
Unicenter AutoSys Job Management

Integration with eTrust Access Control User Guide

X00000-1E

This documentation and related computer software program (hereinafter referred to as the Documentation) is for the end user's informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. (CA) at any time. This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies. This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user's responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed. To the extent permitted by applicable law, CA provides this documentation as is without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage. The use of any product referenced in this documentation and this documentation is governed by the end user's applicable license agreement. The manufacturer of this documentation is Computer Associates International, Inc.
Provided with Restricted Rights as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.

2004 Computer Associates International, Inc.


All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Contents

Chapter 1: Working with eTrust Access Control and Unicenter AutoSys Job Management
    Architecture 1-1
    Integrating eTrust Access Control Model with Unicenter AutoSys Job Management 1-2

Chapter 2: Real World Situations
    Scenario 1: Defining Naming Standards 2-1
        Defining the eTrust Rule 2-2
        Administrator Role 2-2
    Scenario 2: Securing Machines 2-4
        Navigating the Policy Manager 2-4
    Scenario 3: Stopping the event_demon 2-7
    Scenario 4: Job Ownership 2-8
    Conclusion 2-9

Appendix A: Job Naming Conventions
    Naming Conventions A-1

Appendix B: Troubleshooting
    General Issues and Resolutions B-1
    HP Issue B-3
    Web Interface Problem B-3

Chapter 1: Working with eTrust Access Control and Unicenter AutoSys Job Management
With the arrival of Unicenter AutoSys Job Management 4.5, an external security methodology is now provided through eTrust Access Control (eTrust AC). By utilizing eTrust AC, job scheduling administrators are able to provide a more granular level of control over defining job attributes and to administer application level control to ensure security and enforce standards. The purpose of this guide is to describe the integration between eTrust AC and Unicenter AutoSys Job Management, as well as to provide examples of situations you may find in the real world. This document can be used as a quick start for implementing a Unicenter AutoSys Job Management environment secured through eTrust AC.

Architecture
eTrust AC as a standalone solution provides security to servers through a client/server subscription model. Within an enterprise, an administrator installs an eTrust server master database, otherwise referred to as a Policy Model Database (PMDB). This eTrust server acts as the parent server to which eTrust clients subscribe in order to receive policy rules. eTrust clients store policy rules in a local database, known as a seosdb. After an eTrust client is subscribed to an eTrust server, the PMDB pushes out all access control rules to the eTrust client database (seosdb). The benefit of such an architecture is that the security administrator only needs to update the PMDB; after doing so, the newly created policy is pushed out to all subscribed clients.


Integrating eTrust Access Control Model with Unicenter AutoSys Job Management
With policy rule databases now implemented throughout your environment, you want to be able to tie these rules in with Unicenter AutoSys Job Management scheduling clients to secure the more granular aspects of job scheduling, including job definitions, web interface access, listing jobs, and controlling the Unicenter AutoSys Job Management environment (e.g. stopping the event processor). Unicenter AutoSys Job Management references the eTrust AC before allowing any changes to be submitted. By checking first with the eTrust client database on your Unicenter AutoSys Job Management client machines, Unicenter AutoSys Job Management can allow or deny changes to the Unicenter AutoSys Job Management environment. To gain a fuller understanding, let us take a look at the following diagram and follow the Unicenter AutoSys Job Management logic for an eTrust AC environment. For more detailed information on this integration, please refer to the Unicenter AutoSys Job Management User Guide.


1. Create policy rules in the PMDB. These rules will be pushed out to the eTrust client machines.

2. When a command is issued from Unicenter AutoSys Job Management (e.g. sendevent, jil, autorep), Unicenter AutoSys Job Management queries the eTrust client database to determine if there are any access restrictions.

3. The eTrust database returns an allow or deny message based on the actions you are trying to take with Unicenter AutoSys Job Management.

4. If access is granted, Unicenter AutoSys Job Management then proceeds to access the database to change or access the information you require. If you are denied access, a message appears indicating the resource requirements you failed to fulfill.

Unicenter AutoSys Job Management Defined Classes in eTrust Access Control

When installed with Unicenter AutoSys Job Management, eTrust AC contains several user-defined classes which allow you to secure the Unicenter AutoSys Job Management environment. These classes are:

    as-job
    as-calendar
    as-owner
    as-gvar
    as-machine
    as-control
    as-view
    as-list

For a description of each of these classes, please refer to the Unicenter AutoSys Job Management User Guide. By now, you should have a general overview of the integration between Unicenter AutoSys Job Management and eTrust AC. The next section goes into the actual implementation of rules, with common scenarios a Unicenter AutoSys Job Management administrator may run into and the steps they can take to ensure that security is enforced.


Chapter 2: Real World Situations

Your company has recently moved to Unicenter AutoSys Job Management 4.5 and needs additional security for job definitions. You have recently consolidated your disparate Unicenter AutoSys Job Management instances, so you will need to maintain security between these jobs. By using the as-classes in eTrust, Unicenter AutoSys Job Management 4.5 can help your company secure your environment while allowing it to expand. The job scheduling group for your company consists of four groups with distinct roles:

- Administrators - define the rules
- Developers - create the jobs and define them to the Unicenter AutoSys Job Management database
- Scheduling operators - monitor their particular job flows and take action on failed jobs by resubmitting them
- Casual users

Scenario 1: Defining Naming Standards


Your company has attempted to enforce naming conventions for jobs so that they can be easily identified by the scheduling operators. However, at times, these naming conventions are not adhered to by some developers who forget the syntax of this nomenclature. Your scheduling administrator does not want any jobs to be created within the database that do not follow this naming standard. eTrust AC functions optimally when naming conventions are followed. It would be much easier to define rules when job names, global variables, and calendars follow a standard. As a job name standard, CA recommends that you define your job names with something similar to the following:
applicationIdentifier_boxname_jobname


Defining the eTrust Rule


Let's say, for example, that following this schema, the Unicenter AutoSys Job Management administrator in your company wants Developer1 to be able to create and edit jobs for the finance application and Developer2 to create and edit jobs for the payroll application, and all of the jobs must follow the naming convention. The naming conventions for these jobs are:

    FIN_*
    PAY_*

To create and edit rules within eTrust, you can use the GUI-based Policy Manager provided on Windows, or the selang command prompt utility provided on both UNIX and Windows platforms (under the eTrustAccessControl\bin directory). This guide will provide information from a command line perspective.

1. At the command prompt, type selang to run the selang utility.

2. When the selang command prompt appears it is connected to the local seosdb. To connect to the PMDB, enter

    hosts autosys@hostname

In the following example, hostname is localhost because the local machine is also the eTrust server machine:

    Target host: localhost
    eTrust selang v5.2.1173 - eTrust command line interpreter
    Copyright 2003 Computer Associates International, Inc.

    eTrust> hosts autosys@localhost
    (autosys@localhost)
    Successfully connected
    INFO: Target host's version is 5.2.1173
    OS info: Windows NT Version:5.1, Service Pack 1
    30 Jan 2004 15:31:21 Eastern Standard Time
    eTrust>

Administrator Role
Now the administrator needs to do two things:

- Ensure that jobs being entered begin with either FIN_ or PAY_.
- Restrict Developer1 to creating only the FIN_ jobs and Developer2 to creating only the PAY_ jobs.


Change the default permissions for job creation for all users

We will focus on the as-job class. Currently this class allows default permissions for all users to create, edit, delete, execute, read, and write all jobs.

    eTrust> showres as-job _default
    (autosys@localhost)
    Data for as-job '_default'
    -----------------------------------------------------------
    Defaccess   : R, W, X, Cre, Del

Note: The syntax of our selang command consists generally of three parts: <command> <class> <resource>. It is helpful to remember this syntax when referring to resources. Now you need to change the default access for all jobs created in Unicenter AutoSys Job Management so that no one can write to the database unless authorized. You can do this through the editres command.
    eTrust> editres as-job _default defaccess(none)
    (autosys@localhost)
    Successfully updated as-job _default

You can see the results of this change by the same showres command.
    eTrust> showres as-job _default
    (autosys@localhost)
    Data for as-job '_default'
    -----------------------------------------------------------
    Defaccess   : None
    Update time : 30-Jan-2004 15:42
    Updated by  : Administrator

Create a new resource for FIN_* jobs and allow only creation and editing of these jobs by Developer1

Now that you have essentially denied access for creating and editing jobs for all users, you can start defining new eTrust resources based on the job names you want to allow to be created, as well as the users that will create and edit them. Let's start with the FIN_* jobs.


To create a resource, issue the newres command.


    eTrust> newres as-job FIN_*.ACE
    (autosys@localhost)
    Successfully created as-job FIN_*.ACE

Each resource has the standard syntax of

    name.<INSTANCE>

The instance extension allows you to have multiple Unicenter AutoSys Job Management clients for different instances on the same machine and reference the same eTrust client database. In this case, you only specify the rule for instance ACE. If you wanted the rule to span all instances, you could just omit the instance identifier, e.g. newres as-job FIN_*. Now you want to authorize Developer1 to create and edit the jobs. Assuming that Developer1 is in the eTrust database, you can use the authorize command.
    eTrust> authorize as-job FIN_*.ACE uid(developer1) access(create, write)
    (autosys@localhost)
    Successfully added developer1 to FIN_*.ACE's ACL

You have just ensured that the only user allowed to create jobs is Developer1. More importantly, Developer1 is only allowed to create and edit jobs that start with FIN_.

Scenario 2: Securing Machines


Your company has a wide range of machines within its environment. However, you want to differentiate between your production instance (PRD) and your development instance (DEV) such that PRD can only schedule jobs on production machines specified by PRD_* and DEV can only schedule to development machines specified by DEV_*. By doing so, you can ensure that a developer who is creating a job flow does not mistakenly run it on a production machine, and that jobs that should run on production do not run on a development machine. In addition, it will limit the machines that jobs can be scheduled to, so there can be no rogue remote agent machines. Let's approach this from a user interface perspective on the Windows platform.

Navigating the Policy Manager


To launch the eTrust Policy Manager, in the Start Menu, select Programs, CA, eTrust, AC, Policy Manager. As described in Scenario 1, you will need to connect to your PMDB by clicking the connect icon and selecting the PMDB to connect to.


Once you have connected, you should be able to view the User Defined Resource classes for use with Unicenter AutoSys Job Management. Click in the left hand pane.

Similar to the selang command line utility, you should see the Unicenter AutoSys Job Management user defined classes as specified. Note: In this scenario, the class that we will focus on will be as-machine. Select the default policy for the as-machine class and click Set Default Access. Referring back to the scenario, you want to be able to secure machines Unicenter AutoSys Job Management jobs can be scheduled to.


Prevent users from being able to define jobs that can be scheduled to any machine

1. Set the default access to None. As a result of this, no user will be able to create a job with any machine name.

Allow users in the DEV group to only create jobs with machines that start with DEV_*

1. Right-click in the right hand pane under the default policy and select New for a new resource.

2. Enter the resource Name DEV_*.DEV.

3. Click Authorize. Select a new group to have full permission on machines starting with DEV_* in the DEV instance. Click OK.

Allow users in the PRD group to only create jobs with machines that start with PRD_*

1. Right-click in the right hand pane under the default policy and select New for a new resource.

2. Enter the resource Name PRD_*.PRD.

3. Click Authorize. Select a new group to have full permission on machines starting with PRD_* in the PRD instance. Click OK.

Scenario 3: Stopping the event_demon


Your company needs to control who can stop the event_demon. This was once controlled by the Unicenter AutoSys Job Management exec super user. However, now that an external security provider (eTrust) has been integrated with Unicenter AutoSys Job Management, once eTrust is enabled, the Unicenter AutoSys Job Management super user concept is overridden. You can control Unicenter AutoSys Job Management administration via the as-control class. The next steps will explain how you will authorize certain users to be able to stop the event_demon while revoking these rights for others. By default, after eTrust AC has been turned on, the default permission to stop the event_demon is execute for all users. This will be one of the first items you will need to address before deciding to enable eTrust AC. Unicenter AutoSys Job Management administrative access controls are stored in the as-control class. When querying the STOP_DEMON* resource through selang, we can see the default access permissions for this resource.
    eTrust> sr as-control STOP_DEMON*
    (autosys@localhost)
    Data for as-control 'STOP_DEMON*'
    -----------------------------------------------------------
    Defaccess   : X
    Audit mode  : Failure
    Owner       : Administrator (USER)
    Create time : 29-Oct-2003 11:11
    Update time : 29-Oct-2003 11:11
    Updated by  : Administrator
    Comment     : Controls who can stop the Unicenter AutoSys JM Event Processor

Once again, you need to disable the default access permissions and authorize a select group of users to be able to stop the event_demon. As a reinforcement of the walkthroughs given above, you will need to perform the following steps to secure the STOP_DEMON* resource.

1. Disable the default access to the resource.

    editres as-control STOP_DEMON* owner(nobody) defaccess(none)

2. Authorize the specific user (root) to be able to issue a STOP_DEMON.

    auth as-control STOP_DEMON* uid(root) access(X)

Now, only the root user should be able to issue the STOP_DEMON command and have it succeed. All other users will not be allowed to stop the event processor.

Scenario 4: Job Ownership


Your company wants to further secure its environment by restricting users from running jobs as the root user. In order to do this, you need to create a policy where a job cannot be owned by the root user, thus removing any possibility of a job being defined that is owned by the root user. By doing this, you will be better able to audit what particular users do without having to worry about people running jobs under the root user. The particular class you are interested in is as-owner. This class controls who can own a job (based on the owner attribute of a job definition). Here you will deny all users the ability to create a job owned by the root user. As in the above examples, you will check the current default permissions on the _default resource under the as-owner class.

1. Check the default permissions under the as-owner class through selang.


    eTrust> showres as-owner _default
    (localhost)
    Data for as-owner '_default'
    -----------------------------------------------------------
    Defaccess   : X
    Update time : 25-Nov-2003 11:24
    Updated by  : root

As you can see, all users are able to be defined as the owner, and the owner will be able to run this job. Let's create a new specific resource which will deny the root user from owning a job, thereby preventing root from ever executing a process on the remote agent machine.

2. Define a new resource for the root user under the as-owner class, and deny this user execute permissions.

    eTrust> newres as-owner root* owner(nobody) defaccess(none)
    (localhost)
    Successfully created as-owner root*

Conclusion
Hopefully, by now you should have a basic understanding of how eTrust AC integrates with Unicenter AutoSys Job Management. As you can see, there are many additional Unicenter AutoSys Job Management user-defined classes in eTrust AC which will help you secure additional items like calendars and global variables. Security does not only encompass access rights to these Unicenter AutoSys Job Management elements; you can also use it to enforce naming conventions for jobs as well as to limit how and where a job stream will flow. This quick start guide is meant to be used in conjunction with the security module in the current Unicenter AutoSys Job Management documentation.


Appendix A: Job Naming Conventions

Naming Conventions
- All names start with a three letter application identifier.
- An underscore is used to delimit name levels.
- If the job is in a box, the box name follows the application name.
- The job name comes after the box name.
- The FW extension must be added if the job is a file watcher job.

Example job name: TRD_REPORTS_EOD223. The name TRD_REPORTS_EOD223 indicates that this job is from the TRD application, it is in the box REPORTS, and its name is EOD223. A file watcher job that is not in a box could be named like this: TRD_STRTAPP_FW. This job is also from the TRD application, it is not in a box, its name is STRTAPP and it is a file watcher job.
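The following is an added example (not CA's code and not eTrust AC's real evaluation algorithm) that replays the Scenario 1 as-job rule sequence against a toy policy model and validates job names against the Appendix A convention. It assumes first-match resource selection and shell-style wildcard matching, which are simplifications; the user names, job names and rights used are constructed for the example.

```python
"""Toy model of the as-job checks from Scenario 1 plus an Appendix A name parser.
Added example: not CA's code; resource match order and wildcard semantics are
simplifying assumptions, not eTrust AC's real behaviour."""
import fnmatch
from dataclasses import dataclass, field


def parse_job_name(name: str) -> dict:
    """Split a name of the form APP_[BOX_]JOB[_FW] (Appendix A convention).
    Raises ValueError when the name does not follow the convention."""
    parts = name.split("_")
    is_filewatcher = parts[-1] == "FW"
    if is_filewatcher:
        parts = parts[:-1]
    if len(parts) not in (2, 3) or not all(p.isalnum() for p in parts):
        raise ValueError(f"{name!r} does not follow APP_[BOX_]JOB[_FW]")
    app = parts[0]
    if not (len(app) == 3 and app.isalpha() and app.isupper()):
        raise ValueError(f"{name!r}: application identifier must be three letters")
    box = parts[1] if len(parts) == 3 else None
    return {"app": app, "box": box, "job": parts[-1], "filewatcher": is_filewatcher}


@dataclass
class Resource:
    """One as-job resource, named name.<INSTANCE> as the guide describes."""
    pattern: str
    defaccess: frozenset = frozenset()            # newres leaves defaccess empty
    acl: dict = field(default_factory=dict)       # uid -> set of access rights


class AsJobClass:
    """Mirrors the selang commands used in Scenario 1 on the as-job class."""

    def __init__(self) -> None:
        # Stock default shown by 'showres as-job _default' before any change.
        self.default = frozenset({"R", "W", "X", "Cre", "Del"})
        self.resources: list[Resource] = []

    def editres_default(self, defaccess: frozenset) -> None:
        """editres as-job _default defaccess(...)"""
        self.default = frozenset(defaccess)

    def newres(self, pattern: str) -> Resource:
        """newres as-job <pattern>"""
        res = Resource(pattern)
        self.resources.append(res)
        return res

    def authorize(self, pattern: str, uid: str, access: set) -> None:
        """authorize as-job <pattern> uid(<uid>) access(...)"""
        for res in self.resources:
            if res.pattern == pattern:
                res.acl.setdefault(uid, set()).update(access)
                return
        raise KeyError(f"no as-job resource {pattern!r}")

    def check(self, uid: str, job_name: str, instance: str, access: str) -> bool:
        """Would <uid> get the <access> right on <job_name> in <instance>?
        Assumption: first matching resource wins; a resource without an
        instance suffix spans all instances, as the guide states."""
        key = f"{job_name}.{instance}"
        for res in self.resources:
            pat = res.pattern if "." in res.pattern else res.pattern + ".*"
            if fnmatch.fnmatchcase(key, pat):
                if access in res.acl.get(uid, set()):
                    return True
                return access in res.defaccess
        return access in self.default                 # falls back to _default


def scenario_one() -> dict:
    """Replays Scenario 1 (constructed users and job names) and reports decisions."""
    asjob = AsJobClass()
    before = asjob.check("anyone", "PAY_RUN_CALC", "ACE", "Cre")  # stock default: allowed
    asjob.editres_default(frozenset())                             # defaccess(none)
    asjob.newres("FIN_*.ACE")
    asjob.authorize("FIN_*.ACE", "developer1", {"Cre", "W"})
    asjob.newres("PAY_*.ACE")
    asjob.authorize("PAY_*.ACE", "developer2", {"Cre", "W"})
    return {
        "anyone_before_lockdown": before,
        "dev1_creates_fin": asjob.check("developer1", "FIN_GL_POST", "ACE", "Cre"),
        "dev1_creates_pay": asjob.check("developer1", "PAY_RUN_CALC", "ACE", "Cre"),
        "dev2_edits_pay": asjob.check("developer2", "PAY_RUN_CALC", "ACE", "W"),
        "dev1_deletes_fin": asjob.check("developer1", "FIN_GL_POST", "ACE", "Del"),
        "dev1_fin_other_instance": asjob.check("developer1", "FIN_GL_POST", "DEV", "Cre"),
        "dev1_off_standard_name": asjob.check("developer1", "adhoc_job", "ACE", "Cre"),
    }
```

The dictionary returned by scenario_one() shows that once _default is set to none, only the rights explicitly added to a matching resource's ACL survive, and a rule scoped to instance ACE grants nothing in instance DEV.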

Appendix B: Troubleshooting

The following section outlines some of the most common issues that occur while working with eTrust Access Control and Unicenter AutoSys Job Management together.

General Issues and Resolutions


Installation

If you install eTrust AC, always make sure the client is installed using the actual root or Administrator account. Any form of su to root on UNIX, or using a user that merely belongs to the Administrators group on Windows, will cause problems in eTrust. It is really hard to pinpoint exactly what problem it will cause because the symptoms vary. This should be the very first thing support verifies on any eTrust related issue.

Error: You are not authorized to do in autosys_secure. You are completely locked out of autosys_secure.

Cause: The security word in the eTrust PMDB is out of sync with the one in the Unicenter AutoSys Job Management DB.

Resolution: On the Unicenter AutoSys Job Management side, delete the security word from the keymaster table.

Command on the AutoSys DB server:

    delete from keymaster where keymaster.hostname = 'SecurityWord'

Commands on the eTrust server:

    rr as-control <securityword>_ON.<instance>
    rr as-control <securityword>_OFF.<instance>

After that, reset the security word in autosys_secure.


Remarks: This error is caused by a synchronization error between the eTrust client and the PMDB server. This can be confirmed by viewing the as-control class in both the client and server eTrust databases and checking whether the resources are present in both. If not, instructions to resubscribe the client to the server should be provided before manipulating eTrust content that states "Please do not modify this content". This brings up the issue of severity levels: the solutions that you should try first, and then ultimately what to do to resolve an issue. We'll run into this especially when clients have separate administrators for, say, job scheduling and security. If the Unicenter AutoSys Job Management admin knows the database and command line, then by deleting and running things here and there they can essentially override any security that the security administrators are trying to enforce.

Error: The Windows machine is locked down from login after installation of the Web Interface.

Cause and Resolution: For Unicenter AutoSys Job Management and WI, if you choose to install eTrust, the actual root/Administrator user account must be used. If you merely belong to the Administrators group on Windows, or su or sudo to root on UNIX, this error will occur.

Error: "Job Access Denied. Unicenter AutoSys Job Management/eTrust subscriber authentication error: the phACEE parameter is a null pointer Class: Resource: User: Access:"

Cause: The lookaside DB in eTrust is not up-to-date.

Resolution: Execute ./sebuildla -a to rebuild the lookaside DB. Then recycle eTrust.

Remarks: The eTrust support team suggests that you run sebuildla -a regularly to avoid this problem.


HP Issue
Core dump after entering multiple EDIT/EXEC superusers. Fix T346100 does not fix the problem completely. The core dump is gone but we still see the following problem: after entering multiple EDIT/EXEC superusers in autosys_secure, the superuser gets locked out of autosys_secure options 1-4. You can still see options 5-8.

Workaround

1. Log on to the Oracle DB from weather:

    # zql -Uautosys -Pautosys -Sautodev

2. Reset two values:

    zql> update alamode set int_val=0 where type='EVT'
    zql> /
    zql> update alamode set int_val=0 where type='JOB'
    zql> /

3. Press CONTROL-D to get out of zql.

4. Restart autosys_secure and the problem should be resolved.

Web Interface Problem


Issue: Special characters (i.e. !) in the user ID prevent the Web Interface from installing.

Cause: This is an InstallShield problem. InstallShield unpacks the JVM to %TEMP% and starts the install wizard with that java. For some reason the ! in the path was preventing java from loading some properties files which are required for xalan, so we got an exception doing an xsl transform.


Workaround: The problem with the '!' seems not to be a bug in ISMP, but more a limitation of the xml parser. The '!' character acts as a comment character, and so having that character in the classpath for java causes problems for the parser. The reason the '!' is part of the path to the jvm is that when you use a bundled jvm, the bundle is extracted to a temp location which is a subfolder of your home directory. Because of the '!' in your user ID, the path has the '!' as well. The workaround is to specify the -is:tempdir switch to use a different temp location. This allows you to specify a directory which does NOT have the '!' in the path. For example,

    setupwin32.exe -is:tempdir C:\temp

will extract the bundled jvm to the C:\temp directory, and the install will be successful.
