SEC06: What's New with CA ACF2 and CA Top Secret?

SEC06: What's New with CA ACF2 and CA Top Secret? JOHN PINKOWSKI, PRODUCT OWNER MAINFRAME SECURITY [email protected] 1.19.2020

Transcript of SEC06: What's New with CA ACF2 and CA Top Secret?

Page 1: SEC06: What's New with CA ACF2 and CA Top Secret?

SEC06: What's New with CA ACF2 and CA Top Secret? JOHN PINKOWSKI, PRODUCT OWNER MAINFRAME SECURITY

[email protected]

1.19.2020

Page 2: SEC06: What's New with CA ACF2 and CA Top Secret?

Broadcom Proprietary and Confidential. Copyright © 2020 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

Disclaimer

Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of 13th October 2020 and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.

Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.

Copyright © 2020 Broadcom. All rights reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA Technologies logo are among the trademarks of Broadcom.

THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. Broadcom assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, BROADCOM PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will Broadcom be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if Broadcom is expressly advised in advance of the possibility of such damages.

Page 3: SEC06: What's New with CA ACF2 and CA Top Secret?


GROWING THREATS REQUIRE A RE-EVALUATION OF MAINFRAME SECURITY

How can I better manage Mainframe Security and elevate it to modern practices?

• Where do I have potential risk in my data or data moving off mainframe?

• What potential security risks or Bad Actors are on my Mainframe?

• What are Privileged Users doing and how do I best manage them?

• How do I reduce risk from all entitlements and IDs I manage?

Diagram labels: Adjust / Manage Access; Assign Privileged Users; Determine Access Risk; Monitor Activity; Clean up unused entitlements and IDs

Page 4: SEC06: What's New with CA ACF2 and CA Top Secret?

CA ACF2/CA Top Secret: By The Numbers

Page 5: SEC06: What's New with CA ACF2 and CA Top Secret?


Continuous Delivery

CA ACF2 r16 & CA Top Secret r16

• Delivery of enhancements as consumable PTFs to the existing GA release

• Developed, QA’d and customer-validated via the agile process

• Typically inactive by default

• Triggered by a new command or selected option

• Delivered with updated, QA’d documentation via TECHDOCS

Page 6: SEC06: What's New with CA ACF2 and CA Top Secret?


CA ACF2 r16 By the Numbers

CA ACF2 Features: 49

8 Roadmap Sessions

z/OS 2.4 IMS 15

CTS 5.6


Next 2021 Roadmap Sessions: TBD

Page 7: SEC06: What's New with CA ACF2 and CA Top Secret?


CA Top Secret r16 By the Numbers

CA Top Secret Features: 65

8 Roadmap Sessions

z/OS 2.4 IMS 15

CTS 5.6


Next 2021 Roadmap Session: TBD

Page 8: SEC06: What's New with CA ACF2 and CA Top Secret?

Documentation Updates

Page 9: SEC06: What's New with CA ACF2 and CA Top Secret?


Request Mainframe Security Documentation Enhancements

CA ACF2: Send to [email protected]

CA Top Secret: Send to [email protected]

Laura and Scott also manage:

• CA Advanced Authentication for Mainframe

• CA Auditor

• CA Cleanup

• CA Trusted Access Manager for Z

Page 10: SEC06: What's New with CA ACF2 and CA Top Secret?


Mainframe Security Customer Documentation: Recent Updates

• CA ACF2:

– Using STIG Articles

– Define Authorizations for the z/OSMF Core Services

• CA Top Secret:

– Define Security Configuration Assistant Security Authorizations for z/OSMF

– Manage Protected ACIDs

– Prohibit an Administrator from Deleting ACIDs

– CA Top Secret STIG Articles

• CA Cleanup:

– CA Clean Up for CA Top Secret STIG Articles

• CA Advanced Authentication Mainframe:

– Includes all install/usage content for AAM use with CA ACF2, CA Top Secret, IBM RACF

• All Security Release Notes:

– New Feature descriptions include the applicable PTF number and CARS ID with links to detailed feature topics.

