X00000-1E
This documentation and related computer software program (hereinafter referred to as the Documentation) is for the end user's informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. (CA) at any time. This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies. This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user's responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed. To the extent permitted by applicable law, CA provides this documentation "as is" without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage. The use of any product referenced in this documentation and this documentation is governed by the end user's applicable license agreement. The manufacturer of this documentation is Computer Associates International, Inc.
Provided with Restricted Rights as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.
Contents

Chapter 1: Working with eTrust Access Control and Unicenter AutoSys Job Management
    Architecture  1-1
    Integrating eTrust Access Control Model with Unicenter AutoSys Job Management  1-2
Appendix B: Troubleshooting
    General Issues and Resolutions  B-1
    HP Issue  B-3
    Web Interface Problem  B-3
Chapter 1: Working with eTrust Access Control and Unicenter AutoSys Job Management
With the arrival of Unicenter AutoSys Job Management 4.5, an external security methodology is now provided through eTrust Access Control (eTrust AC). By using eTrust AC, job scheduling administrators can apply a more granular level of control when defining job attributes, and administer application-level control to ensure security and enforce standards. The purpose of this guide is to describe the integration between eTrust AC and Unicenter AutoSys Job Management and to provide examples of the kind you may encounter in the real world. This document can be used as a quick start for implementing a Unicenter AutoSys Job Management environment secured through eTrust AC.
Architecture
eTrust AC as a standalone solution provides security to servers through a client/server subscription model. Within an enterprise, an administrator installs an eTrust server master database, otherwise referred to as a Policy Model Database (PMDB). This eTrust server acts as the parent server to which eTrust clients subscribe in order to receive policy rules. eTrust clients store policy rules in a local database, known as a seosdb. After an eTrust client is subscribed to an eTrust server, the PMDB pushes all access control rules out to the eTrust client database (seosdb). The benefit of this architecture is that the security administrator only needs to update the PMDB; after doing so, the newly created policy is pushed out to all subscribed clients.
Integrating eTrust Access Control Model with Unicenter AutoSys Job Management
With policy rule databases now implemented throughout your environment, you want to tie these rules in with the Unicenter AutoSys Job Management scheduling clients to secure the more granular aspects of job scheduling, including job definitions, web interface access, listing jobs, and controlling the Unicenter AutoSys Job Management environment (e.g. stopping the event processor). Unicenter AutoSys Job Management consults eTrust AC before allowing any changes to be submitted. By checking first with the eTrust client database on your Unicenter AutoSys Job Management client machines, Unicenter AutoSys Job Management can allow or deny changes to the Unicenter AutoSys Job Management environment. To gain a fuller understanding, let us take a look at the following diagram and follow the Unicenter AutoSys Job Management logic for an eTrust AC environment. For more detailed information on this integration, please refer to the Unicenter AutoSys Job Management User Guide.
Unicenter AutoSys Job Management Integration with eTrust Access Control User Guide
1. Create policy rules in the PMDB. These rules will be pushed out to the eTrust client machines.
2. When a command is issued from Unicenter AutoSys Job Management (e.g. sendevent, jil, autorep), Unicenter AutoSys Job Management queries the eTrust client database to determine if there are any access restrictions.
3. The eTrust database returns an allow or deny message based on the actions you are trying to take with Unicenter AutoSys Job Management.
4. If access is granted, Unicenter AutoSys Job Management then proceeds to access the database to change or access the information you require. If you are denied access, a message appears indicating the resource requirements you failed to fulfill.
Unicenter AutoSys Job Management Defined Classes in eTrust Access Control
When installed with Unicenter AutoSys Job Management, eTrust AC contains several user-defined classes which allow you to secure the Unicenter AutoSys Job Management environment. These classes are:
- as-job
- as-calendar
- as-owner
- as-gvar
- as-machine
- as-control
- as-view
- as-list
For a description of each of these classes, please refer to the Unicenter AutoSys Job Management User Guide. By now, you should have a general overview of the integration between Unicenter AutoSys Job Management and eTrust AC. The next section goes into the actual implementation of rules, with common scenarios a Unicenter AutoSys Job Management administrator may run into and the steps they can take to ensure that security is enforced.
Chapter 2
Your company has recently moved to Unicenter AutoSys Job Management 4.5 and needs additional security for job definitions. You have recently consolidated your disparate Unicenter AutoSys Job Management instances, so security will need to be maintained between these jobs. By using the as-classes in eTrust, Unicenter AutoSys Job Management 4.5 can help your company secure your environment while allowing it to expand. The job scheduling group for your company consists of four groups with distinct roles:
- Administrators: define the rules
- Developers: create the jobs and define them to the Unicenter AutoSys Job Management database
- Scheduling operators: monitor their particular job flows and take action on failed jobs by resubmitting them
- Casual users
To create and edit rules within eTrust, you can use the GUI-based Policy Manager provided on Windows, or the selang command prompt utility provided on both the UNIX and Windows platforms (under the eTrustAccessControl\bin directory). This guide provides the information from a command line perspective.
1. At the command prompt, type selang to run the selang utility. When the selang command prompt appears it is connected to the local seosdb.
2. To connect to the PMDB, enter
   hosts autosys@hostname

eTrust>hosts autosys@localhost
(autosys@localhost)
Successfully connected
INFO: Target host's version is 5.2.1173
OS info: Windows NT Version:5.1, Service Pack 1
30 Jan 2004 15:31:21 Eastern Standard Time
eTrust>
Administrator Role
Now the administrator needs to do two things:
- Ensure that jobs being entered begin with either FIN_ or PAY_.
- Restrict Developer1 to creating only the FIN_ jobs and Developer2 to creating only the PAY_ jobs.
Change the default permissions for job creation for all users
We will focus on the as-job class. Currently this class grants default permissions for all users to create, edit, delete, execute, read, and write all jobs.
eTrust> showres as-job _default
(autosys@localhost)
Data for as-job '_default'
-----------------------------------------------------------
Defaccess : R, W, X, Cre, Del
Note: The syntax of our selang command consists generally of three parts: <command> <class> <resource>. It is helpful to remember this syntax when referring to resources. Now you need to change the default access for all jobs created in Unicenter AutoSys Job Management so that no one can write to the database unless authorized. You can do this through the editres command.
eTrust> editres as-job _default defaccess(none)
(autosys@localhost)
Successfully updated as-job _default
You can see the result of this change with the same showres command.
eTrust> showres as-job _default
(autosys@localhost)
Data for as-job '_default'
-----------------------------------------------------------
Defaccess   : None
Update time : 30-Jan-2004 15:42
Updated by  : Administrator
Create a new resource for FIN_* jobs and allow only Developer1 to create and edit these jobs
Now that you have essentially denied all users access to create and edit jobs, you can start defining new eTrust resources based on the job names you want to allow to be created, as well as the users that will create and edit them. Let's start with the FIN_* jobs.
The instance extension allows you to have multiple Unicenter AutoSys Job Management clients for different instances on the same machine, all referencing the same eTrust client database. In this case, you specify the rule only for instance ACE. If you want the rule to span all instances, omit the instance identifier, e.g. newres as-job FIN_*. Now you want to authorize Developer1 to create and edit the jobs. Assuming that Developer1 is in the eTrust database, you can use the authorize command.
eTrust> authorize as-job FIN_*.ACE uid(developer1) access(create, write)
(autosys@localhost)
Successfully added developer1 to FIN_*.ACE's ACL
You have just ensured that the only user allowed to create jobs is Developer1. More importantly, Developer1 is only allowed to create and edit jobs that start with FIN_.
Once you have connected, you should be able to view the User Defined Resource classes for use with Unicenter AutoSys Job Management. Click in the left hand pane.
Similar to the selang command line utility, you should see the Unicenter AutoSys Job Management user defined classes as specified. Note: In this scenario, the class we will focus on is as-machine. Select the default policy for the as-machine class and click Set Default Access. Referring back to the scenario, you want to restrict the machines to which Unicenter AutoSys Job Management jobs can be scheduled.
Prevent users from being able to define jobs that can be scheduled to any machine
1. Set the default access to None. As a result, no user will be able to create a job with any machine name.
Allow users in the DEV group to only create jobs with machines that start with DEV_*.
1. Right-click in the right hand pane under the default policy and select New for a new resource.
2. Enter the resource Name DEV_*.DEV.
3. Click Authorize. Select a new group to have full permission on machines starting with DEV_* in the DEV instance. Click OK.
Allow users in the PRD group to only create jobs with machines that start with PRD_*.
1. Right-click in the right hand pane under the default policy and select New for a new resource.
2. Enter the resource Name PRD_*.PRD.
3. Click Authorize. Select a new group to have full permission on machines starting with PRD_* in the PRD instance. Click OK.
(autosys@localhost)
Data for as-control 'STOP_DEMON*'
-----------------------------------------------------------
Defaccess   : X
Audit mode  : Failure
Owner       : Administrator (USER)
Create time : 29-Oct-2003 11:11
Update time : 29-Oct-2003 11:11
Updated by  : Administrator
Comment     : Controls who can stop the Unicenter AutoSys Job Management Event Processor
Once again, you need to disable the default access permissions and authorize a select group of users to be able to stop the event_demon. As a reinforcement of the walkthroughs given above, perform the following steps to secure the STOP_DEMON* resource.
1. Disable the default access to the resource:
   editres as-control STOP_DEMON* owner(nobody) defaccess(none)
2. Authorize the selected group of users on the resource.
Now, only the root user should be able to issue the STOP_DEMON command and have it succeed. All other users will not be allowed to stop the event processor.
eTrust> showres as-owner _default
(localhost)
Data for as-owner '_default'
-----------------------------------------------------------
Defaccess   : X
Update time : 25-Nov-2003 11:24
Updated by  : root
As you can see, all users can be defined as the owner, and the owner will be able to run the job. Let's create a new specific resource which denies the root user from owning a job, thereby preventing root from ever executing a process on the remote agent machine.
2. Define a new resource for the root user under the as-owner class, and deny this user execute permission.
eTrust> newres as-owner root* owner(nobody) defaccess(none)
(localhost)
Successfully created as-owner root*
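The following Python model is an added example, not part of this guide and not CA's software. It reproduces in code how the rules entered in the as-job, as-machine, as-control and as-owner walkthroughs above combine: a class's _default record, a more specific wildcard resource such as FIN_*.ACE, and the user or group entries that authorize places on that resource's ACL. The matching rule it assumes (the most specific matching record wins, otherwise _default; an ACL entry for the user, or for one of the user's groups, overrides the record's defaccess) is marked as an assumption in the code, as are the constructed users dev_user and prd_user, the PAY_*.ACE rule for Developer2, and the resource names passed to check().

```python
"""Model of how eTrust AC resolves a check on an as-* resource (added example, not CA code).

Assumption about eTrust AC matching: of the wildcard records in a class that
match the resource being checked, the most specific one (most literal
characters) is used; if none matches, the class's _default record is used.
Access keywords follow the guide: create, write, read, execute, delete.
"""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str                                    # e.g. "FIN_*.ACE"
    defaccess: frozenset = frozenset()           # empty set == defaccess(none)
    uid_acl: dict = field(default_factory=dict)  # user  -> set of keywords
    gid_acl: dict = field(default_factory=dict)  # group -> set of keywords


class PolicyDB:
    """A seosdb-like store of as-* classes after the PMDB has pushed its rules."""

    def __init__(self):
        self.classes = {}  # class -> {resource name -> Resource}
        self.members = {}  # user -> set of groups (constructed for the example)

    def _res(self, cls, name):
        return self.classes.setdefault(cls, {}).setdefault(name, Resource(name))

    def newres(self, cls, name, defaccess=()):
        """newres/editres <class> <resource> defaccess(...); () means none."""
        self._res(cls, name).defaccess = frozenset(defaccess)

    editres = newres  # the model does not distinguish creating from editing

    def authorize(self, cls, name, access, uid=None, gid=None):
        """authorize <class> <resource> uid(...)/gid(...) access(...)"""
        res = self._res(cls, name)
        if uid is not None:
            res.uid_acl[uid] = set(access)
        if gid is not None:
            res.gid_acl[gid] = set(access)

    def _best_match(self, cls, resource):
        records = self.classes.get(cls, {})
        hits = [r for n, r in records.items()
                if n != "_default" and fnmatch.fnmatchcase(resource, n)]
        if not hits:
            return records.get("_default")
        # Assumption: the most specific matching record wins.
        return max(hits, key=lambda r: len(r.name.replace("*", "").replace("?", "")))

    def check(self, cls, resource, user, access):
        """True if `user` may perform `access` on `resource` in class `cls`."""
        res = self._best_match(cls, resource)
        if res is None:
            return False  # no matching record and no _default: deny
        if user in res.uid_acl:  # an explicit user entry decides
            return access in res.uid_acl[user]
        groups = [g for g in self.members.get(user, ()) if g in res.gid_acl]
        if groups:  # otherwise any group entry for the user decides
            return any(access in res.gid_acl[g] for g in groups)
        return access in res.defaccess  # otherwise the record's defaccess


FULL = {"create", "write", "read", "execute", "delete"}


def guide_policy():
    """The rules the walkthroughs enter, expressed through the model."""
    db = PolicyDB()
    db.members = {"dev_user": {"DEV"}, "prd_user": {"PRD"}}  # constructed users
    # editres as-job _default defaccess(none)
    db.editres("as-job", "_default")
    # newres as-job FIN_*.ACE ; authorize as-job FIN_*.ACE uid(developer1) access(create, write)
    db.newres("as-job", "FIN_*.ACE")
    db.authorize("as-job", "FIN_*.ACE", {"create", "write"}, uid="developer1")
    # the PAY_ counterpart for Developer2 (assumed to mirror the FIN_ rule)
    db.newres("as-job", "PAY_*.ACE")
    db.authorize("as-job", "PAY_*.ACE", {"create", "write"}, uid="developer2")
    # as-machine: default None; DEV group on DEV_*.DEV, PRD group on PRD_*.PRD
    db.editres("as-machine", "_default")
    db.newres("as-machine", "DEV_*.DEV")
    db.authorize("as-machine", "DEV_*.DEV", FULL, gid="DEV")
    db.newres("as-machine", "PRD_*.PRD")
    db.authorize("as-machine", "PRD_*.PRD", FULL, gid="PRD")
    # editres as-control STOP_DEMON* owner(nobody) defaccess(none)
    db.editres("as-control", "STOP_DEMON*")
    # as-owner: _default keeps X; newres as-owner root* owner(nobody) defaccess(none)
    db.editres("as-owner", "_default", {"execute"})
    db.newres("as-owner", "root*")
    return db
```

With this policy, guide_policy().check("as-job", "FIN_DAILY.ACE", "developer1", "create") is allowed, while the same request for a PAY_ job, for Developer2, or for the same job name in another instance (FIN_DAILY.PRD) is denied, which is the effect the walkthrough aims at. A rule named FIN_* with no instance extension would also match FIN_DAILY.PRD, and if both FIN_* and FIN_*.ACE exist, the model applies the instance-specific record to ACE jobs.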
Conclusion
Hopefully, by now you have a basic understanding of how eTrust AC integrates with Unicenter AutoSys Job Management. As you can see, there are many additional Unicenter AutoSys Job Management user-defined classes in eTrust AC which will help you secure additional items such as calendars and global variables. Security does not only encompass access rights to these Unicenter AutoSys Job Management elements; you can also use it to enforce naming conventions for jobs and to limit how and where a job stream will flow. This quick start guide is meant to be used in conjunction with the security module in the current Unicenter AutoSys Job Management documentation.
Appendix A: Naming Conventions
- All names start with a three-letter application identifier.
- Underscore is used to delimit name levels.
- If the job is in a box, the box name follows the application name.
- The job name comes after the box name.
- The FW extension must be added if the job is a file watcher job.
Example job name: TRD_REPORTS_EOD223. This name indicates that the job is from the TRD application, it is in the box REPORTS, and its name is EOD223.
A file watcher job that is not in a box could be named TRD_STRTAPP_FW. This job is also from the TRD application, it is not in a box, its name is STRTAPP and it is a file watcher job.
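A small validator for this convention, added here as an example (it is not CA code): it splits a job name into application identifier, box, job name and file-watcher extension, reports the names in a batch that break the rules, and derives the as-job resource pattern (in the FIN_*.ACE form used in Chapter 2) that would scope one application's jobs in eTrust AC. The instance name ACE, the sample names other than the two taken from this appendix, and the case-insensitive handling of the FW extension are assumptions.

```python
"""Validator for the job naming convention (added example, not CA code)."""
import re
from dataclasses import dataclass
from typing import Optional

APP_RE = re.compile(r"^[A-Z]{3}$")     # three-letter application identifier
LEVEL_RE = re.compile(r"^[A-Z0-9]+$")  # box and job names: one non-empty level each
FW_EXT = "FW"                          # file watcher extension (case-insensitive: assumption)


@dataclass(frozen=True)
class JobName:
    app: str
    box: Optional[str]   # None when the job is not in a box
    job: str
    file_watcher: bool


def parse_job_name(name: str) -> JobName:
    """Split APP_[BOX_]JOB[_FW] into its levels; ValueError if it breaks the convention."""
    levels = name.split("_")
    app = levels[0]
    if not APP_RE.match(app):
        raise ValueError(f"{name!r}: first level must be a three-letter application identifier")
    levels = levels[1:]
    file_watcher = bool(levels) and levels[-1].upper() == FW_EXT
    if file_watcher:
        levels = levels[:-1]  # the extension is not a name level
    if not 1 <= len(levels) <= 2 or not all(LEVEL_RE.match(lv) for lv in levels):
        raise ValueError(f"{name!r}: expected APP_JOB, APP_BOX_JOB, or either with _FW")
    box, job = (levels[0], levels[1]) if len(levels) == 2 else (None, levels[0])
    return JobName(app=app, box=box, job=job, file_watcher=file_watcher)


def violations(names):
    """(name, reason) for each name that breaks the convention; empty when all comply."""
    out = []
    for n in names:
        try:
            parse_job_name(n)
        except ValueError as err:
            out.append((n, str(err)))
    return out


def app_resource_pattern(app: str, instance: Optional[str] = None) -> str:
    """as-job resource name scoping one application's jobs, e.g. TRD_*.ACE.

    Without an instance the pattern spans every instance, as Chapter 2 notes.
    """
    if not APP_RE.match(app):
        raise ValueError(f"{app!r} is not a three-letter application identifier")
    return f"{app}_*" + (f".{instance}" if instance else "")


# Constructed sample batch: the two names from this appendix plus deliberate violations.
SAMPLE_NAMES = ["TRD_REPORTS_EOD223", "TRD_STRTAPP_FW", "FIN_DAILY",
                "trd_x", "TRD__X", "TRD_A_B_C", "TRD_FW"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        try:
            print(n, "->", parse_job_name(n))
        except ValueError as err:
            print(n, "-> REJECTED:", err)
    print(app_resource_pattern("TRD", "ACE"))
```

Running a candidate list through violations() before loading it with jil catches an empty level (TRD__X), a lowercase or mis-sized application identifier (trd_x), too many levels (TRD_A_B_C) and a file watcher with no job name (TRD_FW); eTrust AC can then enforce the application prefix itself with a rule on the pattern app_resource_pattern() produces.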
Appendix B: Troubleshooting
The following section outlines some of the most common issues that occur while working with eTrust Access Control and Unicenter AutoSys Job Management together.
Error: You are not authorized to do in autosys_secure. You are completely locked out of autosys_secure.
Cause: The security word in the eTrust PMDB is out of sync with the one in the Unicenter AutoSys Job Management DB.
Resolution: On the Unicenter AutoSys Job Management side, delete the security word from the keymaster table.
Command on the AutoSys DB server:
    Delete from keymaster where keymaster.hostname = SecurityWord
Command on the eTrust server:
    rr as-control <securityword>_ON.<instance>
    rr as-control <securityword>_OFF.<instance>
After that, reset the security word in autosys_secure.
Remarks: This error is caused by a synchronization error between the eTrust client and the PMDB server. You can confirm it by viewing the as-control class in both the client and the server eTrust databases and checking whether the same entries are present in both. If not, instructions to resubscribe the client to the server should be provided before any eTrust content is manipulated, with a clear statement that the content must not be modified. This raises the issue of severity levels: which solutions you should try first, and which you use ultimately to resolve an issue. We'll run into this especially when clients have separate administrators for, say, job scheduling and security: if the Unicenter AutoSys Job Management administrator knows that, by deleting and running things here and there from the Unicenter AutoSys Job Management database or command line, they can essentially override any security that the security administrators are trying to enforce.
Error: The Windows machine is locked down from login after installation of the Web Interface.
Cause and Resolution: For Unicenter AutoSys Job Management and the Web Interface (WI), if you choose to install eTrust, the absolute root/administrator user account must be used. If you only belong to the Administrators group on Windows, or su or sudo to root on UNIX, this error will occur.
Cause: The lookaside DB in eTrust is not up to date.
Resolution: Execute ./sebuildla -a to rebuild the lookaside DB, then recycle eTrust.
Remarks: The eTrust support team suggests that you run sebuildla -a regularly to prevent this problem.
HP Issue
Core dump after entering multiple EDIT/EXEC superusers. Fix T346100 does not fix the problem completely: the core dump is gone, but the following problem remains. After entering multiple EDIT/EXEC superusers in autosys_secure, the superuser is locked out of autosys_secure options 1-4; options 5-8 are still visible.
Workaround
1. Log on to the Oracle DB from weather:
   #zql Uautosys Pautosys Sautodev
2. Reset 2 values:
   zql>update alamode set int_val=0 where type=EVT
   zql>/
   zql> update alamode set int_val=0 where type=JOB
   zql>/
3. Press CONTROL-D to get out of zql.
4. Restart autosys_secure and the problem should be resolved.
Web Interface Problem
Workaround: The problem with the '!' seems not to be a bug in ISMP, but rather a limitation of the XML parser. The '!' character acts as a comment character, so having it in the classpath for Java causes problems for the parser. The '!' is part of the path to the JVM because, when you use a bundled JVM, the bundle is extracted to a temp location which is a subfolder of your home directory; because of the '!' in your user ID, the path contains the '!' as well. The workaround is to specify the -is:tempdir switch to use a different temp location, which allows you to choose a directory that does NOT have the '!' in its path. For example:
    setupwin32.exe -is:tempdir C:\temp
will extract the bundled JVM to the C:\temp directory, and the install will be successful.