SEC06: What's New with CA ACF2 and CA Top Secret?
JOHN PINKOWSKI, PRODUCT OWNER MAINFRAME SECURITY
1.19.2020
Broadcom Proprietary and Confidential. Copyright © 2020 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights
and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software
product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current
information and resource allocations as of 13th October 2020 and is subject to change or withdrawal by CA at any time without
notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole
discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this
presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release
may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available
basis. The information in this presentation is not deemed to be incorporated into any contract.
Copyright © 2020 Broadcom. All rights reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse
logo, Connecting everything, CA Technologies and the CA Technologies logo are among the trademarks of Broadcom.
THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. Broadcom assumes no responsibility for the accuracy or
completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, BROADCOM PROVIDES THIS DOCUMENT “AS IS”
WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will Broadcom be liable for any loss or damage, direct or
indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost
data, even if Broadcom is expressly advised in advance of the possibility of such damages.
Disclaimer
GROWING THREATS REQUIRE A RE-EVALUATION OF MAINFRAME SECURITY
• Adjust / Manage Access
• Assign Privileged Users
• Determine Access Risk
• Monitor Activity
• Clean up unused entitlements and IDs
How can I better manage Mainframe Security and elevate it to modern practices?
Where do I have potential risk in my data or data moving off mainframe?
What potential security risks or Bad Actors are on my Mainframe?
What are Privileged Users doing and how do I best manage them?
How do I reduce risk from all entitlements and IDs I manage?
CA ACF2/CA Top Secret: By The Numbers
Continuous Delivery
CA ACF2 r16 & CA Top Secret r16
• Delivery of enhancements as consumable PTFs to the
existing GA release
• Developed, QA’d and customer-validated via the agile process
• Typically inactive by default
• Triggered by a new command or selected option
• Delivered with updated, QA’d documentation via TECHDOCS
CA ACF2 r16 By the Numbers
CA ACF2 Features: 49
8 Roadmap Sessions
z/OS 2.4 IMS 15
CTS 5.6
Next 2021 Roadmap Sessions: TBD
CA Top Secret r16 By the Numbers
CA Top Secret Features: 65
8 Roadmap Sessions
z/OS 2.4 IMS 15
CTS 5.6
Next 2021 Roadmap Session: TBD
Documentation Updates
Request Mainframe Security Documentation Enhancements
CA ACF2: Send to [email protected]
CA Top Secret: Send to [email protected]
Laura and Scott also manage:
• CA Advanced Authentication for Mainframe
• CA Auditor
• CA Cleanup
• CA Trusted Access Manager for Z
Mainframe Security Customer Documentation: Recent Updates
• CA ACF2:
– Using STIG Articles
– Define Authorizations for the z/OSMF Core Services
• CA Top Secret:
– Define Security Configuration Assistant Security Authorizations for z/OSMF
– Manage Protected ACIDs
– Prohibit an Administrator from Deleting ACIDs
– CA Top Secret STIG Articles
• CA Cleanup:
– CA Clean Up for CA Top Secret STIG Articles
• CA Advanced Authentication Mainframe:
– Includes all install/usage content for AAM use with CA ACF2, CA Top Secret, IBM RACF
• All Security Release Notes:
– New Feature descriptions include the applicable PTF number and CARS ID with links to detailed feature topics.
Release Notes Example
STIG Article Example: Identify Audit Finding
STIG Article Example: Remediate Audit Finding
OS and Sub System Updates
CA ACF2 / CA Top Secret and z/OS 2.4
Need: We are migrating to z/OS 2.4.
Solution: CA ACF2 r16 and CA Top Secret r16 compatibility support is available for you.
CA ACF2 SO08264 & SO09656
CA Top Secret PTF SO06782
z/OSMF Security
Sample JCL for z/OSMF Security Configuration
CA Top Secret PTF SO03835, SO08601, SO09829, SO13290
CA ACF2 PTF SO04537, SO08630, SO09961, SO06996, SO07429, SO12969
z/OSMF Cloud Provisioning REXX
CA Top Secret PTF SO03835
CA ACF2 PTF SO04740
JES3plus Compatibility
Need: We plan to move to Phoenix Software JES3plus so we need compatibility support.
Solution: Compatibility Support is available for you.
CA ACF2 SO12556, SO12738
CA Top Secret PTF SO12965
CTS 5.6 Compatibility
Need: We plan to upgrade to CTS 5.6.
