- BINDPASSWORD(password) (APPC
only)
- A password of up to 16 hexadecimal digits (0-9, A-F). A password of fewer
than 16 digits is padded on the right with hexadecimal zeros.
CICS masks the password
you supply to avoid unauthorized access. You should therefore find a safe
way of recording the password.
If you supply a password, an identical
password must be supplied in the remote system to ensure bind-time security,
allowing a connection to be established.
CONSOLE({NO|number})
For migration
purposes, it is possible to define a console using CONSOLE(number). However,
when several MVS™ images
are united to form a sysplex, the assignment of console identification numbers
depends on the order in which the MVS images are IPLed. The identification
numbers are determined from the sequence in which they are encountered in
the several CONSOLnn members for the MVS images.
Therefore, you are recommended to identify console devices attached to the
sysplex by CONSNAME instead of CONSOLE. The results of using CONSOLE may be
unpredictable. Code a number in the range 01 through 250, but not 128.
However, before you can use the console, it must be either defined to MVS
in the CONSOLnn member of SYS1.PARMLIB or dynamically
allocated by a product such as NETVIEW.
If you specify this attribute,
do not specify CONSNAME.

- EXTSEC({NO|YES})
- specifies whether an external security manager (for example, RACF®) is to be
used for transaction security or resource security checking.
- NO
- Only the security facilities provided by CICS are used by this transaction.
- YES
- An external security manager may be used by this transaction.
- INDOUBT({BACKOUT|COMMIT|WAIT})
- specifies the action required if the transaction is using intercommunication,
and abends at a critical time during syncpoint or abend processing. For guidance
on using the INDOUBT option, see the CICS Intercommunication
Guide.
- BACKOUT
- The effects of the transaction are backed-out. This must be specified
for recoverable files.
- COMMIT
- The effects of the transaction are committed. Use INDOUBT(COMMIT) if you
do not want dynamic transaction backout.
- WAIT
- Changes to recoverable temporary storage are locked until the session
is recovered. The resources are then committed or backed out in step with
the remote system.
- INSERVICE({YES|NO})
- specifies whether the session(s) can be used for communication. This attribute
applies only to LUTYPE 6.1 ISC sessions. It is invalid for LUTYPE 6.2, and
is ignored for MRO sessions. For MRO the status (in service or out of service)
is determined by the status of the corresponding MRO CONNECTION.
- YES
- Transactions may be initiated and messages may automatically be sent across
the session(s).
- NO
- The session(s) can neither receive messages nor transmit input.
- LOGMODECOM({NO|YES})
- LOGMODECOM indicates LOGMODE compatibility. It shows whether CICS is to
make LOGMODE work the way it does in releases earlier than CICS/ESA 4.1.
This parameter is not available in releases later than CICS/ESA 4.1.
- LOGMODECOM(NO)
- is the default and causes LOGMODE(0|name) to work as described under LOGMODE.
- LOGMODECOM(YES)
- causes LOGMODE(0|name) to work as it did in releases before CICS/ESA 4.1
for non *XRF-capable terminals. LOGMODECOM(YES) is ignored for XRF-capable
terminals. Use this parameter only in exceptional circumstances - see the CICS/ESA 4.1
Migration Guide and the CICS/ESA 4.1 Resource Definition
Guide for a fuller explanation.
- OMGINTERFACE(text)
- Defines a pattern that may match the IDL interface name. The maximum length
of this field is 31 characters. This field is obsolete and retained only for
compatibility with previous releases of CICS Transaction Server.
- OMGMODULE(text)
- Defines a pattern that may match the qualified module name (coded in CORBA
IDL), which defines the name scope of the interface and operation whose implementation
is to be executed. This field is obsolete and retained only for compatibility
with previous releases of CICS Transaction Server.
- OMGOPERATION(text)
- Defines a pattern matching the IDL operation name. The maximum length
of this field is 31 characters. This field is obsolete and retained only for
compatibility with previous releases of CICS Transaction Server.
