Explicit sign-on

Users can explicitly sign on either by using the CICS-supplied transaction, CESN, which can be defined as the “good morning” transaction on the GMTRAN system initialization parameter, or by using an installation-provided sign-on transaction that uses the SIGNON command. OIDCARD users can use CESN to sign on if the card reader supports the DFHOPID attention identifier (AID). If it does not, use your own installation-provided sign-on transaction.

When a user signs on to CICS, the sign-on process involves the following phases:

Scoping
After the sign-on panel is completed and sent, CICS verifies that the entered userid does not match a userid already signed on within the scope of the SNSCOPE definition for the CICS system.
Identification
CICS calls RACF® with the supplied userid to confirm that a profile has been defined for the user.
Verification
CICS passes information to RACF to verify that the user is genuine. For RACF this is either a password or an OIDCARD or both. If the password entered has expired, CICS prompts the user for a new password. When the new password conforms to the RACF password formatting rules for an installation, the new password and the date-of-change are recorded in the RACF user profile.

Immediately following the request to RACF for userid and password verification, CICS clears the internal password field. This minimizes the possibility of the password being revealed in any dump of the CICS address space that may be taken.

You may also voluntarily change your password by entering a new value.

Figure 1. The CICS sign-on panel
                      Sign-on for CICS     APPLID CICSA100
 
 . . . . . . This is where the good morning message appears. . . . . . .
 . . . . . . It can be up to four lines in depth . . . . . . . . . . . .
 . . . . . . to contain the maximum message length . . . . . . . . . . .
 . . . . . . of 246 characters . . . . . . . . . . . . . . . . . . . . .
 
 
 
 Type your userid and password, then press ENTER:
 
          Userid . . . . ________    Groupid . . . ________
 
          Password . . . ________
 
          Language . . . ___
 
      New Password . . . ________
 
 
 
 
 
 DFHCE3520 Please type your userid.
 F3=Exit
Authorization
RACF performs checks on the application name and the port of entry to verify that the user is allowed to use the CICS system. In the application name check, RACF determines whether the user is authorized to access the application named in the APPLID or GRNAME system initialization parameter. RACF does this by checking the access list of the CICS application profile defined in the RACF APPL resource class. (See Authorizing access to the CICS region for information about how to define profiles in the APPL resource class.)

With the port of entry check, RACF verifies that the user is authorized to sign on using that port of entry. The use of defined terminals can be restricted to certain times of the day, and to certain days of the week. See Controlling access to CICS from specific ports of entry.

These checks restrict the user to signing on only to those CICS regions for which they are authorized, and only from terminals they are authorized to use.

Explicit sign-on, with the CESN transaction, or the SIGNON command, is performed by the user at the port of entry.

Table 1. Explicit and implicit signons
Phase           Explicit  Implicit
Scoping         Yes       No
Identification  Yes       Yes
Verification    Yes       No except with ATTACHSEC(IDENTIFY)
Authorization   Yes       Yes
User attributes
CICS obtains CICS user attributes from the CICS and LANGUAGE segments of the RACF database.
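
The two Authorization checks described above depend on profiles in the RACF APPL and TERMINAL resource classes. The following RACF commands are an added example, not taken from the original page: the group CICSUSRS and the terminal profile name NETTRM01 are hypothetical, CICSA100 is the APPLID shown in Figure 1, and the day and time window is a constructed sample.

```racf
/* Application name check: the profile is named after the APPLID.    */
/* UACC(NONE) limits sign-on to IDs on the access list; UACC(READ)   */
/* would also pass users who are not on the access list.             */
RDEFINE APPL CICSA100 UACC(NONE)
PERMIT CICSA100 CLASS(APPL) ID(CICSUSRS) ACCESS(READ)

/* Port of entry check: NETTRM01 is a hypothetical terminal profile. */
/* WHEN restricts use of the terminal to the stated days and hours.  */
RDEFINE TERMINAL NETTRM01 UACC(NONE) WHEN(DAYS(WEEKDAYS) TIME(0800:1800))
PERMIT NETTRM01 CLASS(TERMINAL) ID(CICSUSRS) ACCESS(READ)

/* Activate both classes and load the APPL profiles into storage.    */
/* If APPL is already RACLISTed, add REFRESH to the second command.  */
SETROPTS CLASSACT(APPL TERMINAL)
SETROPTS RACLIST(APPL)

/* Review the resulting access lists before relying on them.         */
RLIST APPL CICSA100 AUTHUSER
RLIST TERMINAL NETTRM01 AUTHUSER
```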