Solution: Compatibility Support is available for you.
CA Top Secret PTF SO09836, SO10618
CA ACF2 PTF SO09833
What is New Since We Last Talked?
CA Advanced Authentication with CA ACF2 r16
Support for RSA SecurID (Initial offering)
PIV/CAC Support using CA PAM CA ACF2 PTF RO95460
RADIUS Support CA ACF2 PTF RO99164
RSA Next Token/New PIN CA ACF2 PTF RO9777, RO97998
IBM MFA CA ACF2 RO92884, RO99159, SO00374, SO05486, SO05487
CA Top Secret r16 Advanced Authentication
Support for RSA SecurID (Initial offering)
PIV/CAC Support using CA PAM CA Top Secret PTF RO96977
RADIUS Support CA Top Secret PTF RO98716
RADIUS/TSS Password CA Top Secret PTF SO01063
RSA Next Token/New PIN CA Top Secret PTF RO95793
IBM MFA CA Top Secret RO92696, SO00132
IKJTSO PASSWORDPREPROMPT OPTION CA Top Secret SO03858
Identity Token Support (IDT)
Need: We are looking to exploit the new Identity Token processing.
Solution: Compatibility support is available for you.
CA ACF2 PTF SO10329
CA Top Secret APAR Available on Request
IBM MFA Out of Band Support
Need: We are looking to exploit out of band MFA signons.
Solution: Compatibility PTFs are there for you
CA ACF2 PTF SO11443
CA Top Secret APAR available
JES2 Spool Encryption Support
Need: We are looking to encrypt our JES2 spool information.
Solution: Compatibility PTFs are there for you
CA ACF2 PTF SO14631
CA Top Secret APAR available
Stronger Pass Ticket Session Key Protection
Need: We use Pass Tickets to secure a number of our applications. We are looking to have stronger protection for the applications' Pass Ticket session keys.
Solution: We have moved the SSKEY into ICSF KSDS using a KEYLABEL to access it.
CA ACF2 PTF SO13143
CA Top Secret APAR available
CA ACF2: Remove Delimiters from SHOW OMVS
Need: We use the UID/GID output from the SHOW OMVS in downstream processing. The comma delimiters cause us to add additional steps to our process.
Solution: We added a parameter to the SHOW OMVS command to remove the delimiter from the output.
CA ACF2 PTF SO11664
CA Top Secret: Certificate Cache Improvement
Need: As customers increasingly use certificates for security processing, we must improve CA Top Secret retrieval of certificate information.
Solution: Additional certificate information is now cached.
CA Top Secret PTF SO12332
CA Top Secret: Allow User-Defined FDT Fields to be Assigned to Group ACIDS
Need: We have a number of user-defined FDT fields that we cannot assign to group ACIDs.
Solution: Ability to assign user-defined FDT fields to Group ACIDs.
CA Top Secret PTF SO12989
CA Top Secret: Provide Functionality Similar to IBM's RACF PROTECTED ID
Need: We would like to have processing equivalent to the RACF PROTECTED attribute.
Solution: Ability to create ACIDs with the PROTECTED attribute.
CA Top Secret PTF SO12318
CA ACF2: Add ACF Command Line Interface for USS/OMVS
Need: We would like to issue CA ACF2 commands in a batch-like mode from TSO
or a USS prompt.
Solution: CA ACF2 now has a new utility, ACFUNIX, to allow a user to issue ACF2
commands from a USS prompt.
CA ACF2 PTF SO07541
CA Top Secret: REFRESH SMSVSAM ACID
Need: We are exploiting Pervasive Encryption for more of our data. We need the
ability to refresh the SMSVSAM address space often to accomplish this for
our users.
Solution: A new parameter was added to the TSS REFRESH command to cause
address spaces to have their security environments refreshed
immediately.
CA Top Secret PTF SO14515
CA ACF2: Emit ENF71 Signal When LOGONID Reaches PASSLMT Suspension
Need: We would like to have CTS listen for password limit suspensions.
Solution: CA ACF2 will emit the ENF71 Signal when a user is suspended due to
password violations.
CA ACF2 APAR available
CA ACF2: ADD NOUIDALL TO ACFRPTRX REPORT
Need: We would like to remove the generic rule line information from the Logonid Access Report.
Solution: A new NOUIDALL parm for the ACFRPTRX will not display any rule lines that are a match due to UID(*), ROLE(-), or USER(-).
CA ACF2 PTF SO08334
Thank You