Removing sensitive data from CICS trace using CONFDATA

CICS® trace data can contain sensitive data such as passwords and similar tokens. This occurs in various places in CICS such as transport data and containers. You can use the CONFDATA system initialization parameter in conjunction with the CONFDATA transaction attribute to prevent confidential data from appearing in external and internal trace records in a transaction or system dump.

The CONFDATA mechanism

Data is redacted based on the settings of the CONFDATA system initialization parameter and the CONFDATA transaction attribute as shown in the following table.

Table 1. Interaction between the CONFDATA system initialization parameter and the CONFDATA transaction attribute

                                                     System initialization parameter
                                                     CONFDATA=HIDE    CONFDATA=SHOW
Transaction attribute CONFDATA(NO)                   Not redacted     Not redacted
Transaction attribute CONFDATA(YES)                  Redacted         Not redacted
CICS transactions (see CICS transactions that        Redacted         Not redacted
  specify CONFDATA(YES))

The trace points affected by the CONFDATA mechanism are listed in Trace points that might contain redacted data.

Where CICS has identified data as a password or similar security token, such as in the security domain trace points, the data is never traced.

While CICS attempts to mask sensitive data, sensitive data might still appear in dumps; therefore, keep dump data sets secured.

Usage notes for CONFDATA transaction attribute

The default transaction attribute of CONFDATA(NO) assumes that most user applications do not handle passwords. You should set CONFDATA(YES) for any transaction that might contain passwords in its transport data.

Usage notes for CONFDATA system initialization parameter

The CONFDATA system initialization parameter should usually be set to the default value of HIDE to prevent sensitive data from being exposed in trace entries or dumps. Most problems can be diagnosed without this data. If it is necessary to reproduce problems with CONFDATA set to SHOW, be aware that password data could be exposed.
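The following job is an added example, not taken from this page or from IBM, that applies the two usage notes above: it runs the DFHCSDUP utility to define a hypothetical user transaction PAYX with CONFDATA(YES), so that its transport data is redacted in trace and dump entries while the region runs with the default CONFDATA=HIDE. Every name in it is an assumed placeholder: the data set names CICSTS.SDFHLOAD and CICSTS.DFHCSD, the group PAYGRP, the list PAYLIST, the transaction PAYX and the program PAYPROG.

```jcl
//CSDUPD   JOB (ACCT),'DEFINE CONFDATA',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the IBM documentation. Defines a
//* hypothetical transaction PAYX with CONFDATA(YES). All names here
//* are placeholders: CICSTS.SDFHLOAD, CICSTS.DFHCSD, PAYGRP,
//* PAYLIST, PAYX and PAYPROG.
//*
//CSDUP    EXEC PGM=DFHCSDUP,REGION=0M
//STEPLIB  DD DSN=CICSTS.SDFHLOAD,DISP=SHR
//DFHCSD   DD DSN=CICSTS.DFHCSD,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
* Transaction that receives passwords in its transport data.
* CONFDATA(YES) makes CICS redact its input in trace and dump
* entries when the region runs with CONFDATA=HIDE (the default).
 DEFINE TRANSACTION(PAYX) GROUP(PAYGRP)
        PROGRAM(PAYPROG)
        CONFDATA(YES)
* Install the group at startup by adding it to the region's list.
 ADD GROUP(PAYGRP) LIST(PAYLIST)
/*
//
```

The region side needs no change as long as the system initialization parameter is left at its default of CONFDATA=HIDE; if a SIT override of CONFDATA=SHOW was introduced for a diagnostic session, remove it again afterwards, since with SHOW the CONFDATA(YES) attribute on PAYX no longer causes redaction (see Table 1).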

Changing the CONFDATA setting in a running system

You can use CSFE DEBUG to change the value of the CONFDATA system initialization parameter in a running system. Optionally, you can also use it to change the CONFDATA option of a transaction. Make sure that you are authorized to use the CSFE transaction. For more information, see Using CSFE to change the CONFDATA setting.

CICS transactions that specify CONFDATA(YES)

All CICS system transactions are treated as CONFDATA(YES).

The following CICS transactions are treated as CONFDATA(YES) regardless of any change to their definitions:
  • CESL
  • CESN
  • CRTE
  • CVMI
  • CWXN
  • CSM2
  • CSM3
  • CSM5
  • CSMI
  • CSM1
  • CPIA
  • CPIH
  • CPIL
  • CPIQ
  • CPMI
Note: The CEDF and CEDX transactions will redact data if it is known to be a password or similar token. It is not possible to redact user data that might contain sensitive data. For this reason, you must protect these transactions on systems that contain sensitive data.

Trace points that might contain redacted data

Component: z/OS® Communications Server
Trace points: AP FC90-91
Data that might contain sensitive data: The z/OS Communications Server receive-any input area (RAIA) storage containing initial input that is created when the RECEIVE ANY operation has been processed, and before the target transaction has been identified. Only the first 4 bytes of normal data, or the first 8 bytes of function management headers (FMHs), are traced.

Component: MRO
Trace points: AP DD16, AP DD23, AP DD25, AP FC9B
Data that might contain sensitive data: Initial input received on an MRO link.

Component: EXCI
Trace points: AP 4E25-26
Data that might contain sensitive data: Redacted if CONFDATA=HIDETC is specified in DFHXCOPT.

Component: IPIC
Trace points: SO 0201-02, SO 029D

Component: HTTP (web)
Trace points: WB 0700-01, WB 0410

Component: HTTP (IP)
Trace points: IS 0602-03, IS 0702-03, IS 0906

Component: FEPI
Trace points: AP 1243-44, AP 145E-61, AP 1595-99
Data that might contain sensitive data: FEPI screens, RPL data areas (RPLAREAs), and user data.

Component: CICS client
Trace points: AP 3057-5A

Component: Containers (Web Services)
Trace points: PG 1910-12, PG 1921
Data that might contain sensitive data: Data in the DFHREQUEST container.

Redacted trace data is replaced by the string SUPPRESSED BY CONFDATA=HIDE or similar.