During the operation of CICS® ONC RPC, various CICS commands are used to make security checks with an external security manager (ESM). The checks will always give positive results if SEC=NO is specified as a system initialization parameter. The checks will always give negative results if SEC=YES was specified, but the ESM abended while CICS was operating. The following discussion of the use made of CICS security commands assumes that SEC=YES is specified, and that the ESM is active.
- When a transaction whose user ID is userid1 issues EXEC CICS START USERID(userid2), a surrogate-user check is made with the ESM to see that userid1 is authorized to use userid2. The check is made only if XUSER=YES is specified as a system initialization parameter. This command is issued when the connection manager starts the server controller, and each time the server controller starts an alias transaction. In the first case, the user ID used is the one supplied to the connection manager as CRPM Userid on panel DFHRP02. In the second case, the user ID used is the one output from Decode.
- EXEC CICS VERIFY PASSWORD is issued by the alias before it links to the CICS program that services the client request. A check is made with the ESM that the user ID and password are an acceptable combination.
- EXEC CICS QUERY SECURITY is used by the alias to check that the user ID under which it is executing is authorized to use the CICS program. The check is made only if XPPT=YES is specified as a system initialization parameter.
- During the operation of the CICS program, security checks are made each time the program tries to access a protected resource. The check is made only if RESSEC(YES) is specified in the definition of the alias transaction, and the system initialization parameter controlling security checking for the resource type is set to YES.
- During the operation of the CICS program, security checks are made each time the program tries to use a command from the CICS SPI (system programming interface). The check is made only if CMDSEC(YES) is specified in the definition of the alias transaction, and if XCMD=YES is specified as a system initialization parameter.
Figure 64 shows how CICS security interacts with the operation of CICS ONC RPC.
The figure shows that the alias will link to the user-supplied resource checker program if one is configured, but the use of the resource checker program is not recommended. You should use the CICS security facilities, and make the appropriate definitions in the ESM.
RACF® Secured Sign-on support allows clients to gain security access to CICS facilities by sending a PassTicket (that is, a one-time-only password). This avoids the security hazard of a password being transmitted across the network in clear text.
For further information, see Resource Access Control Facility: System Programmer's Guide, Version 2 Release 2. This includes details of the algorithm that the RPC client must use to generate the PassTicket. The algorithm is based on DES.
PassTicket generation
The algorithm that generates the PassTicket is a function of:
- The CICS user ID of the client
- The CICS application ID of the CICS region running CICS ONC RPC
- A secured sign-on application key, known to both sides
- A time and date stamp
To generate the PassTicket, the client must:
- Know its CICS user ID, the server CICS application ID, and the application key.
- Synchronize its clock to within ten minutes of the server.
- Have access to the encryption algorithm on its machine. Only the DES algorithm may be used.
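The following is an added illustration of the properties listed above (ticket derived from user ID, application ID, shared application key and time; ten-minute clock tolerance; one-time use). It is not IBM code and not the RACF PassTicket algorithm, which uses DES with a layout defined in the RACF System Programmer's Guide; HMAC-SHA256 is substituted here as an assumption so the block runs without a DES library, and the one-minute rounding and eight-digit ticket length are constructed choices.

```python
"""Toy model of a PassTicket-style one-time, time-bounded sign-on token.

Added example, not IBM code and not the real RACF algorithm (which is
DES-based). HMAC-SHA256 stands in for DES here (assumption). The point
shown is the server-side check: accept a ticket only if it recomputes
within the ten-minute clock window and has not been presented before.
"""
import hashlib
import hmac

WINDOW_SECONDS = 10 * 60   # client clock must be within ten minutes of server
TICKET_DIGITS = 8          # constructed ticket length for this toy model


def make_ticket(userid: str, applid: str, app_key: bytes, timestamp: int) -> str:
    """Derive a ticket from user ID, application ID, shared key and time.

    The timestamp is rounded down to a whole minute (assumption) so both
    sides only need to agree on the minute, not the exact second.
    """
    minute = timestamp // 60
    msg = f"{userid.upper():<8}{applid.upper():<8}{minute}".encode("ascii")
    mac = hmac.new(app_key, msg, hashlib.sha256).digest()
    return "".join(str(b % 10) for b in mac[:TICKET_DIGITS])


class TicketVerifier:
    """Server side: recompute for every minute in the window, accept once."""

    def __init__(self, app_key: bytes, applid: str) -> None:
        self.app_key = app_key
        self.applid = applid
        # (userid, ticket) pairs already accepted; a real server would age
        # these out once they fall outside the window.
        self.used: set[tuple[str, str]] = set()

    def verify(self, userid: str, ticket: str, server_time: int) -> bool:
        if (userid, ticket) in self.used:
            return False   # replay: a PassTicket is one-time-only
        for offset in range(-WINDOW_SECONDS, WINDOW_SECONDS + 1, 60):
            candidate = make_ticket(userid, self.applid, self.app_key,
                                    server_time + offset)
            if hmac.compare_digest(candidate, ticket):
                self.used.add((userid, ticket))
                return True
        return False   # outside the window, wrong key, or wrong user/applid
```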