- OPERID(code)
- specifies the 3-character operator identifier associated with the sessions.
Use OPERID if you are not specifying SECURITYNAME on the CONNECTION definition. Specifying
OPERID is the only way of having an operator identifier if you have
preset security (by specifying OPERRSL and OPERSECURITY).
- OPERPRIORITY({0|number})
- specifies the operator priority code to be used to determine the task
processing priority for each transaction attached to the sessions. The code
may be any value from 0 through 255. Use OPERPRIORITY if you are not specifying
SECURITYNAME on the CONNECTION definition. Specifying
OPERPRIORITY is the only way of having an operator priority code if
you have preset security (by specifying OPERRSL and OPERSECURITY).
- OPERRSL({0|number[,...]})
- specifies the resource security key for these sessions.
- number[,...]
- Code the preset resource security keys for these sessions. The OPERRSL
keys are checked to see that they include the resource RSL value, by transactions
that request RSL checking (RSLC(YES)). They are referenced for function shipping
and distributed transaction processing requests. The OPERRSL keys comprise
one or more decimal values from 1 through 24. You can specify more than one
value as an inclusive range, using a dash (for example: 5-12),
or as a series of numbers separated by commas, for example: 5,6,7,8,9,10,11,12. These
two examples are equivalent. You can use dashes and commas in the same specification
if you need to.
Specify OPERRSL keys if you are not specifying SECURITYNAME
on the CONNECTION definition. However, if you specify OPERRSL keys for the
sessions, you cannot have a sign-on, using SECURITYNAME, when the link is
established. Note that the OPERRSL keys give access only to resources with
the RSL values actually specified in the OPERRSL keys, not to resources with
lower RSL values.
- 0
- The sessions have no OPERRSL keys specified and do not have access to
any resources through transactions with RSLC(YES), except resources with RSL(PUBLIC).
- OPERSECURITY({1|number[,...]})
- specifies the preset transaction security keys for the device. The transaction
security keys are checked to see that they include the security value (TRANSEC)
for a transaction about to be attached. They are referenced for function shipping
and distributed transaction processing requests.
The security keys comprise one or more
decimal values from 1 through 64. You can specify these values in the same
way as for OPERRSL, above. In addition to the values you specify, a value
of 1 is also assumed. The default value of 1 gives access to all unsecured
transactions, because the default TRANSEC value is 1. For example: 5-10,12 is
translated into: 1,5,6,7,8,9,10,12.
Use OPERSECURITY
if you are not specifying SECURITYNAME on the CONNECTION definition. However,
if you specify OPERSECURITY keys for the sessions, you cannot have a sign-on,
using SECURITYNAME, when the link is established.
OUTPRIVACY(SUPPORTED|NOTSUPPORTED|REQUIRED)
reflects
the level of SSL encryption required for inbound connections to this service
that is specified by the CIPHERS attribute. During the SSL handshake, the
client and server advertise which cipher suites they support, and, from those
they both support, select the suite that offers the most secure level of encryption.
For more information about cipher suites, see
the CICS RACF Security Guide.
- NOTSUPPORTED
- Encryption is not used. During the SSL handshake, CICS advertises only
supported cipher suites that do not provide encryption.
- REQUIRED
- Encryption is used. During the SSL handshake, CICS advertises only supported
cipher suites that provide encryption.
- SUPPORTED
- Encryption is used if both client and server support it. During the SSL
handshake, CICS advertises all supported cipher suites.

- PORT(number)
- specifies
the TCP/IP port number to be used for non-SSL communication to this logical
EJB/CORBA server. The port number must be in the range 1–65535. The default
is 00683.
You must not specify the same port number for PORT and SSLPORT.
If
you install a TCP/IP service on this port, the TCPIPSERVICE definition must
specify SSL(NO).
- PRIMEDSIZE({0|value})
- specifies the primed storage allocation size in bytes.
- 0
- CICS takes care of the storage for the control blocks.
Note: Leave PRIMEDSIZE
as 0 if this TRANSACTION definition has been migrated with ANTICPG=YES.
