CA ACF2™ and CA Top Secret® Part 1: The Road Leading to r16 and Capabilities added since r15

CAACF2™andCATopSecret®Part1:

TheRoadLeadingtor16Capabilitiesaddedsincer15

PaulRauchet– Director, SoftwareEngineeringJohnPinkowski – Senior Principal ProductManager

Mainframe

CATechnologiesMFX10E

2 ©2015CA.ALLRIGHTSRESERVED.@CAWORLD #CAWORLD

ForInformationalPurposesOnlyTermsofthisPresentation

©2015CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.Thepresentationprovided atCAWorld2015isintendedforinformationpurposesonlyanddoesnotformanytypeofwarranty.Someofthespecificslideswith customerreferences relatetocustomer'sspecificuseandexperienceofCAproductsandsolutionssoactualresultsmayvary.

CertaininformationinthispresentationmayoutlineCA’sgeneralproductdirection.Thispresentationshallnotserveto(i)affecttherightsand/orobligationsofCAoritslicenseesunderanyexistingorfuturelicenseagreement orservicesagreementrelatingtoanyCAsoftwareproduct;or(ii)amendanyproductdocumentationorspecificationsforanyCAsoftwareproduct.Thispresentationisbasedon currentinformationandresourceallocationsasofNovember18,2015,andissubjecttochangeorwithdrawalbyCAatanytimewithoutnotice.Thedevelopment,release andtimingofanyfeaturesorfunctionalitydescribedinthispresentationremainatCA’ssolediscretion.

Notwithstandinganythinginthispresentationtothecontrary,uponthegeneralavailabilityofanyfutureCAproductrelease referenced inthispresentation,CAmaymakesuchrelease availabletonewlicenseesintheformofaregularlyscheduledmajorproductrelease.SuchreleasemaybemadeavailabletolicenseesoftheproductwhoareactivesubscriberstoCAmaintenanceandsupport,onawhen andif-availablebasis.Theinformationinthispresentationisnotdeemedtobeincorporatedintoanycontract.


Abstract

CAACF2™andCATopSecret®r15havebeenoutfor5years– whatenhancementshaveyoumissed?

Thissessionwillcoverther15enhancementsaddedtohelpeaseadministration, andtohelpsimplifycomplianceandaudittasks.

PaulRauchet–Sr.Director,Engineering

JohnPinkowski–ProductOwner

CAACF2™andCATopSecret®Part1


Agenda

ENHANCEMENTSELECTIONPROCESS(THENANDNOW)1

2

3

CAACF2&TOPSECRETR15POSTGACOMMONGROUND

CATOPSECRETR15POSTGASPECIFICENHANCEMENTS

CAACF2R15POSTGASPECIFICENHANCEMENTS

2

3

4

FINALQUESTIONS/RECAP5


40Trillionmobiletransactionsperdayby2025

TheMainframeSupportstheCustomerExperience

SOURCES:IBM,Gartner, Aberdeen Research,Enterprise SystemsMedia

IncreasingMobileApps&Devices

2/3transactionsself-serveby2017

25%ofusersabandonanappaftera3seconddelay

71%ofcorporatedatasitsonmainframesystems

RisingCustomerExpectations

DataforAnalytics&Apps


CATopSecret&ACF2r15ReleaseUpdates

Weneverstoppedinnovating….

Withyourinputandhelp…

Wouldn’t itbeniceif…


BeforeCACommunitiesIdeation… “HeyCA,What

happenedtomyDAR?”

CATopSecret&ACF2r15ReleaseUpdates

Notquitethisbad…


DAREnhancementsTransitionedOvertoIdeation- Dec,2014

ExistingEnhancementRequest

MultipleSitesrequested

TransitionedOvertoIdeation


OldDARSystemvsCACommunitiesIdeation

§ StoredinCAhomegrownapp.§ Notviewablebycustomersbeyond

requestingsite.§ Communication/discussion

betweensiteslimitedtoUserGroupmeetings,ActiveBetacustomercallsetc.

§ CAinternalDARreviewslimitedtolatestentries.

§ Enhancementsfulfilled chosenbyproduct teamsorafewsites.

OldDARSystem§ StoredinCACommunities site.

IdeasSystem

§ Viewablebyallcustomers.

§ Forumallcustomerscanleveragetoeasilyandanonymously discussenhancementswithCAaswellasotherCAsecuritycustomers.

§ CAreviewsallentriessubmittedandupdateswithcurrentreviewstatus.

§ Customervoting/input heavilyweightedinfulfillment decision.


CAMainframe SecurityCommunity Ideas(asof10/17/15)


CAACF2/CATopSecretr15– Transition HybridReleases

§ MajorityenhancementscompletedusingtheoldDARsystem

§ PrioritizedIBMchanges§ Lastfewintroducedenhancements:

§ LeveragedpopularIdeas/DARS§ Agilesprints§ Engagedmultiplecustomers

TSS ACF2

TimetodiveinandtakeapeakatthepostGAr15enhancements!!!


CATopSecretr15PostGAEnhancements

MirrorFeature.Createsamirrorofthesecurityfileforimmediaterestartincaseoffiledevice/channelfailure.EnforcesecurityadministratorstofollowNEWPWruleswhenissuing pswdrelatedTopSecretcommands.JES2/JES3 shutdown/restartimprovements.Performanceimprovements asaresultofreducedstorageobtains.Enhancedrestrictedpasswordlist.ExpansionofCOMPAREcommandtoincludeotherACIDtypes.RefinementofWHOHAScommand.AllTSSMODIFYcommands checkedasCASECAUTresources.FACILITYtrackingaddedtoCACleanup interface.UtilityimprovementstoTSSUTIL,LDAP,TSSAUDIT,TSSSIM.CHKCERTandCertificateUtilitydisplayPublic/Private keysizeandtype.ECCkeyscanbestoredandretrievedforICSF.Eliminateneedforsuperuserprivilegeforusermountandunmounts.


PostTSSr15GAEnhancementDetails

SecurityFileMirrorSupport

§ TSSControloption:MIRROR(ON)– Mirrorcopyofprimarysecurity filemaintained.

§ Providesup-to-the-minutealternatesecurityfile.§ AvailableonlywhenSHRFILE(NO)andMIRROR(ON)arebothset.

– Designed tohavenoimpactonprimarysecurityfileperformance.

Benefits:– Caneliminate theneedtoperformforwardrecoverprocessingwhenMirrorfileis

usedasprimaryfile.– UseemergencystartupPROCtorecycle TopSecretwiththeMirror fileasprimary

file– Note:TopSecretBackupprocessingcanbedoneonceperweek


TotalRecoverytime:MeasuredinHOURS!!!

CATopSecretforz/OS– MirrorSupportWithoutSecurityFileMirrorSupportActive…

CATopSecretPrimarySecurity

File

CATopSecretBackup Security

File

Backupfile– SnapshottakenfromlastTopSecretBackupprocessedcommand

I/OError

SecurityFilesuddenlyunavailable…

DeviceI/OErroror

ChannelCommunicationsFailure

1–RestartTSSonbackupfile2–RunForwardRecovery

Likely1,000’sofcommands….

Channel

Failure



File

CATopSecretBackup Security

File

Backupfile– SnapshottakenfromlastTopSecretBackupprocessedcommand

MirrorBenefits:Continuously synched…Uptotheminute copy…No performance impact…

CATopSecretforz/OS– MirrorSupportWithSecurityFileMirror SupportActive…



File

I/OError

1–RestartTSSonMirrorfile

2–NoneedtoRunForwardRecovery…

TotalRecoverytime:MeasuredinMINUTES!!!

CATop SecretBackup

SecurityFile

MirrorBenefits:Continuously synched…Uptotheminute copy…No performance impact…

Channel

Failure

CATopSecretforz/OS– MirrorSupportWithSecurityFileMirror SupportActive…


CATopSecretMirrorSupportdetails

TSSControlOption:MIRROR(ON)

• Mirrorcopyofprimarysecurityfilemaintained.• Providesup-to-the-minutealternatesecurityfile.

• AvailableonlywhenSHRFILE(NO)andMIRROR(ON)arebothset.

• Designed tohavenoimpactonprimarysecurityfileperformance.

