CA ACF2™ and CA Top Secret® Part 1:
The Road Leading to r16
Capabilities added since r15
Paul Rauchet – Director, Software Engineering
John Pinkowski – Senior Principal Product Manager
Mainframe
CA Technologies
MFX10E
© 2015 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
For Informational Purposes Only
Terms of this Presentation
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
Abstract
CA ACF2™ and CA Top Secret® r15 have been out for 5 years – what enhancements have you missed?
This session will cover the r15 enhancements added to help ease administration, and to help simplify compliance and audit tasks.
Paul Rauchet – Sr. Director, Engineering
John Pinkowski – Product Owner
CA ACF2™ and CA Top Secret® Part 1
Agenda
1. ENHANCEMENT SELECTION PROCESS (THEN AND NOW)
2. CA ACF2 & TOP SECRET R15 POST GA COMMON GROUND
3. CA TOP SECRET R15 POST GA SPECIFIC ENHANCEMENTS
4. CA ACF2 R15 POST GA SPECIFIC ENHANCEMENTS
5. FINAL QUESTIONS / RECAP
The Mainframe Supports the Customer Experience
40 Trillion mobile transactions per day by 2025
Increasing Mobile Apps & Devices
2/3 transactions self-serve by 2017
25% of users abandon an app after a 3 second delay
71% of corporate data sits on mainframe systems
Rising Customer Expectations
Data for Analytics & Apps
SOURCES: IBM, Gartner, Aberdeen Research, Enterprise Systems Media
CA Top Secret & ACF2 r15 Release Updates
We never stopped innovating….
With your input and help…
Wouldn’t it be nice if…
CA Top Secret & ACF2 r15 Release Updates
Before CA Communities Ideation… “Hey CA, What happened to my DAR?”
Not quite this bad…
DAR Enhancements Transitioned Over to Ideation - Dec, 2014
Existing Enhancement Request
Multiple Sites requested
Transitioned Over to Ideation
Old DAR System vs CA Communities Ideation
Old DAR System
§ Stored in CA homegrown app.
§ Not viewable by customers beyond requesting site.
§ Communication/discussion between sites limited to User Group meetings, Active Beta customer calls etc.
§ CA internal DAR reviews limited to latest entries.
§ Enhancements fulfilled chosen by product teams or a few sites.
Ideas System
§ Stored in CA Communities site.
§ Viewable by all customers.
§ Forum all customers can leverage to easily and anonymously discuss enhancements with CA as well as other CA security customers.
§ CA reviews all entries submitted and updates with current review status.
§ Customer voting/input heavily weighted in fulfillment decision.
CA Mainframe Security Community Ideas (as of 10/17/15)
CA ACF2 / CA Top Secret r15 – Transition Hybrid Releases
§ Majority of enhancements completed using the old DAR system
§ Prioritized IBM changes
§ Last few introduced enhancements:
  § Leveraged popular Ideas/DARS
  § Agile sprints
  § Engaged multiple customers
TSS ACF2
Time to dive in and take a peek at the post GA r15 enhancements!!!
CA Top Secret r15 Post GA Enhancements
• Mirror Feature. Creates a mirror of the security file for immediate restart in case of file device/channel failure.
• Enforce security administrators to follow NEWPW rules when issuing pswd related Top Secret commands.
• JES2/JES3 shutdown/restart improvements.
• Performance improvements as a result of reduced storage obtains.
• Enhanced restricted password list.
• Expansion of COMPARE command to include other ACID types.
• Refinement of WHOHAS command.
• All TSS MODIFY commands checked as CASECAUT resources.
• FACILITY tracking added to CA Cleanup interface.
• Utility improvements to TSSUTIL, LDAP, TSSAUDIT, TSSSIM.
• CHKCERT and Certificate Utility display Public/Private key size and type.
• ECC keys can be stored and retrieved for ICSF.
• Eliminate need for superuser privilege for user mount and unmounts.
Post TSS r15 GA Enhancement Details
Security File Mirror Support
§ TSS Control option: MIRROR(ON)
  – Mirror copy of primary security file maintained.
§ Provides up-to-the-minute alternate security file.
§ Available only when SHRFILE(NO) and MIRROR(ON) are both set.
  – Designed to have no impact on primary security file performance.
