ESP Workload Automation

 View Only

  • 1.  Securing CA-OPS Communication via GSS to CA-7

    Posted Sep 08, 2016 03:14 PM

    We are attempting to use the UID feature of CA-7 to secure the jobs that users can demand via CA-OPS (ADDRESS CA7 and OPSCA7() function). We know that each of these methods results in a different ID being sent to CA-7. The OPSCA7() function sends the user id of the CA-OPS task while the ADDRESS CA7 sends the user id of the GSS task. We have everything set up in RACF and CA-7, performed the requisite refreshes and recycles. We set up 3 jobs in CA-7, one with UID 255, one with UID 001 and one with UID 000. When we attempt to demand in each job via CA OPS/REXX using each method here are the results we get:

     

    JOB UID 255:

       GSS: Fails (Expected but perhaps a false positive based on the UID 001 results)

       OPS: Fails (Expected)

     

    JOB UID 001:

       GSS: Fails (Unexpected)

       OPS: Success (Expected)

     

    JOB UID 000:

       GSS: Success (Expected)

       OPS: Success (Expected)

     

    We looked in the CA-7 log and noticed that the GSS demand of the UID 001 job did receive a denial based on UID but if we have everything set up correctly, and we did double check and triple check everything, why does CA-7 not allow the job to run? GSS does have access to the demand command as well as is evidenced by it being able to demand the UID 000 job in and our own eye balls in RACF. My question is what else could we be missing?

     

    P.S. We do have a ticket open with CA regarding this issue but were wondering if any of the community had run into similar issues or had any ideas what rocks to look under.



  • 2.  Re:  Securing CA-OPS Communication via GSS to CA-7

    Posted Sep 13, 2016 12:32 PM

    We use UID security and OPSMVS via GSS here as well (albeit with Top Secret and not RACF). If the GSS ID is showing as the ID being used does that ID have panel resource U001 access defined to it? If not then I would think that CA7 report 30 would show you that is the issue. If you have panel resource U001 defined to the GSS ID than the next question would be is do you have the GSS ID defined with UID U001 in CA7 database you are interfacing to (defined via CA7 command /PROFS,ID=gssid,R=U001). As for GSS being able to demand the job defined with UID U000, that doesn't prove anything as UID U000 jobs do not use job uid security (that is by product design).



  • 3.  Re:  Securing CA-OPS Communication via GSS to CA-7
    Best Answer

    Posted Sep 13, 2016 01:17 PM

    First, thanks for your response. It does have a panel resource defined and it is defined to the database. I also appreciate the confirmation about the UID 000 jobs. I thought that was a false positive as well but since I am the CA-OPS guy and not the CA-7 guy I wasn't 100% sure.

     

    We have since determined the problem with some help from CA. It appears that when we moved from internal security to external security we forgot to clean up and the security statement was still pointing to our modified internal security module. this was overriding anything we set for the UID for the GSSID. Since our CA-OPS user ID wasn't in there (it changed, old one was in there but the new one wasn't), it ended up using the external security instead. So my assumption that we had everything set up correctly was flawed. At least this topic is now out here if someone else ever has a similar issue.