User security in link definitions

The level of user security you require for a remote system is specified in the ATTACHSEC attribute of the CONNECTION definition.

CICS interprets the parameters of the ATTACHSEC attribute as described here. However, special rules apply for CICS transaction routing using CRTE, as described in Transaction routing security with MRO.

The ATTACHSEC attribute specifies the sign-on requirements for incoming requests. It has no effect on requests that are issued by your system to a remote system; these are dealt with by the remote system.

The following values of the ATTACHSEC attribute are valid with MRO:

LOCAL
specifies that a user identifier is not required from the remote system, and if one is received, it is ignored. Here, CICS makes the user security profile equivalent to the link security profile. You do not need to specify RACF® profiles for the remote users. (LOCAL is the default value.)

Specify ATTACHSEC(LOCAL) if you think that the link security profile alone provides sufficient security for your system.

IDENTIFY
specifies that a user identifier is expected on every attach request. All remote users of a system must be identified to RACF.

Specify ATTACHSEC(IDENTIFY) when you know that CICS can trust the remote system to verify its users, when, for example, the remote system is another CICS.

The following rules apply to IDENTIFY:
  • If a password is included in an attach request with a user identifier on a link with ATTACHSEC(IDENTIFY), CICS rejects the attach request and unbinds the session.
  • If a null user identifier or an unknown user identifier is received, CICS rejects the attach request.
  • If no user identifier is received, the attach is rejected unless USEDFLTUSER(YES) is specified on the connection. In this case CICS applies the security capabilities of the default user, as specified in the DFLTUSER system initialization parameter. For more information, see The CICS default user ID.
Note: In the case of distributed transaction processing (DTP) transactions, you must issue a BUILD ATTACH request before the MRO SEND or CONVERSE command to include the userid of the terminal user in an attach request.