In CICS® Transaction Server for z/OS® and CICS Transaction Server for OS/390®, CICS intercommunication security is described in detail in the CICS-RACF Security Guide. In CICS Transaction Server for VSE/ESA, it is described in the CICS Transaction Server for VSE/ESA Security Guide. This section is intended to be read in conjunction with your CICS security manual; it describes security considerations that are specific to CICS Clients and CICS on System/390®.
Users of external security managers (ESMs) other than the Resource Access Control Facility (RACF®) or the CICS Transaction Server for VSE/ESA ESM should read this section in conjunction with the documentation for their own ESM.
Bind-time security is not supported on CICS Client-CICS on System/390 APPC links. Therefore, specify BINDSECURITY(NO) on the CONNECTION definitions that define Clients to CICS on System/390.
Link security provides the lowest level of resource security for intercommunication links. It defines the total set of resources that can be accessed across the connection.
To specify link security for a CICS Client-CICS on System/390 APPC connection:
If you do not specify a user ID on SECURITYNAME, the authority of the link is that of the CICS default user.
User (attach-time) security:
If you are using APPC links, specify the level of user-security on the ATTACHSEC option of the CONNECTION definition that defines the Client to CICS on System/390.
If you are using ECI over TCP/IP, specify the level of user-security on the ATTACHSEC option of the TCPIPSERVICE definition for ECI over TCP/IP.
The valid values of ATTACHSEC for CICS Client-System/390 links are LOCAL and VERIFY.
For APPC links, if you specify ATTACHSEC(VERIFY), you must also specify USEDFLTUSER(YES). If you do not, the first time the Client tries to initialize the connection to CICS on System/390 you see security violation messages DFHZN2701 and DFHZC2047 and an SDUMP is taken. (This is because, when trying to attach the CCIN transaction, the Client does not include the password and user ID required by CICS on System/390.)
If a Client does not support VERIFY attach-time security, you must specify ATTACHSEC(LOCAL) and rely on link security.
CCIN and CIEP (which is used for ECI over TCP/IP) are category 3 transactions--that is, they are exempt from security checking.
CTIN is a category 2 transaction--that is, it is always associated with a terminal.
You should specify:
The supplied definitions in the DFHCLNT and DFHIPECI CSD groups specify these values.
RDEFINE GCICSTRN INTERCOM UACC(NONE)
        ADDMEM(CEHP,CEHS,CPMI, . . . ,CTIN, . . . )
        NOTIFY(security_admin_userid)
        OWNER(userid or groupid)
PERMIT INTERCOM CLASS(GCICSTRN) ID(intrgrp1,..,intrgrpz)
        ACCESS(READ)
To activate security on CICS Client-CICS on System/390 links, you need to specify the following system initialization parameters:
DFLTUSER=name,    To specify the CICS default userid    *
SEC=YES,          To turn on security checking          *
XTRAN=YES,        To turn on transaction security       *
For detailed information about these parameters, see your CICS on System/390 System Definition Guide.
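The following Python check is an added example, not part of the CICS documentation or IBM-supplied code. It audits DEFINE CONNECTION statements and system initialization overrides against the rules stated in this section. The connection names, group, user IDs, and the defaults assumed for omitted attributes (ATTACHSEC(LOCAL), BINDSECURITY(NO), USEDFLTUSER(NO)) are assumptions.

```python
import re

# KEYWORD(value) pairs as they appear in a CEDA or DFHCSDUP DEFINE statement.
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")
# Assumed defaults for attributes omitted from a CONNECTION definition.
DEFAULTS = {"ATTACHSEC": "LOCAL", "BINDSECURITY": "NO", "USEDFLTUSER": "NO"}

def audit_connection(define_text):
    """Return findings for one Client-facing APPC CONNECTION definition."""
    attrs = {**DEFAULTS, **{k: v.strip() for k, v in ATTR.findall(define_text.upper())}}
    name = attrs.get("CONNECTION", "?")
    findings = []
    if attrs["BINDSECURITY"] != "NO":
        findings.append(f"{name}: BINDSECURITY must be NO on Client links")
    if attrs["ATTACHSEC"] not in ("LOCAL", "VERIFY"):
        findings.append(f"{name}: ATTACHSEC({attrs['ATTACHSEC']}) is not valid for Client links")
    if attrs["ATTACHSEC"] == "VERIFY" and attrs["USEDFLTUSER"] != "YES":
        findings.append(f"{name}: ATTACHSEC(VERIFY) needs USEDFLTUSER(YES) or the CCIN attach is rejected")
    if not attrs.get("SECURITYNAME"):
        findings.append(f"{name}: no SECURITYNAME, link authority is the CICS default user")
    return findings

def audit_sit(sit_text):
    """Return findings for the system initialization parameters listed above."""
    sit = dict(p.split("=", 1) for p in re.split(r"[,\s]+", sit_text.upper()) if "=" in p)
    findings = [f"SIT: {k}=YES is not specified" for k in ("SEC", "XTRAN") if sit.get(k) != "YES"]
    if not sit.get("DFLTUSER"):
        findings.append("SIT: DFLTUSER is not specified")
    return findings

# Constructed sample input: connection names, group and user IDs are made up.
SAMPLE_DEFINES = [
    "DEFINE CONNECTION(CLT1) GROUP(CLIENTS) ATTACHSEC(VERIFY) BINDSECURITY(NO) USEDFLTUSER(YES) SECURITYNAME(LINKUSR)",
    "DEFINE CONNECTION(CLT2) GROUP(CLIENTS) ATTACHSEC(VERIFY) BINDSECURITY(YES)",
    "DEFINE CONNECTION(CLT3) GROUP(CLIENTS) ATTACHSEC(IDENTIFY)",
]
SAMPLE_SIT = "DFLTUSER=CICSUSER,SEC=YES,XTRAN=NO"

if __name__ == "__main__":
    for line in SAMPLE_DEFINES:
        for finding in audit_connection(line) or ["ok: " + line.split()[1]]:
            print(finding)
    for finding in audit_sit(SAMPLE_SIT):
        print(finding)
```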