Setting up CICS security discovery

Applies to 6.2 and later.

CICS® security discovery collects information about the security resource access requests that have been made in the CICS region. It can also collect information about requests that would be made if the required security settings were changed such as by setting RESSEC(YES) or specifying a class name on the associated Xnnn system initialization parameter.

About this task

CICS writes security discovery data (SDD) to a CICS user journal with a journal name of DFHSECD. A journal model with this journal name must be installed in every CICS region in which you expect to collect security discovery data.

For more information about security discovery, see How it works: CICS security discovery.

Procedure

  1. Decide whether you want a single log stream across the sysplex, separate log streams for separate LPARs, or separate log streams for sets of regions.

    This decision depends on whether you use coupling facility log streams or DASD-only log streams: a DASD-only log stream can be connected from only one system at a time, so a single log stream shared by regions on different LPARs requires a coupling facility log stream.

    Important: You must not mix production log streams with test log streams.
  2. Define the log streams or log stream model.

    CICS regions write security discovery data to the log stream at the end of each day. Each day's data is a record of everything that has been discovered since security discovery was first activated in the region, not only what was discovered that day.

    If your regions run continuously, the log stream therefore needs to retain only the set of records from the previous day.

    If your regions are regularly recycled, the log stream needs to retain the sets of records from an extended period, so that you do not miss information about infrequently accessed resources that was discovered before a recycle.

    The maximum size of a DFHSECD journal record is 32 K. That does not include the additional information that CICS and the system logger write to the log stream with each record. It is recommended that you define the log streams or log stream model with MAXBUFSIZE set to at least 33 K. (For coupling facility log streams, MAXBUFSIZE is an attribute of the coupling facility structure rather than of the log stream.)

  3. Configure the CICS regions that need to use the log streams to have UPDATE access to these log streams.

    For more information about defining log stream security, see Authorizations for CICS regions.

  4. Authorize system programmers who need to process the security discovery data with READ access to the log streams.
  5. The CICS-supplied CSD group DFHSECD contains a sample journal model, also named DFHSECD. Copy the sample journal model to a new group and update the copy to use the log streams you defined earlier.

    The DFHSECD group is not included in any CICS-supplied CSD list, so the sample is not installed unless you add it to a list or install it explicitly.

  6. Add the new group to the installation list of all regions in which you want to use security discovery.
    Recommendation: Include the journal model in a CSD list that is installed during CICS initialization. With the journal model installed from startup, security discovery can be activated at any time without any additional setup.
  7. Authorize operators who need to issue the SECDISCOVERY commands with UPDATE access to the SECURITY resource in the CICS command resource class (the class named on the XCMD system initialization parameter).
  8. Configure the sample JCL DFH$SDDP, which writes the SDD output files, in UTF-8, to a zFS directory. Authorize the system programmers who run this JCL with READ and WRITE access to that directory.

    The target zFS directory must exist before the JCL is run.
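The following JCL is an added example of the definitions that steps 2 to 8 call for; it is not one of the CICS-supplied samples and it is not the DFH$SDDP JCL. Every name in it is a placeholder: a DASD-only log stream CICS.DFHSECD, a CICS region user ID CICSREG, RACF groups SYSPROGS (system programmers) and CICSOPER (operators), a new CSD group SECDGRP and a startup list CICSLIST, the libraries CICSTS.SDFHLOAD and CICSTS.DFHCSD, the default command resource class CCICSCMD, and the zFS directory /u/secd. It also assumes that the log stream is defined explicitly here rather than created by CICS from a log stream model; if you rely on a model so that CICS creates the stream on first use, the region user ID needs ALTER rather than UPDATE access to the log stream profiles.

```jcl
//SECDSETP JOB (ACCT),'SECD SETUP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Step 2: DASD-only log stream for the DFHSECD user journal.
//*   MAXBUFSIZE(33792) = 33 K covers the 32 K maximum SDD record plus
//*   the CICS and system logger prefixes.  RETPD/AUTODELETE keep 30
//*   days of offloaded data, enough for regions that are recycled
//*   regularly; a continuously running region needs only the previous
//*   day.  For a coupling facility log stream, replace DASDONLY(YES)
//*   with STRUCTNAME(...) and set MAXBUFSIZE on the DEFINE STRUCTURE
//*   statement instead.  (All names are placeholders.)
//DEFLOGS  EXEC PGM=IXCMIAPU
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DATA TYPE(LOGR) REPORT(NO)
  DEFINE LOGSTREAM NAME(CICS.DFHSECD)
         DASDONLY(YES)
         MAXBUFSIZE(33792)
         STG_SIZE(5000)
         LS_SIZE(5000)
         HLQ(IXGLOGR)
         HIGHOFFLOAD(80)
         LOWOFFLOAD(0)
         RETPD(30)
         AUTODELETE(YES)
/*
//*
//* Steps 3, 4 and 7: RACF authorizations.  The CICS region user ID
//*   gets UPDATE on the log stream, system programmers who process
//*   the SDD get READ, and operators who issue SECDISCOVERY get
//*   UPDATE on the SECURITY resource in the command class.  The
//*   SETROPTS REFRESH lines apply only if the classes are RACLISTed.
//RACFDEF  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE LOGSTRM CICS.DFHSECD UACC(NONE)
  PERMIT CICS.DFHSECD CLASS(LOGSTRM) ID(CICSREG) ACCESS(UPDATE)
  PERMIT CICS.DFHSECD CLASS(LOGSTRM) ID(SYSPROGS) ACCESS(READ)
  PERMIT SECURITY CLASS(CCICSCMD) ID(CICSOPER) ACCESS(UPDATE)
  SETROPTS RACLIST(LOGSTRM) REFRESH
  SETROPTS RACLIST(CCICSCMD) REFRESH
/*
//*
//* Steps 5 and 6: copy the sample journal model out of the supplied
//*   DFHSECD group into a new group, point the copy at the log
//*   stream, and add the group to the startup list.  For one log
//*   stream per region, use journal name symbols in STREAMNAME
//*   instead, for example STREAMNAME(&USERID..&APPLID..&JNAME).
//CSDUP    EXEC PGM=DFHCSDUP,REGION=0M
//STEPLIB  DD DSN=CICSTS.SDFHLOAD,DISP=SHR
//DFHCSD   DD DSN=CICSTS.DFHCSD,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  COPY JOURNALMODEL(DFHSECD) GROUP(DFHSECD) TO(SECDGRP)
  ALTER JOURNALMODEL(DFHSECD) GROUP(SECDGRP) STREAMNAME(CICS.DFHSECD)
  ADD GROUP(SECDGRP) LIST(CICSLIST)
/*
//*
//* Step 8: zFS directory for the DFH$SDDP output.  Group SYSPROGS
//*   gets read, write and search permission (the directory must be
//*   searchable to be used); everyone else gets no access.
//MKDIR    EXEC PGM=BPXBATCH
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//STDPARM  DD *
SH mkdir -p /u/secd && chgrp SYSPROGS /u/secd && chmod 770 /u/secd
/*
```

Run the job once per sysplex for the log stream and RACF steps, and once per CSD for the DFHCSDUP step; the journal model then takes effect in each region the next time that region installs the CICSLIST list, which is why step 6 recommends a list that is installed at initialization.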

Results

You have successfully configured CICS for security discovery. The operators can now start capturing security discovery data.