CICS command security


Phil Emrich
08.24.2006


I'm running z/OS 1.4 and CICS TS 2.2 for CICS. Is there any way to monitor who used CEMT and command (SET,Perform) in CICS?

You indicated that you specified SEC=YES, XTRAN=YES, and XCMD=YES in the CICS initialization parameters. You didn't describe the problem you encountered, but I'll assume it was related to the CICS command security mechanism that was enabled by specifying XCMD=YES.

You didn't identify any profiles you defined in the RACF supplied resource classes used for CICS command security, member class CCICSCMD and group class VCICSCMD. The resource names that you may define as member class profiles or as member names within group class profiles are documented in Table 12 within Chapter 8 of the CICS RACF Security Guide. The manual number for the CICS TS V2,R2 version of this book is SC34-6011-00.

For any profiles you have defined in the CCICSCMD or VCICSCMD classes, you can cause RACF to create an SMF TYPE 80 record for any CICS SET, PERFORM, CREATE, or DISCARD commands by issuing the following commands for each of the existing profiles:

RALT CCICSCMD profile_name AUDIT(SUCCESS(UPDATE)) or
RALT VCICSCMD profile_name AUDIT(SUCCESS(UPDATE))

Whether or not you have defined profiles in the CCICSCMD or VCICSCMD classes to cover all of the documented resource names, it's desirable to define the following profile in the CCICSCMD resource class:

RDEF CCICSCMD ** OWNER(.....) UACC(READ)

This profile will allow any EXEC CICS INQUIRE or COLLECT commands to execute successfully for any resource names not covered by one of the other profiles, but will cause any request to change the status of any of the CICS resource types not covered by other profiles to fail with a NOTAUTH response and produce both an ICH408I message and an SMF TYPE 80 record for the failed attempt to execute an EXEC CICS SET, PERFORM, CREATE, or DISCARD command.

If you are also using any of the additional pairs of RACF resource classes for CICS programs, files, TD queues, TS queues, journals, or started transactions, specified by the XPPT, XFCT, XDCT, XTST, XJCT, or XPCT initialization parameters, you may also encounter security problems when using the supplied transaction definition for CEMT in RDO group DFHOPER, as this definition specifies RESSEC(YES) as well as CMDSEC(YES).

This definition for CEMT will require the user to have access to the resource security profile covering the resource name as well as access to the command security profile covering the type of resource, at the required level, to allow commands to be processed.

You can create an alternate definition for CEMT with RESSEC(NO) by copying the supplied definition to an RDO group of your choosing and then altering the RESSEC option. If the DFHOPER group is included in the lists of groups installed in CICS during COLD start processing, ensure that the group containing your alternate definition for CEMT follows the DFHOPER group so that your definition will override the supplied definition for CEMT.
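
The interaction of the ** backstop profile, AUDIT(SUCCESS(UPDATE)) and RESSEC(YES) described above, as a simplified Python model added here (not part of the original answer, and not RACF's or CICS's actual algorithm). The access level per command, the default AUDIT(FAILURES(READ)), the user IDs and the FILE and PAYROLL profiles are assumptions constructed for illustration.

```python
# Simplified model of the two checks behind a CEMT request; not real RACF/CICS logic.
LEVEL = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}
# Assumed access needed per command: READ to look, UPDATE or ALTER to change state.
NEEDS = {"INQUIRE": "READ", "COLLECT": "READ", "SET": "UPDATE",
         "PERFORM": "UPDATE", "CREATE": "ALTER", "DISCARD": "ALTER"}


def profile(uacc="NONE", permits=None, success=None, failures="READ"):
    """Constructed profile: UACC, access list, AUDIT(SUCCESS(..)) and AUDIT(FAILURES(..))."""
    return {"uacc": uacc, "permits": permits or {},
            "success": success, "failures": failures}


def racf_check(profiles, name, user, need):
    """Return (allowed, smf80_written); names without their own profile use '**'."""
    prof = profiles.get(name, profiles["**"])
    have = prof["permits"].get(user, prof["uacc"])
    allowed = LEVEL[have] >= LEVEL[need]
    # An audit record is cut when the requested level reaches the audit threshold.
    threshold = prof["success"] if allowed else prof["failures"]
    return allowed, threshold is not None and LEVEL[need] >= LEVEL[threshold]


def cemt(user, verb, rtype, rname, cmd_profiles, res_profiles, ressec=True):
    """Evaluate one CEMT request under CMDSEC(YES) and, optionally, RESSEC(YES)."""
    need = NEEDS[verb]
    ok, logged = racf_check(cmd_profiles, rtype, user, need)
    if ok and ressec:  # RESSEC(YES) adds a second check against the resource class
        ok, logged2 = racf_check(res_profiles, rname, user, need)
        logged = logged or logged2
    return ("NORMAL" if ok else "NOTAUTH"), logged


# Constructed sample profiles: a command class with the '**' UACC(READ) backstop and
# one audited FILE profile, plus a file resource class as enabled by XFCT.
CMD = {"FILE": profile(permits={"OPER1": "UPDATE"}, success="UPDATE"),
       "**": profile(uacc="READ")}
RES = {"PAYROLL": profile(permits={"PAYADM": "UPDATE"}),
       "**": profile(uacc="READ")}

if __name__ == "__main__":
    print(cemt("OPER1", "SET", "FILE", "PAYROLL", CMD, RES, ressec=True))
    print(cemt("OPER1", "SET", "FILE", "PAYROLL", CMD, RES, ressec=False))
    print(cemt("GUEST", "INQUIRE", "TASK", "T1", CMD, RES, ressec=False))
    print(cemt("GUEST", "SET", "TASK", "T1", CMD, RES, ressec=False))
```

With RESSEC(YES), OPER1 passes the command check but fails on the file's own profile; with RESSEC(NO) the same request succeeds and is still audited by the command profile.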
