Controlling security during system startup for DB/DC and DCCTL

The EXEC parameters in the IMS and DCC startup procedures provide a way to control the kind of security checking that is done during the current execution. The parameters act as switches for the different types of security that are specified in the system definition macros.

They also determine what flexibility the MTO has to override the choice of security checking. You must coordinate the setting of these parameters with both overall security design and operational procedures. The EXEC parameters for security are RCLASS, SECCNT, TRN, SGN, RCF, ISIS, ASOT, ALOT, AOI1, AOIS, and TCORACF.

The default values for the IMS and DCC procedures all specify no security. You must reset them to enable security.

The security functions and the EXEC parameters that you use to specify them are shown in the following table. Some of the EXEC parameters in the table override or replace related parameters specified in the system definition macros.

You must match the level of the security tables with the suffix identifier for the nucleus. Operational restrictions for the MTO are described in Security considerations for the master terminal.

Related reading: For detailed information on the JCL parameters and their parameter values, see IMS Version 15.2 System Definition.

Table 1. EXEC parameters to control IMS security
Choice of security function EXEC parameter Parameter value for security choice Notes
Disable Enable
Identification of IMS to RACF® as a resource class RCLASS do not specify RCLASS specify a name on RCLASS and also specify RCF=  
Number of security violations before MTO is notified SECCNT 0 1, 2, 3  
Transaction authorization TRN N Y, F 1, 2, 11
Signon verification SGN N D, E, F, M, W, X, Y, Z, G, 1, 2, 3, 8
RACF security for transaction authorization or signon verification RCF N A, B, C, R, S, T, Y 4, 5, 8
RAS dependent region security ISIS 0, 1, 2, N A, C, R 6, 9
Autosignoff ASOT 0 or 1440 10-1439 7
Autologoff ALOT 0 or 1440 10-1439  
Security checking for CMD calls AOI1 N A, C, R, S 8
Security checking for ICMD calls AOIS S A, C, N, R 8
RACF check of TCO-issued commands TCORACF N Y 8, 10
Notes:
  1. With value N, on the /NRESTART command, the MTO can optionally invoke checking.
  2. With value Y, the security function is active unless overridden by the MTO.
  3. Value M indicates multiple signons for a single user ID. Value Z is equivalent to Y + M; value G is equivalent to F + M.
  4. The RACF licensed program is used in conjunction with Command Authorization, Transaction Authorization, or Signon Verification exit routines.
  5. If a null value is specified, the choice is the default to that given in system definition.
  6. The ISIS keyword parameter allows you to choose the type of dependent region security you want, RAS, and which security facilities, RACF , and exit routines, the security type will use.
  7. On a terminal defined with ETO, when the last autologon user's last queue is completed, the autologon user immediately signs off without waiting for the autosignoff timeout interval.
  8. Because this specification is not included in a checkpoint record, you can change its value each time IMS is initialized.
  9. ISIS parameter values of 0, 1, or 2 are tolerated for compatibility. Internally, these values are converted to ISIS=N.
  10. If TCOUSID or SIGNTCO is specified in the DFSDCxxx PROCLIB member, TCORACF is set to Y.
  11. Perform a cold start of the IMS system for the changes to take effect.