Benefits:
  – Can eliminate the need to perform forward recover processing when Mirror file is used as primary file.
  – Use emergency startup PROC to recycle Top Secret with the Mirror file as primary file
  – Note: Top Secret Backup processing can be done once per week
CA Top Secret for z/OS – Mirror Support
Without Security File Mirror Support Active…
CA Top Secret Primary Security File
CA Top Secret Backup Security File
Backup file – Snapshot taken from last Top Secret Backup processed command
Security File suddenly unavailable… Device I/O Error or Channel Communications Failure
1 – Restart TSS on backup file
2 – Run Forward Recovery
Likely 1,000’s of commands….
Total Recovery time: Measured in HOURS!!!
CA Top Secret for z/OS – Mirror Support
With Security File Mirror Support Active…
CA Top Secret Primary Security File
CA Top Secret Backup Security File
Backup file – Snapshot taken from last Top Secret Backup processed command
Mirror Benefits: Continuously synched… Up to the minute copy… No performance impact…
CA Top Secret for z/OS – Mirror Support
With Security File Mirror Support Active…
CA Top Secret Primary Security File: I/O Error or Channel Failure
CA Top Secret Backup Security File
Mirror Benefits: Continuously synched… Up to the minute copy… No performance impact…
1 – Restart TSS on Mirror file
2 – No need to Run Forward Recovery…
Total Recovery time: Measured in MINUTES!!!
CA Top Secret Mirror Support details
TSS Control Option: MIRROR(ON)
• Mirror copy of primary security file maintained.
• Provides up-to-the-minute alternate security file.
• Available only when SHRFILE(NO) and MIRROR(ON) are both set.
• Designed to have no impact on primary security file performance.
Benefits:
• Can eliminate the need to perform significant forward recover processing when Mirror file is used as primary file.
• Eliminate potential Mission critical work delays tied to recovery commands
• Use emergency startup PROC to recycle Top Secret with the Mirror file as primary file
• CA Top Secret Backup processing can be done once per week
• Must maintain properly sized Recovery File
CA Top Secret Mirror Safeguards
• At TSS startup, a check is issued to validate the Mirror and Primary security files are not on the same volume.
  • If on same volume, a message is issued and Top Secret will initialize without the mirror file active.
• At TSS startup, a Synchronization complete message is issued when Primary and Mirror security file have been successfully synchronized for use.
  • If synchronization does not successfully complete, a Top Secret message will be issued and Top Secret will initialize without the mirror file active.
• At TSS startup, if the mirror file and primary file are the same, a TSS message is issued and TSS will fail to startup.
CA Top Secret Mirror Support Recap:
Benefits:
• Can eliminate the need to perform significant forward recover processing when Mirror file is used as primary file.
• Eliminate potential Mission critical work delays tied to delayed recovery command execution.
• Use emergency startup PROC to recycle Top Secret with the Mirror file as primary file.
• CA Top Secret Backup processing can be done once per week.
• Leverage automation package to issue F TSS,BACKUP
• Backup file is still required.
• Must maintain properly sized Recovery File.
Post TSS r15 GA Enhancement Details
NEW Password Admin Change Restrictions
• TSS Control option: PWADMIN(YES)
• Security administrators:
  • Forced to follow NEWPW rules
  • Be restricted from changing the password expiration interval for individual users.
Benefits:
• Centralized and decentralized administrators can no longer:
  • Bypass NEWPW requirements -OR-
  • Change PSWD EXPIRE interval for individual users.
Post TSS/ACF2 r15 GA Enhancement Details
z/OS 2.1 – Updates
§ Default USER no longer supported
  – USS access requires unique OE Credentials.
§ CHOWNURS control option removal
  – UNIXPRIV(CHOWN.UNRESTRICTED)
  – Per ACID basis as needed.
§ JES2/3 related features
  – JES2 & JES3 toleration support
  – Support zSeries 2.1 JOBCLASS authorizations
§ Now grant authorization to use a specific job class to Owner or job submitter:
  – PERMIT for JOBCLASS.node.class.jobname in the JESJOBS class.
