cics racf security guide release 3

Post on 24-Oct-2014

CICS Transaction Server for OS/390

CICS RACF Security Guide, Release 3

SC33-1701-02

Note! Before using this information and the product it supports, be sure to read the general information under Notices on page xiii.

Third edition (March 1999)

This edition applies to Release 3 of CICS Transaction Server for OS/390, program number 5655-147, and to all subsequent versions, releases, and modifications until otherwise indicated in new editions. Make sure you are using the correct edition for the level of the product.

This edition replaces and makes obsolete the previous edition, SC33-1701-00. The technical changes for this edition are summarized under "Summary of changes" and are indicated by a vertical bar to the left of a change.

Order publications through your IBM representative or the IBM branch office serving your locality. Publications are not stocked at the address given below.

At the back of this publication is a page entitled "Sending your comments to IBM". If you want to make comments, but the methods described are not available to you, please address them to: IBM United Kingdom Laboratories, Information Development, Mail Point 095, Hursley Park, Winchester, Hampshire, England, SO21 2JN.

When you send information to IBM, you grant IBM a nonexclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you.

Copyright International Business Machines Corporation 1989, 1999. All rights reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices
  Programming interface information
  Trademarks

Preface
  What this book is about
  Who this book is for
  What you need to know to understand this book
  How to use this book
  Determining if a publication is current
  Notes on terminology

CICS Transaction Server for OS/390
  CICS books for CICS Transaction Server for OS/390
  CICSPlex SM books for CICS Transaction Server for OS/390
  Other CICS books

Summary of changes
  Changes for CICS Transaction Server for OS/390 Release 3
  Implementing RACF security for CICSPlex SM
  Changes for CICS Transaction Server for OS/390 Release 2
  Changes for CICS Transaction Server for OS/390 Release 1
  Changes for CICS/ESA 4.1

Part 1. Introduction

Chapter 1. Security facilities in CICS
  Why CICS needs security
  What CICS security protects
  What CICS security does not protect
  Terminal user security
  Preset terminal security
  Non-terminal security
  Transaction security
  CICS resource security
  CICS command security
  Surrogate user security
  QUERY SECURITY command
  APPC (LU6.2) session security
  Multiregion operation (MRO) security
  Front End Programming Interface security
  CICS Business Transaction Services
  Generating and using RACF PassTickets

Chapter 2. RACF facilities
  Overview
  RACF administration
  Delegation of RACF administrative responsibility
  RACF user profiles
  RACF segment
  CICS segment
  LANGUAGE segment
  Creating or updating segment data for a CICS user
  RACF group profiles
  Data set profiles
  Generic data set profiles
  Brief summary of RACF commands
  Creating a general resource profile
  Removing a user or group entry from an access list
  Changing a profile
  Deleting a profile
  Copying from a profile
  Listing profiles in a class
  Activating protection for a class
  Defining a generic profile
  Deactivating protection for a class
  Determining active classes
  Security classification of data and users
  Defining port of entry profiles
  Terminal profiles
  Defining a profile of an individual terminal
  Defining a profile of a group of profiles
  Profiles in the TERMINAL or GTERMINAL class
  Universal access authority for undefined terminals
  Console profiles
  Conditional access processing
  General resource profiles
  RACF resource class names
  IBM-supplied resource class names for CICS
  Activating the CICS classes
  Refreshing resource profiles in main storage
  Other IBM-supplied RACF resource class names affecting CICS
  Defining your own resource class names

Part 2. Implementing RACF protection for a single-region CICS

Chapter 3. CICS data set and system security
  CICS installation requirements for RACF
  CICS-supplied RACF dynamic parse validation routines
  Using RACF support in a multi-MVS environment
  Setting options on the MVS program properties table
  Protecting CICS load libraries
  Specifying the CICS region userid
  Authorizing CICS procedures to run under RACF
  Defining user profiles for CICS region userids
  Defining the default CICS userid to RACF
  Authorizing access to MVS log streams
  Authorizing access to CICS data sets
  Authorizing access with the MVS library lookaside (LLA) facility
  Authorizing access to user data sets
  Authorizing access to the temporary storage pools
  Authorizing access to temporary storage servers
  System authorization facility (SAF) responses to the TS server
  Authorizing access to SMSVSAM servers
  Authorizing access to the CICS region
  Controlling the opening of a CICS region's VTAM ACB
  Controlling userid propagation
  Surrogate job submission in a CICS environment
  Attention
  Authorizing the CICS region userid as a surrogate user
  JES spool protection in a CICS environment
  Defining security-related system initialization parameters
  SEC
  SECPRFX
  CMDSEC
  DFLTUSER
  ESMEXITS
  PLTPISEC
  PLTPIUSR
  PSBCHK
  RESSEC
  SNSCOPE
  CICS resource class system initialization parameters
  Using IBM-supplied classes without prefixing
  Using IBM-supplied classes with prefixing
  Using installation-defined classes without prefixing

Chapter 4. Verifying CICS users
  Identifying CICS terminal users
  Si