IMS ETO Support Enhanced Transaction Verification

IMS ETO Support Enhanced Transaction Verification (ETV) provides two methods for replacing transaction authorization that was previously provided by the IMS Security Maintenance Utility (SMU).

The two ETV methods are:
  • A RACF®-based verification technique that can provide both Transaction/LTERM and Transaction/Password protection
  • An IMS ETO Support Matrix data set that can be used for Transaction/LTERM protection

The ETV methods are optional and can be used in addition to, or in place of, IMS RACF or IMS SMU security. Only one form of ETV can be used at a time.

Both forms of ETV checking (RACF or IMS ETO Support Matrix) use the IMS Transaction Authorization Exit (DFSCTRN0) to perform the validation. However, ETV cannot be used if there is an existing user version of DFSCTRN0. To use a user version of DFSCTRN0 along with ETV processing, you must rename the user version of DFSCTRN0 to DFSCTRN1.

The intercept works as follows:

  • At IMS startup, IMS ETO Support sets an intercept for its version of the DFSCTRN0 exit, and saves the address of any user DFSCTRN1 exit.
  • If the IMS ETO Support version of DFSCTRN0 denies access to the transaction, DFSCTRN1 is not invoked.
  • If IMS ETO Support determines access is allowed, DFSCTRN1 is called and all parameter input is the same as if IMS ETO Support was never called.

ETV works for both static and dynamic terminals. In order to avoid confusion from receiving different messages for the same error, it is recommended that all of your terminals be dynamic. The following example illustrates this situation (IMS exit DFSCTRN0 is used for ETV processing):

  • A user ID that fails authorization causes IMS message DFS2469W to be displayed
  • Dynamic terminals will receive the Tran not auth 0008 version of this message
  • Static terminals that do not issue an IMS /SIGN command will receive the SIGNON REQUIRED version of this message

Authorization is performed at initial transaction arrival and for IMS CHNG calls:

  • If multiple LTERMs are assigned to a NODE/USER, IMS ETO Support will perform authorization at initial transaction arrival using the first LTERM that is not either STOPPED or LOCKED.
  • ETV does not process transactions from APPC or OTMA devices.
  • If IMS rejects transaction authorization, the IMS ETO Support DFSCTRN0 exit does not get control.
  • If the IMS ETO Support DFSCTRN0 exit rejects transaction authorization, DFSCTRN1 does not get control.

ETV is controlled by IMS ETO Support TRANLTRM, TRANPSWD and ETOSMATRIX parameters. You can set these parameters using either the online transaction program (IZTRAN), or the batch update program (IZTUD1U0). They are dynamic and you can change them without requiring a restart of IMS.

Note: In order to use IMS ETO Support Matrix verification, the matrix DD (IZTMTRX) must be present in the IMS control region JCL at startup.

RACF Enhanced Transaction Verification

The RACF version of ETV is controlled using the IMS ETO Support TRANLTRM and TRANPSWD parameters. You can set these parameters using either the online transaction program (IZTRAN), or the batch update program (IZTUD1U0). The parameters are dynamic and you can change them without requiring a restart of IMS.

The RCF= parameter in the DFSPBxxx member of IMS PROCLIB does not have any impact on ETV.

ETV uses the IMS control region user ID for its RACF calls. Because ETV can be used even if the IMS control region does not do any RACF checking (RCF=N), it does not use the typical IMS RCLASS names (such as TIMS/GIMS). Instead ETV uses the RACF FACILITY class for its RACF calls.

In order for RACF ETV to work properly, the IMS control region user ID cannot have the RACF privileged attribute set (for example, through the STARTED class or the started procedures table). A privileged started task passes every RACF authorization check, so with that attribute ETV would allow every transaction instead of enforcing the FACILITY profiles; the trusted attribute has the same effect on the access decision and should be avoided for the same reason.

When RACF ETV is active, IMS ETO Support will perform verification at initial transaction arrival and for IMS CHNG calls. IMS ETO Support will build a 4-level resource name that it uses to call RACF to check for authorization. The format is:

HLQ.TYPE.TRAN.ID

Descriptions of the 4 levels of a resource name:

HLQ
The HLQ (high-level qualifier) name is defined in the IMS ETO Support options data set. The name is used to allow multiple IMS regions running in the same complex to have unique RACF definitions. The name can be any 4-character descriptive word, for example: PROD, or TEST.
TYPE
The TYPE name represents the type of RACF resource name that is being tested. The following values are supplied by IMS ETO Support:
LTRM
This is the resource name used for checking Transaction/LTERM authorization.
PSWD
This is the resource name used for checking Transaction/password authorization.
TRAN
This is the IMS transaction code name that is being attempted.
ID
Depending on the TYPE field, the ID field contains one of the following:
  • If TYPE contains LTRM, the ID field contains the name of the LTERM that is attempting this transaction.
  • If TYPE contains PSWD, this field contains the password that was supplied by the terminal user, if any.

Sample RACF definitions

The following sample list shows the RACF rules that restrict transaction PART from all LTERMs other than USER1 and USER2:
 RDEF FACILITY PROD.LTRM.* UACC(READ)
 RDEF FACILITY PROD.LTRM.PART.* UACC(NONE)
 RDEF FACILITY PROD.LTRM.PART.USER1 UACC(READ)
 RDEF FACILITY PROD.LTRM.PART.USER2 UACC(READ)
Using the above sample RACF rules, the following conditions apply:
  • When transaction PART is attempted from LTERM USER1, IMS ETO Support builds resource name PROD.LTRM.PART.USER1.
  • Because this resource name is defined with UACC(READ), RACF allows access to the IMS control region user ID and IMS ETO Support allows this LTERM to process the transaction.
  • If LTERM USER9 attempts transaction PART, IMS ETO Support will perform the RACF call using resource name PROD.LTRM.PART.USER9.
  • RACF will reject access because this resource name matches RACF rule PROD.LTRM.PART.*, which has UACC(NONE). RACF always uses the most specific matching profile, so PROD.LTRM.PART.* takes precedence over the broader PROD.LTRM.* profile, and the decision also reflects any PERMIT entries for the IMS control region user ID on that profile, not only its UACC.
Because these profiles contain generic characters, generic profile checking must be active for the FACILITY class (SETROPTS GENERIC(FACILITY)), and if the FACILITY class is RACLISTed, the profiles take effect only after SETROPTS RACLIST(FACILITY) REFRESH.
The same type of rules apply to Transaction/PASSWORD definitions:
 RDEF FACILITY PROD.PSWD.* UACC(READ)
 RDEF FACILITY PROD.PSWD.PART.* UACC(NONE)
 RDEF FACILITY PROD.PSWD.PART.PWD1 UACC(READ)

In this example, PWD1 must be supplied as the password by the terminal user for transaction PART; any other password builds a resource name that is covered by PROD.PSWD.PART.* and is therefore denied.
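The following Python model is an added example, not IBM code and not part of IMS ETO Support: it builds the HLQ.TYPE.TRAN.ID resource name, generates the RDEF FACILITY statements of the samples above from an allow list, and evaluates a resource name against those profiles using a simplified version of RACF generic-profile matching (trailing "*" matches one or more remaining qualifiers, "**" zero or more, "%" one character, most specific profile wins). The control region user ID IMSCTL, the treatment of an unprotected resource as denied, and the "privileged" flag that models the started-task PRIVILEGED attribute are assumptions made for the example.

```python
"""Model of IMS ETO Support RACF ETV checks against FACILITY profiles.

Added example, not IBM code. RACF generic matching is simplified; see comments.
"""
from dataclasses import dataclass, field

ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
CTL_REGION = "IMSCTL"  # assumed IMS control region user ID used for the RACF calls


@dataclass
class Profile:
    name: str                                   # e.g. PROD.LTRM.PART.*
    uacc: str = "NONE"                          # universal access
    permits: dict = field(default_factory=dict)  # userid -> access from PERMIT


def etv_resource_name(hlq: str, typ: str, tran: str, ident: str) -> str:
    """Build the 4-level name: HLQ.TYPE.TRAN.ID (ID = LTERM or password)."""
    return f"{hlq}.{typ}.{tran}.{ident}"


def rdef_statements(hlq: str, typ: str, tran: str, allowed: list) -> list:
    """Emit the pattern used on the page: allow the type by default, deny the
    transaction, then re-allow it for each listed LTERM or password."""
    stmts = [f"RDEF FACILITY {hlq}.{typ}.* UACC(READ)",
             f"RDEF FACILITY {hlq}.{typ}.{tran}.* UACC(NONE)"]
    stmts += [f"RDEF FACILITY {hlq}.{typ}.{tran}.{i} UACC(READ)" for i in allowed]
    return stmts


def parse_rdef(stmt: str) -> Profile:
    """Parse 'RDEF FACILITY name UACC(x)' (only the form used on the page)."""
    _, cls, name, uacc = stmt.split()
    if cls != "FACILITY":
        raise ValueError("ETV profiles live in the FACILITY class")
    return Profile(name, uacc[len("UACC("):-1])


def qualifier_matches(pattern: str, value: str) -> bool:
    """'%' matches one character; '*' inside a qualifier matches any run."""
    if pattern == "*":
        return True
    if "*" in pattern:
        head, _, tail = pattern.partition("*")
        return (value.startswith(head) and value.endswith(tail)
                and len(value) >= len(head) + len(tail))
    return len(pattern) == len(value) and all(
        p == "%" or p == v for p, v in zip(pattern, value))


def profile_matches(profile_name: str, resource: str) -> bool:
    """Simplified RACF general-resource generic matching (assumption)."""
    pq, rq = profile_name.split("."), resource.split(".")
    if pq[-1] == "**":   # zero or more trailing qualifiers
        head = pq[:-1]
        return len(rq) >= len(head) and all(qualifier_matches(p, r) for p, r in zip(head, rq))
    if pq[-1] == "*":    # one or more trailing qualifiers
        head = pq[:-1]
        return len(rq) > len(head) and all(qualifier_matches(p, r) for p, r in zip(head, rq))
    return len(pq) == len(rq) and all(qualifier_matches(p, r) for p, r in zip(pq, rq))


def literal_prefix_len(name: str) -> int:
    """Specificity proxy: characters before the first generic character."""
    for i, ch in enumerate(name):
        if ch in "*%":
            return i
    return len(name)


def racf_check(profiles: list, resource: str, userid: str, privileged: bool = False):
    """Return (allowed, profile used). privileged models the started-task
    PRIVILEGED attribute: every check succeeds, which is why the control
    region user ID must not carry it."""
    if privileged:
        return True, None
    matches = [p for p in profiles if profile_matches(p.name, resource)]
    if not matches:
        return False, None  # assumption: an unprotected resource is denied (fail closed)
    best = max(matches, key=lambda p: (literal_prefix_len(p.name), len(p.name)))
    access = best.permits.get(userid, best.uacc)
    return ACCESS_ORDER.index(access) >= ACCESS_ORDER.index("READ"), best.name


LTRM_PROFILES = [parse_rdef(s) for s in rdef_statements("PROD", "LTRM", "PART", ["USER1", "USER2"])]
PSWD_PROFILES = [parse_rdef(s) for s in rdef_statements("PROD", "PSWD", "PART", ["PWD1"])]


def check_tran_lterm(tran: str, lterm: str, privileged: bool = False):
    return racf_check(LTRM_PROFILES, etv_resource_name("PROD", "LTRM", tran, lterm),
                      CTL_REGION, privileged)


def check_tran_pswd(tran: str, password: str):
    return racf_check(PSWD_PROFILES, etv_resource_name("PROD", "PSWD", tran, password), CTL_REGION)


if __name__ == "__main__":
    for s in rdef_statements("PROD", "LTRM", "PART", ["USER1", "USER2"]):
        print(s)
    for lterm in ("USER1", "USER9"):
        print("PART from", lterm, "->", check_tran_lterm("PART", lterm))
    print("PART from USER9, privileged region ->", check_tran_lterm("PART", "USER9", True))
```

The privileged case is the failure mode to watch: the same profiles are in place, yet the denial for USER9 disappears because the access check never consults them. Real RACF specificity rules are more involved than the literal-prefix proxy used here, but they give the same answer for the profile sets on this page.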

IMS ETO Support provides a utility program (IZTSMU00) to convert your existing Security Maintenance Utility (SMU) control cards to the RACF statements.

MATRIX Enhanced Transaction Verification

The IMS ETO Support MATRIX version of ETV is controlled using the ETOSMATRIX parameter. You set this parameter using either the online transaction program (IZTRAN) or the batch update program (IZTUD1U0).

The ETOSMATRIX parameter is dynamic, so you can change it without requiring a restart of IMS. However, in order to activate this option you must have already added the IMS ETO Support Matrix DDNAME (IZTMTRX) in your IMS control region JCL at startup.

Note: The IMS ETO Support Matrix data set must also be APF authorized.

You can use IMS ETO Support Matrix ETV to perform Transaction/LTERM authorization. It uses a Matrix table loaded by the IMS control region at startup, and can be dynamically refreshed using the IMS ETO Support online transaction program (IZTRAN - option R).

The modules in the IMS ETO Support Matrix data set are created from the IMS Security Maintenance Utility (SMU) control cards using utility program IZTSMU.