In addition to the TEC docs already published by CA has anyone got any other tips on how you made your installation go smoothly?
Adding Links to the TEC docs for TSS and z/OSMF for those that may have not seen them:
Basic TSS commands: What Are the Top-Secret Commands to secure Z/OSMF?
TSS commands for SSL certificates: Implementing z/OSMF Security Looks Unclear About Digital Certification And Keyring Definition.
Question to CA if you are keeping track here, you might want to reconsider the title of the document referenced in the second link?
I will update this thread with more comments once we get it working but if you have it up and running at your shop under z/OS 2.1 I would appreciate hearing back on any gotchas you encountered and how you resolved them.
Has anyone gone further with their z/OSMF implementation and hit upon users needing access to OPCMD(LOGON)?
OPCMDS preceded OPERCMDS. Here is some information:
Under ESA 3.1.3, IBM decided to start using OPERCMDS instead of OPCMDS.
If you didn't have security setup for OPERCMDS, then IBM would check for
OPCMDs. This allowed user to transition from OPCMDS to OPERCMDS slowly.
If IBM ever decides in a future release of z/OS to stop checking OPCMDS
because OPERCMDS security was not setup, your users with OPCMD permission
will start to receive security violations for those operator commands.
So if you have a mix of OPERCMDS and OPCMDs PERMITs in place, OPERCMDs are
checked first by IBM. If not present, then OPCMDs security checks will be
issued by IBM. Please note, the newer operator commands post ESA 3.1.3 may
not check OPCMDS, since it was being phased out.
The OPCMD(LOGON) is specific to TSO.
Are you receiving CAS9320E messages?
If so, I found some information about ENF that may be helpful:
CAS9320E messages are usually related to leaving out any of the steps in holdaction for RO54507, which was PEed and corrected by RO62370 and is part of CCS 14.1 S1401. RI69562 is also pointing to this holddata from RO54507.
Have a nice day!
Eileen K. Becht
Top Secret Level 1 Support
We have OPCMD(LOGON) permitted and want to convert it to OPERCMDS.
How do I find the OPERCMDS for LOGON?
I checked our problem tracking system to see if we had anything regarding your questions. Unfortunately, no one has asked your specific question before.
It is IBM's responsibility to document the conversion of OPCMD to OPERCMDS. I did some quick google searches and could find anything quickly.
More time will be required to research this questions. Please open an ticket with support.
Joseph Porto - CA Level 1 Support