Updating the security table

You can update the security table for internal and external security.

About this task

To update the security table, perform these steps:

Procedure

  1. Edit the control statements in the KO2SUPDI member of &rhilev.&rte.RKD2SAM.

    To change a setting, specify the new value instead of blanking out the old one, especially when changing a command from EXTERNAL=YES to EXTERNAL=NO.

    If you implement external security, perform these steps:

    1. Enter the MODULE control statement.

      It denotes the load module that contains the exit routine.

    2. Indicate which commands should use external security by using the EXTERNAL=YES setting on the COMMAND control statements.

    To remove control from external security, perform these steps:

    1. Blank out the keyword of the MODULE control statement.
    2. Change commands that are marked with EXTERNAL=YES to EXTERNAL=NO.

      Otherwise, you cannot execute commands that are marked with an internal security level of 0.

  2. Submit the job by using the KO2SUPD member of &rhilev.&rte.RKD2SAM.

    KO2SUPD contains the JCL to run KOBSUPDT, which is the security update utility program. KOBSUPDT performs the updates to the security table. It generates a list of the edits and, if requested, a complete list of security information.

    Successful completion of the job produces the message OB9147 LOAD MODULE TEXT SUCCESSFULLY UPDATED

    If the update program flags statements as incorrect, correct the statements and resubmit them.

  3. Stop all Classic Interface sessions in an address space.

    The security table is part of a reentrant load module, so the changed table comes into effect only after all Classic Interface sessions in the address space are stopped. For example, if five Classic Interface sessions are active, you must stop them all before new Classic Interface sessions can use the updated security table.

  4. Start a new Classic Interface session.

Results

The changes to the security table come into effect.

Examples

This example shows the provided sample JCL that you can modify according to the needs of your system.

It resides in the data set &rhilev.&rte.RKD2SAM(KOBSUPDT), where &rhilev.&rte is the high-level qualifier of your runtime environment.

//SECURITY JOB ,
//STEP1        EXEC PGM=KOBSUPDT,PARM=KO2OCMDB
//STEPLIB        DD DSN=&rhilev.&rte.RKANMOD,DISP=SHR
//SYSLIB         DD DSN=&rhilev.&rte.RKANMOD,DISP=SHR
//SYSPRINT       DD SYSOUT=*
//SYSIN          DD DSN=&rhilev.&rte.RKD2SAM(O2SUPDI),DISP=SHR
//

where:

PARM=
Identifies the load module that contains the security table of the Classic Interface.
STEPLIB
Specifies the name of the load library where KOBSUPDT resides.
SYSLIB
Specifies the name of the library where KO2OCMDB resides.
SYSPRINT
Specifies the print output for the reports that the security program produces.
SYSIN
Specifies the name of the data set that contains the control statements.

This example shows the control statements that are used to update the security table.

Member O2SUPDI in the &rhilev.&rte.RKD2SAM data set contains these control statements:

COMMAND=PEEK,LEVEL=1
COMMAND=.DSA,LEVEL=3,EXTERNAL=YES,AUDIT=WTO
COMMAND=MLST,EXTERNAL=YES
COMMAND=XMZP,LEVEL=DISABLE,AUDIT=BOTH
COMMAND=XMLS,LEVEL=2
MINOR=JOBS,LEVEL=2
COMMAND=/SAVE,LEVEL=1,AUDIT=NONE
MODULE=MYSECURE
SMFNUM=233
LIST=YES
UPDATE=NO

The command control statements in this example result in these settings for the commands of the Classic Interface:

PEEK
A user who has specified the internal security level 1 password or higher can execute PEEK and its minor commands. The Classic Interface does not perform external security checking.
.DSA
The Classic Interface performs external security checking and writes a message on the master console when .DSA is invoked. If external security is unavailable, only a user who specifies the internal security level 3 password can execute .DSA.
MLST
The Classic Interface performs external security checking but no auditing.
XMZP
The command cannot be executed. The Classic Interface writes a message on the master console and writes an SMF record when XMZP is issued. There is no external security checking.
XMLS
A user who has specified either the level 2 or level 3 internal security password can execute XMLS.
JOBS
This is a minor command of the PEEK command. In the example, PEEK is specified as a level 1 authorized command. The LEVEL=2 setting on the JOBS command specifies that only level 2 or 3 users can access it.
/SAVE
A user who has specified the level 1 password, the level 2 password, or the level 3 password can execute the /SAVE command. It is not audited.

The remaining control statements in this example result in these settings:

MODULE
MYSECURE is the name of the module that contains the security exit routine.
SMFNUM
The SMF ID is set to 233.
LIST
YES indicates that the Classic Interface produces a listing.
UPDATE
NO indicates that the Classic Interface does not update the security table. This is a trial run.
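
The following Python script is an added example, not part of the product or of the original page. It lints a local copy of the control statements before the job is submitted, flagging commands left at EXTERNAL=YES when no MODULE is named and reporting a trial run. It assumes that the member is complete, that a blanked-out MODULE is written as `MODULE=`, and that statements are comma-separated; the function names are hypothetical.

```python
# Added example, not IBM code. Keywords and values are the ones shown on this
# page; the checks are assumptions drawn from its procedure text.
SAMPLE = """\
COMMAND=.DSA,LEVEL=3,EXTERNAL=YES,AUDIT=WTO
COMMAND=MLST,EXTERNAL=YES
COMMAND=XMZP,LEVEL=DISABLE,AUDIT=BOTH
MINOR=JOBS,LEVEL=2
MODULE=
UPDATE=NO
"""  # constructed input: part of the page's sample with MODULE blanked out


def parse(text):
    """Return [(line_no, {KEYWORD: VALUE})] for each non-blank statement."""
    stmts = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = [f.partition("=") for f in line.strip().split(",") if f.strip()]
        if fields:
            stmts.append((no, {k.strip().upper(): v.strip().upper()
                               for k, _, v in fields}))
    return stmts


def internal_levels(stmt):
    """Internal password levels that may run the command (LEVEL=n means n to 3)."""
    level = stmt.get("LEVEL")
    if level == "DISABLE":
        return []
    return list(range(int(level), 4)) if level else None  # None: not set here


def lint(text):
    """Return findings for the pitfalls the procedure describes."""
    stmts = parse(text)
    # MODULE and UPDATE apply to the whole run, so look them up first.
    module = next((s["MODULE"] for _, s in stmts if "MODULE" in s), "")
    update = next((s["UPDATE"] for _, s in stmts if "UPDATE" in s), None)
    findings = []
    for no, s in stmts:
        name = s.get("COMMAND") or s.get("MINOR")
        if name and s.get("EXTERNAL") == "YES" and not module:
            findings.append(f"line {no}: {name} is EXTERNAL=YES but no MODULE "
                            "is named; change it to EXTERNAL=NO")
    if update == "NO":
        findings.append("UPDATE=NO: trial run, the security table is not changed")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
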