- value
- This value must not exceed 65520 bytes and, if specified at all, must
include an allowance of 2800 bytes for CICS control blocks, and an allowance
for the size of the TWA.
Storage acquired by a GETMAIN within the primed
storage area is never freed (that is, the corresponding FREEMAIN is ignored).
Note
that storage accounting areas within the primed storage allocation are doubleword-aligned,
instead of the normal double-doubleword-aligned.
PRIVACY(REQUIRED|SUPPORTED|NOTSUPPORTED)
reflects
the level of SSL encryption required for inbound connections to this service
that is specified by the CIPHERS attribute. During the SSL handshake, the
client and server advertise which cipher suites they support, and, from those
they both support, select the suite that offers the most secure level of encryption.
You can edit the list of ciphers to set a minimum as well as
a maximum encryption level. For more information about cipher suites, see
the CICS RACF Security Guide.
- NOTSUPPORTED
- Encryption is not used. During the SSL handshake, CICS advertises only
supported cipher suites that do not provide encryption.
- REQUIRED
- Encryption is used. During the SSL handshake, CICS advertises only supported
cipher suites that provide encryption.
- SUPPORTED
- Encryption is used if both client and server support it. During the SSL
handshake, CICS advertises all supported cipher suites.

- PROTECT({NO|YES}) (SNA LUs only)
- specifies whether output messages can be recovered (see the MSGINTEG option),
and whether message logging is to take place.
- NO
- Neither message integrity nor message logging is to take place.
- YES
- Provides recovery for output messages. CICS also records the contents
of deferred write requests that are pending at a syncpoint, and records the
receipt of the definite response (associated with the deferred write) on the
system log for message recovery and resynchronization purposes. Journaling
support is required during generation of the CICS system.
If you specify
PROTECT(YES):
- Specify MSGINTEG(YES). This ensures that the integrity response is received.
- Ensure that definitions for the transaction CSLG and program DFHZRLG are
available.
- RECOVNOTIFY({NONE|MESSAGE|TRANSACTION})
- specifies whether, and how, the terminal user is notified that an XRF
takeover has occurred, in case the user needs to take some action such as
signing on again.
- NONE
- The user is not notified.
- MESSAGE
- The user receives a message on the screen that the system has recovered.
There are two BMS maps, DFHXRC1 and DFHXRC2, in map set DFHXMSG for the message.
MESSAGE, rather than TRANSACTION, minimizes the takeover time.
The terminal
must be defined with the ATI(YES) option, and must be capable of displaying
a BMS map.
- TRANSACTION
- CICS initiates a transaction at the terminal. The name of the transaction
is specified by the RMTRAN system initialization parameter. (The default transaction
for this is the one specified in the GMTRAN system initialization parameter:
the good-morning transaction.) TRANSACTION is more versatile than MESSAGE.
The terminal must be defined with ATI(YES).
- RESSECNUM({0|value|PUBLIC})
- specifies the resource security value to be associated with this file.
This attribute is used when an EXEC command is executed within a transaction
that has been defined with RESSEC(YES), and the command is attempting to reference
this file.
- 0
- A transaction defined with RESSEC(YES) is not allowed access to the file.
- value
- The resource security value, in the range 1 through 24. When a transaction
defined with RESSEC(YES) attempts to reference this file, value is
checked against the keys derived from RESSECKEYS either in the sign-on table,
or from the TERMINAL definition. If one of these keys matches value,
the transaction is allowed access to the file.
- PUBLIC
- Any transaction is allowed access to the file, regardless of whether security
checking is specified or not.
- RPG
- RPG
was a permitted value for the LANGUAGE option of a PROGRAM resource until CICS Transaction Server for OS/390®.
- RSL(0|value|PUBLIC)
- specifies the resource security value to
be associated with this resource. This operand is used when an EXEC command
is executed within a transaction that has been defined with RSLC(YES), and
the command is attempting to reference the partition set.
- 0
- A transaction defined with RSLC(YES) is not allowed access to the partition
set.
