator and verify that only authorized users have permission through the ESM to access IDMS. For local batch jobs that access database files, if there is no ESM security defined for the users submitting the jobs or securing the database datasets, this is a finding.
In the source for RHDCSRTT, add a #SECRTT entry to secure the sign-on process using the ESM such as this example:
#SECRTT TYPE=ENTRY, X
 RESTYPE=SGON, X
 SECBY=EXTERNAL, X
 EXTCLS='CA@IDMS', X
 EXTNAME=(RESTYPE,RESNAME)
The RESNAME used during sign-on is the CV system name as defined in SYSGEN. To find the system name, sign in to SYSGEN in the CV. Then, issue the commands "SIGNON DICT SYST" and "DISP SYS nnn" (where nnn is the CV number). Look for "SYSTEM ID IS" to find the system name used as RESNAME. After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
Before implementing the changes, contact the security administrator and verify the ESM has the necessary rules for the EXTCLS and EXTNAME values chosen. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(SGON.the_extname)
In ACF2:
$KEY(SGON.the_extname) TYPE(CA@IDMS) UID(user_id) ALLOW
For local batch jobs, use OS-level security for job submission or secure database files using ESM dataset-level security.
Check that the job or prior job contains a step to vary the areas offline to the CV and takes a backup. If not there, it is a finding. Perform a second check to verify there is a restore step or JCL that can be used when the job fails.
Add a backup step/job if needed and create a restore step/job if needed.
Identify CA IDMS security domains (a set of DC systems and local mode applications sharing a single user catalog and SRTT). For a given security domain, log on to one DC system. Issue DCPROFIL. If there is nothing specified for "Security System" and therefore no external security system being used, this is a finding. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If any entries have SECBY=INTERNAL, this is a finding. For local batch jobs (i.e., those jobs that access database files without going through the CA IDMS system), dataset-level security should be defined in the external security manager (ESM) with authorizations according to the site security plan. If it is not, this is a finding. Check those resources that are secured externally to make sure the mapping to the ESM is correct. Check that the ESM entry for the externally secured resource is correctly configured for the external resource class and the external name of the resource being secured. The external name must match the format of the external name construction tokens found in the entry. If the ESM specification does not match the RHDCSRTT entry, this is a finding.
In the internally secured entries that are to be changed to external security, change the #SECRTT parameter SECBY=INTERNAL to SECBY=EXTERNAL. Add the parameters EXTCLS and EXTNAME to the entry using the resource class and name defined in the ESM. For instance:
#SECRTT TYPE=ENTRY,SECBY=EXTERNAL, X
 RESTYPE=restype,EXTCLS=CA@IDMS, X
 EXTNAME=(extname_definition)
Secure the resources through the ESM chosen by the organization (e.g., TSS, ACF2, RACF) using the EXTCLS and the EXTNAME defined in the SRTT on the entry for the resource type. EXTCLS maps the CA IDMS resource type to the resource class defined in the external security system. The EXTNAME defines the format of the resource name defined to the ESM. Interrogate the security office regarding current and needed rules and definitions in the ESM. Define the access of users, groups, and roles to the resource in the ESM. For local batch jobs that access database files, define appropriate dataset-level security through the ESM. For example, in Top Secret:
TSS ADDTO(restype) CA@IDMS(SYST)
TSS PER(user_id) CA@IDMS(restype.the_extname)
In ACF2:
$KEY(restype.the_extname) TYPE(CA@IDMS) UID(user_id) ALLOW
In RACF:
RDEFINE CA@IDMS restype UACC(NONE)
PERMIT restype.the_extname CLASS(CA@IDMS) ID(user_id) ACCESS(READ)
After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
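The EXTCLS/EXTNAME mapping described here is what every SRTT example on this page (the SGON, ACTI and SYSA entries and the DBUG occurrence override) relies on, so here is an added Python example, not from the STIG and not CA/Broadcom code, that parses a #SECRTT macro, expands its EXTNAME tokens into the resource name the ESM must hold, and renders the matching Top Secret PERMIT so it can be compared with what the security office actually defined. The token names (RESTYPE, RESNAME, ENVIR, SYST, ACTI/ACTIVITY), the dot-joined result and the ACTIVITY naming rule are taken from the examples on this page; the function names, the treatment of ACTI and ACTIVITY as one token, and the sample values are this example's own assumptions.

```python
import re

# EXTNAME tokens seen in the STIG's #SECRTT examples and the keyword argument
# each one is filled from. ACTI and ACTIVITY both appear in the text and are
# treated here as the same token (assumption).
TOKEN_SOURCES = {
    "RESTYPE": "restype",    # the entry's own RESTYPE
    "RESNAME": "resname",    # e.g. the SYSTEM ID for SGON, 'DBUG' for the debugger
    "ENVIR": "envname",      # ENVNAME on the TYPE=INITIAL #SECRTT
    "SYST": "system_id",     # SYSTEM ID from SYSGEN
    "ACTI": "activity",
    "ACTIVITY": "activity",
}


def activity_name(application: str, number: int) -> str:
    """ACTI resource name as the STIG describes it: the first (up to) five bytes
    of the application name plus the three-byte activity number, so
    DCMT + 10 -> DCMT010, OCF + 3 -> OCF003, DBUG + 1 -> DBUG001."""
    if not 0 <= number <= 999:
        raise ValueError("activity number must fit in three bytes")
    return f"{application[:5].upper()}{number:03d}"


def parse_secrtt(macro: str) -> dict:
    """Extract TYPE, RESTYPE, RESNAME, SECBY, EXTCLS and the EXTNAME token list
    from one #SECRTT macro. Assembler continuation marks (an X or - after the
    trailing comma) are dropped and punctuation is tightened first."""
    flat = re.sub(r"\s+[X-](\s+|$)", "", macro)
    flat = re.sub(r"\s*([,=()])\s*", r"\1", flat).strip()

    def grab(key: str):
        m = re.search(rf"(?<![A-Z]){key}='?([A-Z0-9@#$_]+)'?", flat)
        return m.group(1) if m else None

    m = re.search(r"EXTNAME=\(([^)]*)\)", flat)
    return {
        "type": grab("TYPE"), "restype": grab("RESTYPE"), "resname": grab("RESNAME"),
        "secby": grab("SECBY"), "extcls": grab("EXTCLS"),
        "extname": m.group(1).split(",") if m else [],
    }


def apply_occurrence(entry: dict, occurrence: dict) -> dict:
    """Overlay a TYPE=OCCUR #SECRTT on its TYPE=ENTRY: the occurrence's SECBY and
    RESNAME win, the ENTRY's EXTNAME/EXTCLS construction rules stay."""
    if occurrence.get("restype") != entry.get("restype"):
        raise ValueError("occurrence RESTYPE does not match the entry")
    merged = dict(entry)
    for key in ("secby", "resname"):
        if occurrence.get(key):
            merged[key] = occurrence[key]
    return merged


def external_name(entry: dict, **values) -> str:
    """Join the EXTNAME tokens with '.' in the order the SRTT lists them. RESTYPE
    and RESNAME default to the entry's own values; the rest must be supplied."""
    values.setdefault("restype", entry["restype"])
    if entry.get("resname"):
        values.setdefault("resname", entry["resname"])
    parts = []
    for token in entry["extname"]:
        source = TOKEN_SOURCES.get(token)
        if source is None:
            raise ValueError(f"EXTNAME token {token} is not one this example knows")
        if values.get(source) is None:
            raise ValueError(f"token {token} needs a value for '{source}'")
        parts.append(str(values[source]).upper())
    return ".".join(parts)


def tss_permit(entry: dict, user_id: str, **values) -> str:
    """Render the Top Secret PERMIT the STIG examples pair with an externally
    secured entry; an internal or OFF entry gets no ESM rule at all."""
    if (entry.get("secby") or "").upper() not in ("EXTERNAL", "EXT"):
        raise ValueError(f"SECBY={entry.get('secby')}: entry is not secured externally")
    return f"TSS PER({user_id}) {entry['extcls']}({external_name(entry, **values)})"


# Constructed samples, copied from the macros shown on this page.
SGON_ENTRY = parse_secrtt("""#SECRTT TYPE=ENTRY, X
 RESTYPE=SGON, X
 SECBY=EXTERNAL , X
 EXTNAME=(RESTYPE,RESNAME), X
 EXTCLS='CA@IDMS'""")
ACTI_ENTRY = parse_secrtt(
    "#SECRTT TYPE=ENTRY,RESTYPE=ACTI, SECBY=EXTERNAL, EXTCLS='CA@IDMS',EXTNAME=(SYST,ACTIVITY)")
SYSA_ENTRY = parse_secrtt(
    "#SECRTT TYPE=ENTRY,RESTYPE=SYSA,SECBY=EXTERNAL,EXTNAME=(ENVIR,RESTYPE),EXTCLS='CA@IDMS'")
DBUG_ENTRY = parse_secrtt(
    "#SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=OFF, EXTNAME=(ENVIR,ACTI) ,EXTCLS='CA@IDMS'")
DBUG_OCCUR = parse_secrtt("#SECRTT TYPE=OCCUR,RESTYPE=ACTI,RESNAME='DBUG',SECBY=EXT")

if __name__ == "__main__":
    print(tss_permit(SGON_ENTRY, "user_id", resname="SYSO187"))
    print(tss_permit(ACTI_ENTRY, "user_id", system_id="TEST001",
                     activity=activity_name("DCMT", 10)))
    print(tss_permit(apply_occurrence(DBUG_ENTRY, DBUG_OCCUR), "user_1",
                     envname="TEST0001", activity=activity_name("DBUG", 1)))
```

The DBUG case is the one worth checking by hand: the TYPE=ENTRY carries SECBY=OFF, so only after the TYPE=OCCUR override is applied does the entry count as externally secured and produce the TEST0001.DBUG001 name shown earlier on the page.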
Log on to IDMS DC system and issue "DCPROFIL". If PRIMARY STORAGE PROTECT KEY is the same as the ALTERNATE STORAGE KEY, this is a finding. If SYSTEM STORAGE PROTECTED is "NO", this is a finding. Issue command "DCMT DISP PROG xxxxxxxx" and "DCMT DISP DYN PROG xxxxxxxx" replacing [xxxxxxxx] with the names of user programs and look for Storage Prot. If any are "NO", then this is a finding. Issue command "DCMT DISP BUFFER". If any of the buffers do not have OPSYS in the Getstg column, this is a finding.
Do the following to place buffers into storage acquired from the operating system rather than from IDMS. Use the following system generation parameters to enable the use of OPSYS storage for the buffers:
Set the STORAGE KEY parameter of the SYSGEN SYSTEM statement to a value different from the ALTERNATE STORAGE KEY.
Set the PROTECT/NOPROTECT parameter of the SYSGEN SYSTEM statement to PROTECT.
Set the PROTECT/NOPROTECT parameter of the SYSGEN PROGRAM statement to PROTECT for user programs.
Using the #CTABGEN macro, secure these DCMT commands:
- VARY BUFFER (code N010)
- VARY DYNAMIC PROGRAM (code N046001)
- VARY PROGRAM (code N025)
Here is an example where all three commands are assigned task code 3:
#CTABGEN (A,3), X
 (N010,A,N025,A,N046001,A)
Using the above example, and assuming the SYSTEM ID of this IDMS system specified in SYSGEN is TEST001, the SRTT entry could be:
#SECRTT TYPE=ENTRY,RESTYPE=ACTI, -
 SECBY=EXTERNAL, -
 EXTCLS='CA@IDMS', -
 EXTNAME=(SYST,ACTI)
The DCMT commands could be assigned to users in Top Secret:
TSS PER(user_id) CA@IDMS(TEST001.DCMT003) ACCESS(READ)
Reassemble the SRTT and/or module IDMSCTAB and issue the commands:
DCMT VARY NUC MODULE IDMSCTAB NEW COPY (for IDMSCTAB)
DCMT VARY NUC MODULE RHDCSRTT NEW COPY (for RHDCSRTT)
then, for either or both:
DCMT VARY NUCLEUS RELOAD
To set buffers to OPSYS storage: Access OCF or BCF and connect to the applicable dictionary. Enter "DISPLAY BUFFER nnnnnnnn AS SYNTAX VERB ALTER" where [nnnnnnnn] is the name of the buffer. Change the DC STORAGE parameter to "OPSYS STORAGE". After changing all needed buffers, GENERATE the DMCL. Punch and link the DMCL module. Cycle the CV or issue "DCMT VARY DMCL NEW COPY". Note: If specifying OPSYS storage for buffers, IDMS will attempt to allocate the buffer storage in operating system storage rather than in IDMS storage. Should the allocation attempt fail, IDMS will attempt to allocate the buffer in IDMS storage, and messages DC205032 and DC205029 will be issued indicating this.
To validate SQL-defined tables, issue DISPLAY TABLE <schema-name>.<table-name>. If there is not a CHECK for the columns and accompanying accepted values, this is a finding. To validate network-defined records, issue DISPLAY SCHEMA or DISPLAY RECORD. If there is no CALL to a procedure BEFORE STORE and BEFORE MODIFY, this is a finding. If the procedure does not validate the non-exempt columns, this is a finding. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.
For SQL-defined tables, ALTER TABLE <schema-name>.<table-name> ADD CHECK (search-condition). For network-defined records, MODIFY <record-name> CALL procedure BEFORE STORE/MODIFY. Create or update the procedure to validate the provided record field values. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.
Check the SRTT for externally secured resource TASK for command facility task codes (e.g., OCF or organization-defined task codes that invoke program IDMSOCF or IDMSBCF). Examine load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Review the output looking for those statements that secure RESTYPE=TASK and RESNAMEs OCF or any organization-defined task codes that invoke programs IDMSOCF or IDMSBCF. If none are found for OCF, this is a finding. BCF may not be defined as a task. If it is, this is a finding. The program invoked by installation-defined task codes can be determined by issuing command "DCMT DISP TASK task-name". Issue command "DCMT DISP TASK" and look for organization-defined tasks, then issue "DCMT DISP TASK task-name" to determine the program being invoked. Review the code to determine if any of these execute dynamic code. If any do, this is a finding. If command facility tasks are found to be secured externally, ensure the external security manager (ESM) contains the correct definition using the external resource class name and the external resource name construction rules in the #SECRTT. If it is not defined or not defined correctly, this is a finding.
Create, or modify as needed, entries in the SRTT and then reassemble and relink the module RHDCSRTT for the security domain. An example of the external class and external name construction rules to secure OCF is:
#SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=OFF, X
 EXTNAME=(RESTYPE,RESNAME),EXTCLS='CA@IDMS'
#SECRTT TYPE=OCCUR,RESTYPE=TASK,RESNAME='OCF', SECBY=EXT
Consult with the security department to ensure that the ESM contains the correct rules to secure the entries and permit access to the appropriate users. After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
If EXECUTE IMMEDIATE, PREPARE, and EXECUTE statements are found while reviewing source code in applications, procedures, and exits in code that does not require it, this is a finding.
Modify the code to remove the dynamic statements EXECUTE IMMEDIATE, PREPARE, and EXECUTE. If these statements must be used, use other measures to eliminate possible code injection success by securing resources (databases, access modules, tasks, programs, etc.), since security checks are issued by CA IDMS as it executes the commands and the authorization permissions are cached for the life of the transaction or task, whichever ends first. Strongly typing parameters and validating inputs are other ways to guard against code injection when dynamic statement execution must be used.
Check the SRTT for externally secured resource TASK for IDMS Server task codes IDMSJSRV and CASERVER. Examine load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If no TASK entry is found for either IDMSJSRV or CASERVER, this is a finding. If either is not secured externally, this is a finding. If tasks IDMSJSRV and CASERVER are found to be secured externally, ensure that the external security manager (ESM) contains the correct definition using the external resource class name and the external name construction rules. If it is not defined or not defined correctly, this is a finding.
Create or modify as needed entries in the SRTT, then reassemble and relink module RHDCSRTT for the security domain. The external class and external name construction rules must be specified. The following is an example of how IDMSJSRV and CASERVER may be secured externally:
#SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=OFF,EXTNAME=(RESTYPE,RESNAME), EXTCLS='CA@IDMS'
#SECRTT TYPE=OCCUR,RESTYPE=TASK,RESNAME='IDMSJSRV', SECBY=EXT
#SECRTT TYPE=OCCUR,RESTYPE=TASK,RESNAME='CASERVER', SECBY=EXT
Consult with the security department to ensure that the ESM contains the correct rules to secure the entries and permit access to the appropriate users. After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD
If dynamic code execution is used and identified user input is not validity checked, this is a finding. For SQL-defined tables, issue DISPLAY TABLE <schema-name>.<table-name>. If there is no CHECK for the columns and their accepted values, this is a finding. For network-defined records, issue DISPLAY SCHEMA or DISPLAY RECORD. If there is no CALL to a procedure BEFORE STORE and BEFORE MODIFY, this is a finding. If the procedure does not validate the non-exempt columns, this is a finding. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.
For SQL-defined tables, issue ALTER TABLE <schema-name>.<table-name> ADD CHECK (search-condition). For network-defined records, issue MODIFY <record-name> CALL procedure BEFORE STORE/MODIFY. Create or update the procedure to validate the provided record field values. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.
Log on to IDMS DC system and issue "DCPROFIL". Scroll to the OPTION FLAGS screen. If "OPT00051" is not listed, this is a finding. For IDMS LOG messages, if OPT00226 is not listed, this is a finding.
Reassemble, relink, and reload (V NC) RHDCOPTF with #DEFOPTF OPT00051 (for messages sent to user) and optional #DEFOPTF OPT00226 (for messages sent to IDMS log).
Check custom database code to verify that error messages do not contain information beyond what is needed for troubleshooting the issue. If database errors contain PII data, sensitive business data, or information useful for identifying the host system or database structure, this is a finding.
Configure custom database code, and associated application code not to divulge sensitive information or information useful for system identification in error messages.
Check that security messages from external security managers (ESMs) are sent only to the log, which can be secured. Log on to the IDMS DC system and issue "DCPROFIL". Scroll to the "OPTION FLAGS" screen. If OPT00051 is not listed, this is a finding. For IDMS LOG messages, if OPT00226 is not listed, this is a finding. Contact the security office and verify that the users, groups, and roles are defined to the ESM so that the DC log can only be viewed by the Information System Security Officer (ISSO), Information System Security Manager (ISSM), Systems Administrator (SA), and Database Administrator (DBA).
In the source for RHDCOPTF, add lines:
#DEFOPT OPT00051 <- for messages sent to user
#DEFOPT OPT00226 <- for messages sent to IDMS log
Then reassemble and relink RHDCOPTF. Reload RHDCOPTF in the CV by issuing the following commands:
DCMT VARY NUCLEUS MODULE RHDCOPTF NEW COPY
DCMT VARY NUCLEUS RELOAD
Contact the security office to ensure that ADSOBPLG, the ADS print log utility, is secured via the ESM and assigned to the appropriate users, and that the ADS log file is secured via the ESM from being read by anyone other than the ISSO, ISSM, SA, and DBA.
Check custom database code to determine if detailed error messages are ever displayed to unauthorized individuals. If detailed error messages are displayed to individuals not authorized to view them, this is a finding.
Configure custom database code and associated application code not to display detailed error messages to those not authorized to view them.
Use task SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "RESOURCE TIMEOUT INTERVAL" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding.
Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 RESOURCE TIMEOUT INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "VALIDATE." Enter: "GENERATE." The change will become effective the next time the CV is stopped and started. Note: The system RESOURCE TIMEOUT INTERVAL can be overridden with the TASK RESOURCE TIMEOUT INTERVAL for individual tasks.
Use task SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "CHKUSER TASK" is found. If the associated value is not the organization-defined number of subtasks that detect abnormally terminated batch external request units, this is a finding.
Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 CHKUSER TASK is <the organization-defined number of subtasks> ." where 123 is the number of the system being modified. Enter: "VALIDATE." Enter: "GENERATE." The change will become effective the next time the CV is stopped and started.
Use task SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "EXTERNAL WAIT" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding.
Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 EXTERNAL WAIT is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "VALIDATE." Enter: "GENERATE." The change will become effective the next time the CV is stopped and started. Note: The system EXTERNAL WAIT can be overridden with the EXTERNAL WAIT parameter of the TASK statement. Note: The UCFCICZ interface may also be used to clean up the CA IDMS session if access is through CICS and the CICS session has ended.
Use task SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "INACTIVE INTERVAL" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding. Scroll through the returned text until "RUNAWAY INTERVAL" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding.
Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 INACTIVE INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "MODIFY SYSTEM 123 RUNAWAY INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "VALIDATE." Enter: "GENERATE." The change will become effective the next time the CV is stopped and started. Note: The system INACTIVE INTERVAL can be overridden with the INACTIVE INTERVAL TASK parameters, e.g., for task RHDCNP3S which services external tasks/sessions. Note: The UCFCICZ interface may also be used to clean up the CA IDMS session if access is through CICS and the CICS session has ended.
Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "RESOURCE TIMEOUT INTERVAL" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding.
Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 RESOURCE TIMEOUT INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "GENERATE." The change will become effective the next time the CV is stopped and started. Note: The system RESOURCE TIMEOUT INTERVAL can be overridden with the TASK RESOURCE TIMEOUT INTERVAL for individual tasks.
Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "INACTIVE INTERVAL" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding. Scroll through the returned text until "RUNAWAY INTERVAL" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding.
Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 INACTIVE INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "MODIFY SYSTEM 123 RUNAWAY INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "GENERATE." The change will become effective the next time the CV is stopped and started. Note: The system INACTIVE INTERVAL can be overridden with the INACTIVE INTERVAL TASK parameters, e.g., for task RHDCNP3S which services external tasks/sessions. Note: The UCFCICZ interface may also be used to clean up the CA IDMS session if access is through CICS and the CICS session has ended.
Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "EXTERNAL WAIT" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding.
Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 EXTERNAL WAIT is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "GENERATE." The change will become effective the next time the CV is stopped and started. Note: The system EXTERNAL WAIT can be overridden with the EXTERNAL WAIT parameter of the TASK statement. Note: The UCFCICZ interface may also be used to clean up the CA IDMS session if access is through CICS and the CICS session has ended.
Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "CHKUSER TASK" is found. If the associated value is not the organization-defined number of subtasks that detect abnormally terminated batch external request units, this is a finding.
Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 CHKUSER TASK is <the organization-defined number of subtasks> ." where 123 is the number of the system being modified. Enter: "GENERATE." The change will become effective the next time the CV is stopped and started.
The following steps apply to "Online" and "Batch to CV" access to IDMS. If the CAGJMAC and AAGJMAC libraries are not secured with external security manager (ESM) dataset-level security, this is a finding. If the functions to be protected within the RHDCSRTT, IDMSCTAB, or IDMSUTAB modules are not defined, this is a finding. Note: The recommended method of securing the IDMS environment is through the ESM. The RHDCSRTT module allows users to define the different functions and applications as type EXTERNAL to make them visible to the ESM so that they can be secured. These load modules are used by the IDMS Central Version to determine how access to the IDMS environment is to be controlled. Again, it is not sufficient merely to define what should be secured via the RHDCSRTT module; these functions must also be secured through the ESM. The security of the assembler macros and the security load modules must be upheld to protect the environment. Use the ESM to enact dataset-level security on the CAGJMAC macro library where the IDMS assembler macros reside, so that unauthorized users cannot create their own versions of the security load modules. Also protect the CUSTLOAD load library, or wherever the generated security load modules used by the IDMS environment are stored. By defining the functions to be protected in the RHDCSRTT module and then protecting those functions via the ESM, the DBMS environment is protected: unauthorized users are prevented from performing privileged functions when executing jobs in either a "Batch to Central Version" or "Online Central Version" environment. If accessing CA IDMS in "Batch Local" mode, access control is performed at the dataset level using the ESM. It is necessary to restrict users from accessing the CA IDMS database files in local mode. If the CA IDMS database files are not secured using the ESM, this is a finding.
If limited access is allowed to database files in a batch to local scenario, consider utilizing a custom EXIT 14. If a site wishes to granularly protect specific DBMS verbs and has not implemented an EXIT 14, this is a finding.
1. Define the functions to secure using the #SECRTT, #CTABGEN, and #UTABGEN macros. See the IDMS documentation for information on how to use these macros to secure the CA IDMS environment.
2. Protect the IDMS macro libraries with the ESM's dataset-level security (see the ESM's documentation to restrict access to administrators only).
3. Protect the IDMS custom load library containing the RHDCUXIT, RHDCSRTT, IDMSCTAB, or IDMSUTAB modules. See the ESM's documentation to restrict access to the IDMS Central Version, administrators, and any other users who require access.
4. If access must be restricted to the CA IDMS database files in local mode, and the CA IDMS database files are not properly secured using an ESM, then do so. All pertinent CA IDMS software load libraries and customization load libraries should also be secured. Only allow access to these files by the IDMS Central Version or specific administrator IDs as specified by the ESM. This protects the system from unauthorized users utilizing alternative load libraries or security settings to access database files, and also prevents them from directly accessing the database files.
5. If granular control of user access in batch to local mode is required and EXIT 14 is not set up in the RHDCUXIT module, see the IDMS documentation. Use EXIT 14 to decide which database verbs to protect. Access is protected by associating the verbs with a security resource in the RHDCSRTT, which is protected by the ESM. This exit must be compiled into the RHDCUXIT load module. It is called at the time a database verb is issued and allows the site to define which verbs are secured and how they are secured, by issuing security checks based on the user making the calls. This allows the site to choose which verbs are privileged and who is able to use them. As before, the verbs are secured by associating them with a defined access type in the RHDCSRTT module, which then needs to be secured by the ESM.
By using the ESM's dataset level security and Exit 14, access is restricted to functions that should be protected.
Verify that the following DCMT commands are protected for use by the appropriate users:
DCMT DISPLAY MEMORY
DCMT VARY DYNAMIC PROGRAM
DCMT VARY DYNAMIC TASK
DCMT VARY LOADLIB
DCMT VARY MEMORY
DCMT VARY NUCLEUS
DCMT VARY PROGRAM
DCMT VARY RUN UNIT
DCMT VARY SYSGEN
Examine load module IDMSCTAB using CA IDMS utility IDMSCTAD, or by issuing command "DCMT DISPLAY CTAB" while signed onto the CV and reviewing the output. Note: This requires PTF SO08199. If the command codes for the commands listed above are not present in the output, this is a finding. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Review the output to determine if there are ACTI entries to secure the above commands. Activity numbers are assigned in IDMSCTAB and used in the SRTT formats for the external resource name. Contact the security office to verify that access to these resources is restricted to only users authorized in the site security plan. If it is not, this is a finding.
The SRTT must contain one or more entries to enable the external security of RESTYPE=ACTI. For example:
#SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=EXTERNAL,EXTCLS='CA@IDMS',EXTNAME=(SYST,ACTIVITY)
Update the source for IDMSCTAB as needed. This example #CTABGEN entry secures the DCMT commands listed in the check and assigns an activity number to each:
CTAB TITLE 'GENERATE DCMT SECURITY TABLE'
#CTABGEN LOGIN=YES, X
(A,1,B,2,C,3,D,4,E,5,F,6,G,7,H,8,I,9), X
(N022,A), DCMT DISPLAY MEMORY X
(N046001,B), DCMT VARY DYNAMIC PROGRAM X
(N046002,C), DCMT VARY DYNAMIC TASK X
(N050,D), DCMT VARY LOADLIB X
(N033,E), DCMT VARY MEMORY X
(N063,F), DCMT VARY NUCLEUS X
(N025,G), DCMT VARY PROGRAM X
(N073,H), DCMT VARY RUN UNIT X
(N095,I) DCMT VARY SYSGEN
END
The ACTIVITY passed to the ESM will be the first up to five bytes of the application name followed by the three-byte activity number; using the above example, DCMT009 for a DCMT VARY SYSGEN command. After making the above changes, IDMSCTAB and RHDCSRTT must be reassembled and relinked. To implement the new SRTT and IDMSCTAB, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS MODULE IDMSCTAB NEW COPY
DCMT VARY NUCLEUS RELOAD
Also verify that the ESM gives access to the appropriate users. Here is a Top Secret command based on the above information, assuming that the SYSTEM ID in SYSGEN is TEST001:
TSS PER(user_id) CA@IDMS(TEST001.DCMT001)
Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Confirm that the #SECRTT macro contains entries for the following resource names: UPRF for User Profile, SYSTEM for System Dictionary, SYSMSG for System Messages, and CATSYS for the User Catalog. If any of these resource names is not defined to external security, this is a finding.
Secure database object resources not found in the SRTT, or found to be secured internally, through the external security manager (ESM) chosen by the organization (e.g., TSS, ACF2, RACF). Users, groups, roles, etc., are defined to the ESM, and it is there that the authorization for ownership is determined. Once externally secured, create or modify the #SECRTT entries to specify TYPE=ENTRY and TYPE=OCCURRENCE for the database resource type with the parameter SECBY=EXTERNAL. Use the RESTYPE DB, which implicitly includes the subtypes AREA, NRU, QSCH, NSCH, TABL, DACC, and SACC. For each subtype, an entry must be added. The restypes for database tables and DMCLs are DBTB and DMCL, respectively. Update the #SECRTT macro to contain the following entries:
#SECRTT TYPE=ENTRY, RESTYPE=UPRF, X
SECBY=EXTERNAL, X
Additional parameters required
#SECRTT TYPE=OCCURRENCE, X
RESNAME='SYSUSER', X
RESTYPE=DB, X
SECBY=EXTERNAL, X
Additional parameters required
#SECRTT TYPE=OCCURRENCE, X
RESTYPE=DB, X
RESNAME='SYSTEM', X
SECBY=EXTERNAL, X
Additional parameters required
#SECRTT TYPE=OCCURRENCE, X
RESTYPE=DB, X
RESNAME='SYSMSG', X
SECBY=EXTERNAL, X
Additional parameters required
#SECRTT TYPE=OCCURRENCE, X
RESTYPE=DB, X
RESNAME='CATSYS', X
SECBY=EXTERNAL, X
Additional parameters required
For batch jobs that access database objects, use the ESM standard dataset security and/or the user-written exit 14 to secure the database objects.
Review the system documentation, database, and DBMS security configuration (in SRTT and ESM), source code for DBMS internal logic, source code of external modules invoked by the DBMS, and source code of the application(s) using the database. If elevation of DBMS privileges is utilized but not documented, this is a finding. If elevation of DBMS privileges is documented, but not implemented as described in the documentation, this is a finding. If the privilege-elevation logic can be invoked in ways other than intended, or in contexts other than intended, or by subjects/principals other than intended, this is a finding.
Determine where, when, how, and by what principals/subjects elevated privilege is needed. Modify the database and DBMS security configuration (in SRTT and external security manager [ESM]), DBMS internal logic, external modules invoked by the DBMS, and the application(s) using the database, to ensure privilege elevation is used only as required.
Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Check the SRTT for externally secured resource SYST which allows the SYSGEN to be modified and application program definitions added. If "SYST" is not found as the resource type in any of the entries, this is a finding. If "SYST" is secured internally, this is a finding. If "SYST" is found to be secured externally, ensure that the ESM contains the correct definition using the external resource class name and the external name construction rules. If it is not defined or not defined correctly, this is a finding.
Create an entry in the SRTT, and compile it into the module RHDCSRTT for the security domain, that defines the resource type SYST. The external class and external name construction rules must be specified. For instance:
#SECRTT TYPE=ENTRY,RESTYPE=SYST,SECBY=EXTERNAL,EXTCLS='CA@IDMS',EXTNAME=(RESNAME)
Create the corresponding entry in the external security manager (ESM) and authorize appropriate users, groups, etc., to allow access to system generation, including program definition.
For each load area, run a CREPORT 43 to check the nodes and the access types for each node. For each node, issue DCMT D LINE. For each LINE type with a status of InSrv, inspect the access type for potentially unauthorized connection types. For TCP/IP, for any line with access type SOCKET, issue DCMT D LINE <tcp-line-id>. If any terminals are of type LIST and status InSrv, check the port number for a valid port. If the port number is unacceptable as defined in the PPSM CAL, this is a finding. For each terminal of type LIST and status InSrv, issue DCMT D PTE <pterm-id>. For each task (and any PARM STRING that could pass a task) identified in the PTE display, issue DCMT D TASK <task-id>. If the task is IDMSJSRV and the associated program is RHDCNP3J, this is not a finding. If the task/program has not been authorized, this is a finding. If other access types (e.g., VTAM, SVC, CCI) have been deemed nonsecure in the PPSM CAL, this is a finding.
For any pterm found to have nonsecure attributes (task, program, port), disable by issuing DCMT V PTE <pterm-id> OFF. Using SYSGEN, remove offending lines, pterms, lterms, and/or port numbers and regenerate the system.
Log on to IDMS DC system and issue DCPROFIL. If HPSPO ENABLED: display is "NO", this is a finding.
Use the following system generation parameters to enable the use of high performance storage protection: Set the STORAGE KEY parameter of the SYSTEM statement to "9". Set the PROTECT/NOPROTECT parameter of the SYSTEM statement to "PROTECT". Set the PROTECT/NOPROTECT parameter of the PROGRAM statement to "PROTECT" for programs required to run with the alternate protect key (i.e., 9). DCMT DISPLAY ALL STORAGE POOLS can be used to take note of which pools support any type of user storage (user, user-kept, shared, shared-kept, or ALL) in preparation for the next step. If necessary, redefine storage pools in such a manner that all forms of user-oriented storage (user, user-kept, shared, and shared-kept) are segregated from the system storage (database, terminal). For example:
ADD STORAGE POOL 1 CONTAINS TYPES ( SHARED SHARED-KEPT USER USER-KEPT )
ADD XA STORAGE POOL 128 CONTAINS TYPES ( USER USER-KEPT )
ADD XA STORAGE POOL 129 CONTAINS TYPES ( SHARED SHARED-KEPT )
ADD XA STORAGE POOL 130 CONTAINS TYPES ( TERMINAL DATABASE )
Generate and start the system. The storage pool definitions have been set up correctly if the message "DC004001 HPSPO HAS BEEN DISABLED DUE TO INCORRECT STORAGE POOL DEFINITIONS" is not issued at startup.
Log on to IDMS DC system and issue "DCPROFIL". If SYSTEM STORAGE PROTECTED: display is "NO", this is a finding. Issue DCMT D PROGRAM pgmname where pgmname is ADSOMAIN, ADSORUN1, and user programs. If "Storage Prot" is "NO", this is a finding.
Use the following system generation parameters to enable the use of standard storage protection: Set the STORAGE KEY parameter of the SYSTEM statement to a value that is not "9". (The value other than 9 is dependent on how the z/OS parm AllowUserKeyCSA is set.) Set the PROTECT/NOPROTECT parameter of the SYSTEM statement to "PROTECT". Set the PROTECT/NOPROTECT parameter of the PROGRAM statement to "PROTECT" for ADSOMAIN, ADSORUN1, and user programs. Generate and restart the system.
Log on to the IDMS DC system. Issue DCMT D MEM SVC+6D0 to get the address of the SVC options (svcopt-addr). Issue DCMT D MEM svcopt-addr. With all lengths of 1, offset 1 is the SVC number, offset 3 contains the CVKEY number, and offset X'D' contains a flag byte where a setting of X'20' indicates AUTHREQ=YES. If there is no valid number for CVKEY and the flag byte of X'20' is not set, this is a finding. Note: Offsets are subject to change.
Set #SVCOPT parameters CVKEY to the chosen key for startup modules and AUTHREQ=YES to create a secured SVC. Assemble, relink, and install the SVC. Create an entry in the z/OS PPT for the startup module in the chosen key. All IDMS CV startup modules must reside in an authorized library and must be linked as authorized (SETCODE AC(1)). The IBM z/OS parameter AllowUserKeyCsa should also be checked since the setting may impact the CVKEY choice (see TEC574934 for details).
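As an added illustration (not part of the STIG or of CA IDMS), the following Python decodes a constructed image of the SVC options block using the offsets quoted in the check above and reports each condition the fix expects (a valid CVKEY and AUTHREQ=YES) separately, so an auditor can record exactly which one is missing. The byte layouts are constructed, not real dumps; the valid-key range 1..15 and the whitespace-tolerant hex input form are assumptions, and, as the STIG notes, the offsets themselves are subject to change.

```python
# Offsets quoted in the check for the #SVCOPT block reached via
# DCMT D MEM SVC+6D0 (gives svcopt-addr) and then DCMT D MEM svcopt-addr.
SVC_NUMBER_OFFSET = 0x01
CVKEY_OFFSET = 0x03
FLAG_OFFSET = 0x0D
AUTHREQ_FLAG = 0x20          # X'20' in the flag byte means AUTHREQ=YES
MIN_LENGTH = FLAG_OFFSET + 1  # need at least 14 bytes to read the flag

# Constructed 16-byte images (not real storage dumps).
SECURED_SVCOPT = bytes.fromhex("00F50009000000000000000000200000")   # SVC 245, CVKEY 9, AUTHREQ=YES
NO_CVKEY_SVCOPT = bytes.fromhex("00F50000000000000000000000200000")  # AUTHREQ set, CVKEY 0
NO_AUTHREQ_SVCOPT = bytes.fromhex("00F50009000000000000000000000000")  # CVKEY 9, flag clear


def decode_svcopt(block):
    """Pull the SVC number, CVKEY and AUTHREQ flag out of the options block."""
    if len(block) < MIN_LENGTH:
        raise ValueError(f"SVC options block too short: {len(block)} bytes")
    return {
        "svc_number": block[SVC_NUMBER_OFFSET],
        "cvkey": block[CVKEY_OFFSET],
        "authreq": bool(block[FLAG_OFFSET] & AUTHREQ_FLAG),
    }


def decode_svcopt_hex(dump):
    """Same decode from hex digits copied off a DCMT D MEM display
    (assumption: whitespace between bytes is ignored)."""
    return decode_svcopt(bytes.fromhex("".join(dump.split())))


def cvkey_is_valid(key):
    # Assumption: a "chosen" CV storage key is 1..15; z/OS keys run 0-15
    # and key 0 is not something a site would pick for its startup modules.
    return 1 <= key <= 15


def svcopt_findings(block):
    """List the conditions that would make this SVC a finding; empty means compliant."""
    try:
        d = decode_svcopt(block)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if not cvkey_is_valid(d["cvkey"]):
        findings.append(f"CVKEY {d['cvkey']} is not a valid storage key")
    if not d["authreq"]:
        findings.append("AUTHREQ flag X'20' is not set")
    return findings


def svcopt_is_secured(block):
    """True only when both CVKEY and AUTHREQ=YES are in place."""
    return not svcopt_findings(block)


if __name__ == "__main__":
    for name, img in (("secured", SECURED_SVCOPT),
                      ("no CVKEY", NO_CVKEY_SVCOPT),
                      ("no AUTHREQ", NO_AUTHREQ_SVCOPT)):
        print(name, decode_svcopt(img), svcopt_findings(img))
```

Feed `decode_svcopt_hex` the bytes shown by the second DCMT D MEM display; if the site's IDMS release has moved the offsets, adjust the three constants at the top rather than the logic.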
Log on to IDMS DC system and issue DCPROFIL. If HPSPO ENABLED: display is "NO", this is a finding.
Use the following system generation parameters to enable the use of high performance storage protection: Set the STORAGE KEY parameter of the SYSTEM statement to "9". Set the PROTECT/NOPROTECT parameter of the SYSTEM statement to "PROTECT". Set the PROTECT/NOPROTECT parameter of the PROGRAM statement to "PROTECT" for programs required to run with the alternate protect key (i.e., 9). DCMT DISPLAY ALL STORAGE POOLS can be used to take note of which pools support any type of user storage (user, user-kept, shared, shared-kept, or ALL) in preparation for the next step. If necessary, redefine storage pools so all forms of user-oriented storage (user, user-kept, shared, and shared-kept) are segregated from the system storage (database, terminal). For example:
ADD STORAGE POOL 1 CONTAINS TYPES ( SHARED SHARED-KEPT USER USER-KEPT )
ADD XA STORAGE POOL 128 CONTAINS TYPES ( USER USER-KEPT )
ADD XA STORAGE POOL 129 CONTAINS TYPES ( SHARED SHARED-KEPT )
ADD XA STORAGE POOL 130 CONTAINS TYPES ( TERMINAL DATABASE )
Generate and start the system. The storage pool definitions have been set up correctly if the message "DC004001 HPSPO HAS BEEN DISABLED DUE TO INCORRECT STORAGE POOL DEFINITIONS" is not issued at startup.
For a CA IDMS CV, issue "SELECT * FROM SYSCA.DSCCACHEOPT". If rows are returned, caching is on. For local mode, if no SQL_CACHE_ENTRIES=0 statement exists in the SYSIDMS specification, caching is on. Examine RHDCSRTT in the security domain for security on the table procedures and views of the DSCCACHE table, both those supplied at installation (SYSCA.DSCCACHE, SYSCA.DSCCACHEOPT, SYSCA.DSCCACHECTRL, SYSCA.DSCCACHEV) and those created by the organization. If no security is found for these table procedures and views, this is a finding.
Either turn off use of the SQL cache or secure the SQL cache tables. Turn off SQL cache use in local mode using the SYSIDMS parameter SQL_CACHE_ENTRIES=0. Turn off SQL cache use in the IDMS CV by modifying the sysgen with the statement DELETE SQL CACHE. To secure the SQL cache tables, add a RESTYPE DB entry and RESTYPE TABL occurrences for the SQL cache tables (table procedures and views SYSCA.DSCCACHE, SYSCA.DSCCACHEOPT, SYSCA.DSCCACHECTRL, SYSCA.DSCCACHEV) and any other views of SYSCA.DSCCACHE created by the organization. For example:
#SECRTT TYPE=ENTRY,RESTYPE=DB,EXTCLS='CA@IDMS',EXTNAME=(RESTYPE,ENVI,RESNAME),SECBY=OFF
#SECRTT TYPE=ENTRY,RESTYPE=TABL,EXTCLS='CA@IDMS',EXTNAME=(ENVI,RESTYPE,SCHEMA,RESNAME),SECBY=EXTERNAL
... (other DB-covered ENTRYs, e.g., NRU, DACC, etc.)
#SECRTT TYPE=OCCUR,RESNAME='<db/segment to secure>',RESTYPE=DB,SECBY=EXTERNAL
Secure the SQL cache tables in the external security manager (ESM) using the corresponding chosen external name (e.g., PROD.TABL.SYSCA.DSCCACHE).
Log on to IDMS DC system and issue "DCPROFIL". If SYSTEM STORAGE PROTECTED: display is "NO", this is a finding. Issue DCMT D PROGRAM RHDCWSSP. If Storage Prot is "NO", this is a finding.
Use the following system generation parameters to enable the use of standard storage protection: Set STORAGE KEY parameter of the SYSTEM statement to a value that is not "9". (The value other than 9 is dependent on how the z/OS parm AllowUserKeyCSA is set). Set PROTECT/NOPROTECT parameter of the SYSTEM statement to "PROTECT". Set PROTECT/NOPROTECT parameter of the PROGRAM statement to "PROTECT" for RHDCWSSP. Generate and restart the system.
Check the SRTT for externally secured ACTI, which can be used to secure DCMT DISPLAY MEMORY and DCMT VARY MEMORY. Examine load module RHDCSRTT using CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If RESTYPE=ACTI is not found as the resource type in any of the entries, this is a finding. If RESTYPE=ACTI is found but the entry is secured internally, this is a finding. Examine load module IDMSCTAB using CA IDMS utility IDMSCTAD, or by issuing command "DCMT DISPLAY CTAB" while signed onto the CV and reviewing the output. Note: This requires PTF SO08199. Verify that these DCMT command codes are present:
N022 - DISPLAY MEMORY
N033 - VARY MEMORY
If they are not present, this is a finding.
The SRTT must contain one or more entries to enable the external security of RESTYPE=ACTI. For example:
#SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=EXTERNAL,EXTCLS='CA@IDMS',EXTNAME=(SYST,ACTIVITY)
Update the source for IDMSCTAB. This example #CTABGEN entry secures the DCMT DISPLAY MEMORY and DCMT VARY MEMORY commands and assigns an activity number to each:
CTAB TITLE 'GENERATE DCMT SECURITY TABLE'
#CTABGEN LOGIN=YES, X
(A,1,B,11), X
(N033,A, VARY MEMORY - TASK 1 X
N022,B) DISPLAY MEMORY - TASK 11
END
The ACTIVITY passed to the ESM will be the first up to five bytes of the application name followed by the three-byte activity number; using the above example, DCMT011 for a DCMT DISPLAY MEMORY. After making the above changes, IDMSCTAB and RHDCSRTT must be reassembled and relinked. To implement the new SRTT and IDMSCTAB, either recycle any CVs that use the SRTT or issue these commands:
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS MODULE IDMSCTAB NEW COPY
DCMT VARY NUCLEUS RELOAD
Also, verify the ESM gives access to the appropriate people. Here are some Top Secret commands based on the above information, assuming that the SYSTEM ID in SYSGEN is TEST001:
TSS PER(user_id) CA@IDMS(TEST001.DCMT001)
TSS PER(user_id) CA@IDMS(TEST001.DCMT011)
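As an added illustration (not part of the STIG or of CA IDMS), the following Python reads a constructed #CTABGEN source modelled on the nine-command example earlier on this page, reports which of the DCMT command codes the check requires are not secured in it, and builds the external resource names an ESM rule must cover. The name builder serves both the ACTI case here (TEST001.DCMT001, TEST001.DCMT011) and the table case under the SQL cache fix (PROD.TABL.SYSCA.DSCCACHE). It assumes EXTNAME components are joined with periods, as the page's examples show, and the parser only handles the one-code-per-parenthesis #CTABGEN form used in the sample; column alignment in the sample is approximate.

```python
import re

# Constructed sample of an IDMSCTAB source member, modelled on the #CTABGEN
# example in this STIG (not a copy of any site's module). The parser only
# looks at the parenthesised groups, so column alignment does not matter.
SAMPLE_CTABGEN = """\
CTAB     TITLE 'GENERATE DCMT SECURITY TABLE'
         #CTABGEN LOGIN=YES,                                         X
               (A,1,B,2,C,3,D,4,E,5,F,6,G,7,H,8,I,9),                X
               (N022,A),            DCMT DISPLAY MEMORY              X
               (N046001,B),         DCMT VARY DYNAMIC PROGRAM        X
               (N046002,C),         DCMT VARY DYNAMIC TASK           X
               (N050,D),            DCMT VARY LOADLIB                X
               (N033,E),            DCMT VARY MEMORY                 X
               (N063,F),            DCMT VARY NUCLEUS                X
               (N025,G),            DCMT VARY PROGRAM                X
               (N073,H),            DCMT VARY RUN UNIT               X
               (N095,I)             DCMT VARY SYSGEN
         END
"""

# DCMT command codes the check expects to find in IDMSCTAB.
REQUIRED_CODES = {
    "N022": "DISPLAY MEMORY",
    "N046001": "VARY DYNAMIC PROGRAM",
    "N046002": "VARY DYNAMIC TASK",
    "N050": "VARY LOADLIB",
    "N033": "VARY MEMORY",
    "N063": "VARY NUCLEUS",
    "N025": "VARY PROGRAM",
    "N073": "VARY RUN UNIT",
    "N095": "VARY SYSGEN",
}

# "(A,1,B,2,...)" assigns an activity number to each letter;
# "(N022,A)" ties a DCMT command code to one of those letters.
LETTER_MAP_RE = re.compile(r"\(((?:[A-Z],\d+)(?:,[A-Z],\d+)*)\)")
CODE_RE = re.compile(r"\((N\d+),([A-Z])\)")


def parse_ctabgen(src):
    """Return {command_code: activity_number} from #CTABGEN source text."""
    letters = {}
    for m in LETTER_MAP_RE.finditer(src):
        parts = m.group(1).split(",")
        for letter, number in zip(parts[0::2], parts[1::2]):
            letters[letter] = int(number)
    codes = {}
    for m in CODE_RE.finditer(src):
        code, letter = m.group(1), m.group(2)
        if letter not in letters:
            raise ValueError(f"{code} references undefined activity letter {letter}")
        codes[code] = letters[letter]
    return codes


def unsecured_commands(codes, required=REQUIRED_CODES):
    """Command codes from the check that this IDMSCTAB does not secure."""
    return sorted(c for c in required if c not in codes)


def activity_name(application, number):
    """ACTIVITY component: first up to five bytes of the application name
    followed by the three-byte activity number, e.g. DCMT009."""
    return f"{application[:5]}{number:03d}"


def external_name(extname, fields):
    """Build the ESM resource name from an EXTNAME=(...) component list.
    Assumption: components are joined with periods, as in the page's
    examples TEST001.DCMT001 and PROD.TABL.SYSCA.DSCCACHE."""
    return ".".join(fields[part] for part in extname)


def esm_activity_names(system_id, codes, application="DCMT"):
    """Map each secured command code to the resource an ESM rule such as
    TSS PER(user_id) CA@IDMS(TEST001.DCMT001) must cover."""
    return {
        code: external_name(("SYST", "ACTIVITY"),
                            {"SYST": system_id,
                             "ACTIVITY": activity_name(application, num)})
        for code, num in codes.items()
    }


if __name__ == "__main__":
    parsed = parse_ctabgen(SAMPLE_CTABGEN)
    print("unsecured:", unsecured_commands(parsed))
    for code, name in esm_activity_names("TEST001", parsed).items():
        print(f"{code:8} {REQUIRED_CODES.get(code, '?'):22} -> {name}")
```

Run it against the real IDMSCTAB source (or the output of the IDMSCTAD utility, once trimmed to the same parenthesised form) and compare the generated names with the permits actually defined in the ESM; any name without a matching permit is the gap the check is looking for.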
If data inputs are specifically identified by the organization as exempt from validity checks, this is not applicable. For SQL-defined tables, issue DISPLAY TABLE <schema-name>.<table-name>. If there is not a CHECK for the columns and their accepted values, this is a finding. For network-defined records, issue DISPLAY SCHEMA or DISPLAY RECORD. If there is no CALL to a procedure BEFORE STORE and BEFORE MODIFY, this is a finding. If the procedure does not validate the non-exempt columns, this is a finding. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid. Review the source code for checks, procedures, and edits to identify how the system responds to invalid input. If it does not implement the documented behavior, this is a finding.
Revise and deploy source code changes for checks, procedures, and edits to implement the documented behavior. For SQL-defined tables, issue ALTER TABLE <schema-name>.<table-name> ADD CHECK (search-condition). For network-defined records, issue MODIFY <record-name> CALL procedure BEFORE STORE/MODIFY, and create or update the procedure to validate the supplied record field values. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.
To determine which PTFs have been applied, query the SMP/E CSI using the IBM SMP/E utility. New and existing PTFs must be reviewed using CA CARS or CSO in a timeframe determined by an authoritative source. If not, this is a finding.
Institute and adhere to policies and procedures to ensure that patches are consistently applied to IDMS within the time allowed.
Consult the system DBA and review system procedures for measures that establish a dataset to be used as a lock file. If there is no such procedure, this is a finding.
Require users to use specific JCL that includes exclusive access to a dataset used as a lock file. This prevents more than one job from running at a time: rather than each of multiple users having a session active at once, there is a single active session, no matter how many individual users attempt to run the batch jobs. The CA IDMS DBA must develop a Journal Analyzer procedure for authorized users to capture, record, and log all content related to a user.
Consult the system DBA and review system procedures for WTO exits that modify IDMS messages that go to non-privileged users. If there is no procedure, this is a finding.
Develop an IDMS user exit WTOEXIT to review, alter, redirect, or suppress the text of IDMS messages written to the operator's console. (Note that some system messages are written to the DC/UCF log as they are originally issued. Some system messages are written only to the console, regardless of how they are defined in the message dictionary.)
If this CA IDMS has no requirement for confidentiality and integrity of all information at rest in accordance with the data owner's requirements, this is not applicable. If required files are not defined as a VSAM dataset, this is a finding. Perform the following for the VSAM dataset:
1. LISTC ENT('dsn') ALL, where "dsn" is the DSNAME of the cluster; review the ATTRIBUTES section of the output to ensure that the database is defined as NONINDEXED (the cluster is an ESDS). If not, this is a finding.
2. In the IDCAMS LISTC output, look for the SMSDATA section. If none is found, this is a finding. Otherwise, find the "DATACLASS" name and query the systems programmer to ensure that the SMS data class specifies "Extended Format" but does not specify "Extended Addressing". If not, this is a finding.
3. In the IDCAMS LISTC output, find the "STORAGECLASS" and query the systems programmer to ensure it supports extended format VSAM datasets. If not, this is a finding.
4. Confirm that the database(s) have a data set key label. Places to check for a data set key label:
a. In the SMS data class definition, by reviewing the entry for the appropriate data class in ISMF.
b. In the output of an IDCAMS LISTC, in the ENCRYPTIONDATA section. If "DATA SET ENCRYPTION" is "YES", the label will be displayed after "DATA SET KEY LABEL".
c. The key label may be assigned through the ESM. Query the security team to determine if this is the case.
5. The database(s) must be defined in the DMCL as "VSAM". Run "IDMSLOOK" to print the contents of the DMCL and look for the desired database(s). If the TYPE column is not "VSAM", this is a finding.
Enable pervasive encryption to protect data at rest:
1. Query system programmers, DBAs, and security team members as needed to determine the SMS data and storage classes and the data set key labels to use.
2. Convert the desired database to a VSAM cluster.
a. If necessary, expand the page size of the area(s)' current files. The optimal page size is eight bytes less than the VSAM control interval size.
b. Alter the file definition to change its access method, then generate, punch, and link all DMCLs in which the file's segment is included. Optionally, specify a new database name or other location information.
c. Allocate the new database file(s).
3. Modify the CV and batch JCL to reference the new VSAM data set(s).
4. Using the appropriate OS utility, copy the original database file(s) to the new VSAM database file(s). Note that the actual data encryption takes place when the database is written to or read from.
If the site system plan does not require security labels, this requirement is Not Applicable. Consult the system DBA and review system procedures for an application that maintains security label processing. If there is no label application procedure, this is a finding.
Update the application database to include label fields in each database record, and maintain their status throughout the application.
Verify that the connection to IDMS is FIPS-compliant.
1. For ODBC and JDBC Type 2 connections:
a. Configure the Data Source to enable the DTS-JCLI logging option.
b. Perform a connection test using the "Test" function on the administrator.
c. View the generated log entries to determine the TLS version, cipher algorithm, and certificate employed:
2020/04/27 09:51:41.946 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) successful!
2020/04/27 09:51:41.946 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) connection attempts: 1
2020/04/27 09:51:41.947 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) TLS version TLSv1.2
2020/04/27 09:51:41.947 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) cipher TLS_RSA_WITH_AES_256_CBC_SHA256
(The cipher should be one or more of the accepted ciphers.) Cipher Specifications:
3DES_SHA
AES_256_SHA
AES_128_SHA
If the connection is not verified, this is a finding.
2. For all connection types: IBM provides configuration options for multiple SSL components to force FIPS-140 compliance.
a. System SSL: the environment variable GSK_FIPS_STATE specifies GSK_FIPS_STATE_ON in the envar file in the GSKSRVR home directory, or message "GSK01057I SSL server starting in FIPS mode" is in the JES log.
b. ICSF: review the JES log for the ICSF region for the following message, issued on startup: CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
If either of the above is true, this is not a finding. If neither of the above is true, this is a finding.
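As an added example (not code from the STIG or from CA IDMS), the following Python reads DTS-JCLI trace lines like those quoted in step 1c, extracts the negotiated TLS version and cipher, and reports findings against a site policy; the log excerpts are constructed, and MIN_TLS and ACCEPTED_CIPHERS are assumed placeholders to be replaced with the protocol floor and cipher suites the organization has approved.

```python
import re

# Constructed log excerpt modelled on the DTS-JCLI trace lines quoted in the check.
JCLI_LOG = """\
2020/04/27 09:51:41.946 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) successful!
2020/04/27 09:51:41.946 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) connection attempts: 1
2020/04/27 09:51:41.947 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) TLS version TLSv1.2
2020/04/27 09:51:41.947 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) cipher TLS_RSA_WITH_AES_256_CBC_SHA256
"""

# Constructed non-compliant excerpt to exercise the failure path.
WEAK_LOG = """\
2020/04/27 10:02:07.101 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) TLS version TLSv1.0
2020/04/27 10:02:07.101 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) cipher TLS_RSA_WITH_RC4_128_SHA
"""

# Assumed site policy (placeholders): the protocol floor and the cipher suites
# the organization has approved for FIPS-compliant connections.
MIN_TLS = (1, 2)
ACCEPTED_CIPHERS = {"TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256"}

VERSION_RE = re.compile(r"SSL_connect\(\d+\) TLS version TLSv(\d+)(?:\.(\d+))?")
CIPHER_RE = re.compile(r"SSL_connect\(\d+\) cipher (\S+)")

def parse_jcli_trace(log):
    """Extract (major, minor) TLS versions and cipher names from trace lines."""
    versions, ciphers = [], []
    for line in log.splitlines():
        if m := VERSION_RE.search(line):
            versions.append((int(m.group(1)), int(m.group(2) or 0)))
        elif m := CIPHER_RE.search(line):
            ciphers.append(m.group(1))
    return versions, ciphers

def evaluate_connection(log):
    """Return (compliant, findings). Absent evidence is itself a finding,
    because a connection that cannot be verified is a finding in the check."""
    versions, ciphers = parse_jcli_trace(log)
    findings = []
    if not versions:
        findings.append("no TLS version logged")
    if not ciphers:
        findings.append("no cipher logged")
    findings += [f"TLSv{a}.{b} is below the minimum" for a, b in versions if (a, b) < MIN_TLS]
    findings += [f"cipher {c} is not in the accepted list" for c in ciphers if c not in ACCEPTED_CIPHERS]
    return not findings, findings
```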
Contact the appropriate system administrators to make the needed changes to allow the use of AT-TLS and the associated software.
See Broadcom Techdocs for further information:
- Configure Secure Sockets
See IBM's z/OS Communications Server bookshelf for information on:
- Configuring AT-TLS
See IBM's z/OS Cryptographic Services System bookshelf for information on:
- Algorithms and key sizes
- System SSL
- ICSF Services