Authorizing the CICS and CICSPlex SM libraries

The SDFHAUTH, SEYUAUTH, SDFHLINK, SEYULINK libraries and the libraries for your product license modules (SDFHLIC, SDFHVUE for Value Unit Edition, and SDFHDEV for Developer Trial) must be APF-authorized.

The SDFHLPA and SEYULPA libraries do not need to be APF-authorized, because any module in the link pack area (pageable LPA, modified LPA, fixed LPA, or dynamic LPA) is treated by the system as though it came from an APF-authorized library. However, you must ensure that you properly protect any data set in the LPALST to avoid system security and integrity exposures, just as you would protect any APF-authorized library.

  1. APF-authorize these libraries by adding them to the list of APF-authorized libraries in the appropriate PROGxx or IEAAPFxx member in SYS1.PARMLIB. These libraries must be APF-authorized to enable certain modules, such as DFHSIP, to run in supervisor state.
  2. If your lists of APF-authorized libraries are specified in the dynamic format in a PROGxx member, refresh the APF list dynamically by using the SETPROG or SET PROG=xx command.
  3. If your lists of APF-authorized libraries are specified in the static format in IEAAPFxx members, schedule an MVS™ IPL for the APF-authorization to take effect.
  4. When you prepare your startup job stream, provide a STEPLIB DD statement for the SDFHAUTH and SEYUAUTH libraries. The SEYUAUTH library loads the message files, therefore it is required for both basic CICS® functions and if you are using any CICSPlex® SM or CICS Explorer® functions. When you define your STEPLIB DD statement, remember that all other libraries concatenated with the SDFHAUTH and SEYUAUTH libraries must also be APF-authorized. If any of the libraries in a STEPLIB concatenation are not authorized, MVS regards all of them as unauthorized.
  5. The SDFHLOAD and SEYULOAD libraries contain only programs that run in problem state, and must not be authorized. You must include the SDFHLOAD library in the CICS DFHRPL library concatenation. An example of this library DD statement is in the sample job stream in A sample CICS startup job. For offline utilities the SDFHLOAD and SEYULOAD libraries are included in the STEPLIB concatenation of the job but again they must not be authorised. For example the CICS translator will abend with abend code U0101 if SDFHLOAD is authorized.

Although, in general, CICS runs in problem state, the CICS initialization program, DFHSIP, must run in supervisor state for part of its execution. The CMAS startup program, EYU9XECS, also requires APF authorization.

For a module to run in supervisor state, it must be link-edited as an authorized module into a partitioned data set, which must also be defined to the operating system as APF-authorized. For CICS-supplied modules, the link-editing has been done for you. The CICS-supplied DFHSIP module is link-edited with the authorized attribute, using SETCODE AC(1), and is installed in the SDFHAUTH library.

For information about maintaining lists of APF-authorized libraries, see the z/OS MVS Initialization and Tuning Guide.

For information about authorizing access to CICS data sets, see Authorizing access to CICS data sets.