Configuring security request recording (SRR)

Security request recording (SRR) collects trace data about security settings in CICS® regions by recording security checks conducted by one or more requests. You can use it to diagnose CICS security issues.

About this task

CICS writes security request recordings to a CICS user journal with a journal name of DFHSECR. A journal model with this journal name must be installed in every CICS region in which you expect to use security request recording. For more information about SRR, see Diagnostic tools and information.

Procedure

  1. Decide whether you want to have a single log stream across the plex, separate log streams for separate LPARs, or separate log streams for sets of regions. This decision is based on whether you use coupling facility log streams or DASD-only log streams. Another factor to consider is that if you need a single CSV file for analysis of transactions involving multiple regions then you need to share a single log stream between those regions.
    Important: You must not mix production log streams with test log streams.
  2. Define the log streams or log stream model.
    The trace data is only intended for short-term diagnostic use. Therefore, use AUTODELETE(YES) with a suitable retention period (RETPD) for the log stream. For more information about defining the log streams, see coupling facility log streams or DASD-only log streams.

    When you configure the log stream, note that maximum size of a DFHSECR record is 32 K. That does not include the length of additional information that is written to the log stream by CICS and the system logger. It is recommended that you define the log streams or log stream model with MAXBUFSIZE set to at least 33 K.

  3. Configure the CICS regions that need to use the log streams to have UPDATE access to these log streams.
    For more information about defining log stream security, see Authorizations for CICS regions.
  4. Authorize system programmers who need to investigate security problems with READ access to the log streams.
  5. CSD group DFHSECR contains a sample of the journal model. Copy the sample journal model DFHSECR and update it to use the log streams you defined earlier. The DFHSECR group is not included in any CICS supplied CSD lists.
  6. Add the new group to the installation list of all regions in which you want to use the SRR.
    Recommended: You are advised to ensure that the journal model is included in a CSD list that is installed during CICS initialization. This configuration means that SRR can be activated at any time without any additional setup.
  7. Authorize operators who need to issue the SECRECORDING command with UPDATE access to the SPI command.
  8. Configure the sample JCL DFH$SRRP. Authorize the system programmers who run this JCL with read and write access to the zFS directory that is used to store the .csv file.