The following are the possible operands of ATTACHSEC:
- LOCAL
  specifies that a user identifier is not to be supplied by the remote system. If one is received, the attach fails. CICS makes the user security profile equivalent to the link security profile. You do not need to specify RACF® profiles for the remote users. LOCAL is the default value.
- IDENTIFY
  specifies that a user identifier is expected on every attach request. All remote users of a system must be identified to RACF.

  If an attach request with both a user identifier and a password is received on a link with ATTACHSEC(IDENTIFY), CICS does not reject the attach request. CICS handles the attach request as if the connection was defined with ATTACHSEC(VERIFY).

  If a null (X'00') user identifier or an unknown user identifier is received, CICS rejects the attach request.
- VERIFY
  specifies that, in addition to a user identifier, a user password is required for verification against the local RACF database. All remote users of a system must be identified to RACF.

  The rules that apply to the checking of the user identifier for ATTACHSEC(IDENTIFY) also apply for ATTACHSEC(VERIFY). If a valid user identifier is received but the password verification fails, CICS rejects the attach request.

  If the communicating system is CICS for AIX, ATTACHSEC=IDENTIFY should be used.

  Note: Products other than CICS can connect to a CICS Transaction Server for z/OS AOR via an LU6.2 link. They then use the SNA LU6.2 FMH-5 ATTACH mechanism to start a transaction on the CICS AOR. Where this mechanism is being used from an insecure system, the ATTACHSEC=VERIFY option should be used on the connection definition to protect the transaction on the AOR. (See SNA profiles and attach-time security.)
- PERSISTENT
  specifies that a user identifier and a user password are required with the first attach request for a new user, but all following attach requests for the same user need supply only a user identifier. (All remote users of a system must be identified to RACF.) The first attach signs on the user, even if the attach request is later unsuccessful because the user is not authorized to attach the transaction.

  Note: PERSISTENT cannot be used for CICS-to-CICS communication.
- MIXIDPE
  specifies that the sign-on level for the remote user is determined by parameters sent with the attach request. The possibilities are: PERSISTENT or IDENTIFY.
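
The accept and reject rules above, written out as a small decision model. This is an added example, not CICS or IBM code: the `Link` class, the `RACF_USERS` table (constructed sample data) and the `level` argument standing in for the MIXIDPE attach parameters are all assumptions made for illustration.

```python
# Model of the ATTACHSEC rules listed above; not CICS code.
# RACF_USERS is constructed sample data standing in for the local RACF database.
RACF_USERS = {"USERA": "pw-a", "USERB": "pw-b"}


class Link:
    """One connection with its ATTACHSEC operand and its persistent sign-ons."""

    def __init__(self, attachsec="LOCAL"):  # LOCAL is the default value
        self.attachsec = attachsec
        self.signed_on = set()

    def attach(self, userid=None, password=None, level=None):
        """Return (accepted, reason) for one attach request.

        `level` is a hypothetical stand-in for the parameters that select
        PERSISTENT or IDENTIFY on a MIXIDPE link.
        """
        mode = self.attachsec
        if mode == "MIXIDPE":
            if level not in ("PERSISTENT", "IDENTIFY"):
                # Assumption: the model rejects when no level is given.
                return False, "no sign-on level in attach"
            mode = level
        if mode == "LOCAL":
            if userid is not None:
                return False, "user identifier received on LOCAL link"
            return True, "runs under link security profile"
        # IDENTIFY, VERIFY and PERSISTENT share the user identifier checks.
        if not userid or userid == "\x00":
            return False, "null user identifier"
        if userid not in RACF_USERS:
            return False, "unknown user identifier"
        if mode == "PERSISTENT" and password is None:
            if userid in self.signed_on:
                return True, "already signed on"
            return False, "password required on first attach"
        if mode == "IDENTIFY" and password is None:
            return True, "identified"
        # VERIFY, or a password was supplied (IDENTIFY is then handled as VERIFY).
        if password is None:
            return False, "password required"
        if RACF_USERS[userid] != password:
            return False, "password verification failed"
        if mode == "PERSISTENT":
            self.signed_on.add(userid)  # sign-on persists for later attaches
        return True, "verified"
```

The model covers attach-time sign-on only; whether the signed-on user is authorized to attach the transaction is a separate check that it does not represent.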