The SECVFYFREQ system
initialization parameter specifies whether or not CICS makes a full
verification request at least once a day for each user ID that is
used to log on to the CICS region.
- SECVFYFREQ={NEVER|USRDELAY}
When a user logs
on to CICS by a method that uses password verification, such as the EXEC
CICS VERIFY PASSWORD or EXEC CICS VERIFY PHRASE command,
instead of a full verification request such as the EXEC CICS
SIGNON command, RACF normally does not record the login,
and does not write audit information for the user ID. You can use SECVFYFREQ to
require that CICS makes a full verification request for each user
at least once a day. The full verification request makes RACF record
the date and time of last access for the user ID, and write user statistics.
The following login processes in CICS use
password verification:
- HTTP basic authentication with CICS web support
- Web services authentication
- IP interconnectivity (IPIC) authentication
You might also have your own login processes that use the
EXEC
CICS VERIFY PASSWORD or
EXEC CICS VERIFY PHRASE command.
- NEVER
- When the login process uses password verification, CICS makes
a full verification request only if an attempt at password verification
fails. User IDs that are used only with login processes involving
password verification can appear to be unused.
- USRDELAY
- CICS makes a full verification request at least once a day for
each user ID that is used to log on to the CICS region. The USRDELAY system
initialization parameter for the CICS region controls the interval
between full verification requests for the user IDs.
- When the user ID is unused for more than the USRDELAY limit
and is removed from the system, CICS makes a full verification request
when the user next logs in. If USRDELAY is set
to 1440 minutes (1 day) or higher, CICS enforces a full verification
request at user login for each user ID once a day.
- If USRDELAY is set to 0, CICS always makes
a full verification request when a user logs in, unless the user is
currently signed on and running a task in the CICS region.
Additional full verification requests can take place for other
reasons, such as a user sign-on using the EXEC CICS SIGNON command.
The full verification request
uses the RACROUTE REQUEST=VERIFYX macro, instead of the RACROUTE REQUEST=EXTRACT
macro that is used for password verification. The RACROUTE REQUEST=VERIFYX
macro has a higher processor cost and response time, so you might
notice a slight performance impact when you implement this function.
If your USRDELAY parameter is set to less than
1440 minutes, the performance impact is greater, because the full
verification request takes place at user login more frequently than
once a day.
Restriction: You
can specify the SECVFYFREQ system initialization
parameter in the SIT, PARM, or SYSIN only.