  – PERMIT for IBMFAC classes to activate JESJOBS/JOBCLASS checking:
    § JES.JOBCLASS.OWNER
    § JES.JOBCLASS.SUBMITTER – to activate checking
Post TSS r15 GA Enhancement Details
Support &ACID Variable in MODLUSER HOME Field
• HOME directory auto assigned using &acid/&ACID variables
• MODLUSER acid contains HOME(/u/&acid). Fred01 logs on without OE credentials. Fred’s ACID will be auto assigned: HOME(/u/fred01)
• Enhanced AUTOUID and AUTOGID
  • UID(?) or GID(?) is specified on a CA Top Secret command:
  • RECOVERY file command to include the local system auto generated number instead of a question mark (?).
• CPFAUTOUID and CPFAUTOGID (newly added)
  • CPF transmits a TSS command with the locally auto assigned UID value (instead of the question mark (?) value) when you are using the Command Propagation Facility (CPF).
Post TSS r15 GA Enhancement Details
Certificate Enhancements
• Certificate REPLACE command improved:
  • Duplicate certificate checking
    • Labels the same
    • Label not specified
  • Public and Private key checking
    • Existing certificate has a private key and certificate being added is not a duplicate. The certificate being added has the same public key as the existing certificate.
    • The existing certificate does not have a private key.
• Display certificate chain information
  • ADD, LIST, EXPORT and CHKCERT commands
• GENREQ modification
  • Retain private key when old certificate is deleted.
Post TSS r15 GA Enhancement Details
Datacom A/D support for CIA and Compliance Manager
• Added CA Datacom A/D support for both CIA and Compliance Manager.
• Datacom A/D Black-box installs with base products
Expand the Interface with JES2
• Provide additional ability to improve shutdown process
• CA Top Secret can now be the very last task shutdown
• Spool files dynamically allocated and de-allocated
• JES2/3 monitored for normal or abnormal shutdown
Reduced Storage Obtains
• Grouped storage usage
• Reduced the number of calls
• Reduces CPU utilization per every RACROUTE call
• Improved performance of high volume CPU bound calls
Post TSS r15 GA Enhancement Details
Enhanced RPW (Restricted Password List)
• Enforce RPW for any position in new password
• Requires new control option NEWPW(RT) to be set.
Expand TSS COMPARE
• Allows for other ACID types to be compared including type: Zone, Division, Department and Profiles
TSS WHOHAS Updates
• Reflects only those resources that match a specific ownership
• Removed any duplicates from list
TSS MODIFY Control by CASECAUT
• All TSS Modify commands now under CASECAUT
• Console Bit checked first
• If bit off then do resource check
• Prefixing and masking NOT allowed.
Post TSS r15 GA Enhancement Details
Facility Usage Tracked via CA Cleanup for Top Secret
• Allows for cleanup of profiles that only include a Facility.
Tracking TRANID Bypassed Transactions Used
• TSSUTIL report shows transactions leveraged in the TRANID Bypass list.
• The Resource (TYPE & NAME) will specify a '+' followed by the transaction id.
• Allows for easy identification of TRANID bypassed transaction usage.
CA LDAP and TSSSIM
• TSSSIM now a service to CA LDAP
• Allows for Logging in the TSSSIM process
• Allows CA LDAP to make external calls and create logged events
TSSUTIL Updates
• Allow for specific name on resource & Multi-line support on input
TSSAUDIT Updates
• Search by Date and Time (like TSSUTIL)
INACTIVE Support Extended
• INACTIVE control option max interval extended from 255 days to 999 days.
Post TSS r15 GA Enhancement Details
Department ACID Maximum Size Increased
• Supported size increased to 1024
DB2 V11 Support
• Support for DB2 v11 added.
IMS 13.1 Support
• Support for IMS 13.1 added.
User Defined Fields Enhanced to Support
• Compliance Information Analysis (CIA) component
• batch load and real-time processes.
FSACCESS Control Option
• Performance improvement - Newly added control option setting allows customers to disable security calls related to FSACCESS checks.
CTS 4.2 Support
• CTS 4.2 Support
Post ACF2 r15 GA Enhancement Recap
Role Based Security Refinements.
Improved Resource Utilization.
Improved Usability.
Additional IMS Enhancements.
New ACFAESAGE Unload Utility.
Additional SHOW Command Options.
New Passphrase Support for CTS.
z/OS 1.13 Support
• ECC Keys can be stored and retrieved for ICSF.
