Migration considerations for security with DBCTL

Before migrating, review the security facilities available and decide which ones you want to use in a CICS-DBCTL environment--in particular, whether you need to use the additional DBCTL checks.

Security migration scenarios

Figure 35 and Figure 36 show considerations for migrating installations that already use PSB security checking.

CICS PSB authorization checking

Figure 35 shows migration from a CICS® system with local DL/I to a CICS system with DBCTL. In this situation, you can retain all existing security-related definitions.

Figure 35. CICS with local DL/I to CICS with DBCTL
 This figure shows a two-stage scenario for migrating from local DL/I to DBCTL. The first stage shows a CICS system with local DL/I and associated databases. The second stage shows these databases under the control of DBCTL, to which CICS is connected.

Figure 36 shows migration from a multiregion operation (MRO) installation with a CICS database-owning region (DOR) and local DL/I to DBCTL, which replaces local DL/I and the DOR. If you already use PSB security checking in the CICS application-owning regions (AORs), you do not need any security-related changes.

Figure 36. MRO installation with CICS DOR with DBCTL replacing local DL/I
 This figure shows a two-stage migration scenario involving MRO. The first stage shows a CICS DOR with local DL/I and associated databases. Two CICS AORs connect to the CICS DOR. In the second stage, the CICS DOR and local DL/I have been replaced with DBCTL, and the CICS AORs connect to DBCTL.

Figure 37 shows PSB RACF® checking being done in the CICS DOR.

Figure 37. Local DL/I environment--PSB RACF checking in CICS DOR
 This figure shows two CICS AORs with no RACF checking of PSBs, connected to a CICS DOR with local DL/I and databases in which RACF checking of PSBs is done.

If you want this kind of checking after replacing the DOR with DBCTL, it must be done in the CICS AORs that use DBCTL, as shown in Figure 38.

Figure 38. DBCTL environment--PSB RACF checking in CICS AOR
 This figure shows two CICS AORs connected to DBCTL, which has databases. RACF PSB checking is done in the AORs, because DBCTL is present.

Decide whether you want to keep your previous setup with respect to grouping PSBs, and using or not using prefixes.

Review the CICS system initialization parameters SEC, XPSB, and PSBCHK for each CICS AOR. Depending on any changes you make to these parameters, you may also need to change the corresponding RACF definitions (CDT class names, RDEFINE, and PERMIT).

DBCTL resource access security checking

Follow the steps below only if you have decided to use the additional DBCTL checks.

  1. DBCTL system generation

    Select the appropriate macros and parameters:

  2. Application group name (AGN)

    For multiple CICS systems connected to DBCTL, first decide whether you want to use the same, or different, AGNs.

    Specify the appropriate AGN in the DRA startup parameter table for each CICS, or by a BMP JCL parameter (AGN=).

  3. Allocate MATRIX data set, and

    If you want to use online change, you must also define MATRIXA and MATRIXB.

    For further guidance on space calculations, see the section on establishing IMS™ security in the IMS System Administration Guide or the IMS Administration Guide: System.

  4. Define AGNs and their PSBs using the IMS security maintenance utility, DFSISMP0.

    Note that you can run DFSISMP0 only after DBCTL system generation has completed.

  5. For password security checking, define the PSBs (or programs) and/or databases and the passwords to be used with /LOCK and /UNLOCK in the MATRIX data set.
  6. Specify the value of the DBCTL startup parameter ISIS. Values are as follows:

    ISIS=0 - no checks
    ISIS=1 - checks using RACF
    ISIS=2 - checks using an installation exit (DFSISIS0)

RACF preparations

  1. CICS P/QCICSPSB definitions.
  2. Specify RDEFINE for AGNs in RACF CLASS AIMS.
  3. Specify PERMIT for CICS USERIDs.

    Before CICS or a BMP can connect to DBCTL, the USERID from the JOB statement of the CICS startup job or the BMP JCL must be authorized to access its AGN.

  4. You may want to write a simple program to list existing RACF profiles for PCICSPSB and QCICSPSB and construct the control statements needed for the IMS security maintenance utility. The group structure for PSBs within RACF (QCICSPSB) will probably be the same as that required within DBCTL AGN groups, plus the additional groups needed for BMPs.
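
The "simple program" suggested in step 4 could look like the following sketch, which is an added example and not code from the CICS or IMS documentation. It reads a QCICSPSB group listing, strips an optional region prefix, adds the extra BMP groups, and emits AGN and AGPSB statements. Assumptions: the sample listing is constructed and only modelled on RACF RLIST output, prefixed profiles take the form prefix.name, names are 1 to 8 characters, and the `)( AGN` / `AGPSB` statement syntax must be checked against the DFSISMP0 reference; the group and PSB names are hypothetical.

```python
import re
# Constructed listing, trimmed to the lines parsed here. The layout is modelled
# on RACF RLIST output for a grouping class (assumption: check your own output).
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
QCICSPSB   PAYGRP

RESOURCES IN GROUP
--------- -- -----
CICSA.PAYPSB2
CICSA.PAYPSB1

CLASS      NAME
-----      ----
QCICSPSB   STOCKGRP

RESOURCES IN GROUP
--------- -- -----
CICSA.STKPSB1
"""
NAME_RE = re.compile(r"[A-Z0-9@#$]{1,8}")  # assumed rule for AGN and PSB names

def parse_groups(listing, cls="QCICSPSB", prefix=None):
    """Return {group: [psb, ...]}, stripping an optional 'prefix.' qualifier."""
    groups, members, in_members = {}, None, False
    for line in map(str.strip, listing.splitlines()):
        if not line:
            in_members = False              # a blank line ends the member list
        elif line.startswith(cls + " "):    # profile line: class, then group name
            members = groups.setdefault(line.split()[1], [])
        elif line.startswith("RESOURCES IN GROUP"):
            in_members = members is not None
        elif in_members and not line.startswith("-"):
            psb = line.split()[0]
            if prefix and psb.startswith(prefix + "."):
                psb = psb[len(prefix) + 1:]
            members.append(psb)
    return groups

def agn_statements(groups, bmp_groups=None):
    """Build AGN/AGPSB statements (assumed syntax), one AGN per RACF group."""
    out = []
    for agn, psbs in sorted({**groups, **(bmp_groups or {})}.items()):
        for name in (agn, *psbs):
            if not NAME_RE.fullmatch(name):  # e.g. a prefix left in place
                raise ValueError(f"not usable as an AGN or PSB name: {name!r}")
        out.append(f")( AGN {agn}")
        out.extend(f"AGPSB {psb}" for psb in sorted(set(psbs)))
    return out
```

If the AORs use prefixed profiles and the prefix is not passed to `parse_groups`, `agn_statements` raises instead of emitting a statement that names a PSB DBCTL does not know.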

Related concepts
Security checking with DBCTL
PSB authorization checking by CICS
Resource access security checking by DBCTL
DBCTL password security checking