Activating security checking for API commands and resource definitions

To activate CICS® Configuration Manager security checking:

  1. In your external security manager, such as RACF:
    1. Choose an existing resource class, such as FACILITY, or create a new class for CICS Configuration Manager security checking. You can use separate classes for the two types of security check (API commands and resource definitions), or use the same class for both.

      When choosing or creating a class, consider the following:

      Security key length
      The supplied CICS Configuration Manager ISPF dialog and batch client interfaces require a maximum security key length of only 39 characters, allowing you to choose a supplied resource class, such as FACILITY, that supports this key length.

      The client interfaces have this maximum security key length because, in their API command requests, they exclusively use CICS configuration names (up to 8 characters) to refer to the location of resource definitions, never CSD file names (up to 44 characters). The format of security keys for API commands (see below) includes the location parameter that is specified by the API command request; using CICS configuration names keeps the security key length within 39 characters.

      However, if you develop a custom client interface, then its API commands may refer to CSD file names. In this case, you need to choose or create a class that supports keys of up to 75 characters. You can also configure an optional security exit that is invoked before and after each SAF call. See the skeleton exit supplied in the CCVX0001 member of the sample library, SCCVSAMP.

      Special characters
      The class that you use for resource definition key security checks must allow special characters. This is because the security key that the CICS Configuration Manager server creates for this security check includes the resource definition name; for some resources, such as transactions, the name can include special characters. For example, if you define a new class using the RACF command RDEFINE, then specify the following parameter:
      CDTINFO(FIRST(ALPHA,NATIONAL,NUMERIC,SPECIAL),
              OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL)
              …)

      The supplied resource class FACILITY allows special characters.

    2. Define general resource profiles for this class, to match the format of the security keys created by the CICS Configuration Manager server. For details, see:

      For API command security checking, consider temporarily defining a general resource profile such as this:

      CCM.**

      (where CCM is the prefix that you have chosen for the security keys)

      with a universal access authority (UACC) of READ. This enables you to activate security checking in CICS Configuration Manager and then continue to work as before, while you define more specific general resource profiles. When you have finished defining specific profiles, delete this generic profile.

      For more examples of the general resource profiles that you might want to define, see Example security scenario.

    3. Authorize the appropriate users for these profiles.
  2. Ensure that the system initialization parameter SEC of the CICS region running the CICS Configuration Manager server is active (SEC=YES). The CICS Configuration Manager server will perform security checking only if this SIT parameter is active.
  3. In CICS Configuration Manager:
    1. Select primary menu option 1.1 System Options.
    2. Activate either or both security checks: to do this, you will need to enter the name of the resource class and the security key prefix that you have chosen for the security check.
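
The RACF side of steps 1.2 and 1.3 for API command checking, as an added example that is not part of the IBM documentation. It assumes the FACILITY class, the sample prefix CCM used above, a class that is RACLISTed, and a hypothetical group CCMADMIN; `<specific-profile>` is a placeholder because the security key format is not shown on this page. The AUDIT setting is an addition, made so that RACF can log who still depends on the catch-all profile before it is deleted.

```tso
/* Added example. CCMADMIN and <specific-profile> are placeholders.  */

/* Generic profiles must be enabled for the class before CCM.** is   */
/* defined, otherwise the name is treated as a discrete profile.     */
SETROPTS GENERIC(FACILITY)

/* Temporary catch-all profile from step 1.2: every user gets READ.  */
RDEFINE FACILITY CCM.** UACC(READ)

/* Addition: ask RACF to log accesses granted through the catch-all, */
/* so the users who rely on it are known before it is removed.       */
RALTER FACILITY CCM.** AUDIT(ALL(READ))

/* Assumes FACILITY is RACLISTed: refresh the in-storage profiles.   */
SETROPTS RACLIST(FACILITY) REFRESH

/* Define each specific profile with no default access, then grant   */
/* access explicitly (step 1.3). READ is an assumed access level.    */
RDEFINE FACILITY <specific-profile> UACC(NONE)
PERMIT <specific-profile> CLASS(FACILITY) ID(CCMADMIN) ACCESS(READ)

/* Review what now exists under the prefix and who is on each list.  */
SEARCH CLASS(FACILITY) FILTER(CCM.**)
RLIST FACILITY <specific-profile> AUTHUSER

/* When the specific profiles are complete, delete the catch-all so  */
/* that an unmatched security key is no longer granted READ.         */
RDELETE FACILITY CCM.**
SETROPTS RACLIST(FACILITY) REFRESH
```

Until the final RDELETE is issued, any security key that matches no specific profile still falls through to CCM.** and is granted READ.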

Last updated: Friday, 8 February 2013


http://pic.dhe.ibm.com/infocenter/cicsts/v5r1/topic//ccv-security-activate.htm