CA IDMS must limit use of IDMS server used in issuing dynamic statements from client applications circumstances determined by the organization.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251622	IDMS-DB-000510	SV-251622r807733_rule		Medium

Description
Server tasks can execute dynamic SQL code and should be protected.

STIG	Date
CA IDMS Security Technical Implementation Guide	2022-09-07

Details

Check Text ( C-55057r807731_chk )
Check the SRTT for externally secured resource TASK for IDMS Server task codes IDMSJSRV and CASERVER. Examine load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If no TASK entry is found for either IDJSJSRV or CASERVER, this is a finding. If either is not secured external, this is a finding. If tasks IDMSJSRV and CASERVER are found to be secured externally, ensure that the external security manager (ESM) contains the correct definition using the external resource class name and the external name construction rules. If it is not defined or not defined correctly, this is a finding.

Check Text ( C-55057r807731_chk )

Check the SRTT for externally secured resource TASK for IDMS Server task codes IDMSJSRV and CASERVER.

Examine load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output.

Note: This requires PTFs SO07995 and SO09476.

If no TASK entry is found for either IDJSJSRV or CASERVER, this is a finding.

If either is not secured external, this is a finding.

If tasks IDMSJSRV and CASERVER are found to be secured externally, ensure that the external security manager (ESM) contains the correct definition using the external resource class name and the external name construction rules. If it is not defined or not defined correctly, this is a finding.

Fix Text (F-55011r807732_fix)
Create or modify as needed entries in the SRTT, then reassemble and relink module RHDCSRTT for the security domain. The external class and external name construction rules must be specified. The following is an example of how IDMSJSRV and CASERVER may be secured externally. #SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=OFF,EXTNAME=(RESTYPE,RESNAME), EXTCLS='CA@IDMS' #SECRTT TYPE=OCCUR,RESTYPE=TASK,RESNAME='IDMSJSRV', SECBY=EXT #SECRTT TYPE=OCCUR,RESTYPE=TASK,RESNAME='CASERVER', SECBY=EXT Consult with the security department to ensure that the ESM contains the correct rules to secure the entries and permit access to the appropriate users. After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

Fix Text (F-55011r807732_fix)

Create or modify as needed entries in the SRTT, then reassemble and relink module RHDCSRTT for the security domain. The external class and external name construction rules must be specified. The following is an example of how IDMSJSRV and CASERVER may be secured externally.

#SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=OFF,EXTNAME=(RESTYPE,RESNAME),
EXTCLS='CA@IDMS'
#SECRTT TYPE=OCCUR,RESTYPE=TASK,RESNAME='IDMSJSRV', SECBY=EXT
#SECRTT TYPE=OCCUR,RESTYPE=TASK,RESNAME='CASERVER', SECBY=EXT

Consult with the security department to ensure that the ESM contains the correct rules to secure the entries and permit access to the appropriate users.

After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:

DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD