Securing the OMEGAMON for CICS (3270)
The OMEGAMON for CICS component provides an OMEGAMON for CICS (3270) interface security facility. This section covers implementing security for OMEGAMON for CICS (3270).
To prevent unauthorized use of commands, OMEGAMON for CICS (3270) is shipped with the internal security feature enabled as the default. For an added level of security, you can set up an interface between OMEGAMON for CICS (3270) and an external security package, for example, RACF®, CA-ACF2, or CA-TOP SECRET, in one of the following combinations:
- External security for logon and internal security for commands
- External security for logon and external security for commands
- External security for logon and both internal security and external security for commands (using internal security with the locking feature)
Whether you use internal security, external security, or a combination of the two, you can customize the OMEGAMON for CICS (3270) security table to the needs of your installation.
- Control Statements: Locate and edit the KCIJPSEC job. The RTE_X_SECURITY_EXIT_LIB parameter in the LPAR configuration profile points to its location; the default is RKANSAMU. The needed control statements are found in the KCIJPSEC job. Edit this job to change the defaults for internal security or to specify external security. For more information about this job, see How to: Use KOBSUPDT security exits with PARMGEN in the OMEGAMON shared documentation.
- Update Program: When you have edited the control statements and pressed F3, you are presented with the JCL that starts the KOBSUPDT program, which updates the OMEGAMON for CICS (3270) security table.
- Exit Routine: At initialization, OMEGAMON for CICS (3270) accesses the user security exit routine, which provides the interface to the external security package. The name of this routine must be specified by the user. The following samples are provided:
  - KOCARACF and KOCBRACF for RACF
  - KOCAACF2 for CA-ACF2
  - KOCATOPS for CA-TOP SECRET
When OMEGAMON for CICS (3270) is initialized, it determines whether an exit routine has been installed for an external security package.
If the exit routine exists, it gets control for those commands that have been marked for external security and determines authorization through the external security package.
If external security allows the command, OMEGAMON for CICS (3270) does not check internal security.
RACF routine
To validate a user, the user exit routine checks on the RACF resource class that is defined by the ICHERCDE macro.
<Allows /PWD to work>
RDEFINE cccccccc INITIAL UACC(READ)
<Defines security level 0 as inaccessible>
RDEFINE cccccccc INITIAL0 UACC(NONE)
<Defines security level 1 as inaccessible>
RDEFINE cccccccc INITIAL1 UACC(NONE)
<Defines security level 2 as inaccessible>
RDEFINE cccccccc INITIAL2 UACC(NONE)
<Defines security level 3 as inaccessible>
RDEFINE cccccccc INITIAL3 UACC(NONE)
<Locks USER02 to level 2 power>
PERMIT INITIAL2 CLASS(classnme) ID(USER02) ACC(READ)
The variable classnme is the resource class name you defined in Modifying RACF rules.
CA-ACF2 routine
The user exit routine checks the CA-ACF2 resource class to validate a user.
<Allows /PWD to work for USER01>
ACFNRULE KEY(INITIAL) TYPE(cls) ADD(UID(****************USER01) ALLO
<Locks USER02 to security level 0 commands>
ACFNRULE KEY(INITIAL0) TYPE(cls) ADD(UID(****************USER02) ALLO
<Locks USER03 to security level 1 commands>
ACFNRULE KEY(INITIAL1) TYPE(cls) ADD(UID(****************USER03) ALLO
<Locks USER04 to security level 2 commands>
ACFNRULE KEY(INITIAL2) TYPE(cls) ADD(UID(****************USER04) ALLO
<Locks USER05 to security level 3 commands>
ACFNRULE KEY(INITIAL3) TYPE(cls) ADD(UID(****************USER05) ALLO
The variable cls is the generalized resource class name you defined in Modifying CA-TOP SECRET rules.
The UID operand is installation-specific in format and content. For information about UID, contact your security administrator.
CA-TOP SECRET routine
If you are using CA-TOP SECRET, use the INITIALn resource to define an internal security level.
Using external security
OMEGAMON for CICS (3270) supports external security for all modes of operation. For information on the implementation, see Using internal security for commands.
External security is supported for both logon and command use. When external security is in use, users can log on to OMEGAMON for CICS (3270) only if they are allowed to access the INITIAL resource name. A resource name of INITIAL0, INITIAL1, INITIAL2, or INITIAL3 might be used instead to allow logon to OMEGAMON for CICS and set the internal security level to 0, 1, 2, or 3, respectively. External security checking of a command requires the following:
- The user exit module name is specified in the security table.
- An external security exit routine is located and loaded.
- External security is specified for the issued command in the security table (using the COMMAND control statement with the keyword setting EXTERNAL=YES ).
- For VTAM®, ISPF, or TSO modes, the library that contains the KOBVTAM load module is APF-authorized.
If any commands are specified for external security checking and an exit routine is not found, OMEGAMON for CICS (3270) recognizes a possible security exposure and disables those commands with an internal security level of 0 for the session. Those commands with a level of 1, 2, or 3 are allowed to run after you enter the internal password, as described in Using internal security for commands.
Logging on using external security
This section explains special considerations for logging on to OMEGAMON for CICS (3270) using external security.
VTAM, TSO, or ISPF mode logon panels
When you log on through VTAM, OMEGAMON for CICS (3270) presents a logon panel for the OMEGAMON® VTAM application program, KOBVTAM. The VTAM logon panel is also displayed for ISPF and TSO modes, because OMEGAMON for CICS (3270) uses the VTAM application program for these modes as well. The copyright panel you normally see at logon time has additional fields for USERID, PASSWORD, GROUP, and NEW PASSWORD. Two points apply to the exit routine at logon:
- The exit routine can cause OMEGAMON for CICS (3270) to stop an unauthorized logon.
- The exit routine makes all security checks based on the user's logon ID and not on the OMEGAMON for CICS (3270) address space's authority.
If you are in an active VTAM session and you want to alter the external security level of authorization, you can use the relogon feature discussed in Accessing security from an active session.
Dedicated mode logon
Security in dedicated mode differs from the other modes because, at startup time, there is no user ID or password associated with the session. Therefore, the only security available by default is internal security. To access external security, you must enter the /PWD command, using the relogon feature discussed in the following section.
Implementing external security
- Modify the rules in the external security package to interface with OMEGAMON for CICS (3270). See Modifying RACF rules, Modifying CA-ACF2 rules or Modifying CA-TOP SECRET rules.
- Customize the sample exit routine provided in &rhilev.&rte.RKANSAMU according to the procedure in Using OMEGAMON for CICS (3270) security exit routines. See Optional external security features for a description of the options you can use.
- Modify and update the security table to specify the commands to be verified by RACF, CA-ACF2, or CA-TOP SECRET and the name of the module that contains the exit routine. (No default setting is supplied for the module name.) Follow the steps in Updating the security table.
TSO/ISPF APF authorization requirements
APF authorization is required for TSO and ISPF modes to initialize with RACF. If this is not done, an S282-10 abend occurs.
Using OMEGAMON for CICS (3270) calling conventions
OMEGAMON for CICS (3270) uses the $UCHECK control block to pass information to the exit routine. The exit routine also uses $UCHECK to pass information back to OMEGAMON for CICS (3270). The $UCHECK control block is mapped by the $UCHECK macro. The macro is defined in the KOBGMAC member of thilev.TKANMAC library.
The U#CHPIA field in the $UCHECK control block points to the address of a 16-byte control block. The KOCPIA macro, defined in the thilev.TKANMAC library, maps this control block and gives you the CICS job name the user requested at logon. OMEGAMON for CICS (3270) maintains the control block for the entire life of the session and gives the installation a 512-byte work area for its own use.
| Name | Description |
|---|---|
| Register 1 | Address of parameter list. |
| Register 13 | Address of a standard save area. |
| Register 14 | Return address. |
| Register 15 | Entry point address (in). |
| Register 15 | Return code (out). |

The parameter list contains one word: Word 1 is the address of the control block.
Reviewing OMEGAMON for CICS (3270) calling flow
- At initialization, when OMEGAMON for CICS (3270) passes control to your user exit routine, the initialization call is indicated by an I in the U#CHTYP field. This indicates that OMEGAMON for CICS (3270) requires a logon validation.
- If the user ID field length is nonzero, the user ID and password information are available.
- If additional information or some form of retry is required, the routine can request a reshow of the screen, and reset any field lengths to indicate that no data is present (user ID, password, group, or new password).
To perform a reshow in VTAM mode:
- Set a message into the U#CHMSG field (120 bytes maximum length)
- Set the U@CHRSHO bit in U#CHRESP
- Return to the caller.
The message appears under the panel. Appropriate fields are filled in (original user ID and password), unless overridden (length = 0).
- When validation is complete, a return code of 0 from the user exit indicates that the user can be allowed to log on. Any other return code will cause the session to be aborted.
- Upon successful logon acceptance, the validation routine might perform resource validation and optionally assign a command security level (0, 1, 2, or 3) to the user. The default setting is 0. Place the appropriate number into the U#CHAUT4 field. To force the user to use only this level, also set the U@CH1LOK bit in U#CHAUT1.
- During command verification, OMEGAMON for CICS places a C in the U#CHTYP field. At this point, the user authorization is verified. The decision to allow or not allow a command on the first encounter cannot be changed on subsequent attempts by the same user unless security is reset with the /PWD command. However, on each attempt, the user exit is notified, an audit record might be written, and a customized error message might be issued. The possible return codes are:
  - RC = 0: Indicates that the command is allowed (RACF and CA-ACF2).
  - RC = 4: Indicates that the command is unknown to RACF (RACF only). OMEGAMON for CICS (3270) allows the command to run. See Modifying RACF rules for instructions to define a command to RACF.
  - RC = 8: Indicates that the command is known to the security package and access is denied (RACF and CA-ACF2).
- At re-logon, OMEGAMON for CICS (3270) places an R in the U#CHTYP field to indicate a logon validation. The processing is the same as at initialization time, except that users cannot enter a new password or group because OMEGAMON for CICS (3270) does not display a logon panel.
- At termination, OMEGAMON for CICS (3270) passes a T to the user's exit routine. You can then do any termination cleanup required, such as freeing user control blocks and FREEMAINing any GETMAINed areas.
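The following Python model of the calling flow above is an added illustration and not part of the IBM documentation or product code. The call types I/C/R/T, the return codes 0/4/8, U#CHAUT4 and the U@CH1LOK lock bit are taken from this page; the simulated profile table, the CMD.<name> resource naming, the Session class and its treatment of a denied command as not run are assumptions made for the example.

```python
"""Model of the exit contract described above (constructed example, not IBM code).
Call types I/C/R/T, RC 0/4/8, U#CHAUT4 and the lock bit come from the page; the
profile table, the CMD.<name> resource naming and Session are assumptions."""
from dataclasses import dataclass
ALLOW, UNKNOWN, DENY = 0, 4, 8            # exit return codes on a 'C' call
PROFILES = {                              # constructed stand-in for RACF profiles
    "INITIAL": {"USER01": True},          # plain logon, internal level 0
    "INITIAL2": {"USER02": True},         # logon locked to level 2 (PERMIT sample)
    "CMD.PEEK": {"USER01": True, "USER02": False},   # resource -> {userid: READ?}
}

@dataclass
class UCheck:                             # the $UCHECK fields this model uses
    typ: str                              # U#CHTYP: I, C, R or T
    userid: str
    command: str = ""
    aut4: int = 0                         # U#CHAUT4: assigned level 0..3
    lock: bool = False                    # U@CH1LOK bit in U#CHAUT1
    msg: str = ""                         # U#CHMSG, 120 bytes maximum

def user_exit(ucb: UCheck) -> int:
    """Simulated exit routine; RC 0 lets a logon or a command through."""
    if ucb.typ in ("I", "R"):             # logon or relogon validation
        for level in (3, 2, 1, 0):        # INITIALn grants logon at level n
            if PROFILES.get(f"INITIAL{level}", {}).get(ucb.userid):
                ucb.aut4, ucb.lock = level, True
                return 0
        return 0 if PROFILES["INITIAL"].get(ucb.userid) else 8
    if ucb.typ == "C":
        prof = PROFILES.get(f"CMD.{ucb.command}")
        if prof is None:                  # RC 4: no profile, command still runs
            return UNKNOWN
        if prof.get(ucb.userid):
            return ALLOW
        ucb.msg = f"{ucb.command} denied for {ucb.userid}"[:120]
        return DENY
    return 0                              # 'T': termination cleanup only

class Session:  # OMEGAMON side (assumed): first verdict per command sticks until /PWD
    def __init__(self, userid: str, exit_loaded: bool = True):
        self.userid, self.exit_loaded, self.decisions = userid, exit_loaded, {}
        ucb = UCheck("I", userid)
        self.logged_on = user_exit(ucb) == 0
        self.level, self.locked = ucb.aut4, ucb.lock
    def run(self, command: str, internal_level: int, pwd_entered: bool = False) -> bool:
        if not self.exit_loaded:          # no exit: level-0 external commands disabled
            return internal_level > 0 and pwd_entered
        rc = user_exit(UCheck("C", self.userid, command))   # exit notified every time
        self.decisions.setdefault(command, rc != DENY)      # but the first verdict sticks
        return self.decisions[command]
    def pwd_reset(self) -> None:          # /PWD clears the cached decisions
        self.decisions.clear()
```

Note that RC = 4 lets a command run when no profile exists, so a command marked EXTERNAL=YES without a matching RACF profile is effectively unprotected until the profile is defined.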