Benefits:

•Caneliminate theneedtoperformsignificantforwardrecoverprocessingwhenMirrorfileisusedasprimaryfile.•EliminatepotentialMissioncritical workdelaystiedtorecoverycommands

•UseemergencystartupPROCtorecycleTopSecretwiththeMirrorfileasprimaryfile

•CATopSecretBackupprocessingcanbedoneonceperweek•MustmaintainproperlysizedRecoveryFile


CATopSecretMirrorSafeguards

• AtTSSstartup,acheckisissuedtovalidatetheMirrorandPrimarysecurityfilesarenotonthesamevolume.• Ifonsamevolume,amessageisissuedandTopSecretwillinitializewithoutthemirrorfileactive.

• AtTSSstartup,aSynchronizationmessagecompletemessage isissuedwhenPrimaryandMirrorsecurityfilehavebeensuccessfullysynchronizedforuse.• Ifsynchronizationdoesnotsuccessfullycomplete aTopSecretmessagewillbeissuedandTopSecretwillinitializewithoutthemirrorfileactive.

• AtTSSstartup,ifthemirrorfileandprimaryfilearethesame, aTSSmessage isissuedandTSSwillfailtostartup.

Safeguards


CATopSecretMirrorSupportRecap:

Benefits:• CaneliminatetheneedtoperformsignificantforwardrecoverprocessingwhenMirrorfileisusedasprimaryfile.• EliminatepotentialMissioncriticalworkdelaystiedtodelayedrecoverycommandexecution.

• UseemergencystartupPROCtorecycleTopSecretwiththeMirrorfileasprimaryfile.• CATopSecretBackupprocessingcanbedoneonceperweek.• LeverageautomationpackagetoissueFTSS,BACKUP• Backupfileisstillrequired.• MustmaintainproperlysizedRecoveryFile.



NEWPasswordAdminChangeRestrictions• TSSControloption:PWADMIN(YES)• Securityadministrators:• ForcedtofollowNEWPWrules• Berestrictedfromchangingthepasswordexpirationintervalforindividualusers.

Benefits:• Centralizedanddecentralizedadministratorscannolonger:• BypassNEWPWrequirements-OR-• ChangePSWDEXPIREintervalforindividualusers.


PostTSS/ACF2r15GAEnhancementDetailsz/OS2.1– Updates§ DefaultUSERnolongersupported

– USSaccessrequiresuniqueOECredentials.§ CHOWNURScontroloptionremoval

– UNIXPRIV(CHOWN.UNRESTRICTED)– PerACIDbasisasneeded.

§ JES2/3relatedfeatures– JES2&JES3tolerationsupport– Support zSeries2.1JOBCLASSauthorizations

§ Nowgrantauthorizationtouseaspecific jobclasstoOwnerorjobsubmitter:– PERMITforJOBCLASS.node.class.jobname intheJESJOBS class.– PERMITforIBMFACclassestoactivateJESJOBS/JOBCLASS checking:

§ JES.JOBCLASS.OWNER

§ JES.JOBCLASS.SUBMITTER– toactivatechecking



Support&ACIDVariableinMODLUSERHOMEField• HOMEdirectoryautoassignedusing&acid/&ACIDvariables• MODLUSERacidcontainsHOME(/u/&acid).Fred01logsonwithout OEcredentials.Fred’sACIDwillbeautoassigned: HOME(/u/fred01)

• EnhancedAUTOUIDandAUTOGID• UID(?)orGID(?)isspecifiedonaCATopSecretcommand:• RECOVERYfilecommandtoincludethelocalsystemautogeneratednumberinsteadofaquestionmark(?).

• CPFAUTOUIDandCPFAUTOGID(newlyadded)• CPFtransmitsaTSScommandwiththelocallyautoassignedUIDvalue(insteadofthequestionmark(?)value)whenyouareusingtheCommandPropagationFacility(CPF).



CertificateEnhancements•CertificateREPLACEcommandimproved:•Duplicatecertificatechecking• Labelsthesame• Labelnotspecified•PublicandPrivatekeychecking• Existingcertificatehasaprivatekeyandcertificatebeingaddedis notaduplicate.Thecertificatebeingaddedhasthesamepublic keyastheexistingcertificate.

• Theexistingcertificatedoesnothaveaprivatekey.•Displaycertificatechaininformation•ADD,LIST,EXPORTandCHKCERTcommands

•GENREQmodification•Retainprivatekeywhenoldcertificateisdeleted.



DatacomA/DsupportforCIAandCompliance

Manager

•AddedCADatacomA/DsupportforbothCIAandComplianceManager.

•DatacomA/DBlack-boxinstallswithbaseproducts

ExpandtheInterfacewithJES2

•Provideadditionalability toimproveshutdownprocess•CATopSecretcannowbetheverylasttaskshutdown

•Spoolfilesdynamicallyallocatedandde-allocated

•JES2/3monitoredfornormalorabnormalshutdown

ReducedStorageObtains

•Groupedstorageusage•Reducedthenumberofcalls

•ReducesCPUutilizationpereveryRACROUTEcall

• ImprovedperformanceofhighvolumeCPUboundcalls



EnhancedRPW(RestrictedPasswordList)• EnforceRPWforanypositioninnewpassword• RequiresnewcontroloptionNEWPW(RT)tobeset.

ExpandTSSCOMPARE• AllowsforotherACIDtypestobecomparedincludingtype: Zone,Division,DepartmentandProfiles

TSSWHOHASUpdates• Reflects onlythoseresourcesthatmatchaspecificownership• Removedanyduplicatesfromlist

TSSMODIFYControlbyCASECAUT• AllTSSModifycommandsnowunderCASECAUT• ConsoleBitcheckedfirst• Ifbitoffthendoresourcecheck

• PrefixingandmaskingNOT allowed.


PostTSSr15GAEnhancementDetailsFacilityUsageTrackedviaCACleanupforTopSecret• Allowsforcleanupofprofilesthatonly includeaFacility.

TrackingTRANIDBypassedTransactionsUsed• TSSUTILreportshowstransactionsleveragedintheTRANIDBypasslist.• TheResource(TYPE&NAME)willspecifya'+'followedby thetransactionid.

• AllowsforeasyidentificationofTRANIDbypassedtransactionusage.

CALDAPandTSSSIM• TSSSIMnowaservicetoCALDAP• AllowsforLoggingintheTSSSIMprocess• AllowsCALDAPtomakeexternalcallsandcreateloggedevents

TSSUTILUpdates• Allowforspecificnameonresource&Multi-linesupportoninput

TSSAUDITUpdates- SearchbyDateandTime(likeTSSUTIL)

INACTIVESupportExtended• INACTIVEcontroloptionmaxintervalextended from255daysto999days.


PostTSSr15GAEnhancementDetailsDepartmentACIDMaximumSizeIncreased• Supportedsizeincreasedto1024

DB2V11Support• Support forDB2v11added.

IMS13.1Support• Support forIMS13.1added.

UserDefinedFieldsEnhancedtoSupport• ComplianceInformationAnalysis(CIA)component• batchloadandreal-timeprocesses.

FSACCESSControlOption• Performanceimprovement- NewlyaddedcontroloptionsettingallowscustomerstodisablesecuritycallsrelatedtoFSACCESSchecks.

CTS4.2Support– CTS4.2Support


PostACF2r15GAEnhancementRecapRoleBasedSecurityRefinements.

ImprovedResourceUtilization.

ImprovedUsability.

Additional IMSEnhancements.

NewACFAESAGEUnloadUtility.

Additional SHOWCommandOptions.

NewPassphraseSupport forCTS.

z/OS1.13Support•ECCKeyscanbestoredandretrievedforICSF.•UserMountandUNMountgranularity

z/OS2.1Support.•BPX.DEFAULT.USERnolongervalid.•Controlling AccesstoJobClass•POSIXCHOWNUnrestricted


PostACF2r15GAEnhancementDetails

RoleBasedSecurityUpdates• EnhancedModelandArchivecommands• Rolerecordsnowincluded• BuildsACFcommandstogenerateamodeleduser• BuildsACFcommandstore-addanArchivedusertorolerecords

• Clean-upX-ROLRolerecordswhenauseraccountisdeleted• RoleInclude/Excludefieldsupdatedfornon-maskedvalues• IncorporateRolerulesetsinCAACFACCESScommand



RoleBasedSecurityUpdates• PreventionofchangingRolerecordtype• X(ROL)recordsdefinedas‘role’or‘group’recordtype

• RoleBasedAPIEnhanced(ACF00RBS)• NewSYSIDparametertoreportonallrolerecordtypesdefinedonthesecuritydatabase.

