Checking that a CICS security configuration example is working by using the SRR

Configuration examples for various scenarios exist in the security documentation. This task explains how to use security request recording (SRR) to check that one of the configuration examples in the security documentation uses the expected security.

Before you begin

Before you begin this task, you must have:

  • Authority to run the CICS Explorer or issue CECI commands.
  • Authority to issue the SET SECRECORDING command.
  • Authority to run program DFHSRR to obtain a report for SRR.
  • Authority to read the CSV output file produced by the DFHSRR program.
  • An application that uses the configuration example.

About this task

In this task, you configure the SRR to record the security requests for an application.

This task assumes that you know the entry point of the application that uses the configuration example. This information can include the user ID of the person that is testing the configuration.

Procedure

  1. Select the Regions view in the CICS Explorer and select the region that represents the entry point of the application. You can select more than one region when the entry point might be in more than one region.
  2. Right-click to select the actions menu and then select Add Security Request Recording.
  3. Identify and select the tab that is most appropriate for the type of security problem you are trying to diagnose.
  4. Specify the matchid for your request. The matchid is used in step 8 to identify this specific recording when you want to look at the output.
  5. Specify the maximum number of requests that you want to record.
  6. Specify in the tab as much information as you know about the entry point. Figure 1 shows an example where the only information known was the user ID.
    Figure 1. SRRADD window in CICS Explorer
  7. Run your application.
  8. Run the SRR report by using the matchid that you specified in step 4.
  9. Open the CSV file generated by the report.
    For more information about using the SRR, see Diagnosing access issues with security request recording (SRR).

Results

The CSV file shows all of the authorization requests for resources that are used by the application, and the CICS® region in which these resources are used. It also shows the task user ID and any link user ID used when access is authorized to these resources.

Check that the user IDs used are what you would expect based on the configuration examples that you are testing. Also, check that the resources used by the application and the access that is granted are what you are expecting.

In the following simple example, signed-on user ID PENFOLD uses CECI to LINK to a program called BR14 on a remote region over an IPIC link as described in Configuration example: Securing CICS-to-CICS with an IPIC connection within a sysplex. The region user ID of the local region is CRPTST1. The program BR14 just issues an EXEC CICS RETURN statement.

Figure 2 shows the user IDs that are used. The task user ID is PENFOLD both in the local and remote regions. Security checking on the remote region is also done against the link user ID CRPTST1.
Figure 2. Sample SRR spreadsheet view of the user ID details
| A | B | C | D | E | F | G |
| matchid | odapplid | odtransid | odtaskid | odstarttime | applid | transid |
| IPICEX1 | IYK2ZDL1 | CECI | 60 | 2022-02-22 13:40:30.369069 | IYK2ZDL1 | CECI |
| IPICEX1 | IYK2ZDL1 | CECI | 60 | 2022-02-22 13:40:30.369069 | IYK2ZDL1 | CECI |
| IPICEX1 | IYK2ZDL1 | CECI | 60 | 2022-02-22 13:40:30.369069 | IYK2ZDL1 | CECI |
| IPICEX1 | IYK2ZDL1 | CECI | 60 | 2022-02-22 13:40:30.369069 | IYK2ZDL2 | CSMI |
| IPICEX1 | IYK2ZDL1 | CECI | 60 | 2022-02-22 13:40:59.785414 | IYK2ZDL2 | CSMI |

| H | I | J | K | L | M | N | O |
| taskid | userid | link_userid | edf_userid | resource_type | profile | class | access |
| 60 | PENFOLD |  |  | TRANSATTACH | CECI | TCICSTRN | READ |
| 60 | PENFOLD |  |  | PROGRAM | DFHEITAB | MCICSPPT | READ |
| 60 | PENFOLD |  |  | PROGRAM | DFHECID | MCICSPPT | READ |
| 57 | PENFOLD | CRPTST1 |  | TRANSATTACH | CSMI | TCICSTRN | READ |
| 57 | PENFOLD | CRPTST1 |  | PROGRAM | BR14 | MCICSPPT | READ |

| P | Q | R | S | T | U | V | W |
| response | reason | saf_resp | saf_rsn | esm_resp | esm_rsn | failing_userid | diagnostics |
| OK |  | 0 | 0 | 0 | 0 |  | X'00800000' |
| OK | EXEMPT=PROGRAM |  |  |  |  |  | X'00040000' |
| OK | EXEMPT=PROGRAM |  |  |  |  |  | X'00040000' |
| OK |  | 0 | 0 | 0 | 0 |  | X'00800000' |
| OK |  | 0 | 0 | 0 | 0 |  | X'00800000' |
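
The check described under Results can be scripted. The following is an added example, not part of the product documentation or IBM code: it reads the report CSV and lists every row whose user IDs, resources or response differ from what the configuration example should produce. It assumes the CSV has a header row with the column names shown in Figure 2; the sample rows are constructed from a subset of the Figure 2 columns, and `EXPECTED` and `check_srr` are hypothetical names.

```python
import csv
import io

# Constructed sample: Figure 2 rows as CSV (assumed header row, subset of columns).
SAMPLE_CSV = """\
matchid,applid,transid,taskid,userid,link_userid,resource_type,profile,class,access,response,reason
IPICEX1,IYK2ZDL1,CECI,60,PENFOLD,,TRANSATTACH,CECI,TCICSTRN,READ,OK,
IPICEX1,IYK2ZDL1,CECI,60,PENFOLD,,PROGRAM,DFHEITAB,MCICSPPT,READ,OK,EXEMPT=PROGRAM
IPICEX1,IYK2ZDL1,CECI,60,PENFOLD,,PROGRAM,DFHECID,MCICSPPT,READ,OK,EXEMPT=PROGRAM
IPICEX1,IYK2ZDL2,CSMI,57,PENFOLD,CRPTST1,TRANSATTACH,CSMI,TCICSTRN,READ,OK,
IPICEX1,IYK2ZDL2,CSMI,57,PENFOLD,CRPTST1,PROGRAM,BR14,MCICSPPT,READ,OK,
"""

# Hypothetical expectations per region (applid): user IDs and resources touched.
EXPECTED = {
    "IYK2ZDL1": {"userid": "PENFOLD", "link_userid": "",
                 "resources": {("TRANSATTACH", "CECI"), ("PROGRAM", "DFHEITAB"),
                               ("PROGRAM", "DFHECID")}},
    "IYK2ZDL2": {"userid": "PENFOLD", "link_userid": "CRPTST1",
                 "resources": {("TRANSATTACH", "CSMI"), ("PROGRAM", "BR14")}},
}

def check_srr(csv_text, matchid, expected):
    """Return a list of findings; an empty list means the recording matches."""
    findings = []
    seen = {applid: set() for applid in expected}
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        if row["matchid"] != matchid:
            continue  # ignore rows that belong to any other recording
        want = expected.get(row["applid"])
        if want is None:
            findings.append(f"line {n}: unexpected region {row['applid']}")
            continue
        res = (row["resource_type"], row["profile"])
        seen[row["applid"]].add(res)
        for col in ("userid", "link_userid"):
            if row[col].strip() != want[col]:
                findings.append(f"line {n}: {col}={row[col]!r}, expected {want[col]!r}")
        if res not in want["resources"]:
            findings.append(f"line {n}: unexpected resource {res} ({row['access']})")
        if row["response"] != "OK":
            findings.append(f"line {n}: {res} response {row['response']} {row['reason']}")
    for applid, want in expected.items():
        for res in sorted(want["resources"] - seen[applid]):
            findings.append(f"{applid}: expected request for {res} was not recorded")
    return findings

if __name__ == "__main__":
    print(check_srr(SAMPLE_CSV, "IPICEX1", EXPECTED) or "all rows as expected")
```

A missing link user ID on the remote region, a resource the application should not touch, or an expected request that was never recorded each appear as one finding line.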