DFHIRP, the CICS® interregion communication
program, performs two security checks against users that want to either
log on to IRP (specific connections only), or connect to a CICS region
(also referred to as bind-time security).
About this task
Generic EXCI connections: The
discussion about logon security checking in this section applies only
to EXCI connections that are defined as SPECIFIC. The MRO logon security
check is not performed for generic connections.
The MVS client
program is treated just the same as another CICS region
as far as MRO logon and connect (bind-time) security checking is concerned.
This means that when the client program logs on to the interregion
communication program, IRP performs logon and bind-time security checks
against the user ID under which the client program is running. In
the remainder of this information, this user ID is called the user
ID of the batch region.
To enable your client program to log
on to IRP successfully, and to connect to the target server region,
first ensure that you define the user ID of the batch region in a
user profile to RACF®. After you define the user ID of the batch
region to RACF, you can then give the batch region the
appropriate logon and bind-time authorizations.
Procedure
Logon authorization:
- Authorize the user ID of the batch region to the DFHAPPL.user_name
RACF FACILITY class
profile, with UPDATE authority. The user_name part of the profile name is the
user name defined on the INITIALIZE_USER command.
- For the EXCI CALL interface, the user_name must be the name you specify on
the user_name parameter of the INITIALIZE_USER command.
Define FACILITY class
profiles, with appropriate authorizations, for each user name specified in a client program if the
program has INITIALIZE_USER commands for more than one user name.
For example, if the
user_name defined on an INITIALIZE_USER command is DCEUSER1, define the DFHAPPL
profile in the FACILITY class as follows:
RDEFINE FACILITY (DFHAPPL.DCEUSER1) UACC(NONE)
If the batch region's user ID is CLIENTA, authorize the batch region to log on to IRP as follows:
PERMIT DFHAPPL.DCEUSER1 CLASS(FACILITY) ID(CLIENTA) ACCESS(UPDATE)
- For the EXEC CICS
LINK command, the user_name is preset by the external CICS interface as
DFHXCEIP. This does not require authorization for IRP logon because the EXEC CICS LINK interface uses a generic connection to which the logon security check
does not apply.
Failure to authorize the user ID of the batch region to the DFHAPPL profile of the specific user
ID logging on to IRP causes Allocate_Pipe processing to fail with RESPONSE(SYSTEM_ERROR)
REASON(IRC_LOGON_FAILURE). The subreason field-1 for a logon security check failure returns decimal
204.
Bind-time authorization:
- Authorize the user ID of the batch region to the DFHAPPL.applid
RACF FACILITY class
profile of the target CICS server region, with READ authority.
Failure to authorize the user ID of the batch region to the DFHAPPL.applid
profile of the CICS
server region causes Open_Pipe processing to fail with RESPONSE(SYSTEM_ERROR)
REASON(IRC_CONNECT_FAILURE). The subreason field-1 for a bind-time security check failure returns
decimal 176.
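The logon and bind-time authorizations above, carried through for one batch region as a single batch RACF job; this is an added example, not part of the CICS documentation, and it assumes CLIENTA is the batch region's user ID, DCEUSER1 is the user_name on INITIALIZE_USER, and CICSSRV1 is the APPLID of the target server region (all placeholder names). It also assumes the FACILITY class is active and RACLISTed, so the REFRESH is what makes the new profiles take effect.

```jcl
//EXCIRACF JOB (ACCT),'EXCI DFHAPPL PROFILES',CLASS=A,MSGCLASS=X
//* Added example: defines the two DFHAPPL FACILITY profiles one
//* EXCI batch region needs and grants its user ID the access each
//* check requires (assumed names: CLIENTA, DCEUSER1, CICSSRV1).
//* Step order in SYSTSIN:
//*   1. logon profile DFHAPPL.DCEUSER1, batch region gets UPDATE
//*      (avoids Allocate_Pipe IRC_LOGON_FAILURE, subreason 204)
//*   2. bind-time profile DFHAPPL.CICSSRV1, batch region gets READ
//*      (avoids Open_Pipe IRC_CONNECT_FAILURE, subreason 176)
//*   3. refresh the RACLISTed FACILITY class so the checks see them
//*   4. RLIST with AUTHUSER to verify the access lists before testing
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY DFHAPPL.DCEUSER1 UACC(NONE)
  PERMIT DFHAPPL.DCEUSER1 CLASS(FACILITY) ID(CLIENTA) ACCESS(UPDATE)
  RDEFINE FACILITY DFHAPPL.CICSSRV1 UACC(NONE)
  PERMIT DFHAPPL.CICSSRV1 CLASS(FACILITY) ID(CLIENTA) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST FACILITY DFHAPPL.DCEUSER1 AUTHUSER
  RLIST FACILITY DFHAPPL.CICSSRV1 AUTHUSER
/*
//
```

The submitting user needs authority over FACILITY class profiles (for example SPECIAL), and keeping UACC(NONE) on both profiles ensures only the batch region IDs you PERMIT can log on to IRP or bind to the server region.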
See Bind security for information about the MRO logon
and bind-time security checks, and for examples of how to define the RACF DFHAPPL profiles.