Configuration example: MRO Connections - using only the task user ID

Configure an MRO connection so work that is routed to the remote region runs under the task user ID of the local region.

Before you begin

This configuration task is based on the example security scenario Design example: MRO connection – using only the task user ID.

You must complete the following tasks:

You need to know:

You must have:

  • Authorization to create CICS resource definitions.
  • Authorization to install CICS resources.
  • Authorization to define RACF® commands.

About this task

In this example, you learn how to configure the CICS resource definitions and the RACF security definitions so that a task on the local region cicsA can issue a distributed program link (DPL) request to the remote region cicsB. The work on cicsB runs under the same task user ID as in the local region.

This task assumes the following definitions:

  • connA, connB are the names of CONNECTION definitions.
  • sessA, sessB are the names of SESSION definitions.
  • groupA, groupB are RDO group names.
  • applidA, applidB are the APPLIDs of the CICS regions.
  • taskUserGroup is the RACF group that contains the user IDs, such as taskUseridA, that are allowed to run work on cicsB.

Procedure

  1. Define in cicsA the MRO definitions to connect cicsA to cicsB.
    DEFINE CONNECTION(connB) GROUP(groupA) ACCESSMETHOD(IRC) NETNAME(applidB) AUTOCONNECT(YES)
    DEFINE SESSION(sessB) GROUP(groupA) CONNECTION(connB) PROTOCOL(LU61) AUTOCONNECT(YES)
  2. Define in cicsB the MRO definitions to connect cicsB to cicsA, specifying ATTACHSEC(IDENTIFY) on the connection definition.
    DEFINE CONNECTION(connA) GROUP(groupB) ACCESSMETHOD(IRC) NETNAME(applidA) AUTOCONNECT(YES) ATTACHSEC(IDENTIFY)
    DEFINE SESSION(sessA) GROUP(groupB) CONNECTION(connA) PROTOCOL(LU61) AUTOCONNECT(YES)
  3. The task user IDs in CICS region A need to be able to run the CSMI transaction in cicsB. The following RACF definitions are based on the DFH$CAT2 sample.
    RDEFINE GCICSTRN INTERCOM ADDMEM(CSMI) UACC(NONE)
    PERMIT INTERCOM CLASS(GCICSTRN) ID(taskUserGroup) ACCESS(READ)
    SETROPTS RACLIST(TCICSTRN) REFRESH
  4. If you use resource or command security, taskUserGroup also needs to be given access to any resources or commands that are used by the DPLed programs.
  5. Install groupA in cicsA and groupB in cicsB.
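
The following Python check is an added example, not IBM's code: it scans the statements from steps 1 to 3 for the settings this procedure depends on, namely ATTACHSEC(IDENTIFY) on the MRO connection in the remote region's group (when the keyword is omitted, CICS uses ATTACHSEC(LOCAL)) and a UACC(NONE) profile covering CSMI that is permitted to taskUserGroup. The function name `audit` and both sample decks are constructed for illustration, and the parser assumes one statement per line.

```python
import re

# Constructed sample: remote-side statements with ATTACHSEC omitted, a
# permissive UACC and no PERMIT. Assumption: one statement per line.
WEAK = """\
DEFINE CONNECTION(connA) GROUP(groupB) ACCESSMETHOD(IRC) NETNAME(applidA) AUTOCONNECT(YES)
RDEFINE GCICSTRN INTERCOM ADDMEM(CSMI) UACC(READ)
"""
# Constructed sample: the statements as the procedure gives them.
GOOD = """\
DEFINE CONNECTION(connB) GROUP(groupA) ACCESSMETHOD(IRC) NETNAME(applidB) AUTOCONNECT(YES)
DEFINE CONNECTION(connA) GROUP(groupB) ACCESSMETHOD(IRC) NETNAME(applidA) AUTOCONNECT(YES) ATTACHSEC(IDENTIFY)
DEFINE SESSION(sessA) GROUP(groupB) CONNECTION(connA) PROTOCOL(LU61) AUTOCONNECT(YES)
RDEFINE GCICSTRN INTERCOM ADDMEM(CSMI) UACC(NONE)
PERMIT INTERCOM CLASS(GCICSTRN) ID(taskUserGroup) ACCESS(READ)
"""
KEYWORD = re.compile(r"(\w+)\(([^)]*)\)")

def audit(text, remote_group, task_group):
    """Return findings for the remote region's group and the CSMI profile."""
    findings, csmi_profiles, permitted = [], set(), set()
    for line in filter(None, map(str.strip, text.splitlines())):
        pairs = KEYWORD.findall(line)            # ordered KEY(value) pairs
        attrs = {k.upper(): v for k, v in pairs}
        words = KEYWORD.sub("", line).split()    # verb and positional operands
        if not words:
            continue
        verb = words[0].upper()
        if verb == "DEFINE" and pairs and pairs[0][0].upper() == "CONNECTION":
            if attrs.get("GROUP") != remote_group or attrs.get("ACCESSMETHOD") != "IRC":
                continue
            # An omitted ATTACHSEC means LOCAL: the task user ID is not used.
            sec = attrs.get("ATTACHSEC", "LOCAL").upper()
            if sec != "IDENTIFY":
                findings.append(f"{pairs[0][1]}: ATTACHSEC({sec}), expected IDENTIFY")
        elif (verb == "RDEFINE" and len(words) >= 3
              and "CSMI" in re.split(r"[,\s]+", attrs.get("ADDMEM", ""))):
            csmi_profiles.add(words[2])
            uacc = attrs.get("UACC", "not specified").upper()
            if uacc != "NONE":
                findings.append(f"{words[2]}: UACC({uacc}), expected NONE")
        elif verb == "PERMIT" and len(words) >= 2 and attrs.get("ACCESS", "").upper() == "READ":
            if attrs.get("ID") == task_group:
                permitted.add(words[1])
    for profile in sorted(csmi_profiles - permitted):
        findings.append(f"{profile}: no PERMIT ACCESS(READ) for {task_group}")
    if not csmi_profiles:
        findings.append("no RDEFINE found with CSMI in ADDMEM")
    return findings
```

Calling `audit(WEAK, "groupB", "taskUserGroup")` reports the defaulted ATTACHSEC, the UACC(READ) profile and the missing PERMIT; the same call on `GOOD` returns an empty list.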

Results

If you inquire on the connections by using the CICS Explorer® ISC/MRO Connections view or CEMT INQUIRE CONNECTION, you see that they have a connection status of acquired.

To validate that the security environment is functioning correctly, you need a transaction that a signed-on user on cicsA can run. This transaction needs the ability to issue a DPL request to a program on cicsB.

You can use the CICS security request recording (SRR) feature from within CICS Explorer to validate this example. With the Regions view in focus, you select the Add Security Request Recording pop-up menu option. On that window, select the 3270 tab and set the User ID field to the user ID of the signed-on user. For more information, see Checking that a CICS security configuration example is working by using the SRR.