Securing asynchronous hold queues by using RACF

When RACF® security checking is enabled for an asynchronous hold queue, the authorization logic verifies and validates the security header and authorizes the user ID under the TPIPE name.

When a Resume TPIPE call is received, RACF security checking is performed only if a Resume TPIPE resource class (RIMS or Rxxxxxxx) exists and the tpipe name specified on the call is defined in the resource class.

Regardless of whether RACF security is enabled, you can use the OTMA Resume TPIPE Security user exit (OTMARTUX). If both the OTMARTUX user exit and RACF are used, RACF security is always called first. In that case, the OTMARTUX user exit can override the results of the RACF procedure.

To enable Resume TPIPE security:

Procedure

  1. If one does not already exist, define a Resume TPIPE resource class (RIMS or Rxxxxxxx) by using the RCLASS keyword on the SECURITY system definition macro.
    During IMS startup, if no Resume TPIPE resource class is defined to IMS, IMS issues message DFS3187I. After IMS is running, no further warnings are issued to alert you to the absence of a Resume TPIPE resource class.
  2. In the Resume TPIPE resource class, specify the tpipe names of the asynchronous hold queues to be protected and the user IDs that are authorized to access the queues.
  3. Specify an appropriate level of RACF security for OTMA by using either the OTMASE startup parameter or the /SECURE OTMA command.
    The appropriate levels of OTMA security that you can specify are FULL, CHECK, or PROFILE. If a security level of PROFILE is specified, the resume tpipe request message must specify either FULL or CHECK.
  4. Code the resume tpipe request messages to access the RACF-protected asynchronous hold queues. The resume tpipe request messages must include:
    • The tpipe name in the control data section of the OTMA prefix
    • A user ID in the security section of the OTMA prefix
    • If the OTMA security level is PROFILE, a security flag setting of either FULL or CHECK
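The following is an added example, not IBM code: a pre-deployment check that walks a described setup and its resume tpipe requests through the four steps above and reports every gap. The dictionary layout, field names, tpipe names and user IDs are all constructed for illustration.

```python
# Added example: all field names and sample values below are constructed.
VALID_LEVELS = {"FULL", "CHECK", "PROFILE"}  # levels named in step 3
MESSAGE_FLAGS = {"FULL", "CHECK"}            # flags a request needs under PROFILE

def audit(setup, requests):
    """Return findings; an empty list means every requirement is met."""
    findings = []
    profiles = setup.get("profiles", {})  # tpipe name -> authorized user IDs
    level = setup.get("otma_security")
    if not setup.get("resource_class"):
        findings.append("no Resume TPIPE resource class defined (step 1)")
    if level not in VALID_LEVELS:
        findings.append(f"OTMA security level {level!r} is not FULL, CHECK or PROFILE (step 3)")
    for tpipe in setup.get("hold_queues", []):
        if tpipe not in profiles:
            # Per the page, RACF checks a call only if its tpipe name is defined.
            findings.append(f"{tpipe}: not defined in the resource class (step 2)")
    for i, msg in enumerate(requests):
        tpipe, user = msg.get("tpipe"), msg.get("user_id")
        if not tpipe:
            findings.append(f"request {i}: no tpipe name in control data (step 4)")
        if not user:
            findings.append(f"request {i}: no user ID in security section (step 4)")
        if level == "PROFILE" and msg.get("security_flag") not in MESSAGE_FLAGS:
            findings.append(f"request {i}: PROFILE level needs a FULL or CHECK flag (step 4)")
        if tpipe in profiles and user and user not in profiles[tpipe]:
            findings.append(f"request {i}: {user} is not authorized for {tpipe} (step 2)")
    return findings

# Constructed sample: TPIPEB is a hold queue with no profile in the class.
SETUP = {
    "resource_class": "RIMS",
    "otma_security": "PROFILE",
    "hold_queues": ["TPIPEA", "TPIPEB"],
    "profiles": {"TPIPEA": {"USRA"}},
}
REQUESTS = [
    {"tpipe": "TPIPEA", "user_id": "USRA", "security_flag": "CHECK"},
    {"tpipe": "TPIPEA", "user_id": "USRB"},  # no flag, unauthorized user
    {"tpipe": "TPIPEB", "user_id": ""},      # no user ID, no flag
]

if __name__ == "__main__":
    for finding in audit(SETUP, REQUESTS):
        print(finding)
```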