Specifying LU 6.2 security requirements

Specifying your security requirements involves entries in several CEDA and macro resource definitions:

Note:
If a definition is included in the supplied group DFHISC, you should copy it to another group before making any changes.

Mirror transaction

If you want security protection of CICS/VSE resources such as files, transient data destinations, and temporary storage queues, you must specify RSLC(YES) for the mirror transaction. You can protect the mirror transaction itself by specifying a TRANSEC value other than 1 or an RSL value other than PUBLIC, or both. TRANSEC (2-64) causes a check of the operator class and link security keys when the mirror is invoked from a CICS® non-System/390® terminal. RSL(00) prevents access to the mirror transaction by any other transaction that is itself specified with RSLC(YES).

The simplest way to protect your resources is suggested below. With these definitions, the mirror transaction itself is unprotected. You control CICS/VSE resource security by the resource RSL key and the connection, terminal, and user keys.

ALTER TRANSACTION (CPMI) GROUP(CICSWIN)
OVERTYPE TO MODIFY
 CEDA  ALTER
 ...................................
 ...................................
 SECURITY
 Extsec           No                  No|Yes
 TRANsec          01                  1-64
 RSL              00                  0-24|Public
 RSLC             YES                 No|Yes|External
 ...................................
 ...................................

Mirror program and data conversion modules

If you specify RSLC=YES for the mirror transaction, CICS checks the RSL keys for all resources it accesses. These resources include the mirror program, and the data conversion modules, DFHCNV, DFHCCNV, and DFHUCNV. Each resource can be associated with only one key, and the RSL key for each resource is likely to be different. It is therefore easiest to specify the key for all these modules as PUBLIC, which allows unprotected access. This creates no security exposure if you protect your data resources.

It is recommended that you specify the RSL key for the mirror program as shown, and repeat for DFHCNV, DFHCCNV, and DFHUCNV.

ALTER PROGRAM(DFHMIRS) GR(CICSWIN)
OVERTYPE TO MODIFY
 CEDA ALTer
 ...................................
 ...................................
 RSL              Public              0-24|Public
 ...................................
 ...................................

Connection

The ATTACHSEC value in the connection definition determines the level of user security. If you want CICS/VSE to verify each user and password, alter the connection definition as shown below. For links between CICS Transaction Server for Windows and CICS/VSE, do not specify BINDPASSWORD.

ALTER CONNECTION (APPC) GR(CICSWIN)
OVERTYPE TO MODIFY
 CEDA ALTer
 ...................................
 ...................................
 ATtachsec        Verify              Local|Identify|Verify
 ...................................
 ...................................

Session

The OPERRSL values in the session definition must include the RSL key of any protected resource accessed. The OPERSECURITY values must include the TRANSEC key of any protected transaction accessed. Only resources with an RSL key of 4 and transactions with a TRANSEC key of 10 can be accessed by links set up with the session definition below.

ALTER SESSION (ONE) GR(CICSWIN)
OVERTYPE TO MODIFY
 CEDA ALTer
 ...................................
 ...................................
 OPERRsl          4                   0-24
 OPERSECurity     10                  1-64
 ...................................
 ...................................

Transaction

Security of transaction routing from a CICS non-System/390 system is affected by the definition of the routed transaction. The example shows the security fields in the definition of a transaction. The meanings of the entries shown are:

EXTSEC(NO)
specifies the use of CICS resource security level (RSL) checking rather than an external security manager.
TRANSEC(10)
specifies that routing of this transaction is permitted only if the link and terminal OPERSECURITY keys include the value 10. If the terminal has no OPERSECURITY key, the user’s SNT operator keys must include the value 10. For example, TRANSEC(1) means that the transaction can be attached by any user or terminal.
RSL(0)
prevents invocation of this transaction by other transactions defined with RSLC(YES). This protects the transaction without affecting transaction routing.
RSLC(YES)
specifies that security checking is required for resources accessed by this transaction.

ALTER TRANSACTION (RTED) GR(CICSWIN)
OVERTYPE TO MODIFY
 CEDA ALTer
 ...................................
 ...................................
 SECURITY
 Extsec           No                  No|Yes
 TRANsec          10                  1-64
 RSL              00                  0-24|Public
 RSLC             YES                 No|Yes|External
 ...................................
 ...................................

File control table (FCT)

If FILEA is to have a resource security value of 4, generate your file control table (FCT) to include the following definition:

Figure 5. File control table

          DFHFCT TYPE=FILE,                                         X
                 DATASET=FILEA,                                     X
                 RSL=4,                                             X

To protect transient data destinations and temporary storage queues, use a similar entry in any DFHDCT TYPE=EXTRA, DFHDCT TYPE=INTRA, and DFHTST TYPE=SECURITY macros.

Signon table (SNT)

Specify each CICS non-System/390 user in the SNT on CICS/VSE, as shown in Figure 6. For a CICS non-System/390 user to use a CICS/VSE link with ATTACHSEC=VERIFY security, an entry in the non-System/390 signon table (or equivalent) must have a password and user ID that exactly match an entry in the CICS/VSE signon table.

For ATTACHSEC=IDENTIFY, only the user IDs must match.

For ATTACHSEC=LOCAL, all users can use the link.

Assuming the connection is defined with ATTACHSEC=VERIFY, the example CICS/VSE SNT entry below makes the link available to a CICS Transaction Server for Windows user with a CICS Transaction Server for Windows SNT entry that specifies user ID USR1 and password PAS1.

Figure 6. Example signon table

          DFHSNT TYPE=ENTRY,                                       X
                OPIDENT=USR1,                                      X
                PASSWORD=PAS1,                                     X
                USERID=USR1

The user’s authority to access resources is determined by the RSLKEY, SCTKEY, and OPCLASS options in this entry.
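To check the Session, Transaction, and Signon table definitions above against sample values before putting them into a group, here is an added Python model of the rules this page states (ATTACHSEC matching, TRANSEC against OPERSECURITY keys, RSL against OPERRSL). It is an illustration written for this page, not CICS code, and the signon table entries it uses are constructed.

```python
import hmac

# Constructed sample CICS/VSE signon table (user ID -> password).
VSE_SNT = {"USR1": "PAS1", "USR2": "OTHER"}


def attach_permitted(attachsec, userid, password, vse_snt=VSE_SNT):
    """ATTACHSEC decides how much of the remote signon must match CICS/VSE."""
    if attachsec == "LOCAL":                  # all users can use the link
        return True
    if userid not in vse_snt:                 # IDENTIFY and VERIFY need the user ID
        return False
    if attachsec == "IDENTIFY":
        return True
    # VERIFY: the password must match exactly as well (constant-time compare).
    return hmac.compare_digest(vse_snt[userid].encode(), password.encode())


def routing_permitted(transec, link_keys, terminal_keys, user_keys):
    """TRANSEC(n) routes only if the link and terminal OPERSECURITY keys include n;
    a terminal with no OPERSECURITY key falls back to the user's SNT operator keys."""
    if transec == 1:                          # TRANSEC(1): any user or terminal
        return True
    if transec not in link_keys:
        return False
    keys = user_keys if terminal_keys is None else terminal_keys
    return transec in keys


def resource_accessible(rsl, operrsl):
    """RSL PUBLIC is unprotected; otherwise the session OPERRSL must include the key."""
    return rsl == "PUBLIC" or rsl in operrsl


def check_page_example():
    """Values from this page: OPERRSL 4, OPERSECURITY 10, FILEA RSL=4, RTED TRANSEC(10)."""
    return (
        resource_accessible(4, {4}),              # FILEA via session ONE
        resource_accessible("PUBLIC", {4}),       # DFHMIRS and the conversion modules
        resource_accessible(5, {4}),              # a file with RSL=5 is refused
        routing_permitted(10, {10}, None, {10}),  # no terminal key, SNT key 10
        routing_permitted(10, {10}, {3}, {10}),   # terminal key 3 blocks RTED
    )
```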

Related concepts
Introduction to CICS/VSE internal security