CA Top Secret

View Only

DOING PROTECTION on a resource the class of which has no DEFPROT

Necmettin ILGIN posted 04-21-2021 03:59 AM

Hello,

I want to ask a question, We consider to do a protection on a resource. And we will give an update permission to the profile of CICS users on this resource. But the users require a refresh after the permission. what if we give permission and refresh the users on just one lpar at a time, Can it cause an outage on the system once the users are not refreshed on the other lpars?

Thanks...

Joe Denison @ Necmettin ILGIN posted 04-21-2021 11:10 AM

Hi Necmettin

I started a reply but there are so many variations of scenarios that I didn't want to try to over-explain to cover them all. Knowing more specifics about what you are doing would help to minimize the complexity of the response. Can you share what resource class and/or resource name that you are wanting to protect? Also, is this a resource that is currently being actively accessed by CICS users in a live production environment (where access is allowed only due to it not currently being owned/protected?) ...in other words, can you verify that the resclass/resname combination is not currently defined to TSS ("owned"), and doing that is what you are considering?

Necmettin ILGIN @ Necmettin ILGIN posted 04-22-2021 02:45 AM

Hello Joe,

I should give more information about my question. The resource class is IBMFAC and the resource which we want to protect or want to be owned by the system is CSVLLA. We are warned by Ironsphere's High severity exception checks being not define this resource to the Top Secret. We added an audit to this resource and saw that just the CICS users are accessing. Because of IBMFAC has not DEFPROT attribute, everyone has access to this resource for now. But once we protect this resource and give permission to the CICSUERS by TSS ADD (SYSTEM) IBMFAC (CSVLLA.) And TSS PER (CICSUSER) IBMFAC (CSVLLA.) ACC (UPDATE), at the time we start to refresh on one lpar, are other lpars affected from this by causing an outage? I mean I am asking for the time interval when we don't refresh the users on other 15 lpars?

Thanks ..

Joe Denison @ Necmettin ILGIN posted 04-22-2021 08:29 PM

Necmettin,

The IBMFAC(CSVLLA) resource becomes secured immediately after you perform the TSS ADD command to own/secure it.

For CICS, the CICS region ACID will need permission for accessing this resource (and unlikely that any other users will need it for CICS application access). Keep in mind that the need to access the IBMFAC(CSVLLA) resource is not a resource limited to CICS region processing, so once protected, any other need outside of CICS will need to be accommodated with a permission as well.

Whether or not this immediately affects securing of this resource and user access capabilities on other LPARs depends on whether or not you are sharing your TSS SECFILE with other LPARs, or if you are using CPF to sync the SECFILE across your LPARs. If sharing the SECFILE, or if CPF routes and processes the TSS ADD command on other LPARs, then YES, those other LPARs would be impacted by this change.

In my experience with cases of "1st time ownership of a resource", if I'm not 100% certain of the extent of use, especially in a production environment that is already live and running and where an outage is very likely to be problematic and costly, I always assume and prepare for the worst-case scenario (in other words: assume that protecting the resource without having adequate permissions deployed could/would cause an outage).

To minimize the risk of an outage, consider these ideas:

Perform the TSS ADD and permissions during an off-peak time, preferably in a scheduled outage window that will allow time for your to back-out your changes with minimal system/user impact should that become immediately apparent.

Consider using the ALL record as a temporary safety net and a means to discover access needs. Permitting the IBMFAC(CSVLLA) resource to the ALL record ensures immediate access to the all users without the need to perform a TSS REFRESH. The permission to the ALL record should be performed IMMEDIATELY after you "TSS ADD" the resource to secure it. But even with using the ALL record ... there is a time lapse between the time that the TSS ADD command runs and the TSS PERMIT command to the ALL record ... albeit a short time lapse, possibly even just a second or two ... where a security violation may occur.

The permission in the ALL record will also help to facilitate a discovery process -- to enable you to track, collect, summarize, and monitor access to the resource, so that you know exactly which users need the access, and the access levels that they are requesting/using. You can accommodate this discovery by including the ACTION(AUDIT) keyword on the permission, and then reporting use of this resource over time by running the TSSUTIL report against the audited events over some period of time. Then, you can deploy permissions to other profiles/users as needed, and at some point you can then safely revoke the permission from the ALL record once you determine that you have adequately permitted the resource elsewhere.

