Signon security

Because FEPI is a terminal emulator, the back-end system “sees” the front-end as a terminal rather than a system; it cannot differentiate between FEPI emulation and a real device.

Thus, CICS® bind, link, and attach-time security are not applicable to FEPI connections. If security is enabled in the back-end system, the emulated terminal must be signed on to the back-end before your FEPI application can access protected resources. The alternative is not to use CICS security with FEPI; that is, to make all the back-end transactions accessed by FEPI available to the CICS default user. This option is clearly unacceptable: you must either run a security risk or deprive your FEPI applications of access to sensitive data.

When signing on to a back-end system, FEPI applications can ask the external security manager (ESM) to supply a PassTicket. A PassTicket provides a secure way of signing on to back-end systems. PassTickets are valid for one use only and are time-stamped, so the potential damage caused by an intercepted PassTicket is minimal. Applications do not have to store passwords (or ask users to reenter them) in order to sign on to back-end systems, and passwords are not transmitted across the network. For information about implementing signon security, see Generating and using PassTickets for secure sign-on.