Protecting CICS load libraries

Although, in general, CICS runs in unauthorized state, the CICS initialization program, DFHSIP, needs to run in authorized state for part of its execution. For this reason, the version of the DFHSIP module supplied on the distribution tape is link-edited with the “authorized” attribute (using the linkage-editor SETCODE AC(1) control statement), and is installed in CICSTS31.CICS.SDFHAUTH. This library must be defined to the operating system as APF-authorized.

To prevent unauthorized or accidental modification of CICSTS31.CICS.SDFHAUTH, make this library RACF-protected. Without such protection, the integrity and security of your MVS system are at risk. To control the unauthorized start-up of a CICS system using DFHSIP, also consider implementing the following:

Also give RACF protection to SYS1.CICSTS31.CICS.SDFHLINK and SYS1.CICSTS31.CICS.SDFHLPA, and to the other libraries (including CICSTS31.CICS.SDFHLOAD) that make up the STEPLIB and DFHRPL library concatenations.

See Authorizing access to CICS data sets for more information about protecting CICS data sets and creating suitable data set security profiles.
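One way to apply the protection described above, shown as an added example that is not taken from the CICS documentation: a batch TSO job that defines RACF profiles for the authorized library and the DFHRPL load library, then lists the result. The job card, the region user ID CICSRGN and the maintenance group CICSSYSP are hypothetical placeholders. The job assumes that generic profile checking is active for the DATASET class and that the high-level qualifier CICSTS31 is defined to RACF.

```jcl
//RACFLIBS JOB (ACCT),'PROTECT CICS LIBS',CLASS=A,MSGCLASS=X
//* Constructed example. The job card, CICSRGN and CICSSYSP are
//* placeholders; substitute your installation's values.
//* Runs RACF commands in batch TSO (IKJEFT01):
//*   ADDSD    - one generic profile per library, UACC(NONE)
//*   PERMIT   - READ for the region user ID (load only),
//*              UPDATE for the group that applies maintenance
//*   SETROPTS - refresh in-storage generic DATASET profiles
//*   LISTDSD  - print UACC and access list to confirm the result
//PROTECT  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDSD 'CICSTS31.CICS.SDFHAUTH' GENERIC UACC(NONE) -
   AUDIT(SUCCESS(UPDATE) FAILURES(READ))
 PERMIT 'CICSTS31.CICS.SDFHAUTH' GENERIC ID(CICSRGN) ACCESS(READ)
 PERMIT 'CICSTS31.CICS.SDFHAUTH' GENERIC ID(CICSSYSP) ACCESS(UPDATE)
 ADDSD 'CICSTS31.CICS.SDFHLOAD' GENERIC UACC(NONE) -
   AUDIT(SUCCESS(UPDATE) FAILURES(READ))
 PERMIT 'CICSTS31.CICS.SDFHLOAD' GENERIC ID(CICSRGN) ACCESS(READ)
 PERMIT 'CICSTS31.CICS.SDFHLOAD' GENERIC ID(CICSSYSP) ACCESS(UPDATE)
 SETROPTS GENERIC(DATASET) REFRESH
 LISTDSD DATASET('CICSTS31.CICS.SDFHAUTH') GENERIC ALL
 LISTDSD DATASET('CICSTS31.CICS.SDFHLOAD') GENERIC ALL
/*
```

In the LISTDSD output, check that UNIVERSAL ACCESS is NONE and that only the intended IDs appear in the access list; the AUDIT setting logs every successful update to these libraries as well as failed access attempts.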

Note: The source statements of your application programs are sensitive; consider having RACF protect the data sets containing them.