CA Endevor

PDS Monitor of CA Compliance Event Manager for CA Endevor SCM Customers

By Ekaterina Tumanova posted 12-21-2017 06:30 AM

  

The CA Product Management team is pleased to announce that starting in December 2017 all CA Endevor SCM customers can get enhanced security with the PDS Monitor feature of CA Compliance Event Manager, which they can acquire at no additional cost.

 

The CA Compliance Event Manager can be used to monitor any changes to CA Endevor SCM-managed data sets and identify changes that were made outside of CA Endevor SCM. When a privileged mainframe user tries to directly modify data sets in CA Endevor SCM inventory, CA Compliance Event Manager will track these alterations. CA Compliance Event Manager can also help you to identify any cases of incorrect setup of CA Endevor SCM security features.

 

Any changes that were introduced outside of CA Endevor SCM will be recorded in CA Compliance Event Manager’s repository and will be available for reporting. Optionally, alerts can be sent to the appropriate personnel when these types of updates occur. For example, a user can configure CA Compliance Event Manager to generate an email alert or an entry written to the system log (via WTO). 

 

CA Compliance Event Manager PDS Monitor can help to provide that data set security rules and CA Endevor SCM Alternate ID configuration are properly defined and that any privileged user modifications to CA Endevor SCM data sets are monitored. This can help you to identify and act on cases of stolen identities or administrative access misuse.

 

Entitlement is limited to the PDS Monitor functionality of CA Compliance Event Manager, and only for the purpose of monitoring updates to CA Endevor SCM-managed data sets. Should customers wish to benefit from the CA Compliance Event Manager functions outside of CA Endevor SCM or from other functions of CA Compliance Event Manager, an easy upgrade path is available to bring CA Compliance Event Manager’s benefits to the entire Mainframe.

 

CA Compliance Event Manager 6.0 Incremental Release is now available for installation in the download area of CA Endevor SCM version 18.

 

Please look for the CA Compliance Event Manager component in the CA Endevor SCM v18 download area. To get your free license key for CA Compliance Event Manager, follow the instructions in the file called "IMPORTANT INFORMATION ABOUT OBTAINING YOUR LICENSE KEY" or "PRODUCTKEYS2017.pdf", which is located in the CA Endevor SCM v18 Product Download.

 

Detailed instructions for CA Endevor SCM customers on how to install, deploy, and configure CA Compliance Event Manager are available in our documentation:

 

https://docops.ca.com/ca-endevor-SCM/18-0/en/securing/monitor-data-sets

 

Please also check out our new video on how to configure CA Compliance Event Manager to use it with CA Endevor SCM

 

https://www.youtube.com/watch?v=v5Xlo5y1JuE

11 comments
0 views

Comments

01-30-2018 03:04 PM

It depends.  If the remote LPARS are licensed for CA Endevor SCM, then yes, you have the ability to leverage the free CA Compliance Event Manager PDS Monitor feature for the CA Endevor SCM Managed PDS datasets that exist on those LPARS.  If the remote LPARS are not licensed for CA Endevor SCM, there is no associated CA Compliance Event Manager PDS Monitor feature available so a full license for CA CEM would be recommended.  Alternatively, we recommend extending your site security data set monitoring and alert policies to any/all libraries that contain executables on production sysplexes (i.e. Package Ship target locations).  If any customer wishes to explore upgrading to the full license for CA Compliance Event Manager, please email me at Vaughn.Marshall@ca.com and we can arrange further discussions.

01-10-2018 10:54 PM

Hi Mitch

 

Thx for that, but here's 1 or 2 things I'm still not clear on.

 

Please can I get clarification on

 

1 - For -  " CA is providing at no charge the ability to use CA CEM to monitor any Endevor related dataset "  -  is there any definition of what " an Endevor related dataset  " is ?  Or is it down to a user site to show/prove that any dataset included for monitoring IS an "Endevor related dataset" ? 

 

2 - For  - "If I have full CA CEM, can I define all necessary Dataset Qualifiers in CA Compliance Event Manager ?  YES "

Q ? - What if we only have CA CEM PDS Monitor (just for Endevor)

 

What I'm trying to get here is clarity on whether we can use CA CEM PDS Monitor (just for Endevor)  for all PDS datasets that a user site decides is Endevor related, including on remote LPARs which are the target for Package Ship

 

thanks

 

Melvyn

01-10-2018 01:44 PM

There have been several questions about the CA Compliance Event Manager (CEM) product and capabilities.  Let me try to answer them.

 

Q: What can the CA CEM product monitor?

A: CA CEM PDS Monitor component uses IBM documented OS APIs to monitor changes to PDS and/or PDSE datasets.

 

Q: Where do I run the PDS Monitor?

A: Since the IBM APIs are not routable, the PDS Monitor (and supporting Router STC) need to be running on each LPAR that needs to monitor activity.

 

Q: How does the PDS Monitor determine which datasets to monitor)?

A: CA CEM uses what’s called Policy to configure which datasets to monitor.  You can set policy to monitor specific, fully qualified, dataset names, or you can use prefixing to monitor something like ENDV.PROD.SRC.*.

 

Q: What information does CA CEM PDS Monitor capture?

A: Using the IBM APIs, CA CEM ‘sees’ the before and after images of the PDS or PDSE member and logs the delta of the two images so you can see exactly what was changed.  For PDS members, you can see lines being added, modified or removed.  For PDSE you can see things like AC=1 was enabled/disabled.

 

Q: What type of alerts can CA CEM produces?

A: Alerts in CA CEM are also policy based.  Today, CA CEM supports writing WTO’s, sending emails via CSSMTP or a network based SMTP server, writing information to a SYSPRINT DD, and/or sending information to Splunk.

 

Q: What exactly can be monitored with the CA Endevor license?

A: As part of the CA Endevor license, CA is providing at no charge the ability to use CA CEM to monitor any Endevor related dataset.  This does not include monitoring other datasets such as SYS1.PARMLIB.  For the ability to monitor any/all PDS/PDSE datasets, you need a full CA CEM license.

 

Q: Is it correct to say that If you don't already have CA Compliance Event Manager, it is free to use with the the PDS Monitor feature ?

A: Correct, it is no charge to use the PDS Monitor feature

 

Q: If I have full CA CEM, can I define all necessary Dataset Qualifiers in CA Compliance Event Manager ?

A: Yes

 

Q: How is the entitlement mentioned enforced/accomplished ?

A: CA LMP keys are used for enforcement.  A CA Endevor LMP key will allow PDS Monitor to run, but not the other components. Customer is acknowledging to use PDS monitor for the only purpose of monitoring Endevor datasets by agreeing with the CA Endevor incremental release EULA at support.ca.com and checking the content of the “IMPORTANT INFORMATION ABOUT OBTAINING YOUR LICENSE KEY” file in the product download area.

 

 

If you have any additional questions or would like to setup a call to discuss in more detail specific to your environment, please contact the CA Endevor or CA Security support group to get it scheduled.

 

Thank you,

Mitchell Rozonkiewiecz

Sr Principal Architect

MF Security / CA Compliance Event Manager

Mitchell.Rozonkiewiecz@ca.com

01-10-2018 12:28 PM

Thanks for your question, Elaine. Although CEM is available with version 18 of Endevor, there's no restriction to download CEM component of v18 and use it with Endevor v17. Note, that CEM 6.0 as well as Endevor v18 is an incremental release and you have to acknowledge conditions in incremental release agreement at support.ca.com when downloading it.

01-05-2018 06:32 PM

I interpret the statement that PDS Monitor is a component of ENDEVOR SCM to imply that any virtual machine (LPAR) on which someone can install ENDEVOR SCM under the terms of their current license is a virtual machine on which PDS Monitor can also be installed.


My question is how do the capabilities of PDS Monitor stack up against Vanguard Activity Alert #15? The documentation on the capabilities of the latter that I have found so far is limited.


01-03-2018 07:25 PM

Looks a very good & useful addition to Endevor
For clarification


1/

We have

 

  • The PDS Monitor feature of CA Compliance Event Manager
  • CA Compliance Event Manager itself

 

Q ? - Is it correct to say that If you don't already have CA Compliance Event Manager, it is free to use with the The PDS Monitor feature ?

 

2/
What exactly can/can't be monitored - either "in actuality" or by (license) restriction" ? There is mention of "Endevor Data sets", and
"Entitlement is limited to the PDS Monitor functionality . . . only for the purpose of monitoring updates to CA Endevor SCM-managed data sets."
The video shows manual definition of a high level qualifier - the video did not seem to differentiate between Endevor datasets & non-Endevor datasets except by this manual definition.

Endevor (PDS/E) datasets can include

 

  • Base
  • Delta
  • Source Output
  • Processor Output
  • CCID file


and remote datasets on other Lpars populated by Package Ship and other Endevor based processes.
At my shop, this will be more than one High Level Qualifier, and covers more than 1 LPAR.

 

Q ? - Can I define all necessary Dataset Qualifiers in CA Compliance Event Manager ?

 

Q ? - How is the entitlement mentioned enforced/accomplished ?

 

thanks

01-03-2018 02:01 PM

Do you have to be on version 18 of CA Endevor to take advantage of the CEM component?

12-27-2017 06:02 AM

Thanks for the response, I look forward to hearing more. 

12-24-2017 02:49 PM

Great questions, Edward! Replies below:

  1. PDS monitor of Compliance Event Manager is a new component of CA Endevor SCM product and the main purpose of this component is to help provide that no priviledged user can manipulate Endevor data sets on the machine, where Endevor is installed, and that Endevor security is properly configured. The executables at remote locations do not necessarily come from Endevor only, they may be additionally managed by custom scripts and other software, therefore at the moment we do not provide CEM PDS monitoring for the remote libraries.
    However, this is a great question. CA Compliance Event Manager has a lot of functions and we will discuss with CEM product team, what recommendations and opportunities we can share for the use case you mentioned. This will probably happen later in January due to Christmas period and unavailability of some key players.
  2. PDS monitor alerts may be sent in a form of:
    1. Emails
    2. Write-To-Operator messages, which can be part of automated workflow:
      Please check the detailed description of the “Subcomponent Alerts” on this page https://docops.ca.com/ca-compliance-event-manager/6-0/en/getting-started/component-overview/change-monitor-component-overview#ChangeMonitorComponentOverview-PDSMonitor

Merry Christmas!

12-21-2017 11:20 AM

Couple of questions:

 

  1. Can I use this product to monitor 'Endevor Controlled' remote libraries deployed to via ship? We have an automated process that will move and ship code into live after a certain stage of the lifecycle. 
  2. What form do the alerts take, dashboard, email etc.? 

12-21-2017 10:35 AM

Looks like a cool feature!