Page 11: SEC06: What's New with CA ACF2 and CA Top Secret?


Release Notes Example

Page 12: SEC06: What's New with CA ACF2 and CA Top Secret?


STIG Article Example: Identify Audit Finding

Page 13: SEC06: What's New with CA ACF2 and CA Top Secret?


STIG Article Example: Remediate Audit Finding

Page 14: SEC06: What's New with CA ACF2 and CA Top Secret?

OS and Sub System Updates

Page 15: SEC06: What's New with CA ACF2 and CA Top Secret?


CA ACF2 / CA Top Secret and z/OS 2.4

Need: We are migrating to z/OS 2.4.

Solution: CA ACF2 r16 and CA Top Secret r16 compatibility support is available for you.

CA ACF2 SO08264 & SO09656

CA Top Secret PTF SO06782

Page 16: SEC06: What's New with CA ACF2 and CA Top Secret?


z/OSMF Security

Sample JCL for z/OSMF Security Configuration

CA Top Secret PTF SO03835, SO08601, SO09829, SO13290

CA ACF2 PTF SO04537, SO08630, SO09961, SO06996, SO07429, SO12969

z/OSMF Cloud Provisioning REXX

CA Top Secret PTF SO03835

CA ACF2 PTF SO04740

Page 17: SEC06: What's New with CA ACF2 and CA Top Secret?


JES3plus Compatibility

Need: We plan to move to Phoenix Software JES3plus so we need compatibility support.

Solution: Compatibility Support is available for you.

CA ACF2 SO12556, SO12738

CA Top Secret PTF SO12965

Page 18: SEC06: What's New with CA ACF2 and CA Top Secret?


CTS 5.6 Compatibility

Need: We plan to upgrade to CTS 5.6.

Solution: Compatibility Support is available for you.

CA Top Secret PTF SO09836, SO10618

CA ACF2 PTF SO09833

Page 19: SEC06: What's New with CA ACF2 and CA Top Secret?

What is New Since We Last Talked?

Page 20: SEC06: What's New with CA ACF2 and CA Top Secret?


CA Advanced Authentication with CA ACF2 r16

Support for RSA Secure ID (Initial offering)

• PIV/CAC Support using CA PAM: CA ACF2 PTF RO95460

• RADIUS Support: CA ACF2 PTF RO99164

• RSA Next Token/New PIN: CA ACF2 PTF RO9777, RO97998

• IBM MFA: CA ACF2 RO92884, RO99159, SO00374, SO05486, SO05487

Page 21: SEC06: What's New with CA ACF2 and CA Top Secret?


CA Top Secret r16 Advanced Authentication

Support for RSA Secure ID (Initial offering)

• PIV/CAC Support using CA PAM: CA Top Secret PTF RO96977

• RADIUS Support: CA Top Secret PTF RO98716

• RADIUS/TSS Password: CA Top Secret PTF SO01063

• RSA Next Token/New PIN: CA Top Secret PTF RO95793

• IBM MFA: CA Top Secret RO92696, SO00132

• IKJTSO PASSWORDPREPROMPT OPTION: CA Top Secret SO03858

Page 22: SEC06: What's New with CA ACF2 and CA Top Secret?


Identity Token Support (IDT)

Need: We are looking to exploit the new Identity Token processing.

Solution: Compatibility support is available for you.

CA ACF2 PTF SO10329

CA Top Secret APAR Available on Request

Page 23: SEC06: What's New with CA ACF2 and CA Top Secret?


IBM MFA Out of Band Support

Need: We are looking to exploit out of band MFA signons.

Solution: Compatibility PTFs are there for you

CA ACF2 PTF SO11443

CA Top Secret APAR available

Page 24: SEC06: What's New with CA ACF2 and CA Top Secret?


JES2 Spool Encryption Support

Need: We are looking to encrypt our JES2 spool information.

