Resource-level security for static responses using document templates

If you have implemented basic authentication or client certificate authentication, and you also want to control users' access to specific web pages, you can use web client authenticated user IDs to control access to individual CICS document templates that you are using to provide static responses.

About this task

For static responses delivered by CICS web support using a CICS document template specified in a URIMAP definition, resource security checking is enabled by default.

The XRES system initialization parameter controls resource security for CICS document templates. The default for this parameter is YES, meaning that resource security is active. If you do not want to use resource security checking for CICS document templates used for any purpose in your CICS region, you can deactivate it by setting this system initialization parameter to NO.

The transaction for all static responses is the default web listener transaction CWXN, or any alternative transaction that you have specified in place of CWXN using the TRANSACTION attribute on your TCPIPSERVICE definitions. For CICS document templates, you can also control resource security checking by the RESSEC attribute in the TRANSACTION resource definition. For CWXN, as supplied by CICS, RESSEC(YES) is specified, meaning that resource security is active. If you do not want to use resource security checking for static responses, the best way to deactivate it is to replace CWXN in your TCPIPSERVICE definitions with an alternative transaction that specifies the program DFHWBXN and has RESSEC(NO). This setting deactivates resource security checking for CICS document templates for static responses only. Note that the RESSEC attribute cannot control security checking for z/OS UNIX files specified by the HFSFILE attribute.

You can retrieve document templates from a variety of sources, including partitioned data sets, CICS programs, CICS files, z/OS UNIX System Services files, temporary storage queues, transient data queues, and exit programs. When resource security checking is carried out for a document template, CICS does not perform any additional security checking on the resource that supplies the document template, even if resource security is specified for that type of resource in the CICS region.

To set up resource-level security for static responses using CICS document templates:

Procedure

  1. Identify the authenticated user IDs used by web clients. These IDs must be the basis of your resource security checking. (You cannot supply an override using an analyzer program, as you can with application-generated responses.)
    Authenticated user IDs already have a user profile defined in your security manager.
  2. Identify all the CICS document templates that you are using to provide static responses.
  3. Implement security for CICS document templates in your CICS region, following the instructions in Resource security.
    You must define a profile to your security manager for each CICS document template that you are using to provide a static response, and give permissions to access appropriate CICS document templates to each authenticated user ID.
  4. Ensure that RESSEC(YES) is specified in the TRANSACTION resource definition of CWXN or in the alternative transaction that you have specified in place of CWXN.
    This step activates resource security checking for your static responses, so ensure that, whenever a web client supplies a user ID, you have set up the appropriate permissions.

What to do next

For any security checking to take place in a CICS region, set the SEC system initialization parameter to YES.