Pre-Con Ed: CA ACF2 and CA Top Secret – Part 1: What's New in the Enterprise Security Managers
CA World® '16
John Pinkowski - Product Owner
MFX39EA
MAINFRAME AND WORKLOAD AUTOMATION

© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
For Informational Purposes Only
Terms of this Presentation
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2016 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
Certain information in this presentation may outline CA's general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 1, 2016, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA's sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.

Abstract
Business success in the application economy depends on a reliable and cost-effective security infrastructure. This session will cover the latest enhancements in the External Security Managers (ESMs) CA Top Secret® and CA ACF2™, ranging from role-based access control to user-oriented architecture, to help ease your mainframe security administration and simplify your compliance and audit tasks.
John Pinkowski
CA Technologies

Agenda
1. EOS DATES
2. THE OLD
3. THE NEW

Security and Compliance
Managing Security, Data Access and Compliance
CA Data Protection
3rd party DLP Solution
SIEM
CA Compliance Event Manager
IBM RACF
CA Top Secret
CA ACF2
CA Cleanup
CA Advanced Authentication Mainframe
CA Data Content Discovery
CA Auditor
Secure mainframe assets
Capture events affecting compliance and policy
Discover sensitive data
Extend compliance event data to analytics solutions
Enable secure data in motion across the enterprise
Security Administrator
Big Data Analyst
Auditor
Planned
Available
Non-CA Product

EOS Dates

CA Top Secret and CA ACF2 EOS!
- …notification that we are discontinuing support for CA Top Secret Version 14.0, including Service Packs beginning December 31, 2016 and Version 15.0 beginning December 31, 2017. This will allow our Development organization to more effectively focus its resources and add value to the next release of CA Top Secret for z/OS.

CA Top Secret and CA ACF2 EOS! Helpful Links
- http://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/status/support-life-cycle/indexes/ca-top-secret-product-family-release-and-support-lifecycle-dates.html
- http://www.ca.com/us/services-support/ca-support/ca-support-online/product-content/status/support-life-cycle/indexes/ca-acf2-product-family-release-and-support-lifecycle-dates.html

The Old

CA ACF2 r16 Enhancement
Need: I need to have a status for a user that removes the ability to access a system, yet not allow that user's ID to be reused.
Solution: Use the new RETIRE status for a user. The user will lose the ability to logon/access a system. Further, elevated privileges are required to un-RETIRE a user.
Benefit:
- Central repository for not allowing the re-use of an ID
- Compliance with IRS Pub 1075

CA Top Secret r16 Enhancement
Need: As part of our audit review, moving the facility information to the security file would be a great benefit.
Solution: Activate FACTOR(YES|NO) to store the facility matrix information on the security file.
Benefit:
- Facility definitions protected from view
- Easier to administer and maintain multiple LPAR complexes
- Size of the TSS PARMS FILE greatly reduced

CA ACF2 r16 Enhancement
Need: I have implemented a role-based security architecture and need the ability to provide a Logon ID access report by role.
Solution: Role support for the Logon ID Access report. Ability to control the creation of the report using the new ROLE input parameter. Providing a report section for each role showing which rule lines grant or prevent access.
Benefit:
- Improved compliance reporting by roles
- Improved performance benefits

CA Top Secret r16 Enhancement
Need: There is a need to give more granularity over which admins can assign a UID(0).
Solution: For non-MSCA admins, an additional authorization check to CASECAUT(TSSCMD.ADMIN.UID0) is issued. The admin must have ACID(MAINTAIN) authority, and the check is only issued when UID(0) is present within a TSS ADD or REPLACE command string.
Benefit:
- Further restricts who can assign authorization for UID(0)
- Satisfies compliance requirements

CA ACF2 / CA Top Secret r16 Enhancement
Need: We have a new PCI requirement to ensure we limit the data being made visible during message processing. This detailed system information may be used to create denial of service interruptions, or cause security to fail when used by hackers.
Solution: The ACF2 MSGOPTS record allows the administrator to control which signon messages will be converted to a single generic message ACF01125 Logon Credentials Invalid. The Top Secret control option GENSMSG allows the administrator to control the issuing of the generic message TSS7099E Signon Credentials Invalid.
Benefit:
- PCI 6.5.5 compliance
- Limited security information shared

CA ACF2 / CA Top Secret r16 Enhancement
Need: I was asked by our auditor what the encryption strength of the passwords on CA ACF2 is, and are we at the strongest?
Solution: Activate AES 256-bit encryption for CA ACF2 passwords and password history.
Benefit: Makes brute-force decryption of passwords harder to attain.

