The data sets created for the administration and operation of openFT should be protected against unauthorized access (e.g. by using RACF). The degree of protection needed will vary depending on the particular security requirements of individual computer centers. The following sections contain recommendations for protecting the most important data sets. For some of the data sets, the most stringent access restrictions that will still allow openFT operation are described.
FT parameter library
The parameters with which openFT is adjusted to installation-specific requirements (see section “Setting up the FT parameter library”) are stored in the FT parameter library. This is highly sensitive information (for instance the list of FT or FTAC administrators and possibly the name of the FTAC file; see below), the integrity of which is absolutely essential for openFT to be able to function properly. This file must therefore be protected extremely carefully.
Request file, partner list, operational parameters file
The request queue, the partner list and the operational parameters file are three DA data sets set up automatically under the following names the first time the system is started:
The request queue '<openft qualifier>.<inst>.SYSRQF'
The partner list '<openft qualifier>.<inst>.SYSPTF'
The partner list contains the address information for the partner systems and corresponds to the network description file used in previous openFT versions.
The operational parameters file '<openft qualifier>.<inst>.SYSOPF'
Here, <openft qualifier> is the prefix with which the openFT administrative files are created (OPENFT QUALIFIER in the FJGEN command). <inst> is the instance name (INSTANCE NAME in the FJGEN command).
These three files only need to be accessed by the user ID under which openFT is running.
Logging file
The logging file is generated automatically by openFT. Its components are described in section “Internal openFT data sets”.
Usually, the names of the components of the logging files all begin with '<openft qualifier>.<inst>.SYSLOG'. "openft qualifier" is the prefix with which the openFT administrative files are created (OPENFT QUALIFIER in the FJGEN command). "inst" is the instance name (INSTANCE NAME in the FJGEN command). Instead of the usual second level qualifier inst.SYSLOG, the administrator may allocate a different name to the file (LOGFILE_2ND_Q key in the PARM member of the FT parameter library).
Only the user ID under which openFT is running should be able to access the components of the logging files. Please also read the note at the end of section "FTAC files".
If you want to store the logging records permanently, redirect the output from the FTSHWLOG command to a file and then back up this file, or use the new logging functionality introduced in Version 12 to back up logging records in offline logging files.
To prevent the logging file from becoming unnecessarily large, you should occasionally use the FTDELLOG command to delete old logging records, or change the logging file from time to time using the command FTMODOPT LOGGING=*CHANGE-FILES (see section “FT logging”) and archive logging files that are no longer online as required.
FTAC file
The FTAC file is generated automatically by openFT when FTAC is used. It contains the FTAC environment, i.e. the admission sets, admission profiles, etc. The components of the file are described in section “Internal openFT data sets”.
The names of the components of the FTAC file all begin with '<openft qualifier>.<inst>.SYSFSA'. "openft qualifier" is the prefix with which the openFT administrative files are created (OPENFT QUALIFIER in the FJGEN command). "inst" is the instance name (INSTANCE NAME in the FJGEN command). Instead of the usual second level qualifier inst.SYSFSA, the administrator may allocate a different name to the file (FILE_2ND_Q key in the FTACPAR member of the FT parameter library).
For reasons of security it is strongly recommended that the components of this file be accessible only to the main FT administrator ID and the user ID under which openFT runs.
Note
If you are using RACF and you want to protect the logging file and the FTAC file using generic profiles, you must make sure that all components of the files are covered by the names of the generic profiles.
If you want to implement a standard protection for the request file, the partner list, the logging file and the FTAC file, and you select the same beginning for the file names of all of these files, then you will need only two generic profiles to protect them.
If you use the standard file names for the files, you only need to implement the following generic profiles for the individual openFT instances:
'<openft qualifier>.<inst>.SYS*'
This generic profile protects the request file (SYSFSF), the partner list (SYSPTF) and the PS data sets that are part of the logging file and the FTAC file (SYSLOG and SYSFSA).
'<openft qualifier>.<inst>.SYS*.*'
This generic profile protects the components of the VSAM cluster, which are part of the logging file and the FTAC file (SYSLOG.P00 etc. for the logging file, SYSFSA.P00 etc. for the FTAC file).
The OPENFT QUALIFIER stands for the file name prefix defined in the FJGEN command, while inst refers to the instance name defined for the corresponding openFT instance in the INSTANCE NAME parameter in the FJGEN command.
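The coverage check the note asks for can be scripted. The following is an added example, not part of the openFT documentation or product: it models generic profile matching in the simplified form used by RACF enhanced generic naming (% matches one character, * at the end of a qualifier matches the rest of that qualifier, * alone matches exactly one qualifier) and reports data set names that neither profile covers. The qualifier OPFT, the instance STD, the component names and the renamed second level qualifier STD.FTLOG are constructed sample values.

```python
import re

def profile_regex(profile):
    """Compile a generic profile name into a regex (simplified model)."""
    parts = []
    for qual in profile.upper().split("."):
        if qual == "*":                      # whole qualifier: exactly one qualifier
            parts.append(r"[^.]+")
            continue
        out = []
        for i, ch in enumerate(qual):
            if ch == "%":                    # any single character
                out.append(r"[^.]")
            elif ch == "*" and i == len(qual) - 1:
                out.append(r"[^.]*")         # rest of this qualifier only
            else:
                out.append(re.escape(ch))
        parts.append("".join(out))
    return re.compile(r"\.".join(parts))

def covered_by(dsname, profiles):
    """Return the profiles whose name pattern matches the data set name."""
    return [p for p in profiles if profile_regex(p).fullmatch(dsname.upper())]

def uncovered(dsnames, profiles):
    """Return the data set names that no profile in the list covers."""
    return [d for d in dsnames if not covered_by(d, profiles)]

# Constructed sample values (assumptions, not taken from a real installation)
QUAL, INST = "OPFT", "STD"
PROFILES = [f"{QUAL}.{INST}.SYS*", f"{QUAL}.{INST}.SYS*.*"]

# Standard names: PS data sets plus VSAM cluster components
STANDARD = [f"{QUAL}.{INST}.{s}" for s in
            ("SYSRQF", "SYSPTF", "SYSOPF", "SYSLOG", "SYSLOG.P00",
             "SYSFSA", "SYSFSA.P00")]

# Logging file renamed via LOGFILE_2ND_Q to the hypothetical value STD.FTLOG
RENAMED = [f"{QUAL}.STD.FTLOG", f"{QUAL}.STD.FTLOG.P00"]

if __name__ == "__main__":
    for name in STANDARD + RENAMED:
        hits = covered_by(name, PROFILES)
        print(f"{name:24} {'covered by ' + hits[0] if hits else 'NOT COVERED'}")
```

With the standard names every data set is covered by exactly one of the two profiles; once the logging file is given a different second level qualifier, its components fall outside both and need a profile of their own.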