Introduction to CICS/VSE internal security

CICS/VSE internal security, apart from resource security, is defined at two levels:

User security
You define a security profile for each workstation user.
Link security
You define a security profile for the link. This gives the link access to all the resources that the users can access collectively. No user has access to a resource that the link itself cannot access.

Security profile

Security profiles consist of one or more numeric keys, chosen from the range 1 through 24. When a protected resource is defined, it is associated with one of these values. A user who has a matching key is allowed to access that resource, provided that the link also has a matching key (user security is a subset of link security).

Link profile

If you do not need to specify security for individual users, you can let all user security profiles default to the link profile. For this, you specify ATTACHSEC(Local) on the CEDA DEFINE CONNECTION command (see note 6). You define the link security profile by specifying OPERRSL on the same command. Let this option default if you want the link to access only unprotected resources.

SNT entry for link

An alternative way to specify link security is to define an SNT entry for the link. Specify RSLKEY to define the link security profile. The user ID you give to the link has to be matched to SECURITYNAME on the CEDA DEFINE CONNECTION command (see note 6).

Required specifications in remote systems

To enable protected access to CICS/VSE resources, specifications are needed in each remote system.

CICS Transaction Server for Windows specifications

To enable security checking of CICS® Transaction Server for Windows users by CICS/VSE, Attach security must be specified as V in the CICS Transaction Server for Windows TCS definition of the CICS/VSE system. All user IDs must be defined in the CICS Transaction Server for Windows signon table (SNT).

CICS for AIX specifications

In the communications definition (CD) stanza, the entry for the CICS/VSE system should specify RemoteSystemSecurity=IDENTIFY, which is consistent with either IDENTIFY or VERIFY in the SNA Services connection profile. All user IDs, whether or not they use intercommunication, must be in the user definition (UD) stanza.

AIX SNA Services

In the connection profile for the CICS/VSE system, the conversation security access list must contain the user IDs and passwords of all users that are to access the CICS/VSE system. The connection profile should specify SecurityLevel=IDENTIFY or VERIFY, depending on the security required.

CICS/400 specifications

An AS/400® user profile, containing a user ID and password, is required for each CICS/400 user who accesses protected CICS/VSE resources. In the AS/400 configuration list, the entry for the CICS/VSE system should specify Secure Loc(*YES), which is the equivalent of ATTACHSEC=Verify in the CICS/VSE CONNECTION definition.

CICS/VSE specifications

For CICS/VSE resource security, entries are needed in the SNT for all remote users. Each entry must match a corresponding entry in a remote system's SNT or equivalent (see note 7). The level of security on a link depends on the ATTACHSEC option of the CEDA DEFINE CONNECTION command (see note 8).

If you are using an external security manager, you probably need only the default entry in the CICS SNT. This covers both link and users.

Because the mirror transaction accesses all resources for the users, CICS/VSE does not apply resource security checking unless you specify RSLC(YES) or RSLC(EXTERNAL) on the CEDA DEFINE TRANSACTION for the mirror transaction.

For further guidance, see the CICS/VSE Version 2 Release 3 Intercommunication Guide. Note that bind-time security is not supported.

Implementation

Implementation of security for CICS Transaction Server for Windows, CICS on Open Systems, or CICS/400 access to CICS/VSE resources is similar to that for CICS/VSE-to-CICS/VSE intercommunication.

Sign-on security
If ATTACHSEC=IDENTIFY is specified in the CICS/VSE and CICS non-System/390® connection definitions, the remote user ID must match an entry in the CICS/VSE SNT. For ATTACHSEC=VERIFY, the user ID and password transmitted with the request must match the user ID and password in a CICS/VSE SNT entry. For ATTACHSEC=LOCAL, there is no user security.
Attach-time and resource access security
For ATTACHSEC=LOCAL, the resources accessed must have security keys that are a subset of the range of the OPERRSL keys specified for the connection.

For ATTACHSEC=VERIFY|IDENTIFY, in addition to the requirements for ATTACHSEC=LOCAL, the user’s SNT operator class must match the RSL key for the resource. Additional checks may be needed, depending on the definitions of mirror and routed transactions.
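Putting the sign-on and attach-time rules above together with the key model from "Security profile", here is an added Python model of the access decision (example code written for this page, not from the CICS/VSE documentation); the SNT entries, user IDs, passwords and key sets are constructed for the example, and an unprotected resource is represented by a key of None.

```python
from dataclasses import dataclass

# Constructed sample sign-on table (SNT): user ID -> (password, RSL keys 1..24).
SNT = {
    "OPER1": ("SECRET1", frozenset({1, 2, 5})),
    "OPER2": ("SECRET2", frozenset({3, 24})),
}

@dataclass
class Connection:
    attachsec: str                      # "LOCAL", "IDENTIFY" or "VERIFY"
    operrsl: frozenset = frozenset()    # link security profile (OPERRSL keys)
    mirror_rslc: str = "NO"             # RSLC option on the mirror transaction

def user_keys(conn, userid, password):
    """Resolve the effective user security profile for an attach request.
    Returns None when sign-on security rejects the attach."""
    if conn.attachsec == "LOCAL":
        return conn.operrsl             # user profile defaults to the link profile
    entry = SNT.get(userid)
    if entry is None:
        return None                     # IDENTIFY/VERIFY: user ID must be in the SNT
    stored_pw, keys = entry
    if conn.attachsec == "VERIFY" and stored_pw != password:
        return None                     # VERIFY: transmitted password must also match
    return keys

def can_access(conn, userid, password, resource_key):
    """Decide whether a remote user may access a resource with the given RSL key."""
    keys = user_keys(conn, userid, password)
    if keys is None:
        return False                    # attach rejected
    if resource_key is None:
        return True                     # unprotected resource: no key needed
    if conn.mirror_rslc not in ("YES", "EXTERNAL"):
        return True                     # mirror without RSLC(YES|EXTERNAL): no checking
    # Link key must match, and the user key must match within the link's profile.
    return resource_key in conn.operrsl and resource_key in keys
```

Note that with RSLC left at its default on the mirror transaction the last check never runs, which is the situation the "CICS/VSE specifications" paragraph warns about.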

Related tasks
Specifying LU 6.2 security requirements

Notes

6. If the link is single-session LU 6.2, specify ATTACHSEC and SECURITYNAME in the CEDA DEFINE TERMINAL command.
7. For example, for CICS for AIX® this is the UD stanza; for CICS/400, the AS/400 user profiles.
8. If the link is single-session LU 6.2, specify ATTACHSEC and SECURITYNAME in the CEDA DEFINE TERMINAL command.
