In CICS Transaction Server Version 2.2 is there an option to allow for the addition of the 8-byte RACF identifier to the format of general log journal record?

Most of the access to our CICS TOR is via a TCP/IP stack on the mainframe and it uses a pool of approximately 8,000 NETNAMES to grant access to VTAM. When access is attempted to our TOR, the auto-install program verifies that the NETNAME should be allowed access by reading a VSAM file. If a record is found, a TERM ID assigned to that NETNAME is then installed. Because of audit concerns the owners of sensitive data stored in VSAM files have asked us to journal reads to these files in CICS as well as updates. When they suspect that inappropriate access to the data has happened, they currently have to use a combination of the CICS journal records, RACF successes report and a copy of the auto-install file to identify possible offenders. If the CICS journal record contained the RACF ID then they would have all of the information by simply accessing the journal backups.
I think for your case you should look into creating a distinct journal/logger stream just to record these accesses. You could stick in there the access to the first lookup/verification file to obtain the Termid authorization and at the end of the session record a gone away status. Access to the various secret VSAM files would also be recorded in this journal/stream, recording the FileName, Key, Termid and Userid as required. I would use the file control XFCFROUT GLUE to monitor VSAM requests, and then use the DFHJCJCX WRITE_JOURNAL_DATA XPI command to write the required information.
CICS Technical Strategist -- CICS expert at Search390.com
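
The following is an added example, not part of the expert's answer and not IBM or CICS code. It shows how an auditor could read an extract of the dedicated journal stream described above and answer "who read which key" from that one source. The fixed-width EBCDIC layout, the record-type byte (S = session start, R = file read, E = gone away), the file names and the user IDs are all assumptions made for illustration.

```python
# Added example: hypothetical fixed-width layout for the dedicated audit
# journal. Field widths and the record-type byte are assumptions.
import struct

LAYOUT = struct.Struct("1s8s16s4s8s")   # type, FileName, Key, Termid, Userid
FIELDS = ("rtype", "file", "key", "termid", "userid")
WIDTHS = (1, 8, 16, 4, 8)
EBCDIC = "cp037"

def pack(rtype, file="", key="", termid="", userid=""):
    """Build one blank-padded EBCDIC record (used for the constructed sample)."""
    vals = (rtype, file, key, termid, userid)
    return LAYOUT.pack(*(v.ljust(w).encode(EBCDIC) for v, w in zip(vals, WIDTHS)))

def parse(stream):
    """Split a journal extract into dicts; refuse a truncated trailing record."""
    if len(stream) % LAYOUT.size:
        raise ValueError("truncated record in journal extract")
    for raw in LAYOUT.iter_unpack(stream):
        yield dict(zip(FIELDS, (f.decode(EBCDIC).rstrip() for f in raw)))

def audit(stream, sensitive_files):
    """Return (reads of sensitive files, reads with no matching open session)."""
    open_sessions, reads, orphans = {}, [], []
    for rec in parse(stream):
        if rec["rtype"] == "S":                      # Termid authorized
            open_sessions[rec["termid"]] = rec["userid"]
        elif rec["rtype"] == "E":                    # gone-away status
            open_sessions.pop(rec["termid"], None)
        elif rec["rtype"] == "R" and rec["file"] in sensitive_files:
            hit = (rec["userid"], rec["termid"], rec["file"], rec["key"])
            reads.append(hit)
            if open_sessions.get(rec["termid"]) != rec["userid"]:
                orphans.append(hit)                  # read outside a session
    return reads, orphans

# Constructed sample extract (not from a real system).
SAMPLE = b"".join([
    pack("S", termid="T001", userid="USERA"),
    pack("R", "PAYROLL", "0000012345", "T001", "USERA"),
    pack("R", "PUBLIC", "0000000001", "T001", "USERA"),
    pack("E", termid="T001", userid="USERA"),
    pack("R", "PAYROLL", "0000099999", "T001", "USERB"),
])

if __name__ == "__main__":
    reads, orphans = audit(SAMPLE, {"PAYROLL"})
    for r in reads:
        print("READ  ", *r)
    for o in orphans:
        print("REVIEW", *o)
```

Because each read record carries the Userid and Termid itself, the RACF report and the auto-install file are no longer needed to attribute an access; the session records only serve as a consistency check.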