12 – Define Connector for Top Secret in the Top Secret System

The following Top Secret definitions are required in order for Connector for Top Secret to function properly. Sample definitions can be found in member CTSTSS in the INSTALL library. Read carefully the explanations below and the notes in member CTSTSS and tailor according to site standards before submitting the job or using the commands from this member.

Note

  • Before submitting the job or executing the commands, verify that the ACID used to submit the job or execute the commands has the necessary authority for the Top Secret commands. For example, CTSTSS creates an SCA ACID. Therefore, the ACID submitting the job, or the one specified in the USER= parameter of the job card, should be the MSCA ACID.

  • After submitting the job or executing the commands, check the whole output and verify that all the commands were processed successfully.

  • It is assumed that the user who installed Connector for Top Secret has ACCESS(ALL) authority to all Connector for Top Secret files, assigned to him at the beginning of the installation process.

12.1 – Define a Multi-user facility to be used by Connector for Top Secret

A sample definition can be found in member CTSTSS in the INSTALL library.

This definition is required only once, on the first time Connector for Top Secret is installed in the system.

Before adding this facility, check in Top Secret if facility CTSA is defined. If not, define it using the commands in member CTSTSS.

For the definitions to be retained after the next IPL, they must also be copied to the Top Secret parameters member.

12.2 – Define Connector for Top Secret Started Tasks as Valid Started Tasks in Top Secret

Started task   Description
------------   -----------
CTSGATE        Top Secret Connector Gateway monitor
CTSACS         Connector Transaction Server (CS)
CTSACD         Connector Notification Server (CD)
CTSAONI        Connector Online Interceptor
CTSAOFLI       Connector Offline Interceptor

Note
In the list of started tasks used in this section, it is assumed that the default value CTS was accepted for the DEFPARMS parameter PROCPREFS. If you assigned a different value to this parameter, modify the started task names accordingly.

Connector for Top Secret started tasks must be associated with an ACID of type SCA (Central Security Administrator) and must be granted authority to LIST all data.

The Multi-user facility defined for Connector for Top Secret must be assigned to the Connector for Top Secret started tasks ACID as MASTFAC.

Sample commands for setting these authorities can be found in member CTSTSS in the INSTALL library.

12.3 – Define the Connector STC ACID to OMVS

The Connector STC ACID must have OMVS definitions to allow the CTSGATE to use the TCP/IP services of the z/OS UNIX System Services (USS). When a user attempts to use the USS, Top Secret verifies that the user is a USS user before the system allows access.

To define the Connector STC ACID as a USS user the ACID has to be assigned a UID and has to be connected to a group having a GID.

For more information, see details provided within the CTSTSS member.

12.4 – Set Permissions to Connector Datasets

Permit READ access to the Connector DIAGLVL and CLIST libraries for the MVS system programmers, z/OS staff, or SailPoint Mainframe support team who need to see them.

Important
Do not allow users access to any DIAGLVL or CLIST libraries in the CTSTSS installation job.

Permit all Connector for Top Secret installation and operation files to be accessed by Connector for Top Secret started tasks listed above with read and write authorizations.

12.5 – Protect the Encryption Keys Datasets

Transmitted Data Encryption Keys Dataset

Note
This permission is only required when Transmitted Data Encryption is implemented.

Set Top Secret to permit only the Connector for Top Secret servers (CTSACS and CTSACD) READ access to the encryption key dataset ENCREXT created in Procedure "9.4 – Set up secured communication" in 11 – Customize Communication Settings. No user other than the installer User ID may be authorized to access this dataset (not even READ authorization).

Stored Data Encryption Keys Dataset

Set Top Secret to permit only the Connector for Top Secret servers (CTSACS and CTSACD) and the Connector Interceptors (CTSAONI and CTSAOFLI) READ access to the encryption key dataset ENCRINT created in 9 – Format Connector for Top Secret Datasets. No user other than the installer User ID may be authorized to access this dataset (not even READ authorization).

12.6 – Grant CTSGATE with authority to use TCP/IP stack

This permission is required only when Top Secret SERVAUTH resource class is defined to protect TCP/IP resources from unauthorized access. For more information, see details provided within the CTSTSS member.

12.7 – Grant users permission to facility CTSA

All ACIDs whose passwords are managed by Connector for Top Secret and the ACID of the Managed System Administrator (used to perform updates originating in SailPoint) must be permitted to FACILITY(CTSA), defined in "10.1 - Define a Multi-user facility to be used by Connector for Top Secret".

For more information, see details provided within the CTSTSS member.
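The following TSO REXX exec is an added example, not the CTSTSS member shipped with Connector for Top Secret; it codes the definitions of sections 12.1 to 12.7 as Top Secret commands and stops at the first command that fails, which is the check the Note at the top of this section asks for. The ACID, group, UID/GID, facility slot, dataset prefixes, TCP/IP stack name and user names in it are assumed site values, and the ADMIN DATA(ALL) form is assumed to be the way "LIST all data" authority is granted; tailor all of them according to the notes in CTSTSS.

```rexx
/* REXX: added example, not the CTSTSS member shipped with the product. */
/* Codes sections 12.1 to 12.7 as Top Secret commands issued from TSO.  */
/* Assumed site values (replace them): STC ACID CTSSTC, OMVS group      */
/* CTSGRP, UID/GID 4711, facility slot USER10, dataset prefixes         */
/* CTS.OPER. and CTS.KEYS., support profile SYSPROG, TCP/IP stack TCPIP */
/* on SYS1, managed ACIDs USER01/USER02, administrator ACID CTSADM.     */
/* Run it under the MSCA ACID: only the MSCA may create TYPE(SCA).      */
acid = 'CTSSTC'; grp = 'CTSGRP'; fac = 'CTSA'
stcs = 'CTSGATE CTSACS CTSACD CTSAONI CTSAOFLI'   /* PROCPREFS=CTS     */

/* 12.1 Facility CTSA. MODIFY changes the live control options only;   */
/* copy the same FACILITY() entries to the TSS parameter member for IPL */
call tss "MODIFY(FACILITY(USER10=NAME="fac"))"
call tss "MODIFY(FACILITY("fac"=PGM=CTS,MULTIUSER,MODE=FAIL))"

/* 12.2 One SCA ACID for all started tasks, owning CTSA as MASTFAC      */
call tss "CREATE("acid") TYPE(SCA) NAME('CTS CONNECTOR STC')",
         "PASSWORD(NOPW,0) FACILITY(STC,BATCH)"
call tss "ADDTO("acid") MASTFAC("fac")"
call tss "ADMIN("acid") DATA(ALL)"      /* LIST all data (assumed form) */
do i = 1 to words(stcs)                 /* tie each STC name to the ACID */
  call tss "ADDTO(STC) PROCNAME("word(stcs,i)") ACID("acid")"
end

/* 12.3 OMVS identity so CTSGATE may use z/OS UNIX TCP/IP services      */
call tss "ADDTO("grp") GID(4711)"
call tss "ADDTO("acid") GROUP("grp") DFLTGRP("grp") UID(4711)",
         "HOME(/u/ctsstc) OMVSPGM(/bin/sh)"

/* 12.4/12.5 Keys sit under their own prefix (assumed) so the READ/WRITE */
/* permit on CTS.OPER. cannot reach them; the STC ACID gets READ only   */
/* on the two key datasets and no other ACID is permitted to them.      */
call tss "PERMIT(SYSPROG) DSNAME(CTS.OPER.DIAGLVL) ACCESS(READ)"
call tss "PERMIT(SYSPROG) DSNAME(CTS.OPER.CLIST) ACCESS(READ)"
call tss "PERMIT("acid") DSNAME(CTS.OPER.) ACCESS(UPDATE)"
call tss "PERMIT("acid") DSNAME(CTS.KEYS.ENCREXT) ACCESS(READ)"
call tss "PERMIT("acid") DSNAME(CTS.KEYS.ENCRINT) ACCESS(READ)"

/* 12.6 Needed only when SERVAUTH protects the TCP/IP stack             */
call tss "PERMIT("acid") SERVAUTH(EZB.STACKACCESS.SYS1.TCPIP) ACCESS(READ)"

/* 12.7 Managed ACIDs and the managed-system administrator use CTSA    */
users = 'USER01 USER02 CTSADM'
do i = 1 to words(users)
  call tss "ADDTO("word(users,i)") FACILITY("fac")"
end
exit 0

tss: procedure            /* issue one TSS command, stop on first failure */
  parse arg cmd
  address TSO "TSS" cmd
  if rc <> 0 then do
    say 'Failed (RC='rc'): TSS' cmd
    exit rc
  end
  return
```

Because a single ACID serves all five started tasks here, the server-only and interceptor-only distinctions of section 12.5 collapse into one READ permit per key dataset; if the site assigns separate ACIDs per started task, issue the ENCREXT permit for the server ACIDs and the ENCRINT permit for the server and interceptor ACIDs only.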