You can define CPF nodes in the NDT record in the CA Top Secret security file. CPF nodes are grouped on the NDT record by system ID to allow multiple CA Top Secret systems to use separate CPF node definitions. The system ID entry contains the global system defaults for CPF processing.
CA Top Secret supports defining CPF nodes by using the CPFNODES control option. After a CPF node is defined to the NDT record, a control option definition for the same node name is ignored. When a node is defined by using the parmlib CPFNODE method, the word STATIC appears during the issuance of a TSS MODI STATUS(CPF) command.
When the NDT has a CPFSYSID entry for the local system, the following parmfile control options are ignored:
Follow these steps:
Administer the system ID definition:
TSS ADD(NDT) CPFSYSID(system_id) CPFTARGET(*|LOCAL|AUTO) CPFWAIT(YES|NO) CPFRCVUND(YES|NO) CPFLISTMULT(YES|NO) CPFAUTOUID(YES|NO) CPFAUTOGID(YES|NO) RECVCMDS(YES|NO) RECVDSN(dsname)
Administer the node definition:
TSS ADD(NDT) CPFNODE(node_name) CPFSYSID(system_id) ACTIVE(YES|NO) RECEIVE(ALL|NONE) SEND(ALL|CMD|PWD|NONE) GATEWAY(YES|NO) BROADCAST(YES|NO) JOURNAL(YES|NO) JOURNALDSN(dsname)
Activate the newly defined CPF node:
Your definition is complete.
Example: Define a CPF Node
This example sets up the NDT CPFNODE definitions for system SYS1 to allow the following activities:
TSS ADD(NDT) CPFSYSID(SYS1) RECVCMDS(YES) CPFTARGET(LOCAL) TSS ADD(NDT) CPFSYSID(SYS1) CPFNODE(SYS2) JOURNAL(YES) RECEIVE(ALL) SEND(ALL)
Example: Define a New System
This example defines a new system:
TSS ADD(NDT) CPFSYSID(SYSA)
Example: Define a Node
This example defines a node:
TSS ADD(NDT) CPFSYSID(SYSA) CPFNODE(NODE1)
Example: Remove a Node Definition
This example removes a node definition:
TSS REMOVE(NDT) CPFNODE(nnnnnnnn) CPFSYSID(ssssssss)
Example: List the CPF Node Definitions
This example lists the CPF node definitions:
TSS LIST(NDT) CPFNODE(nnnnnnnn) CPFSYSID(ssssssss)
Example: List All Nodes for All Systems
This example lists all nodes for all systems:
TSS LIST(NDT) CPFSYSID(*)
If all CPF related control options are migrated from the control options parameter file to the NDT, control option CPF(ON) or CPF(OFF) is required in the parameters file for CPF to initialize using the NDT based definition. If neither is specified, CPF will not initialize and cannot be activated unless CA Top Secret is recycled. CPF(ON) activates CPF as soon as CA Top Secret is started up. CPF(OFF) starts CA Top Secret with CPF inactive. CPF is activated with TSS MODIFY(CPF(ON)).
Adding a new CPF node to an active CA Top Secret system requires adding a NODE definition to CAICCI.
CAICCI allow you to define two or more CAICCI sysids as parts of a sysplex. CA Top Secret systems residing on these hosts can be collectively targeted by their common SYSPLEXID to allow CAICCI to distribute the workload.
When setting up the CPF node definitions on CA Top Secret systems outside the CAICCI sysplex, only a single CPFNODE definition using the generic CAICCI SYSPLEXID is required. Commands are transmitted into the SYSPLEX using the generic name as the target node. CAICCI forwards the commands to any available CA Top Secret system within the SYSPLEX.
Security Administrator authority and scope are verified at the sending and target nodes before a command is applied to the targeted security files. To enter TSS commands with a targeted destination, you need MISC2(TARGET) authority.
The CPF allows the security administrator to view the contents of security files in remote nodes. This is secure since scope is verified at both locations and the data is encrypted between nodes.
Propagated administration commands execute on the remote system using the authority and scope of the user as defined on the remote system, and not from the originating system. For example, if a user who is defined as an SCA on one system propagates a TSS command to a system where that user is defined only as a USER, then the command is limited to the USER authority.
User initiated (versus administrator initiated) password changes propagated through CPF cause the user's password to change at each node where the change is sent, provided that the user's existing passwords are the same. The password will not change at nodes where the existing passwords are not identical or are not synchronized. This prevents one user from changing the password of an identically named ACID on another node used by another person.