Contents

Note: Unless otherwise instructed, read all references in this section to CA VM:Secure as CA VM:Secure or CA VM:Director.

The CA VM:Schedule/CA VM:Secure interface provides four functions. These functions enable you to:

  • Force users to periodically change their logon passwords
  • Extract data from the CA VM:Secure audit file
  • Schedule regular backups of the CA VM:Secure database
  • Add CA VM:Secure rules for CA VM:Schedule (CA VM:Secure only, not CA VM:Director)

Details on how each function works, any restrictions or requirements that apply, and instructions about how to implement each function are presented in the sections that follow.

Forcing Periodic Change of Logon Passwords

Logon passwords that stay in use for long periods are a security risk for your site. Changing the logon password of every user ID on the system through manual directory procedures, and then notifying each user of the new password, is very time-consuming. The CA VM:Secure Rules Facility can reduce this directory maintenance effort by requiring users to change their own logon passwords periodically.

As an alternative, the CA VM:Secure system administrator can use the CA VM:Schedule/CA VM:Secure interface to schedule regular execution of an EXEC that expires every password older than a chosen age; each affected user is then forced to pick a new password at the next logon.

Restrictions and Requirements

None.

Implementation

To force periodic change of logon passwords:

  1. Log on to VMANAGER.
  2. Create an EXEC that expires all logon passwords that have been in use for a specified length of time. (A sample, called PASSEXP EXEC, is shown below.) You can use two CA VM:Secure commands in the EXEC:
    • QUERY
Determines which user IDs have a logon password older than the specified number of days. User IDs without a *PW= (password history) special comment in their directory entry are excluded, so removing the *PW= special comment from a service virtual machine's directory entry keeps its password from being expired. Because such user IDs also drop out of password-age tracking, keep the list of exempted service virtual machines short and review it.
    • EXPIRE
      Expires logon passwords for all users found by the QUERY command.

You can enter the following CA VM:Schedule command to schedule PASSEXP EXEC to run at a specified time. This example runs the EXEC at 6:00 at month end (AGAIN MONTHEND), starting from 12/08/10; WITHIN 1 gives CA VM:Schedule one hour to autolog VMANAGER if it cannot do so at 6:00. The name of the scheduled request is EXPIRE.

VMSCHED SCHEDULE EXPIRE PASSEXP (AT 6:00 WITHIN 1 FROM 12/08/10 AGAIN MONTHEND

When a user's logon password expires, the user is prompted at the next logon for a new logon password. CA VM:Secure updates the CP directory to recognize the new logon password.

/******************************************************
*                    PASSEXP EXEC                     *
*                                                     *
* This EXEC expires logon passwords that have not     *
*   been changed in the past 30 days. The EXEC will   *
*   log the VMANAGER userid after it has completed    *
*   if VMANAGER is running disconnected.              *
*                                                     *
* Requires:  GRANT QUERY TO VMANAGER record in the    *
*         CA VM:Secure AUTHORIZ CONFIG file.          *
*            GRANT EXPIRE TO VMANAGER record in the   *
*         CA VM:Secure AUTHORIZ CONFIG file.          *
*            GRANT NOPASS TO VMANAGER record in the   *
*         CA VM:Secure AUTHORIZ CONFIG file.          *
*                                                     *
******************************************************/
address 'COMMAND'
'CP SPOOL CONSOLE * START'              /* keep a console log of the run */
/* List user IDs whose logon password is older than 30 days. The EXEC
   option writes the result as a CMS EXEC file, one line per user ID,
   which the next step runs.                                          */
'VMSECURE QUERY PASSWORD 30 ( MANAGER * EXEC'
If rc = 0 Then Do
   $reason = 'COMPLETED'
   /* Run CMS EXEC so that each line becomes VMSECURE EXPIRE userid */
   'EXEC CMS VMSECURE EXPIRE'
   If rc <> 0 Then $reason = 'EXPIRE FAILED RC=' || rc
   End
Else
   $reason = 'QUERY FAILED RC=' || rc
'CP MSG * VMSECURE PASSWORD EXPIRE EXEC' $reason
'CP LOGOFF'

Extracting Data From the CA VM:Secure Audit File

CA VM:Secure enables auditors to monitor the activity taking place on the CA VM:Secure service virtual machine. An audit record is written to the CA VM:Secure audit file on the audit (AUDT) minidisk each time one of these is executed:

  • A CA VM:Secure command
  • A CP command that passes through the Access Control Interface, when the CA VM:Secure Rules Facility is installed (This applies to CA VM:Secure only, not CA VM:Director.)

The audit file must be processed periodically to ensure uninterrupted CA VM:Secure processing: when the audit file becomes full, CA VM:Secure suspends activity (it does not discard audit records) until an authorized user ID issues the AUDITEXT command to extract the data from the audit file. The size of the audit minidisk and the frequency of CA VM:Secure use (as well as the use of the CP commands that the Rules Facility can intercept) determine how often the AUDITEXT command must be issued.

You can use CA VM:Schedule to schedule periodic execution of the CA VM:Secure AUDITEXT command. Schedule execution of the AUDITEXT command immediately before your system backup job.

Restrictions and Requirements

The user ID issuing the AUDITEXT command must have authorization in the CA VM:Secure AUTHORIZ CONFIG file and must have a read/write A-disk large enough to hold the audit extract file.

Implementation

To extract data from the CA VM:Secure audit file:

  1. Log on to VMANAGER.
  2. Create an EXEC that extracts data from the CA VM:Secure audit file. (A sample, called EXTRACT EXEC, is shown below.)
    /********************************************************
    *                   EXTRACT EXEC                        *
    *                                                       *
    * This EXEC extracts data from the VMSECURE AUDIT       *
    *     file and logs off the VMANAGER userid if          *
    *     VMANAGER is running disconnected.                 *
    *                                                       *
    * Requires:  GRANT AUDITEXT TO VMANAGER record in the   *
    *            CA VM:Secure AUTHORIZ CONFIG file.         *
    *            GRANT NOPASS AUDITEXT TO VMANAGER record   *
    *            in the CA VM:Secure AUTHORIZ CONFIG file.  *
    *                                                       *
    ********************************************************/
    address COMMAND
    'CP SPOOL CONSOLE * START'          /* keep a console log of the run */
    'VMSECURE AUDITEXT'                 /* writes AUDIT EXTRACT to the A-disk */
    If rc <> 0 Then Do
       $reason = 'FAILED RC=' || rc
       Signal done                      /* nothing to rename */
       End
    Else
       $reason = 'COMPLETED'
    /* Rename the extract to mmddyy EXTRACT so that daily runs do not
       collide; date('U') returns the date as mm/dd/yy                */
    $today = date('U')
    $date  = substr($today,1,2) || substr($today,4,2) || substr($today,7,2)
    'RENAME AUDIT EXTRACT A' $date 'EXTRACT A'
    If rc <> 0 Then                     /* e.g. a file for today already exists */
       $reason = 'RENAME FAILED RC=' || rc
    done:
    'CP MSG * VMSECURE EXTRACT' $reason
    'CP LOGOFF'

You can enter the following CA VM:Schedule command to schedule the EXTRACT EXEC to run at a specified time. This example schedules the EXEC to run daily. The name of the scheduled request is AUDIT.

VMSCHED SCHEDULE AUDIT EXTRACT (AT 18:00 WITHIN 3 AGAIN DAILY FROM 12/08/10

This command causes the audit data to be extracted from the CA VM:Secure audit minidisk every day at 6:00 p.m. and stored on the A-disk of the user ID that runs the EXEC (VMANAGER in this example) in a file whose filename is the run date in mmddyy form and whose filetype is EXTRACT; the first run on 12/08/10 produces 120810 EXTRACT.

If VMANAGER is already logged on at 6:00 p.m., so that it cannot be autologged, CA VM:Schedule retries the autolog for up to three hours (the WITHIN time).

Scheduling CA VM:Secure Database Backups

Back up the CA VM:Secure database (DRCT) minidisk daily, because it contains the individual directory entry files that CA VM:Secure uses to manage the CP directory. The CA VM:Schedule/CA VM:Secure interface can automate this daily backup, ensuring that a current backup copy of your DRCT minidisk is always available. If the DRCT minidisk's pack fails, a backup copy is immediately available on another disk pack.

The VMXBKP03 EXEC you loaded from the distribution tape copies the directory files from the DRCT minidisk to another minidisk. The backup copies of the CA VM:Secure directory entry files are placed on the 192 minidisk (unless otherwise specified) of the user ID that invokes the VMXBKP03 utility. This process backs up the CA VM:Secure directory (DRCT) database and clears the CA VM:Secure backup (BKUP) minidisk.
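The page gives no EXEC or scheduling command for this backup. The DIRBKUP EXEC below is an added example that follows the pattern of PASSEXP EXEC and EXTRACT EXEC above; it is not code shipped with CA VM:Secure. It assumes that VMXBKP03 takes no arguments when the default 192 target minidisk is wanted, that VMANAGER has its 192 minidisk accessed read/write before the EXEC runs, and that VMANAGER holds whatever authorization VMXBKP03 requires on your system; check all three against your installation.

```rexx
/********************************************************
*                    DIRBKUP EXEC                       *
*                                                       *
* Added example, not shipped with CA VM:Secure.         *
* Runs VMXBKP03 from VMANAGER to copy the DRCT          *
*   minidisk directory files to the 192 minidisk        *
*   (and clear the BKUP minidisk), then logs off if     *
*   VMANAGER is running disconnected.                   *
*                                                       *
* Assumptions: VMXBKP03 with no arguments uses the      *
*   default 192 target; the 192 minidisk is accessed    *
*   read/write before this EXEC runs; VMANAGER holds    *
*   the authorization VMXBKP03 needs.                   *
********************************************************/
address 'COMMAND'
'CP SPOOL CONSOLE * START'          /* keep a console log of the run */

/* Under ADDRESS COMMAND an EXEC file must be invoked through EXEC */
'EXEC VMXBKP03'                     /* copy DRCT files to 192, clear BKUP */
If rc = 0 Then
   $reason = 'COMPLETED'
Else
   $reason = 'FAILED RC=' || rc     /* keep the rc so the console log says why */

/* A failed directory backup must not pass silently: the CP MSG lands in
   the spooled console, which is closed and spooled at LOGOFF            */
'CP MSG * VMSECURE DRCT BACKUP' $reason
'CP LOGOFF'
```

A matching scheduling request, in the same form as the AUDIT request above, runs the backup daily at 19:00 with a three-hour autolog window; the request name BACKUP and the start date are assumptions:

VMSCHED SCHEDULE BACKUP DIRBKUP (AT 19:00 WITHIN 3 AGAIN DAILY FROM 12/08/10

Schedule it after the audit extract so that the extract file and the directory backup are both current before the system backup job runs.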

Adding CA VM:Secure Rules for CA VM:Schedule

Note: This function applies to CA VM:Secure only, not CA VM:Director.

CA VM:Secure supports three rules specifically designed to enhance data security with CA VM:Schedule. These rules control CANCEL, QUERY, and SCHEDULE command requests and give users a facility from which they can control their resources, security, and scheduling privileges.

In addition, security is provided for the COPY and CHANGE functions available in full-screen mode and the WHEN command. The COPY function and the WHEN command use the rule specified for QUERY. Similarly, the CHANGE function uses the rule specified for SCHEDULE.