DBCTL password security checking

You can protect DBCTL against unauthorized /LOCK and /UNLOCK commands for certain PSBs (referred to as "programs" in the IMS™ publications) and databases by establishing passwords for these PSBs and databases. The IMS security maintenance utility is used to place the definitions needed into DBCTL’s matrix data sets:

)( PROGRAM  PSB11
  PASSWORD PWP11
)( PROGRAM  PSB12
  PASSWORD PWP12
)( DATABASE DB21
  PASSWORD PWD21
)( DATABASE DB22
  PASSWORD PWD22

Note: The parentheses shown in the above example are used by the security maintenance utility to recognize input commands.
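
The following is an added example, not part of the original page or of IMS: a small check that reads security maintenance utility input in the layout shown above and reports which PSBs and databases that should be protected have no PASSWORD statement. It assumes only the two statement forms shown on this page; the function names, the PSB13 entry, and the DB23 name are constructed for illustration.

```python
import re

# Constructed sample input in the layout shown on this page.
# PSB13 is a made-up entry that has no PASSWORD statement.
SAMPLE_DECK = """\
)( PROGRAM  PSB11
  PASSWORD PWP11
)( PROGRAM  PSB12
  PASSWORD PWP12
)( PROGRAM  PSB13
)( DATABASE DB21
  PASSWORD PWD21
)( DATABASE DB22
  PASSWORD PWD22
"""

# Assumption: only the two statement forms shown on the page are handled.
HEADER = re.compile(r"^\)\(\s+(PROGRAM|DATABASE)\s+(\S+)\s*$")
PASSWORD = re.compile(r"^\s+PASSWORD\s+\S+\s*$")


def parse_deck(text):
    """Return {(kind, name): number of PASSWORD statements} per entry."""
    entries, current = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        header = HEADER.match(line)
        if header:
            current = (header.group(1), header.group(2))
            if current in entries:
                raise ValueError(f"line {lineno}: duplicate entry {current}")
            entries[current] = 0
        elif PASSWORD.match(line) and current is not None:
            # Count only; the password value itself is never stored or printed.
            entries[current] += 1
        else:
            raise ValueError(f"line {lineno}: unrecognized statement")
    return entries


def unprotected(entries, required):
    """Resources in `required` that are absent or have no PASSWORD statement."""
    return sorted(r for r in required if not entries.get(r))


if __name__ == "__main__":
    required = [("PROGRAM", "PSB11"), ("PROGRAM", "PSB13"), ("DATABASE", "DB23")]
    print(unprotected(parse_deck(SAMPLE_DECK), required))
```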

Security considerations for using BMPs with DBCTL

In most cases, PSB authorization checking by CICS® provides sufficient security. Because CICS and DBCTL run in the same MVS™ image, and the connection parameters (in the DRA startup table) have to be in an authorized library, you should usually have enough control over the connection process, and you will not need to implement the DBCTL security checking described in Resource access security checking by DBCTL.

However, these considerations do not apply if you are using BMPs with DBCTL. DBCTL resources, such as PSBs, can be accessed by programs that operate in dependent regions. To MVS, these dependent regions are normal MVS jobs that anyone can initiate using the MVS job entry subsystem. This means that a user who is not authorized to access a database using a RACF-protected CICS transaction could access that database by submitting a BMP region with the correct parameters in the EXECUTE statement. To provide security control for BMPs, use DBCTL resource access security checking. (See Making DBCTL resources available for information on starting BMP JCL using a DBCTL operator command.)

Related concepts
Security checking with DBCTL
PSB authorization checking by CICS
Resource access security checking by DBCTL
Migration considerations for security with DBCTL