
CICS command security

I'm running z/OS 1.4 and CICS TS 2.2 for CICS. Is there any way to monitor who used CEMT and command (SET,Perform) in CICS?


You indicated that you specified SEC=YES, XTRAN=YES, and XCMD=YES in the CICS initialization parameters. You didn't describe the problem you encountered, but I'll assume it was related to the CICS command security mechanism that was enabled by specifying XCMD=YES.

You didn't identify any profiles you defined in the RACF supplied resource classes used for CICS command security, member class CCICSCMD and group class VCICSCMD. The resource names that you may define as member class profiles or as member names within group class profiles are documented in Table 12 within Chapter 8 of the CICS RACF Security Guide. The manual number for the CICS TS V2,R2 version of this book is SC34-6011-00.

For any profiles you have defined in the CCICSCMD or VCICSCMD classes, you can cause RACF to create an SMF TYPE 80 record for any CICS SET, PERFORM, CREATE, or DISCARD commands by issuing the following commands for each of the existing profiles:

RALT CCICSCMD profile_name AUDIT(SUCCESS(UPDATE)) or
RALT VCICSCMD profile_name AUDIT(SUCCESS(UPDATE))

Whether or not you have defined profiles in the CCICSCMD or VCICSCMD classes to cover all of the documented resource names, it's desirable to define the following profile in the CCICSCMD resource class:

RDEF CCICSCMD ** OWNER(.....) UACC(READ)

This profile will allow any EXEC CICS INQUIRE or COLLECT commands to execute successfully for any resource names not covered by one of the other profiles, but will cause any request to change the status of any of the CICS resource types not covered by other profiles to fail with a NOTAUTH response and produce both an ICH408I message and an SMF TYPE 80 record for the failed attempt to execute an EXEC CICS SET, PERFORM, CREATE, or DISCARD command.

If you are also using any of the additional pairs of RACF resource classes for CICS programs, files, TD queues, TS queues, journals, or started transactions, specified by the XPPT, XFCT, XDCT, XTST, XJCT, or XPCT initialization parameters, you may also encounter security problems with using the supplied transaction definition for CEMT in RDO group DFHOPER, as this definition specifies RESSEC(YES) as well as CMDSEC(YES).

This definition for CEMT will require the user to have access to the resource security profile covering the resource name as well as access to the command security profile covering the type of resource, at the required level, to allow commands to be processed.

You can create an alternate definition for CEMT with RESSEC(NO) by copying the supplied definition to an RDO group of your choosing and then altering the RESSEC option. If the DFHOPER group is included in the lists of groups installed in CICS during COLD start processing, ensure that the group containing your alternate definition for CEMT follows the DFHOPER group so that your definition will override the supplied definition for CEMT.
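The answer above notes that a failed SET, PERFORM, CREATE or DISCARD against the CCICSCMD catch-all profile produces an ICH408I message (and an SMF type 80 record). The script below is an added example, not part of the expert's answer or of any IBM-supplied tooling: it scans a syslog extract for ICH408I blocks, pulls out the user, group, resource name, resource class and the intended versus allowed access level, and then filters for the CICS command security classes so an auditor can see who attempted an UPDATE-level CICS command without authority. The sample messages are constructed for this example (user IDs, groups and resource names are made up), and the parser assumes the common ICH408I layout of a USER/GROUP header line followed by indented continuation lines; installations with message routing or MPF exits that reformat the text would need the regular expressions adjusted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed syslog extract for this example. The IDs, groups and names are
# made up; the layout follows the usual ICH408I shape (header line, then
# indented continuation lines), which is an assumption about the installation.
SAMPLE_SYSLOG = """\
ICH408I USER(OPER01  ) GROUP(CICSOPS ) NAME(OPERATOR ONE        )
  FILE CL(CCICSCMD)
  INSUFFICIENT ACCESS AUTHORITY
  FROM ** (G)
  ACCESS INTENT(UPDATE  )  ACCESS ALLOWED(READ   )
IEF403I CICSPROD - STARTED - TIME=10.15.02
ICH408I USER(DEVUSR2 ) GROUP(CICSDEV ) NAME(DEVELOPER TWO       )
  TRANSACTION CL(CCICSCMD)
  INSUFFICIENT ACCESS AUTHORITY
  FROM TRANSACTION (G)
  ACCESS INTENT(UPDATE  )  ACCESS ALLOWED(READ   )
ICH408I USER(BATCH01 ) GROUP(BATCH   ) NAME(BATCH JOB           )
  SYS1.PARMLIB CL(DATASET )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(ALTER   )  ACCESS ALLOWED(READ   )
"""

# Header line of an ICH408I message: the user and group that were denied.
HEADER_RE = re.compile(r"^ICH408I\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)")
# Continuation line naming the resource and its RACF class.
RESOURCE_RE = re.compile(r"^\s+(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)")
# Continuation line giving the requested and the permitted access level.
INTENT_RE = re.compile(r"ACCESS INTENT\((?P<intent>[^)]*)\)\s+ACCESS ALLOWED\((?P<allowed>[^)]*)\)")

# Classes used for CICS command security (member and group class).
CICS_COMMAND_CLASSES = {"CCICSCMD", "VCICSCMD"}


@dataclass
class AccessFailure:
    user: str
    group: str
    resource: str
    resource_class: str
    intent: str
    allowed: str


def parse_ich408i(text: str) -> List[AccessFailure]:
    """Collect every complete ICH408I block in a syslog extract."""
    failures: List[AccessFailure] = []
    current: Optional[dict] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"user": header["user"].strip(), "group": header["group"].strip()}
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            # An unindented line that is not ICH408I ends the message block.
            current = None
            continue
        res = RESOURCE_RE.match(line)
        if res and "resource" not in current:
            current["resource"] = res["resource"]
            current["resource_class"] = res["cls"].strip()
            continue
        intent = INTENT_RE.search(line)
        if intent:
            failures.append(AccessFailure(
                user=current["user"],
                group=current["group"],
                resource=current.get("resource", "?"),
                resource_class=current.get("resource_class", "?"),
                intent=intent["intent"].strip(),
                allowed=intent["allowed"].strip(),
            ))
            current = None
    return failures


def cics_command_failures(failures: List[AccessFailure]) -> List[AccessFailure]:
    """Keep only denials against the CICS command security classes.

    SET, PERFORM, CREATE and DISCARD need UPDATE access, so an UPDATE intent
    that was denied is a blocked attempt to change a CICS resource."""
    return [f for f in failures
            if f.resource_class in CICS_COMMAND_CLASSES and f.intent == "UPDATE"]


def summarize(failures: List[AccessFailure]) -> Dict[str, int]:
    """Count denied CICS command attempts per user ID."""
    counts: Dict[str, int] = {}
    for f in failures:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    denied = cics_command_failures(parse_ich408i(SAMPLE_SYSLOG))
    for f in denied:
        print(f"{f.user:<8} {f.group:<8} {f.resource_class}/{f.resource}: "
              f"wanted {f.intent}, allowed {f.allowed}")
    print(summarize(denied))
```

Successful SET and PERFORM commands do not produce ICH408I, so this only shows the failures; for the successes the AUDIT(SUCCESS(UPDATE)) setting from the answer is what creates the SMF type 80 records, and those are read with the RACF SMF data unload utility rather than from syslog.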



This was last published in August 2006