Solution: Compatibility PTFs are there for you

CA ACF2 PTF SO14631

CA Top Secret APAR available

Page 25: SEC06: What's New with CA ACF2 and CA Top Secret?


Stronger Pass Ticket Session Key Protection

Need: We use Pass Tickets to secure a number of our applications. We are looking to have stronger protection for the applications' Pass Ticket session keys.

Solution: We have moved the SSKEY into ICSF KSDS using a KEYLABEL to access.

CA ACF2 PTF SO13143

CA Top Secret APAR available

Page 26: SEC06: What's New with CA ACF2 and CA Top Secret?


CA ACF2: Remove Delimiters from SHOW OMVS

Need: We use the UID/GID output from the SHOW OMVS in downstream processing. The comma delimiters cause us to add additional steps to our process.

Solution: We added a parameter to the SHOW OMVS command to remove the delimiter from the output.

CA ACF2 PTF SO11664

Page 27: SEC06: What's New with CA ACF2 and CA Top Secret?


CA Top Secret: Certificate Cache Improvement

Need: As customers increasingly use certificates for security processing, we must improve CA Top Secret retrieval of certificate information.

Solution: Additional certificate information is now cached.

CA Top Secret PTF SO12332

Page 28: SEC06: What's New with CA ACF2 and CA Top Secret?


CA Top Secret: Allow User-Defined FDT Fields to be Assigned to Group ACIDS

Need: We have a number of user-defined FDT fields that we cannot assign to group ACIDs.

Solution: Ability to assign user-defined FDT fields to Group ACIDs.

CA Top Secret PTF SO12989

Page 29: SEC06: What's New with CA ACF2 and CA Top Secret?


CA Top Secret: Provide Functionality Similar to IBM's RACF PROTECTED ID

Need: We would like to have processing equivalent to the RACF PROTECTED attribute.

Solution: Ability to create ACIDs with the PROTECTED attribute.

CA Top Secret PTF SO12318

Page 30: SEC06: What's New with CA ACF2 and CA Top Secret?


CA ACF2: Add ACF Command Line Interface for USS/OMVS

Need: We would like to issue CA ACF2 commands in a batch-like mode from TSO or a USS prompt.

Solution: CA ACF2 now has a new utility, ACFUNIX, to allow a user to issue ACF2 commands from a USS prompt.

CA ACF2 PTF SO07541

Page 31: SEC06: What's New with CA ACF2 and CA Top Secret?


CA Top Secret: REFRESH SMSVSAM ACID

Need: We are exploiting Pervasive Encryption for more of our data. We need the ability to refresh the SMSVSAM address space often to accomplish this for our users.

Solution: A new parameter was added to the TSS REFRESH command to cause address spaces to have their security environments refreshed immediately.

CA Top Secret PTF SO14515

Page 32: SEC06: What's New with CA ACF2 and CA Top Secret?


CA ACF2: Emit ENF71 Signal When LOGONID Reaches PASSLMT Suspension

Need: We would like to have CTS listen for password limit suspensions.

Solution: CA ACF2 will emit the ENF71 Signal when a user is suspended due to password violations.

CA ACF2 APAR available

Page 33: SEC06: What's New with CA ACF2 and CA Top Secret?


CA ACF2: ADD NOUIDALL TO ACFRPTRX REPORT

Need: We would like to remove the generic rule line information from the Logonid Access Report.

Solution: A new NOUIDALL parm for the ACFRPTRX will not display any rule lines that are a match due to UID(*), ROLE(-), or USER(-).

CA ACF2 PTF SO08334

Page 34: SEC06: What's New with CA ACF2 and CA Top Secret?

Thank You

Page 35: SEC06: What's New with CA ACF2 and CA Top Secret?

Now, please join us for a live Question and Answer discussion. Click the meeting link at the bottom of the Session Description to join us.

This is your opportunity to connect with the presenter(s) and your peers, ask questions, and share information related to this topic.