CICS® Transaction Gateway supports user ID and password authentication with RACF®, in local and remote modes. Mapping of a registered X.509 certificate to a RACF user ID is supported in remote mode. RACF user ID and password authentication is used exclusively for EXCI connections to CICS; authentication of IPIC connections to CICS is performed by the CICS server. For more information, see User authentication using SSL client certificates.
Preliminary checks
You use the extattr +p command to mark HFS files as program controlled. To use this command, you must be the owner of the files, or a superuser. The user ID that installed CICS Transaction Gateway normally owns the files. You also need READ access to the BPX.FILEATTR.PROGCTL FACILITY class. See z/OS® UNIX System Services Planning for more information. Your user ID must have the RACF SPECIAL attribute to perform the actions in step 3.
Follow these steps to check that you have the necessary authority:
- Log on to TSO.
- Run ISPF.
- Choose option 6 (Command).
- Issue the following command:
  SR CLASS(FACILITY)
  Check that these entries are in the list:
  BPX.SERVER
  BPX.FILEATTR.PROGCTL
- Issue the following command:
  SR CLASS(SURROGAT)
  Check that this entry is in the list:
  *.DFHEXCI
Configuring the system
- Mark the load modules used by CICS Transaction Gateway as program controlled. The HFS files that require the extended attribute +p are set correctly by SMP/E; however, the SCTGLOAD and SDFHEXCI libraries must be set manually. All Java™ program files used by CICS Transaction Gateway during operation must also be program controlled for it to run successfully with authentication active. Use the "ls -E" command from an OMVS or Telnet screen to verify the CICS Transaction Gateway HFS files.
- If necessary, activate program control by issuing these commands:
SETROPTS CLASSACT(PROGRAM)
RDEFINE PROGRAM * UACC(READ)
SETROPTS WHEN(PROGRAM)
- Mark the CICS SDFHEXCI library, which provides the EXCI for CICS Transaction Gateway, as program controlled. For example, if the library was installed as CICSTS51.CICS.SDFHEXCI, use the following RACF commands:
  RALTER PROGRAM * ADDMEM('CICSTS51.CICS.SDFHEXCI'//NOPADCHK)
  SETROPTS WHEN(PROGRAM) REFRESH
- Mark the CICS Transaction Gateway SCTGLOAD library, which provides the CTGBATCH program for CICS Transaction Gateway, as program controlled. For example, if this library was installed as CICSTG.CTG900.SCTGLOAD, use the following RACF commands:
  RALTER PROGRAM * ADDMEM('CICSTG.CTG900.SCTGLOAD'//NOPADCHK)
  SETROPTS WHEN(PROGRAM) REFRESH
- Mark the Language Environment® runtime library SCEERUN2 as program controlled. For example, if this library was installed as CEE.SCEERUN2, use the following RACF commands:
  RALTER PROGRAM * ADDMEM('CEE.SCEERUN2'//NOPADCHK)
  SETROPTS WHEN(PROGRAM) REFRESH
- Mark the CICS SDFHLINK library, which contains DFHRXSVC and DFHXCSVC, as program controlled.
- Give the user ID under which CICS Transaction Gateway runs READ access to the BPX.SERVER FACILITY profile. For more information, see the __passwd() section in z/OS V2R10.0 C/C++ Run-Time Library Reference (SC28-1663-08).
- Ensure that the user ID that starts CICS Transaction Gateway has READ access to BPX.STOR.SWAP.
- Give the user ID under which CICS Transaction Gateway runs READ access to the RACF profile that protects the TCPIP.STANDARD.TCPXLBIN data set. This data set contains tables for translating from ASCII to EBCDIC and from EBCDIC to ASCII.
- Use one of the following options to configure CICS Transaction Gateway:
  - Editing a STDENV file: ensure that this entry is in the file:
    AUTH_USERID_PASSWORD=YES
  - Editing ctgenvvar: ensure that this entry is in the file:
    export AUTH_USERID_PASSWORD=Yes
- If you are using CTGBATCH to start CICS Transaction Gateway, ensure that _BPX_SHAREAS=YES is set in the STDENV DD statement, regardless of whether a ctgenvvar script is also being used. If starting CICS Transaction Gateway from USS, set _BPX_SHAREAS=NO in the ctgenvvar script, to force the use of a clean address space.
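The verification in step 1 (checking with "ls -E" that the Gateway's HFS files carry the +p attribute) can be scripted. The following is an added example, not part of the CICS Transaction Gateway documentation; it assumes the z/OS UNIX "ls -E" layout in which the extended-attribute flags (a, p, s, l, or "-" when unset) form the second field of each line, and the sample listing and file names are constructed.

```sh
#!/bin/sh
# Added example: find files in an `ls -E` listing that are not program
# controlled (no 'p' in the extended-attribute field) and print the
# extattr command that would mark each one. Assumes the z/OS `ls -E`
# layout: permissions, extended-attribute flags, link count, owner, ...

# Constructed sample, standing in for `ls -E` of a Gateway bin directory.
SAMPLE_LS_E='-rwxr-xr-x  -p--  1 CTGUSER  CTGGRP    123456 Jan 10 09:12 ctgstart
-rwxr-xr-x  ----  1 CTGUSER  CTGGRP     98765 Jan 10 09:12 ctgadmin
-rwxr-xr-x  -ps-  1 CTGUSER  CTGGRP    456789 Jan 10 09:12 libctgjni.so
drwxr-xr-x  ----  2 CTGUSER  CTGGRP      8192 Jan 10 09:12 classes'

# Print the names of regular files whose attribute flags lack 'p'.
# Directories (permission string starting with 'd') are skipped, since
# program control is an attribute of the executable files themselves.
not_program_controlled() {
    printf '%s\n' "$1" | awk '$1 ~ /^-/ && $2 !~ /p/ { print $NF }'
}

# For each file reported above, emit the extattr +p command. Running it
# requires owning the file (or superuser) plus READ access to the
# BPX.FILEATTR.PROGCTL FACILITY profile, as the preliminary checks state.
remediation_commands() {
    not_program_controlled "$1" | while IFS= read -r f; do
        printf 'extattr +p %s\n' "$f"
    done
}

echo "Files not program controlled:"
not_program_controlled "$SAMPLE_LS_E"
echo "Suggested remediation:"
remediation_commands "$SAMPLE_LS_E"
```

In a live check, replace the constructed listing with the output of "ls -E" on the actual Gateway directory and review the suggested commands before running them.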