• Returnslistofusersforagiverole.



ACFVSAMReserveEnqueueName• AllowstheminornameforACFVSAMENQ/RESERVEnametobeassociatedwithadatasetnameinsteadoftheDDBNAME.

• Bettergranularityforuserswithmultiple securityfilesinsameSysplex.

• ReducescontentiononACF2VSAMusage.

ImprovedCSAStorageUtilization• ProfileDirectoriesMovedto64-BitCSAStorage• CertificateTablesMovedto64-BitCSAStorage• ResultsinimprovedREFRESHprocessing.



CrossReferenceRecordExpansion• x(ROL),x(RGP)andx(SGP)recordsincreasefor4Kto16K

GSOINFORDIRExpanded•Nowabletosupport double theamountofentries,512.

SymbolicSubstitutioninDatasetRules•Reducesruleadministrationbyallowing&LIDasasubstitution string• The&LIDisusedontherulelineduringadjudication.

OptionalUseofCancelledLIDforRACROUTEEXTRACTS•EquivalentsupportforalESM’s•Reducesamountofpotentialdowntime.



LogonidExclusionfromPassword/PassphraseViolations• Passwordviolationswillnotbeincrementedforspecialuseuserids.• Preventsapplicationoutagesduetoviolations.

DatacomA/DSupportforCIAandComplianceEventManager• AddedCADatacomA/Dsupport forbothCIAandComplianceManager.

• DatacomA/DBlack-boxinstallswithbaseproducts



IMSforz/OSEnhancements• SecurityfortheIMSDBCTLenvironment.• SecurityforPSBsandAOIcommands.• /ACFcommandnowavailableinOMenvironment.• RemovalofCAACF2IMSrequirementtousetheIMSSecurityMacro.

NewACFESAGEUtility• SimilartoCAACF2TSSCFILEgivingafixedformattedversionoftheCAACF2database.

AdditionalSHOWCommands• SHOWALLnowcontainsoutput fromSHOWRSRCTYPE.• SHOWAUTOERASEdisplayserase-on-scratchoptions ineffect.



z/OS1.13CompatibilityandNewFunctionality• NewR_usermapfunctiontoreturnUseridfromDNorRealmname• PasswordPhrasesupport• CESLtransactionsupportssign-onwithpasswordorpasswordphrase• ACFMULfunctionupdated• Idletime-outs(locktime)



z/OS1.13CompatibilityandNewFunctionality• CertificateKeydisplaychanges• CHKCERTcommandnowdisplaysPublic/Privatekeysizeandtype• CertificateUtility(SAFCRRPT)displayskeysizeandtypeinheader

• ECC(EllipticCurveCryptography)KeysandICSF• CertificatecommandsallowforECCkeytobestoredandretrievedfromICSF

• Kerberosaddresschecking• NewCHKADDRSfieldinREALMrecord• AllowsticketaddresscheckinginKerberosserver

• Usermountandunmount• Privilegecheckingaccomplishedbyresourcechecks• Noneedforalluserstohavesuperuserprivilege


PostACF2r15GAEnhancementDetailsz/OS2.1CompatibilityandNewFunctionality

§ TYPEENF71NotificationEvent(ENF)– CACF2will sendanENFsignaltoCICSwhenaSecurityAdministrator– SuspendsorCancelsasigned-onremoteuser– Deletes thelogonid forasigned-onremoteuser

§ ControllingAccesstoJobClass– NewSAFcall forJES2andJES3controllinguseofJOBCLASS– AuthorizationChecking isactivated ifthenewFACILITYprofilesexist

§ BPX.DEFAULT.USERnolongervalid– AssignUID/GIDvaluesusingGSOAUTOIDOMrecord– Callable Serviced forUID/GIDarenowCPFeligible– Newtrace facilitytoidentifyworkloadscurrentlyusingdefaultvalues



z/OS2.1CompatibilityandNewFunctionality• SymbolicinOMVSSegment• Thehomefieldcannowuse‘&LID’torepresenttheuser’sLOGONIDvalue

