Top Secret

 View Only
  • 1.  z/OSMF Security and Top Secret

    Posted Jan 30, 2015 02:24 PM

    In addition to the TEC docs already published by CA has anyone got any other tips on how you made your installation go smoothly?

  • 2.  Re: z/OSMF Security and Top Secret

    Posted Feb 03, 2015 12:31 PM

    Adding Links to the TEC docs for TSS and z/OSMF for those that may have not seen them:


    Basic TSS commands: What Are the Top-Secret Commands to secure Z/OSMF?


    TSS commands for SSL certificates: Implementing z/OSMF Security Looks Unclear About Digital Certification And Keyring Definition.


    Question to CA if you are keeping track here, you might want to reconsider the title of the document referenced in the second link?


    I will update this thread with more comments once we get it working but if you have it up and running at your shop under z/OS 2.1 I would appreciate hearing back on any gotchas you encountered and how you resolved them.

  • 3.  Re: z/OSMF Security and Top Secret

    Posted Jul 07, 2015 07:16 PM

    Has anyone gone further with their z/OSMF implementation and hit upon users needing access to OPCMD(LOGON)?

  • 4.  Re: z/OSMF Security and Top Secret

    Broadcom Employee
    Posted Jul 08, 2015 09:05 AM

    Hi Paul,


    OPCMDS preceded OPERCMDS. Here is some information:

    Under ESA 3.1.3, IBM decided to start using OPERCMDS instead of OPCMDS.


    If you didn't have security setup for OPERCMDS, then IBM would check for

    OPCMDs. This allowed  user to transition from OPCMDS to OPERCMDS slowly.


    If IBM ever decides in a future release of z/OS to stop checking OPCMDS

    because OPERCMDS security was not setup, your users with OPCMD permission

    will start to receive security violations for those operator commands.


    So if you have a mix of OPERCMDS and OPCMDs PERMITs in place, OPERCMDs are

    checked first by IBM. If not present, then OPCMDs security checks will be

    issued by IBM. Please note, the newer operator commands post ESA 3.1.3 may

    not check OPCMDS, since it was being phased out.


    The OPCMD(LOGON) is specific to TSO.


    Are you receiving CAS9320E messages?

    If so, I found some information about ENF that may be helpful:

    CAS9320E messages are usually related to leaving out any of the steps in holdaction for RO54507, which was PEed and corrected by RO62370 and is part of CCS 14.1 S1401. RI69562 is also pointing to this holddata from RO54507.


    Have a nice day!

    Eileen K. Becht

    Top Secret Level 1 Support

  • 5.  Re: z/OSMF Security and Top Secret

    Posted Mar 29, 2017 02:42 PM

    We have OPCMD(LOGON) permitted and want to convert it to OPERCMDS.


    How do I find the OPERCMDS for LOGON?

  • 6.  Re: z/OSMF Security and Top Secret

    Broadcom Employee
    Posted Mar 29, 2017 05:25 PM



    I checked our problem tracking system to see if we had anything regarding your questions. Unfortunately, no one has asked your specific question before.


    It is IBM's responsibility to document the conversion of OPCMD to OPERCMDS. I did some quick google searches and could find anything quickly.


    More time will be required to research this questions. Please open an ticket with  support.




    Joseph Porto - CA Level 1 Support