Connect security

To perform MRO connect security checking, DFHIRP checks that each CICS region in the connection has read access to its partner's DFHAPPL.applid profile.

When CICS® Transaction Server for z/OS®, Version 3 Release 1 DFHIRP is installed, all regions using earlier CICS releases in the MVS™ image use the DFHAPPL.applid form of MRO connect security. In addition, the SECURITYNAME parameter on the CONNECTION definition is not used for MRO and is ignored.

To authorize the MRO partner regions for bind security purposes, you must define the appropriate DFHAPPL profiles in the RACF FACILITY class. Each CICS region in an MRO interregion communication link must be given READ access to its partner's DFHAPPL.applid profile. For example, for the CICS TOR running under user ID CICSRTOR (with APPLID CICSATOR) that connects to the AOR running under user ID CICSRAOR (with APPLID CICSAAOR), the RACF commands to authorize the connections are shown in Figure 1.

You cannot specify to CICS whether or not you want connect security checking for MRO connections—CICS always issues the RACROUTE calls.
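The following RACF commands are an added example, not taken from the original page, showing one way to set up both the logon (UPDATE) and connect (READ) authorizations for the TOR and AOR named above. They are written in CLIST form and assume that the two DFHAPPL profiles do not yet exist, that a universal access of NONE is wanted, and that the FACILITY class is RACLISTed.

```clist
/* Added example: user IDs and APPLIDs are the ones used on this page.  */
/* Assumption: profiles are new and nobody gets access by default.      */
RDEFINE FACILITY DFHAPPL.CICSATOR UACC(NONE)
RDEFINE FACILITY DFHAPPL.CICSAAOR UACC(NONE)

/* Logon check: each region needs UPDATE on its OWN DFHAPPL profile.    */
PERMIT DFHAPPL.CICSATOR CLASS(FACILITY) ID(CICSRTOR) ACCESS(UPDATE)
PERMIT DFHAPPL.CICSAAOR CLASS(FACILITY) ID(CICSRAOR) ACCESS(UPDATE)

/* Connect check: each region needs READ on its PARTNER's profile.      */
PERMIT DFHAPPL.CICSAAOR CLASS(FACILITY) ID(CICSRTOR) ACCESS(READ)
PERMIT DFHAPPL.CICSATOR CLASS(FACILITY) ID(CICSRAOR) ACCESS(READ)

/* Assumption: FACILITY is RACLISTed, so refresh the in-storage copy.   */
SETROPTS RACLIST(FACILITY) REFRESH

/* Review the resulting access lists: each profile should show its own  */
/* region with UPDATE and the partner region with READ, nothing more.   */
RLIST FACILITY DFHAPPL.CICSATOR AUTHUSER
RLIST FACILITY DFHAPPL.CICSAAOR AUTHUSER
```

Because RACF access levels are hierarchical, a partner granted UPDATE instead of READ would also pass the logon check for that APPLID, so the RLIST output is worth checking for access above READ on the partner entries.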

Figure 1. Illustration of the DFHIRP logon and connect security checks.
This illustration shows a CICS terminal-owning region (TOR) and CICS application-owning region (AOR) logging on to DFHIRP, and connecting to one another:
  • The TOR has an APPLID of CICSATOR and a region user ID of CICSRTOR.
  • The AOR has an APPLID of CICSAAOR and a region user ID of CICSRAOR.
During the logon process, DFHIRP calls RACF to check that:
  1. User ID CICSRTOR has UPDATE access to DFHAPPL.CICSATOR
  2. User ID CICSRAOR has UPDATE access to DFHAPPL.CICSAAOR
During the connection process, DFHIRP calls RACF to check that:
  1. User ID CICSRTOR has READ access to DFHAPPL.CICSAAOR
  2. User ID CICSRAOR has READ access to DFHAPPL.CICSATOR
The TOR and AOR shown in Figure 1, running under region userids CICSRTOR and CICSRAOR respectively, with APPLIDs CICSATOR and CICSAAOR, require the following RACF definitions to authorize their logon to DFHIRP: