Contents

The CA VM:Backup/CA VM:Secure interface provides additional security to your CA VM:Backup system and ensures the integrity of CA VM:Secure data backed up by CA VM:Backup. By enabling this interface, you can use:

  • CA VM:Secure Rules Facility to control the minidisk linking capabilities of CA VM:Backup.
  • CA VM:Backup to back up or restore to minidisks whose passwords were encrypted by the CA VM:Secure Password Encryption Facility.

CA VM Secure Rules Facility

The CA VM:Secure Rules Facility provides a database of site-defined rules that controls access to virtual machines and minidisks, and controls the transfer of data between virtual machines. The Rules Facility also filters certain CP commands to determine whether a request should be accepted or rejected.

Installing the Rules Facility is optional.

Note: For more information, see the CA VM:Secure Rules Facility Guide. Based on rules defined in the database, the Rules Facility can be used to control CA VM:Backup minidisk linking during backup and restore job processing.

CA VM Secure Password Encryption Facility

The CA VM:Secure Password Encryption Facility (PEF) allows you to encrypt logon and minidisk passwords. CA VM:Secure maintains these passwords in encrypted form in the CP object directory and in the CA VM:Secure directory database. This feature is available only if the CA VM:Secure Rules Facility is installed.

Restrictions and Requirements

None.

Implementation

  1. Log on to VMANAGER.
  2. Enter the CA VM:Secure CONFIG PRODUCT command.
  3. Make sure that there is a PRODUCT VMBACKUP vmbackup record in the CA VM:Secure PRODUCT CONFIG file. This configuration file record provides CA VM:Secure with the CA VM:Backup service virtual machine user ID. This record activates the CA VM:Secure side of the interface and establishes CA VM:Secure QUIESCE and SURROGAT authorizations for CA VM:Backup.
  4. Enter the CA VM:Secure RULES SYSTEM command. The system puts you in XEDIT.
  5. Make sure that there is an ACCEPT vmbackup LINK * * (NOPASS rule in the CA VM:Secure system override rules file. This rule allows CA VM:Backup to link to a user's minidisks.
    Note: If the VMBACKUP CONFIG file contains the NODIAG84 record, the NOPASS option is required on the CA VM:Secure LINK rule. See the CA VM:Secure Rules Facility Guide for more information about the LINK rule. When running on a VM/ESA (ESA feature) system, the CA VM:Backup directory requires the OPTION LNKNOPAS statement.
  6. Make sure that there is an ACCEPT vmbackup SPOOL (HISTORY rule in the CA VM:Secure system override rules file. This rule allows CA VM:Backup to send files to the users' virtual reader or printer.
  7. If you are using the CA VM:Archiver/CA VM:Backup interface and the Surrogate Facility, make sure that there is an ACCEPT vmarch LINK * * (NOPASS rule in the CA VM:Secure system override rules file. This rule ensures that vmarch can link to all minidisks without specifying a minidisk password.
  8. Make sure that there is a CPACTION vmbackup ACCEPT record in the CA VM:Secure CP configuration file (VMXRPI CONFIG). This record allows CA VM:Backup to access your VM system when CA VM:Secure is not available. In a disaster recovery situation, it may be necessary for CA VM:Backup to continue to execute (and use CP LINK and SPOOL commands).
    If the CPACTION VMBACKUP ACCEPT record already exists, quit the file and go to Step 9.
    If this record does not exist, add it and save the file. You must then regenerate the CP product. Follow the instructions in the CA VM:Secure Rules Facility Guide for installing local replacement text decks, and perform a CP SYSGEN following the instructions appropriate for your system.
  9. Make sure that there are IUCV DUALPASS and IUCV ALLOW statements in the VMBACKUP directory entry.
    • The IUCV DUALPASS directory entry statement is required when the CA VM:Secure Password Encryption Facility is installed. Refer to the CA VM:Secure Rules Facility Guide for more information about the CA VM:Secure Password Encryption Facility and IUCV DUALPASS.
    • The IUCV ALLOW directory entry statement allows CA VM:Backup to communicate with other products and to perform its own authorization checking.