Security considerations for MSC
For those transactions that are processed in another system, perform as much security checking as is required for the primary message. RACF® can be used to protect IMS resources in an MSC network.
Signon verification, combined with transaction authorization and password checking, allows you to control the processing at input time. The resource definition to RACF must declare the transaction name, even when the transaction is not processed in the system where the security tables are built.
Security controls in an MSC network are performed independently in each local and remote IMS. An intermediate IMS in an MSC environment, which is neither local nor remote for a given transaction, does not perform any security checking for that transaction.
RACF can provide transaction authorization checking when a destination system receives a message to process. The amount of checking that RACF provides depends on the MSCSEC= parameter in the DFSDCxxx IMS.PROCLIB member and on feedback from the DFSMSCE0 exit routine. The DFSMSCE0 user exit can optionally override or accept the system DFSDCxxx member security, on a message by message basis.
Transactions received in a remote IMS on an MSC link are passed to the transaction authorization module for authorization checking, but because the password is not passed across the link, transaction authorization checking fails if a password is required. Transactions that do not require a password can be accepted.
To allow a transaction to be scheduled in a remote destination IMS, you can authorize its processing with resource access security (RAS). To use RAS security, the transaction must be defined to RACF as authorized for use by the dependent region.
If the RACF security environment is not available in the destination system (as when a /SIGN ON command is entered with RACF), the security environment will be dynamically created to allow the transaction authorization to proceed.