• UsefulwhenusingtheMODELrecord• POSIXCHOWNUnrestricted• Newrestrictionsonnon-superusersmodifyingownershipoftheirfiles


PostACF2r15GAEnhancementDetailsz/OS2.1CompatibilityandNewFunctionality• CertificateProtectionafterGENREQ• GENREQcommandusedtocreateaCertificateRequestbasedonexistingcertificate.• AftercertificateisgeneratedandsignedbyCA,itisreinsertedovertheoldcertificate.• CAACF2willnotallowtheprivatekeybeforethere-insert.• IncreasedprotectionforROLLOVERprocess

• CertificateCHAINSupportonCHKCERT• Eachcertificateinthechain’scontentisnowdisplayed.• Newsummarydisplayingthenumberofcertificatesinthechain.• Keyringsthecertificateshaveincommon.• Indicatorifthechaincontainsexpiredoruntrusted certificates.


Recap

CAACF2&TopSecretr15PostGAEnhancements

• Vastmajorityofupdatesoriginatedfromcustomerenhancementrequests.

• Manyoftheenhancementsprovidedtoaddresssitespecificand/orfederalregulatedcompliancerequirements.

HowtogetTheseEnhancements?

• Obtainrelatedr15solutionsfromCA’sCustomerSupportsite.

• UpgradetoCAACF2orCATopSecretr16• Allenhancementsdiscuss inthissessionincludedattheCAACF2&TopSecretr16baseinstalls.

• Noadditionalmaintenancerequired.• Fullyregressiontested.• Stagedforthenextnewreleaseofz/OS.


SummaryAFewWords toReview

RememberYouareonly assecureasyourleastsecurevendor(none aretoosmalltoconsider)

Implementingasecondlayerofauthenticationcanprotectyoufromthingsoccurringoutside ofyournetwork

DoBeawareofrecentbreachesandensureyouraisethebarforattackers

Provideuserswithflexibilityandaneasywaytodotherightthing

Don’tBeconvincedthatyouaresecurebecauseyourinfrastructurehasadvancedmonitoringandprotection

Cripple thebusiness withcumbersomeprocessestheywillfindawaytocircumvent


Q&A


HowdoIdeliveraflawlessexperienceeverytimeanapplicationtouchesthemainframe?

Intheapplicationeconomyit’sallaboutyourcustomers.Youneedtothinkaboutyourmainframereframed.

Connectmobile-to-mainframeapplications

Createmainframeinfrastructureflexibility

forthefuture

Unleashthepowerofdataonthemainframe



TheCostofBeingNon-Compliant

“TheRisingCostsofNon-Compliance:FromtheEndofaCareertotheendofaFirm,”ThompsonReutersAccelus,November2014


RecommendedSessionsSESSION# TITLE DATE/TIME

MainframeTheater CastleWallsUnderDigitalSiege:Risk-basedSecurity

11/18– 1:00pm

MainframeTheater

MFX25S LocatingUnmanagedbutRegulatedDataonSystemz11/18– 3:00pm

BreakersI

MainframeTheater

PanelDiscussion: IsComplacency AroundMainframeSecurityaDisasterWaitingtoHappen?

11/18– 3:45pm

MainframeTheater

Tech Talk Isn’toneauthenticationmechanismonzSystems™enough?11/18– 4:30pm

MainframeContentCenter

TechTalkTheKnownUnknown – Findinglost, abandoned,andhiddenregulateddataontheMainframe

11/19– 12:15pm

MainframeContentCenter

MFX26SHowtoIncreaseUserAccountabilitybyEliminatingtheDefaultUserinUnixSystemServices

11/19– 1:00pm

BreakersI

MFX47STop10things youshout NOTforgetwhenevaluatingyoursecurityimplementation

11/19– 2:00pm

BreakersI


FollowConversationsintheMainframeContentCenter

CADataContentDiscoveryCAACF2™forz/OSCATopSecret®forz/OSCACleanupCAAuditor

AdvancedAuthentication –Nov18th @4:30pm

TheKnownUnknown -Nov19th @12:15pm

DEMOS

SMART BAR

TECH TALKS

Technology

CA ACF2™ and CA Top Secret® Part 1: The Road Leading to r16 and Capabilities added since r15