• User Mount and UNMount granularity
z/OS 2.1 Support.
• BPX.DEFAULT.USER no longer valid.
• Controlling Access to Job Class
• POSIX CHOWN Unrestricted
Post ACF2 r15 GA Enhancement Details
Role Based Security Updates
• Enhanced Model and Archive commands
  • Role records now included
  • Builds ACF commands to generate a modeled user
  • Builds ACF commands to re-add an Archived user to role records
• Clean-up X-ROL Role records when a user account is deleted
• Role Include/Exclude fields updated for non-masked values
• Incorporate Role rule sets in CA ACF ACCESS command
Post ACF2 r15 GA Enhancement Details
Role Based Security Updates
• Prevention of changing Role record type
  • X(ROL) records defined as ‘role’ or ‘group’ record type
• Role Based API Enhanced (ACF00RBS)
  • New SYSID parameter to report on all role record types defined on the security database.
  • Returns list of users for a given role.
Post ACF2 r15 GA Enhancement Details
ACFVSAM Reserve Enqueue Name
• Allows the minor name for ACFVSAM ENQ/RESERVE name to be associated with a dataset name instead of the DDBNAME.
• Better granularity for users with multiple security files in same Sysplex.
• Reduces contention on ACF2 VSAM usage.
Improved CSA Storage Utilization
• Profile Directories Moved to 64-Bit CSA Storage
• Certificate Tables Moved to 64-Bit CSA Storage
• Results in improved REFRESH processing.
Post ACF2 r15 GA Enhancement Details
Cross Reference Record Expansion
• x(ROL), x(RGP) and x(SGP) records increase from 4K to 16K
GSO INFORDIR Expanded
• Now able to support double the amount of entries, 512.
Symbolic Substitution in Dataset Rules
• Reduces rule administration by allowing &LID as a substitution string
• The &LID is used on the rule line during adjudication.
Optional Use of Cancelled LID for RACROUTE EXTRACTS
• Equivalent support for all ESM’s
• Reduces amount of potential downtime.
Post ACF2 r15 GA Enhancement Details
Logonid Exclusion from Password/Passphrase Violations
• Password violations will not be incremented for special use userids.
• Prevents application outages due to violations.
Datacom A/D Support for CIA and Compliance Event Manager
• Added CA Datacom A/D support for both CIA and Compliance Manager.
• Datacom A/D Black-box installs with base products
Post ACF2 r15 GA Enhancement Details
IMS for z/OS Enhancements
• Security for the IMS DBCTL environment.
• Security for PSBs and AOI commands.
• /ACF command now available in OM environment.
• Removal of CA ACF2 IMS requirement to use the IMS Security Macro.
New ACFESAGE Utility
• Similar to CA ACF2 TSSCFILE giving a fixed formatted version of the CA ACF2 database.
Additional SHOW Commands
• SHOW ALL now contains output from SHOW RSRCTYPE.
• SHOW AUTOERASE displays erase-on-scratch options in effect.
Post ACF2 r15 GA Enhancement Details
z/OS 1.13 Compatibility and New Functionality
• New R_usermap function to return Userid from DN or Realm name
• Password Phrase support
• CESL transaction supports sign-on with password or password phrase
• ACFMUL function updated
• Idle time-outs (lock time)
Post ACF2 r15 GA Enhancement Details
z/OS 1.13 Compatibility and New Functionality
• Certificate Key display changes
  • CHKCERT command now displays Public/Private key size and type
  • Certificate Utility (SAFCRRPT) displays key size and type in header
• ECC (Elliptic Curve Cryptography) Keys and ICSF
  • Certificate commands allow for ECC key to be stored and retrieved from ICSF
• Kerberos address checking
  • New CHKADDRS field in REALM record
  • Allows ticket address checking in Kerberos server
• User mount and unmount
  • Privilege checking accomplished by resource checks
  • No need for all users to have superuser privilege
Post ACF2 r15 GA Enhancement Details
z/OS 2.1 Compatibility and New Functionality
§ TYPE ENF71 Notification Event (ENF)
  – CA ACF2 will send an ENF signal to CICS when a Security Administrator
    – Suspends or Cancels a signed-on remote user
    – Deletes the logonid for a signed-on remote user
§ Controlling Access to Job Class
  – New SAF call for JES2 and JES3 controlling use of JOBCLASS
  – Authorization Checking is activated if the new FACILITY profiles exist
§ BPX.DEFAULT.USER no longer valid
  – Assign UID/GID values using GSO AUTOIDOM record
  – Callable Services for UID/GID are now CPF eligible
  – New trace facility to identify workloads currently using default values
Post ACF2 r15 GA Enhancement Details
z/OS 2.1 Compatibility and New Functionality
• Symbolic in OMVS Segment
  • The home field can now use ‘&LID’ to represent the user’s LOGONID value
  • Useful when using the MODEL record
• POSIX CHOWN Unrestricted
  • New restrictions on non-superusers modifying ownership of their files
Post ACF2 r15 GA Enhancement Details
z/OS 2.1 Compatibility and New Functionality
• Certificate Protection after GENREQ
  • GENREQ command used to create a Certificate Request based on existing certificate.