CA ACF2 r16 Enhancement
Need: My storage team is asking if there are any storage improvements in CA ACF2. More workloads are moving to the mainframe and we want to be in position to scale.
Solution: Upgrade to CA ACF2 r16. Out of the box, rule sets will be moved into 64-bit CSA.
Benefit: Potentially a 70-90% savings in CSA utilization below the bar (Results May Vary)

CA Top Secret r16 Enhancement
Need: Our auditors would like us to stop using the CICS Bypass processing in our CTS regions.
Solution: Exploit the new CICS facility subfunction BYPLIST. You can start to work with your auditors implementing BYPLIST(AUDIT) to track the usage of bypass within the region. Once these accesses are administrated it is a simple switch to BYPLIST(NO) to not allow the use of bypass in the future.
Benefit:
- Complete control of CTS resources from CA Top Secret permissions
- Improved auditability of these resources

The New

CA ACF2 / CA Top Secret r16 Enhancement
Need: I was asked by our auditor if we can use our tokens to sign on to the mainframe!
Solution: Enterprise Wide Advanced Authentication: Introducing Advanced Authentication Mainframe. Session: MFX42E
Benefit: Education!

CA ACF2 / CA Top Secret r16 Enhancement
Need: We are looking to exploit Password Phrase in our environment and would like to ensure upper and lower case characters are following compliance requirements.
Solution: New options were introduced via PTF RO92400 to enable the control of forcing at least one upper or lower case character in CA ACF2. Equivalent support is being built in CA Top Secret; if you are interested, please contact us!
Benefit:
- Greater control over phrase edits
- Additional compliance regulation adherence

CA ACF2 / CA Top Secret r16 Enhancement
Need: We are exploiting the CA ACF2 and CA Top Secret information in ways that the traditional printer carriage control characters are a hindrance.
Solution: The teams have developed solutions for reports ACFRPTRV, ACFRPTSL and TSSUTIL for the respective products. If you are interested in any of these reports, please let us know.
Benefit: Improved sorting of data from reports

CA ACF2 r16 Enhancement
Need: Currently we are using the CASECAUT resource to control administrators' access to the certificate process. We are interested in having more granular control over this process.
Solution: CA ACF2 now has support for additional Granular Certificate Administration. You may now use RDATALIB class rules to control access to the specific certificate and keyring commands. The existing CASECAUT rules simply allowed access to use the certificate commands but gave access to all certificates owned by another user or by SITECERT or CERTAUTH. PTF: RO89501
Benefits: The granular administration allows you to create rules to provide access to a specific user's certificate or a sub-set of them.

CA Top Secret r16 Enhancement
Need: We have exploited the use of exits in CA Top Secret. As part of serviceability we would like the data set that the exit is being loaded from displayed.
Solution: Join our sprint reviews for CA Top Secret. This idea has been included in our current PI (Program Increment). An initialization message will be added to provide exit information.
Benefits: Ease of supportability

CA ACF2 r16 Enhancement
Need: We are using the ACFESAGE output to help convert installations to a RBAC implementation. We are looking to exploit more of the runtime information in this process and would like additional data to be available in the unload.
Solution: CA ACF2 ACFESAGE report now includes additional active system information: run date/time, database names, exit information, class map definitions, and some option information. PTF: RO92424.
Benefits: Additional data points for RBAC conversions

CA Top Secret r16 Enhancement
Need: For audit purposes we would like to see more environmental information available in the TSSCFILE run.
Solution: Join our sprint reviews for CA Top Secret. This idea has been included in our current PI (Program Increment). Additional information is scheduled to be added to TSSCFILE: Creation Date, LPAR of TSSCFILE run, and Security file names.
Benefits: Additional data points for audit trail

CA Top Secret r16 Enhancement
Need: We would like CA Top Secret to have additional administrative edits around DFLTGRP processing.
Solution: Join our sprint reviews for CA Top Secret. This idea has been included in our current PI (Program Increment). Additional edits to validate the GROUP, and that it is assigned to the target ACID's GROUP list and that a GID is assigned to it.
Benefits:
- Ease of administration
- Ensures valid usable Unix System Services credentials are assigned

Questions?

Recommended Sessions

| SESSION # | TITLE | DATE/TIME |
|---|---|---|
| MFX39EB | Pre-Con Ed: CA ACF2 and CA Top Secret – Part 2: Advanced Security Controls | 11/14/2016 at 10:00 am |
| MFX42E | Enterprise Wide Advanced Authentication: Introducing Advanced Authentication Mainframe | 11/14/2016 at 3:00 pm |
| MFT175S | Gaps in Your Defense: Hacking the Mainframe | 11/17/2016 at 3:00 pm |

Must See Demos
Real-Time Data Security & Compliance
CA Data Content Discovery Mainframe Theatre
Mainframe Security Smart Bar
CA Top Secret Mainframe Theatre
Real-Time Data Security & Compliance
CA Compliance Event Manager Mainframe Theatre
Mainframe Security Smart Bar
CA ACF2 Mainframe Theatre

Thank you.
Stay connected at communities.ca.com

Mainframe and Workload Automation
For more information on Mainframe and Workload Automation, please visit: http://cainc.to/9GQ2JI