Security for journals and log streams

The CICS® log manager provides facilities to write to and read from the CICS system log and CICS general logs. General logs comprise user journals, forward recovery logs, and autojournals. You can implement security for journals and log streams to protect them from unauthorized access.

The system log is used only for recovery purposes; for example, during dynamic transaction backout, or during emergency restart. Do not use it for any other purpose. Do not, therefore, write to it from a user application using the WRITE JOURNALNAME command.

CICS uses journal identifier DFHLOG for its primary system log. Do not permit user transactions to write to this. You can prevent them doing so by using the following command to define the system log in the JCICSJCT class, without any access list:
RDEFINE  JCICSJCT  DFHLOG  UACC(NONE) NOTIFY(sys_admin_userid)

In addition to the automatic journaling and forward recovery logging that CICS performs for user transactions (depending on the options in the file resource definitions), user applications can also write user journal records using the WRITE JOURNALNAME command.

Users needing to write journal records must have authority to write to the JOURNALNAME (as defined in JCICSJCT). CICS calls RACF® to perform a security check only for attempts to access a user journal by a CICS API command, and not for the journaling it performs in response to journaling options in the file resource definition. The CICS API does not provide a READ command for reading journals from a CICS transaction. For this reason, with proper exercise of control over the installation of applications on your CICS systems, you might consider it unnecessary to add RACF protection for journals that cannot be read from within CICS.

If you decide to implement security for CICS journals:
  1. Specify RESSEC(YES) in the CSD resource definition of the transactions that write to journals.
  2. Define profiles to RACF in the JCICSJCT or KCICSJCT resource classes (or their equivalent if you have user-defined resource class names) using the CICS journal name to identify the profiles.
    To define journals as members of a profile in the journal resource group class, with an appropriate access list, use the following commands:
    RDEFINE  KCICSJCT  userjnls UACC(NONE)
                       ADDMEM(JRNL001, JRNL002, ....)
                       NOTIFY(sys_admin_userid)
    PERMIT   userjnls  CLASS(KCICSJCT) ID(group_userid) ACCESS(UPDATE)
  3. Specify YES on the SEC system initialization parameter, and YES on the SECPRFX system initialization parameter if you define profiles with a prefix. CICS requires a minimum authorization of UPDATE for journal access. For information about the access authorization levels for system programming commands that apply to journals, see Resource and command check cross-reference.
  4. Specify YES on the XJCT system initialization parameter for the default resource class names of JCICSJCT and KCICSJCT, or XJCT=class_name for user-defined resource class names. For more information, see XJCT system initialization parameter.
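The following job is an added worked example and is not part of the CICS documentation; it runs the RACF commands for the four-step procedure above (and the DFHLOG definition given earlier) as one TSO batch step, then lists the resulting profiles so the access lists can be checked before the region is started. The job card values, the administrator user ID SYSADM and the RACF group CICSAPPL are placeholders; the journal names JRNL001 and JRNL002 are the ones used above. The SETROPTS commands and the DFHSHUNT secondary system log name are not on this page but are standard RACF and CICS names. The SIT parameters are shown as comments because they belong in the CICS startup, not in RACF.

```jcl
//RACFJCT  JOB (ACCT),'CICS JOURNAL SEC',CLASS=A,MSGCLASS=X
//*
//* Added example (not from the CICS documentation). Placeholders:
//* SYSADM (administrator user ID), CICSAPPL (RACF group whose
//* users run the journal-writing transactions).
//*
//* 1. Activate and RACLIST the journal member class so CICS can use
//*    in-storage profiles; the grouping class KCICSJCT is resolved
//*    through the RACLIST of JCICSJCT.
//* 2. Protect the system logs with no access list, as the page
//*    directs for DFHLOG (DFHSHUNT is the secondary system log).
//*    A catch-all generic profile makes any journal that is not
//*    explicitly defined fail closed (UACC(NONE)).
//* 3. Define the user-journal group profile in KCICSJCT and grant
//*    UPDATE, the minimum level CICS requires for WRITE JOURNALNAME.
//* 4. Refresh the in-storage profiles and list them for review.
//*
//* CICS side (not RACF): SIT parameters SEC=YES, XJCT=YES (or
//* XJCT=class_name for user-defined class names), SECPRFX=YES only
//* if the profiles below were defined with a prefix; RESSEC(YES) on
//* the CSD definition of each transaction that writes journals.
//* The region user ID needs no journal access: CICS does not call
//* RACF for journaling driven by file resource definitions.
//*
//TSOBATCH EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(JCICSJCT) RACLIST(JCICSJCT) GENERIC(JCICSJCT)

  RDEFINE  JCICSJCT  DFHLOG    UACC(NONE) NOTIFY(SYSADM)
  RDEFINE  JCICSJCT  DFHSHUNT  UACC(NONE) NOTIFY(SYSADM)
  RDEFINE  JCICSJCT  **        UACC(NONE) NOTIFY(SYSADM)

  RDEFINE  KCICSJCT  USERJNLS  UACC(NONE) +
           ADDMEM(JRNL001, JRNL002) NOTIFY(SYSADM)
  PERMIT   USERJNLS  CLASS(KCICSJCT) ID(CICSAPPL) ACCESS(UPDATE)

  SETROPTS RACLIST(JCICSJCT) REFRESH

  RLIST    JCICSJCT  DFHLOG    AUTHUSER
  RLIST    KCICSJCT  USERJNLS  AUTHUSER
/*
```

Review the RLIST output before starting the region: DFHLOG should show UACC NONE and an empty access list, and USERJNLS should show only CICSAPPL at UPDATE. With SEC=YES and XJCT=YES in effect, a transaction defined with RESSEC(YES) that issues WRITE JOURNALNAME for DFHLOG, or for a journal its user is not permitted to, receives the NOTAUTH condition and the NOTIFY user is informed of the violation.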