In these types of endeavors I've had clients initially express concerns about permitting to the ALL record (it's usually against policy and poor security practice when done indiscriminately), but in the context that it is just temporary, for the purpose of preventing an outage and discovering usage, that has always alleviated those concerns. (Permitting to the ALL record doesn't provide any additional access capabilities to what was already allowed via the not-owned resource, but it adds the benefit of being able to track and discover use).

I hope this information is helpful to you.

Necmettin ILGIN @ Necmettin ILGIN posted 04-24-2021 06:44 PM

Hello Joe,

Sorry for the latency. I was out of office for some day and I was unable to access via my computer. Thanks for your answer :).

First of all, CPF is inactive in our production system and we are sharing our security file across the other production lpars. As you said, we are considering to perform the TSS ADD and TSS PER commands during an off-peak time.

I will discuss your solution which is giving permission to the ALL record with action AUDIT with my teammates. And it seems effective solution to our requirements. If we protect the resource and give the permission to the ALL record in a batch job at the same time, we would overcome for any latency probability. And it is very good that it does not need a refresh when we give the permission to the ALL record. As I understand, you can confirm me whether I am right or not, when we give the permission to the ALL record, any user who needs access to the IBMFAC(CSVLLA.) resource will have the required access. But as security requirements, after we audit the users who gain access to the resource, we should give the permission to them by revoking the permission from ALL record. Thanks for the information...

Kind regards,
Necmettin.

Broadcom Employee Joseph Porto @ Necmettin ILGIN posted 05-03-2021 02:07 PM

Necmettin,

Regarding your question about if the ALL record needs to be TSS REFRESHed after PERMITing something to it. A TSS REFRESH is not required to the the ALL record after issuing a TSS PERMIT for it. The PERMITs for the ALL records are updated dynamically, so you dont have to worry about doing a TSS REFRESH for the ALL record.

On a side note, if you will be submitting batch jobs and CPF is down, make sure your CPF recovery file is large enough to hold those commands. The CPF Recovery File is the wrap around file. Once it becomes full, TSS will start writing to the beginning of the file and overwriting the older records. You will get messages when the CPF Recovery File is about the wrap. If it wraps often, you might want to consider increasing the size.

Regards,
Joseph Porto - Broadcom Level 1 Support

Terminator @ Necmettin ILGIN posted 05-04-2021 02:45 AM

Hello, are your cics libs lla managed? If not consider using llacopy=no ? Then Cics will not ask. We use llacopy no, cics has csvlla permission, but does not use it

https://www.ibm.com/docs/en/cics-ts/5.6?topic=summary-llacopy

T.

Terminator @ Necmettin ILGIN posted 05-04-2021 02:53 AM

i have also used a trick in the past using *all* permissions. ibmfac is a nomask resource, so to permit all you use *all* syntax (maskable equivalent is ** or *****)

tss add(asdf) ibmfac(*all*) does not immediatly protect all ibmfac. it only allows to permit *all* permissions. but this is not without pitfalls. in the uss area it may be a problem if you have too much permissions eg. ibmfac(*all*). there is a knowlegdebase entry dedicated to this.

there are many other issues in a 24/7 environment. eg changing servauth from nomask to mask is far from trivial....

T.

Terminator @ Necmettin ILGIN posted 05-04-2021 02:58 AM

and depending on your auth parm and usage of restricted attribute and using ** or *all* permissions in other profiles / users an all record entry may be useless for some acids.

Necmettin ILGIN @ Necmettin ILGIN posted 05-04-2021 03:39 AM

Hello Joseph,
We will consider to give permission to ALL record . CPF is active only on our TEST lpars. And I checked the CPFrecf it seem it has space to use its memory.
Thanks for your advices.

Hello Terminator,

As we know our cics are using CSVLLA. But I will discuss your advice about LLACOPY=No with our cics team. And we don't consider to protect ALL resource under IBMFAC class. We consider to give permission to ALL record under IBMFAC(CSVLLA.) as I understand from the scope of this conversation.

Thanks for your comments :).