Checking that a CICS security configuration example is working by using the SRR
Configuration examples for various scenarios exist in the security documentation. This task explains how to use security request recording (SRR) to check that one of the security documentation configuration examples uses the expected security.
Before you begin
Before you begin this task, you must complete several other tasks:
- Installing the CICS Explorer® or CECI
- Configuring security request recording (SRR)
- Completing the configuration example
You must have:
- Authority to run the CICS Explorer or issue CECI commands.
- Authority to issue the SET SECRECORDING command.
- Authority to run program DFHSRR to obtain a report for SRR.
- Authority to read the CSV output file produced by the DFHSRR program.
- An application that uses the configuration example.
About this task
In this task, you configure the SRR to record the security requests for an application.
This task assumes that you know the entry point of the application that uses the configuration example. This information can include the user ID of the person that is testing the configuration.
Procedure
Results
The CSV file shows all of the authorization requests for resources that are used by the application, and the CICS® region in which these resources are used. It also shows the task user ID and any link user ID used when access is authorized to these resources.
Check that the user IDs used are what you would expect based on the configuration examples that you are testing. Also, check that the resources used by the application and the access that is granted are what you expect.
In the following simple example, signed-on user ID PENFOLD uses CECI to LINK to a program called BR14 on a remote region over an IPIC link, as described in Configuration example: Securing CICS-to-CICS with an IPIC connection within a sysplex. The region user ID of the local region is CRPTST1. The program BR14 just issues an EXEC CICS RETURN statement.
| A | B | C | D | E | F | G |
|---|---|---|---|---|---|---|
| matchid | odapplid | odtransid | odtaskid | odstarttime | applid | transid |
| IPICEX1 | IYK2ZDL1 | CECI | 60 | 2022-02-22 13:40:30.369069 | IYK2ZDL1 | CECI |
| IPICEX1 | IYK2ZDL1 | CECI | 60 | 2022-02-22 13:40:30.369069 | IYK2ZDL1 | CECI |
| IPICEX1 | IYK2ZDL1 | CECI | 60 | 2022-02-22 13:40:30.369069 | IYK2ZDL1 | CECI |
| IPICEX1 | IYK2ZDL1 | CECI | 60 | 2022-02-22 13:40:30.369069 | IYK2ZDL2 | CSMI |
| IPICEX1 | IYK2ZDL1 | CECI | 60 | 2022-02-22 13:40:59.785414 | IYK2ZDL2 | CSMI |
| H | I | J | K | L | M | N | O |
|---|---|---|---|---|---|---|---|
| taskid | userid | link_userid | edf_userid | resource_type | profile | class | access |
| 60 | PENFOLD | | | TRANSATTACH | CECI | TCICSTRN | READ |
| 60 | PENFOLD | | | PROGRAM | DFHEITAB | MCICSPPT | READ |
| 60 | PENFOLD | | | PROGRAM | DFHECID | MCICSPPT | READ |
| 57 | PENFOLD | CRPTST1 | | TRANSATTACH | CSMI | TCICSTRN | READ |
| 57 | PENFOLD | CRPTST1 | | PROGRAM | BR14 | MCICSPPT | READ |
| P | Q | R | S | T | U | V | W |
|---|---|---|---|---|---|---|---|
| response | reason | saf_resp | saf_rsn | esm_resp | esm_rsn | failing_userid | diagnostics |
| OK | | 0 | 0 | 0 | 0 | | X'00800000' |
| OK | EXEMPT=PROGRAM | | | | | | X'00040000' |
| OK | EXEMPT=PROGRAM | | | | | | X'00040000' |
| OK | | 0 | 0 | 0 | 0 | | X'00800000' |
| OK | | 0 | 0 | 0 | 0 | | X'00800000' |
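The checks described under Results can be scripted. The following Python sketch is an added example, not part of the CICS documentation or the DFHSRR program; it assumes the CSV file has a header row with the column names shown above, and `check_srr`, `EXPECTED` and the sample data (constructed from the rows of the example) are hypothetical names.

```python
import csv
import io

# Constructed sample in the column layout shown in the example above
# (assumption: the DFHSRR CSV starts with a header row using these names).
SAMPLE_CSV = """\
matchid,odapplid,odtransid,odtaskid,odstarttime,applid,transid,taskid,userid,link_userid,edf_userid,resource_type,profile,class,access,response,reason,saf_resp,saf_rsn,esm_resp,esm_rsn,failing_userid,diagnostics
IPICEX1,IYK2ZDL1,CECI,60,2022-02-22 13:40:30.369069,IYK2ZDL1,CECI,60,PENFOLD,,,TRANSATTACH,CECI,TCICSTRN,READ,OK,,0,0,0,0,,X'00800000'
IPICEX1,IYK2ZDL1,CECI,60,2022-02-22 13:40:30.369069,IYK2ZDL1,CECI,60,PENFOLD,,,PROGRAM,DFHEITAB,MCICSPPT,READ,OK,EXEMPT=PROGRAM,,,,,,X'00040000'
IPICEX1,IYK2ZDL1,CECI,60,2022-02-22 13:40:30.369069,IYK2ZDL1,CECI,60,PENFOLD,,,PROGRAM,DFHECID,MCICSPPT,READ,OK,EXEMPT=PROGRAM,,,,,,X'00040000'
IPICEX1,IYK2ZDL1,CECI,60,2022-02-22 13:40:30.369069,IYK2ZDL2,CSMI,57,PENFOLD,CRPTST1,,TRANSATTACH,CSMI,TCICSTRN,READ,OK,,0,0,0,0,,X'00800000'
IPICEX1,IYK2ZDL1,CECI,60,2022-02-22 13:40:59.785414,IYK2ZDL2,CSMI,57,PENFOLD,CRPTST1,,PROGRAM,BR14,MCICSPPT,READ,OK,,0,0,0,0,,X'00800000'
"""

# Hypothetical expectation table: region applid -> (task user ID, link user ID).
EXPECTED = {"IYK2ZDL1": ("PENFOLD", ""), "IYK2ZDL2": ("PENFOLD", "CRPTST1")}


def check_srr(csv_text, expected):
    """Return (findings, resources) for the SRR records in csv_text."""
    findings, resources = [], set()
    for n, raw in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        # Short rows give None values; treat them as empty fields.
        row = {k: (v or "").strip() for k, v in raw.items() if k is not None}
        where = f"line {n} ({row['applid']}/{row['transid']} task {row['taskid']})"
        resources.add((row["applid"], row["resource_type"], row["profile"], row["access"]))
        if row["applid"] not in expected:
            findings.append(f"{where}: request in unexpected region")
            continue
        userid, link_userid = expected[row["applid"]]
        if row["userid"] != userid:
            findings.append(f"{where}: userid {row['userid']!r}, expected {userid!r}")
        if row["link_userid"] != link_userid:
            findings.append(f"{where}: link_userid {row['link_userid']!r}, expected {link_userid!r}")
        if row["response"] != "OK":
            findings.append(f"{where}: {row['resource_type']} {row['profile']} "
                            f"response {row['response']}, failing_userid {row['failing_userid']!r}")
    return findings, resources


if __name__ == "__main__":
    findings, resources = check_srr(SAMPLE_CSV, EXPECTED)
    for used in sorted(resources):
        print("used:", *used)
    print("\n".join(findings) or "all records match the expected user IDs")
```

The resource list it prints is the set to compare against the access you intended to grant; any line in the findings identifies the region, transaction and task whose user ID or response differs from the expectation.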
