Security in CICS and its effect on CICS ONC RPC operations

During the operation of CICS® ONC RPC, various CICS commands are used to make security checks with an external security manager (ESM).

The checks always give positive results if SEC=NO is specified as a system initialization parameter. The checks always give negative results if SEC=YES is specified but the ESM has abended while CICS was running. The following discussion of the use made of CICS security commands assumes that SEC=YES is specified and that the ESM is active.
  • When a transaction whose user ID is userid1 issues EXEC CICS START USERID(userid2), a surrogate-user check is made with the ESM to see that userid1 is authorized to use userid2. The check is made only if XUSER=YES is specified as a system initialization parameter.

    This command is issued when the connection manager starts the server controller, and each time the server controller starts an alias transaction. In the first case, the user ID used is the one supplied to the connection manager as CRPM Userid on panel DFHRP02. In the second case, the user ID used is the one output from Decode.

  • EXEC CICS VERIFY PASSWORD is issued by the alias before it links to the CICS program that services the client request. A check is made with the ESM that the user ID and password are an acceptable combination.
  • EXEC CICS QUERY SECURITY is used by the alias to check that the user ID under which it is executing is authorized to use the CICS program. The check is made only if XPPT=YES is specified as a system initialization parameter.
  • During the operation of the CICS program, security checks are made each time the program tries to access a protected resource. The check is made only if RESSEC(YES) is specified in the definition of the alias transaction, and the system initialization parameter controlling security checking for the resource type is set to YES.
  • During the operation of the CICS program, security checks are made each time the program tries to use a command from the CICS SPI (system programming interface). The check is made only if CMDSEC(YES) is specified in the definition of the alias transaction, and if XCMD=YES is specified as a system initialization parameter.
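The five checks above, together with the parameters that gate each one, can be modelled to audit a configuration before it goes live. The following Python is an added illustration, not IBM code and not part of CICS ONC RPC: the class and field names, the stand-in ESM tables and all sample user IDs, passwords and program names are constructed for the example; only the gating rules (SEC, XUSER, XPPT, XCMD, RESSEC, CMDSEC and the per-resource-type parameters) follow the text. The point it makes visible is that a check gated off by its parameter is not a positive result from the ESM but an action that proceeds without any check, which `unenforced_checks` reports as a gap.

```python
# Added example (not IBM's code): a model of the five CICS ONC RPC security
# checks and of the parameters that gate them.  Names, stand-in ESM tables and
# all sample user IDs / passwords / programs are constructed for illustration.
from dataclasses import dataclass, field

PASS, FAIL, NOT_CHECKED = "PASS", "FAIL", "NOT_CHECKED"

@dataclass
class Sit:
    """System initialization parameters named in the text (True == YES)."""
    sec: bool = True
    xuser: bool = True
    xppt: bool = True
    xcmd: bool = True
    resource_types: dict = field(default_factory=dict)  # e.g. {"FILE": True}

@dataclass
class Alias:
    """Attributes of the alias transaction definition that gate checks."""
    ressec: bool = True
    cmdsec: bool = True

@dataclass
class Esm:
    """Constructed stand-in for the ESM's authorization tables."""
    active: bool = True
    surrogates: set = field(default_factory=set)   # {(userid1, userid2)}
    passwords: dict = field(default_factory=dict)  # userid -> password
    programs: dict = field(default_factory=dict)   # userid -> {program}
    resources: dict = field(default_factory=dict)  # userid -> {(type, name)}
    commands: dict = field(default_factory=dict)   # userid -> {SPI command}

def _outcome(sit, esm, enabled, decision):
    # SEC=NO: always positive.  Gated off: the check is not made and the action
    # proceeds unchecked.  SEC=YES with a dead ESM: always negative.
    if not sit.sec:
        return PASS
    if not enabled:
        return NOT_CHECKED
    if not esm.active:
        return FAIL
    return PASS if decision() else FAIL

def surrogate_check(sit, esm, userid1, userid2):
    """EXEC CICS START USERID(userid2) issued under userid1; needs XUSER=YES."""
    return _outcome(sit, esm, sit.xuser, lambda: (userid1, userid2) in esm.surrogates)

def verify_password(sit, esm, userid, password):
    """EXEC CICS VERIFY PASSWORD; the alias always issues it."""
    return _outcome(sit, esm, True, lambda: esm.passwords.get(userid) == password)

def program_check(sit, esm, userid, program):
    """EXEC CICS QUERY SECURITY on the CICS program; needs XPPT=YES."""
    return _outcome(sit, esm, sit.xppt, lambda: program in esm.programs.get(userid, set()))

def resource_check(sit, alias, esm, userid, rtype, name):
    """Needs RESSEC(YES) on the alias and the resource type's parameter set to YES."""
    enabled = alias.ressec and sit.resource_types.get(rtype, False)
    return _outcome(sit, esm, enabled, lambda: (rtype, name) in esm.resources.get(userid, set()))

def command_check(sit, alias, esm, userid, command):
    """SPI command use; needs CMDSEC(YES) on the alias and XCMD=YES."""
    enabled = alias.cmdsec and sit.xcmd
    return _outcome(sit, esm, enabled, lambda: command in esm.commands.get(userid, set()))

def unenforced_checks(sit, alias):
    """Audit aid: which of the checks this configuration never makes."""
    if not sit.sec:
        return ["all checks (SEC=NO)"]
    gaps = []
    if not sit.xuser:
        gaps.append("surrogate-user (XUSER=NO)")
    if not sit.xppt:
        gaps.append("program (XPPT=NO)")
    if not alias.ressec:
        gaps.append("resource (RESSEC(NO) on alias)")
    if not (alias.cmdsec and sit.xcmd):
        gaps.append("command (CMDSEC(NO) on alias or XCMD=NO)")
    return gaps

def run_request(sit, alias, esm, cm_userid, crpm_userid, decode_userid, password, program):
    """Walk the chain: CRPC starts CRPM, CRPM starts the alias, the alias verifies
    the password and queries program access.  Stopping at the first FAIL is an
    assumption of this model."""
    steps = [
        ("START CRPM", lambda: surrogate_check(sit, esm, cm_userid, crpm_userid)),
        ("START alias", lambda: surrogate_check(sit, esm, crpm_userid, decode_userid)),
        ("VERIFY PASSWORD", lambda: verify_password(sit, esm, decode_userid, password)),
        ("QUERY SECURITY", lambda: program_check(sit, esm, decode_userid, program)),
    ]
    results = {}
    for name, check in steps:
        results[name] = check()
        if results[name] == FAIL:
            break
    return results

def sample_esm():
    """Constructed tables: CICSUSR runs CRPC, RPCSRV is the CRPM Userid,
    CLIENT1 is the user ID returned by Decode."""
    return Esm(
        surrogates={("CICSUSR", "RPCSRV"), ("RPCSRV", "CLIENT1")},
        passwords={"CLIENT1": "sample-pw"},
        programs={"CLIENT1": {"RPCPROG1"}},
    )
```

Calling `run_request(Sit(), Alias(), sample_esm(), "CICSUSR", "RPCSRV", "CLIENT1", "sample-pw", "RPCPROG1")` returns PASS for all four steps; with `Sit(xppt=False)` the QUERY SECURITY step comes back NOT_CHECKED rather than PASS, and `unenforced_checks` lists that gap, which is the distinction to look for when reviewing a system where the alias is defined with RESSEC(NO) or a SIT parameter has been left at NO.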
Figure 1 shows how CICS security interacts with the operation of CICS ONC RPC.
Figure 1. How CICS security interacts with CICS ONC RPC operations
This diagram shows CRPC issuing EXEC CICS START() USERID() for CRPM. CRPM issues EXEC CICS START() USERID() for CRPA. CRPA issues EXEC CICS VERIFY PASSWORD and EXEC CICS QUERY SECURITY causing the Resource Checker to be called.

The figure shows that the alias will link to the user-supplied resource checker program if one is configured, but the use of the resource checker program is not recommended. You should use the CICS security facilities, and make the appropriate definitions in the ESM.