Contents

Note: Unless otherwise instructed, read all references in this section to CA VM:Secure as CA VM:Secure or CA VM:Director.

The CA VM:Secure/CA VM:Tape interface provides two functions. These functions enable you to:

  • Add CA VM:Secure rules to control access to CA VM:Tape (CA VM:Secure only, not CA VM:Director)
  • Create a card image CP source directory for disaster recovery

Details on how each function works, any restrictions or requirements that apply, and instructions about how to implement each function are presented in the sections that follow.

Adding CA VM Secure Rules to Control Access to CA VM Tape

Note: This function applies to CA VM:Secure only, not CA VM:Director.

This CA VM:Secure/CA VM:Tape interface function enables CA VM:Secure rules to control access to CA VM:Tape. Access to tape volumes can be controlled on the basis of volume serial number or data set name. CA VM:Secure rules can also define who is allowed to list information about a user's tapes or issue the CA VM:Tape CATALOG command for another user's tapes.

To create CA VM:Tape rules in CA VM:Secure, change existing rules, and update the CA VM:Tape rules database, use the CA VM:Secure RULES command.

Note: For more information, see the CA VM:Secure Rules Facility Guide.

How the Interface Works

When a CA VM:Tape command that requires access checking (MOUNT, LIST, and CATALOG commands for other users' tapes) is issued by a user, CA VM:Tape passes the request to CA VM:Secure for validation. If the CA VM:Secure service virtual machine is unavailable, CA VM:Tape sends messages notifying the user and the operator that CA VM:Secure is unavailable. Further CA VM:Tape operation requiring access checking is suspended until CA VM:Secure is available to respond to the access check request. CA VM:Tape operations that do not go through CA VM:Secure access checking can still be performed if CA VM:Secure is unavailable. Operators can issue the QUERY command and users can issue MOUNT, CATALOG, and LIST commands for their own tape volumes.

CA VM:Secure access checking is performed before any CA VM:Tape user exits, except the CA VM:Tape security user exit (USERSECR), are called. The USERSECR exit is called first and its return code determines if CA VM:Secure access checking is bypassed or performed.

Rules for the CA VM Tape Service Virtual Machine

Under the CA VM:Secure/CA VM:Tape interface, the CA VM:Tape service virtual machine owns all SCRATCH and FOREIGN tape volumes. A VMTAPE MOUNT rule may be written for CA VM:Tape to control access to scratch and foreign tape volume mounts. Users or groups of users may be given or denied access to CA VM:Tape scratch and foreign tape volumes.

Rules for CA VM Tape Users

The following types of user rules are available in CA VM:Secure to control user access to tape volumes:

RuleControls who is allowed to:
VMTAPE MOUNTIssue CA VM:Tape MOUNT requests for your tape volumes. Access to tape volumes can be controlled on the basis of volume serial number or data set name.
VMTAPE CATALOGIssue CA VM:Tape CATALOG commands for your tape volumes.
VMTAPE LISTList information about your tapes.

Note: For more information about CA VM:Secure and writing CA VM:Tape rules in CA VM:Secure, see to the CA VM:Secure Rules Facility Guide.

Restrictions and Requirements

You must have the CA VM:Secure Rules Facility installed. For installation instructions, see the CA VM:Secure Rules Facility Guide.

Implementation

  1. Log on to VMTAPE.
  2. Enter the END command to shut down VMTAPE.
  3. Make sure that there is a PRODUCT VMSECURE vmsecure record in the VMTAPE CONFIG file. The PRODUCT configuration file record provides CA VM:Tape with the CA VM:Secure service virtual machine user ID. This record activates the CA VM:Tape side of the interface.
  4. Enter the PROFILE command to restart VMTAPE.
  5. Enter the #CP DISCONN command to leave VMTAPE running disconnected.
  6. Log on to VMANAGER.
  7. Enter the CA VM:Secure CONFIG PRODUCT command.
  8. Make sure that there is a PRODUCT VMTAPE VMTAPE record in the CA VM:Secure PRODUCT CONFIG file. This configuration file record provides CA VM:Secure with the CA VM:Tape service virtual machine user ID. This record activates the CA VM:Secure side of the interface.