Implementing a CA-TOP SECRET Environment

When assembling both the stage 1 signon exit and the stage 2 security exit, you must provide the following DD statements.

  1. For the assembly step, ensure that the SYSLIB concatenation contains the following data sets:
    //SYSLIB   DD     DSN=$CD.SDGAMAC,DISP=SHR
    //         DD     DSN=SYS1.MODGEN,DISP=SHR
    //         DD     DSN=SYS1.MACLIB,DISP=SHR
  2. Replace $CD with the appropriate high-level qualifier for your IBM® Connect:Direct® data sets.
  3. For the link-edit step, provide the following DD statement:
    //SYSLIB   DD   DSN=$CD.SDGALINK,DISP=SHR
    Note: Correct assembly requires Assembler H or the High-Level Assembler. Assemble with the ALIGN option; do not specify NOALIGN.
  4. Add IBM Connect:Direct as a CA-TOP SECRET Facility.
  5. Observe the following restrictions or requirements:
    • If you are using CA-TOP SECRET Release 4 or later, issue the following commands.
      TSS  CREATE(NDM)   NAME('...')   DEPT(...)
           MASTFAC(NDM)  FAC(STC)      PASSWORD(NOPW)
      TSS  ADDTO(STC)    PROC(NDM)     ACID(NDM)
      TSS  PERMIT(NDM)   DSN(NDM)      ACCESS(ALL)

      Issue TSS MODIFY commands to obtain the following list of attributes.

      NDM PGM=DMG        ID=your choice
      ATTRIBUTES=ACTIVE, SHRPRF, ASUBM, MULTIUSER, NOXDEF,
            SIGN(M) NORNDPW NOAUDIT, RES, NOABEND,
            NOPROMPT, NOTSOC
    • If you are using CA-TOP SECRET Release 4 or later, and if the z/OS TCB Extension Feature is installed, IBM Connect:Direct only needs update authority to its system files, such as the TCQ and the network map. These prerequisites allow IBM Connect:Direct to use the z/OS System Authorization Facility (SAF). Otherwise, the ACID referenced previously must provide full access authority to all files that IBM Connect:Direct accesses. Alternatively, you can identify IBM Connect:Direct in the privileged program name table as having access to all files by setting bit 6 (bypass password checking) in the program properties table (IEFSDPPT) to 1.
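
The attribute list in step 5 can be compared against a captured facility listing to detect drift after later TSS MODIFY changes. The following Python check is an added example, not part of the IBM or CA documentation; it assumes the listing is laid out like the one shown above, and the function names and the sample listing are constructed for illustration.

```python
import re

# Attributes this page requires for the NDM facility (step 5).
REQUIRED = {"ACTIVE", "SHRPRF", "ASUBM", "MULTIUSER", "NOXDEF", "SIGN(M)",
            "NORNDPW", "NOAUDIT", "RES", "NOABEND", "NOPROMPT", "NOTSOC"}

# Constructed sample: the page's listing with two drifted attributes.
SAMPLE_DRIFTED = """\
NDM PGM=DMG        ID=X
ATTRIBUTES=ACTIVE, SHRPRF, ASUBM, MULTIUSER, NOXDEF,
      SIGN(S) NORNDPW AUDIT, RES, NOABEND,
      NOPROMPT, NOTSOC
"""

def parse_facility(listing):
    """Return (pgm, attribute set) from a listing laid out as on this page."""
    pgm, attrs, in_attrs = None, set(), False
    for raw in listing.splitlines():
        line = raw.strip()
        m = re.search(r"\bPGM=(\S+)", line)
        if m:                                   # facility header line
            pgm, in_attrs = m.group(1), False
            continue
        if line.startswith("ATTRIBUTES="):
            line, in_attrs = line[len("ATTRIBUTES="):], True
        elif not line or "=" in line:           # blank or another KEY= line ends the list
            in_attrs = False
        if in_attrs:                            # separators may be commas or blanks
            attrs.update(t.upper() for t in re.split(r"[,\s]+", line) if t)
    return pgm, attrs

def _opposite(attr):
    # Assumption: on/off attributes are paired by a NO prefix (AUDIT/NOAUDIT).
    return attr[2:] if attr.startswith("NO") else "NO" + attr

def audit_facility(listing, required=REQUIRED):
    """Report required attributes that are absent and set attributes that negate one."""
    pgm, attrs = parse_facility(listing)
    return {"pgm": pgm,
            "missing": sorted(required - attrs),
            "conflicting": sorted(a for a in attrs if _opposite(a) in required)}

if __name__ == "__main__":
    print(audit_facility(SAMPLE_DRIFTED))
```

An empty `missing` and `conflicting` list means the captured facility definition matches the attribute list on this page.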