Hi Bob,
First, in case you are not already aware, CA Top Secret r16 is GA. It went GA in November 2015.
*** For the upgrade to TSS r15, the following documentation should be reviewed:
1) The CA Top Secret r15 GA Cover Letter, which is RI20813.
2) The CA Top Secret r15 Release Guide.
3) The CA Top Secret r15 Installation Guide.
4) Product Error Alert: RI44831 - FSACCESS SUPPORT CAUSING CML LOCK CONTENTION
5) Product Error Alert RI71112 - POSSIBLE TSS LOCKOUT AT Z/OS 2.1
When you say the site is upgrading to MVS 2.2, I assume you mean to z/OS 2.2. Since this is a release above z/OS 1.13, the following documentation should be reviewed:
Technical document TEC601436 - Preparation for removal of Default OMVSUSR and OMVSGRP
The compatibility information for TSS r15 and z/OS 2.2 as well as links to TEC601436 and a presentation given on December 5, 2013 regarding this are at the bottom of this update.
*** Here is a list of some common things clients have run into when upgrading to CA Top Secret r15:
1) The VSAM security file extension is required in TSS r15. The VSAM security file extension is used with the BDAM security file. If you are not currently using the VSAM security file in TSS r14, see Appendix A of the TSS r15 Installation Guide, section 'Convert SDT Records to VSAM' for information on converting to the VSAM security file extension.
2) In TSS r15 and above, we use a subsystem at startup time, and the default name of the subsystem is TSS. With MVS, if a started task proc name is the same as the name of a subsystem, the started task will run under SUB=MSTR.
So, if you are not starting TSS as a subsystem in r14 and your procname is TSS, in r15 TSS is now starting as a subsystem (before JES). There are 2 ways to get around this.
a) Change the name of the proc to something other than TSS, such as TSS150.
b) It is also possible to change the name of the subsystem to anything of the form TSx or TSxx, but that is somewhat more complicated than just changing the name of the proc. While this is documented in the Installation Guide, the method as described there is not entirely clear. Essentially, you will need 2 members in SYS1.PARMLIB.
CAISEC00 will contain the line:
TSS(01 NOSTART)
CAITSS01 will contain:
SUBSYS(TSxx)
where TSxx is the changed subsystem name. As long as you actually have a START TSS command, either in COMMNDxx or elsewhere in the IPL procedure, you can ignore the 'Important!' warning about needing a proc with the same name as the subsystem. This is only needed if you are depending on the subsystem starting TSS (which is entirely optional).
If you do change the name of the TSS proc, the modify and stop commands used with TSS will still be F TSS and P TSS.
3) After TSS r15 fix RO21793, an SCA will need update access to
TSSCMD.USER.REPLACE.MSCAPW in the CASECAUT resource class in order to
change the MSCA's password.
TSS ADD(dept) CASECAUT(TSSCMD.) (if not already done)
TSS PER(scaacid) CASECAUT(TSSCMD.USER.REPLACE.MSCAPW)
TSS REFRESH(scaacid) JOBNAME(*)
Also, after fix RO17452, all administrator acids except the MSCA will need UPDATE access to CASECAUT(TSSCMD.USER.cmd.NOPW) in order to give an acid NOPW, where 'cmd' is the command (ie CREATE, REPLACE).
4) FSACCESS checks in z/OS 1.12 (after IBM APARS OA35970/OA35974) and z/OS 1.13.
The following TSS r15 maintenance is related to FSACCESS.
RO45811
RO45458 CORRECTED BY: RO53985
RO40277
RO38634
RO37807 CORRECTED BY: RO38634
RO36198 CORRECTED BY: RO37807 RO38292 RO40277 RO40741 RO41881
RO41132 RO46233 RO49393
RO35644 CORRECTED BY: RO40277 RO38292 RO37807
See Product Error Alert RI44831 for more information.
5) Are you going to install all the TSS r15 maintenance in addition to the GA level? If not, here is a current list of TSS r15 hypers above the GA level:
RO82779: INVALID EXTRACT FOR OPERPARM FIELDS
RO82607: OVERLAY OF CSA AFTER RO80847
RO76973: PERMIT W/ACC(NONE) INCORRECTLY SELECTED AFTER RO68148
RO78265: LOADING CAS4MSG RETURNS BAD EP ADDRESS AFTER TSS IS RECYCLED
RO75732: EXTRACTN CALLS MAY RETURN UIDS ALONG WITH GIDS
RO76550: ARCHIVE FILE REMAINS ALLOCATED TO TSS AFTER ABEND
RO73379: ACID RECORD DEGRADATION POSSIBLE W/ SIGNON PSWD CHANGES
RO72026: FRR STACK CORRUPTION WITH PDS/M AND RO59808
RO72677: TSS MAY LOOP WHEN PROCESSING RECOVERY CMD WITH AES
RO72050: SP-252 KEY-0 DEADMAIN STORAGE SAFCR712 A/RO63740
RI71112: POSSIBLE TSS LOCKOUT AT Z/OS 2.1
RO68393: AT TIMES THE DFLTGRP NOT ADDED TO THE GROUP LIST
RO69065: OVERLAY OF CSA WITH PKISERV AND OPTION(32) ACTIVE
RO68361: AUTOUID IMPROPERLY SENT TO PASSWORD-ONLY NODES
RO67810: AUTOUID/UNIQUSER NOT WORKING IF TCBSENV POPULATED
RO67514: GETUMAP RETURN '*MSCA*' EVEN IF ACEE HAS UID=0
RO66636: S0C4 IN TSSKEXT6 SCANNING FOR RESOURCE OWNERSHIP
RO66833: STORAGE OVERLAY TSS CMD W/ UNIQUSER OR UID(?) OR GID(?)