- value
- The resource security value, in the range 1 through 24. When a transaction
defined with RSLC(YES) attempts to reference this partition set, value is
checked against the keys derived either from the RSLKEY in the sign-on table,
or from the OPERRSL on the TERMINAL definition. If one of these keys matches value,
the transaction is allowed access to the partition set.
- PUBLIC
- Any transaction is allowed access to the partition set, regardless of
whether no security checking or RSL checking is specified. However, if an
external security manager is in force, it checks access authorities no matter
what RSL value (including PUBLIC) has been defined for the resource.
- SSL({CLIENTCERT|NO|YES})
- specifies the secure sockets layer (SSL) type for this logical EJB/CORBA
server:
- CLIENTCERT
- SSL is used and authentication must be performed using a client certificate.
You must specify a value for SSLPORT.
If you install a TCP/IP service
on the SSL port, the TCPIPSERVICE definition must specify SSL(CLIENTAUTH)
and AUTHENTICATE(CERTIFICATE). (This means that the client is required to
send an SSL certificate which maps to an external security manager userid.)
- NO
- SSL is not used. This CorbaServer does not have an SSL port.
- YES
- SSL is used. You must specify a value for SSLPORT.
If you install a
TCP/IP service on the SSL port, the TCPIPSERVICE definition must be specified
in one of the following ways:
- SSL(CLIENTAUTH) and AUTHENTICATE(NO). The client is asked for an SSL certificate
and, if it sends one, CICS uses any userid configured for it.
- SSL(YES) and AUTHENTICATE(NO). SSL is used, but the client is not asked
for an SSL certificate.
- SSLPORT(NO|number)
- specifies
the TCP/IP port number to be used for SSL communication by this logical EJB/Corba
server. The port number must be in the range 1–65535. The default is No.
If
SSL is NO, the value of this option is ignored.
If SSL is YES, the
default for SSLPORT is 00684.
You must not specify the same port number
for PORT and SSLPORT.
- TCLASS({NO|value})
- specifies the class associated with the task.
- NO
- No class is assigned to the task.
- value
- The decimal value (from 1 to 10) of the class associated with a task.
Note: Do not specify a TCLASS for a CICS-supplied transaction,
because it may not be able to start if the class threshold is reached.
- TRANSACTION(name)
- allows only the specified transaction to be initiated from this device.
The name
can be up to four characters in length. The acceptable characters are: A-Z
a-z 0-9 $ @ # . / - _ % & ¢ ? ! : | " = ¬ , ; < >.
If you code
this operand for a 3270 display, the only CICS functions the operator is able
to invoke—other than this transaction—are paging commands and print requests.
- TRANSEC({1|value})
- specifies the transaction security value, in the range 1 through 64. When
a user attempts to initiate the transaction, or when it is automatically initiated
(through transient data or interval control), value is
matched against the user's security keys defined in the DFHSNT SCTYKEY operand
or, if the user is not signed on, the security keys defined in OPERSECURITY
on the TERMINAL definition. If value is present
in the security keys, the transaction is initiated.
Because
all users and terminals have a security key of 1, any transaction with the
default TRANSEC value of 1 is an unsecured transaction, and as such, it can
be initiated by any user on the CICS system, whether they are signed on or
not.
- XRFSIGNOFF({NOFORCE|FORCE})
- specifies the sign-on characteristics of a group of terminals.
- FORCE
- CICS should force sign-off of these terminals after an extended recovery
facility (XRF) takeover.
- NOFORCE
- CICS should not force sign-off of these terminals after an extended recovery
facility (XRF) takeover.
If you have a collection of terminals in a security-sensitive
area, for example, you might choose to force sign-off of those terminals after
a takeover, to prevent the use of the terminal in the absence of the authorized
user. (This could happen if the authorized user left the terminal during takeover,
and the terminal became active again while it was unattended.) This option
works in conjunction with the XRFSOFF system initialization parameter and
the XRFSOFF entry in the CICS RACF segment (if you are running RACF 1.9).