  • After certificate is generated and signed by CA, it is reinserted over the old certificate.
  • CA ACF2 will not allow the private key before the re-insert.
  • Increased protection for ROLLOVER process
• Certificate CHAIN Support on CHKCERT
  • Each certificate in the chain’s content is now displayed.
  • New summary displaying the number of certificates in the chain.
  • Key rings the certificates have in common.
  • Indicator if the chain contains expired or untrusted certificates.
Recap
CA ACF2 & Top Secret r15 Post GA Enhancements
• Vast majority of updates originated from customer enhancement requests.
• Many of the enhancements provided to address site specific and/or federal regulated compliance requirements.
How to get These Enhancements?
• Obtain related r15 solutions from CA’s Customer Support site.
• Upgrade to CA ACF2 or CA Top Secret r16
  • All enhancements discussed in this session included at the CA ACF2 & Top Secret r16 base installs.
  • No additional maintenance required.
  • Fully regression tested.
  • Staged for the next new release of z/OS.
Summary
A Few Words to Review
Remember
• You are only as secure as your least secure vendor (none are too small to consider)
• Implementing a second layer of authentication can protect you from things occurring outside of your network
Do
• Be aware of recent breaches and ensure you raise the bar for attackers
• Provide users with flexibility and an easy way to do the right thing
Don’t
• Be convinced that you are secure because your infrastructure has advanced monitoring and protection
• Cripple the business with cumbersome processes they will find a way to circumvent
Q&A
How do I deliver a flawless experience every time an application touches the mainframe?
In the application economy it’s all about your customers. You need to think about your mainframe reframed.
Connect mobile-to-mainframe applications
Create mainframe infrastructure flexibility for the future
Unleash the power of data on the mainframe
The Cost of Being Non-Compliant
“The Rising Costs of Non-Compliance: From the End of a Career to the end of a Firm,” Thomson Reuters Accelus, November 2014
Recommended Sessions
SESSION # | TITLE | DATE/TIME
Mainframe Theater | Castle Walls Under Digital Siege: Risk-based Security | 11/18 – 1:00pm, Mainframe Theater
MFX25S | Locating Unmanaged but Regulated Data on System z | 11/18 – 3:00pm, Breakers I
Mainframe Theater | Panel Discussion: Is Complacency Around Mainframe Security a Disaster Waiting to Happen? | 11/18 – 3:45pm, Mainframe Theater
Tech Talk | Isn’t one authentication mechanism on z Systems™ enough? | 11/18 – 4:30pm, Mainframe Content Center
Tech Talk | The Known Unknown – Finding lost, abandoned, and hidden regulated data on the Mainframe | 11/19 – 12:15pm, Mainframe Content Center
MFX26S | How to Increase User Accountability by Eliminating the Default User in Unix System Services | 11/19 – 1:00pm, Breakers I
MFX47S | Top 10 things you should NOT forget when evaluating your security implementation | 11/19 – 2:00pm, Breakers I
Follow Conversations in the Mainframe Content Center
CA Data Content Discovery, CA ACF2™ for z/OS, CA Top Secret® for z/OS, CA Cleanup, CA Auditor
Advanced Authentication – Nov 18th @ 4:30pm
The Known Unknown - Nov 19th @ 12:15pm
DEMOS
SMART BAR
TECH TALKS