RO63187: TSS9123A ON AUDIT FILE, SYSTEM HANGS SHARING SECURITY FILE
RO66585: DFHUS0002 ERROR (CODE X'030C') DURING SIGNOFF
RO65397: S0C4 ABEND IN TSSDSSRV+4A4 AFTER RO58367
RO54884: POSSIBLE STORAGE OVERLAY WITH ACEE REFRESH DURING FASTAUTH
RO63845: EXTRACT FOR UID FIELD MAY RETURN RC=0 WHEN NO OMVS SEGMENT
RO63847: HIGH CPU/LOOP - TASK CIARTLGR
RO63150 :AUTO UID/GID ENHANCEMENTS
RO63134: ABEND S0C4 IN TSSCPF +00E26A
RO63014: FILE MANAGER MAY HANG WHEN PROCESSING MODIFY COMMANDS
RO61247: COMPARE COMMAND LOOPS PROCESSOR
RO60729: ABEND S0C4 IN TSSI120L AFTER PTF RO48677
RO59783: S0C4 TSSKERNL+1E04E-3B GETPWENT/GETGRENT
RO59061: IBMGROUP NOT FOUND IN ALL RECORD
RO58889: CICS DFHUS0002/030C W/INVALID USERID CHARS
RO58585: S0C4 SAFOEGES+464 AFTER RO55678
RO55678: CA TOP SECRET R15.0 INTERIM ENHANCEMENTS
RO54619: CPF RECOVERY RECORDS NOT REMOVED FOR GENERIC SYSPLEX NODE
RO53985: S0C4 ABEND WHILE PROCESSING RACINIT
RO50024: ACID RECORD DEGRADATION POSSIBLE ON SIGNON PASSWORD CHANGES
RO50196: DEADMAIN STORGE WITH TSS CONTROL OPTION OPTIONS(38) SET
RO48398: OVERLAY OF CICS CACHE BOX
RO46233: PASSWORD CHANGES NOT RECORDED IN RECOVERY FILE
RO45566: IN-STORAGE TABLES NOT BUILT PROPERLY
RO45458: FSACCESS SUPPORT CAUSING CML LOCK CONTENTION
RO44141: TSSCPF S0C4 ABEND RESULTS FROM CPF LINK RETRY PROCESS
RI44831: FSACCESS SUPPORT CAUSING CML LOCK CONTENTION
RO43303: LOSS OF STORAGE AFTER CPF(REFRESH)
RO41132: TSSAUTHA ABEND S0C4 OFFSET X'194'
RO40757: POSSIBLE S0C4 ABEND IF 2-BYTE RESCODE RESOURCE AUDITED
RO40741: MOVE CMD IGNORES TYPE KEYWORD WITH RO36198
RO36844: U751 (2EF) ABEND IN CICS AFTER CTS 4.2 SUPPORT
RO38634: CK_ACCESS FAILS IF FSACCESS RESOURCE NOT PROTECTED
All hyper fixes applicable to your environment should be applied.
*** Here is the compatibility information for TSS r15 and z/OS 2.2:
CA Technologies provides FIXCAT HOLDDATA to aid in identifying maintenance required to support a particular hardware device, software or function. Refer to the link for details on using FIXCAT HOLDDATA to apply the required maintenance.
Go to https://support.ca.com/phpdocs/0/8319/mainframe20_support.html then click on the FIXCAT Holds for CA products link.
********************** Compatibilty support ******************************
CA Top Secret r15 (toleration support for z/OS 2.1 features and below):
RO77780, RO82533
********************** Exploitation support *******************************
z/OS 2.2 newly introduced security related features are supported at CA Top Secret r16 with the following solutions:
Base r16 release only. No additional PTFs at this time.
IMPORTANT:
In z/OS 2.1 and above, IBM is no longer supporting BPX.DEFAULT.USER. which means the TSS OMVSUSR and OMVSGRP control options will no longer work. We have published technical document TEC601436 which details the preparation for removal of default OMVSUSR and OMVSGRP. Here is the link:
https://comm.support.ca.com/?legacyid=TEC601436
There was also a presentation given on December 5, 2013 regarding this. The link to the recording and the slides is:
December 5 Replay: CA Top Secret preparation for OMVS defaults removal
Best regards,
Bob Boerum