IBM Security Z Security

Security for Z

  • 1.  CICS Carla compliance check

    Posted Tue August 26, 2025 07:54 PM

    Hi - we have been using the following IBM provided CARLA to check CICS is validating Transactions - since we have upgraded to CICS Transaction Server 6.2.0 the check has been providing the following:

    C O M P L I A N C E   T E S T   R E S U L T S   complex PROD     standard USER                        
    Rule set ISCC0106      CICS Trans class active                                                        
    External RACF Classes should be active for CICS transaction checking.                                 
                                                                                                          
    20 Non-Compliant object XXX1   class_tr                                                               
                                                                                                          
       Non-Compliant test b.1.Resc_Class_Active Each CICS transaction resource class pair must be active. 
       cics_region(ACTIVE=Yes) result=No value=                                                           
       for CLASS_TRN                                                                                      
                                                                                                          

    Carla being used:

    Domain CICS_resource_classes,                                            
      SELECT(CICS_REGION),                                                   
      SUMMARY(CICS_REGION(CLASS_TRN system complex ver))                     
    RULE ISCC0106 domain(CICS_resource_classes),                             
      DESC("External RACF Classes should be active for CICS transaction chec 
    king."),                                                                 
      CAPTION("CICS Trans class active") SEV(2)                              
      TEST b.1.Resc_Class_Active,                                            
        CICS_REGION(CLASS_trn:class.class.active=yes),                       
        DESC("Each CICS transaction resource class pair must be active.")    
    ENDRULE                        

    Has there been an update to the CARLA to work with that CICS Version or is this an issue on our end?



    ------------------------------
    Brett Williams
    ------------------------------


  • 2.  RE: CICS Carla compliance check

    Posted Wed August 27, 2025 02:23 AM
    Edited by Tom Zeehandelaar Fri August 29, 2025 04:02 AM

    Hi Brett, 

    since you do not mention that your company has also upgraded the zSecure version, it is unlikely that this issue is caused by an update to CARLa, as this control is still using the same CARLa code to check the settings of your CICS regions after the upgrade to CICS Transaction Server 6.2.0.

    When I interpret the involved CARLa code, it reports that the configured class for "Attached Transaction security" (CLASS_trn) is supposed to be active, but according to the compliance check this configured CLASS_trn class is currently not active and as a result raises the non-compliant result. 

    Did you check whether the Attached Transaction security class is configured and active for the reported CICS region on your system?

    You can run option RE.C.R (Resource - CICS - Regions) in zSecure Audit to report the current settings of your defined CICS regions (provided that you use a current CKFREEZE data set as input) that shows the configured names of CICS classes and whether they are active.

    By the way, your statement "the following IBM provided CARLA to check CICS is validating Transactions" is not accurate. We do not support a rule_set with the name of ISCC0106. Thus, you must be using a customized version of a standard control. 

    Hope this helps. 



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 3.  RE: CICS Carla compliance check

    Posted Wed September 03, 2025 06:32 PM

    The Carla code we are using is CKAGCR21 - only change made is RULE ISCC0106 [note this has been working fine until the CICS upgrade]

    Checked RE.C.R and can confirm 

    TRN TRNclass

    Yes TCICSTRN

    We are using zSecure Admin 3.1.0 



    ------------------------------
    Brett Williams
    ------------------------------



  • 4.  RE: CICS Carla compliance check

    Posted Mon September 22, 2025 10:47 AM

    Hi Brett, 

    sorry for my delayed response, but I have been on vacation during the past 3 weeks. 

    The CARLA code CKAGCR21 that you mention does not seem to be a SCKRCARL member name that we use for CICS compliance controls in version zSecure 3.1.0.

    When I check our UI, in zSecure 3.1.0 it shows the following controls for the CICS_STIG with option AU.R.S:

                             zSecure Suite - Compliance - Contro Row 1 to 10 of 10
    Command ===> ________________________________________________ Scroll ===> CSR 
                                                                                  
    Type RUN to execute, CONFIG to configure, RESET to remove all selections,     
    or OPTIONS to set the print/runtime options.                                  
    Valid line commands: S (Select), U (Unselect), V (View control member),       
    E (Edit customization member), R (Run control), C (Configure control)         
    ------------------------------------------------------------------------------
      Control          Standard   Description                  Member   CKACUST  S
    _ ZCICR021         CICS_STIG  CICS SPI cmnd resources      CKAHCC21 <more>   _
    _ ZCICR038         CICS_STIG  CICS trans class active      CKAHCI38 ________ _
    _ ZCICR041         CICS_STIG  CICS PROPCNTL active         CKAHCC41 ________ _
    _ ZCIC0010         CICS_STIG  CICS system data sets        CKAHCI10 <more>   _
    _ ZCIC0020         CICS_STIG  Sensitive CICS Trans         CKAHCI20 <more>   _
    _ ZCIC0030         CICS_STIG  Proper SIT parameters        C2RHCI30 CICPAUDT _
    _ ZCIC0040         CICS_STIG  CICS region user IDs         CKAHCI40 ________ _
    _ ZCIC0041         CICS_STIG  CICS default user            CKAHCI41 <more>   _
    _ ZCIC0042         CICS_STIG  CICS Timeout                 CKAHCI42 C2RH@IDF _
    _ ZCIC0042.1       CICS_STIG  CICS Timeout                 CKAHCI42 <more>   _

     I am not seeing CKAGCR21 that you are referring to. I think it might be the control named ZCICR21 stored in member CKAHCC21. What happens when you run that?



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 5.  RE: CICS Carla compliance check

    Posted Tue September 23, 2025 06:15 AM

    Hi Tom

    CKAGCR21 is the member name that was shipped with zSecure 2.3.0, for STIG 6.31, if memory serves, maybe later too. If this ancient member was used with zSecure 3.1, would that explain Brett's question?



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 6.  RE: CICS Carla compliance check

    Posted Wed September 24, 2025 04:35 AM

    Hi Rob and Brett,

    In my opinion, that still does not explain Brett's issue. If I understand his issue correctly, he claims that prior to upgrading to CICS Transaction Server 6.2.0 their customized STIG CICS control did not produce a non-compliant result and after the CICS upgrade it does. That would indicate that running the same CARLa code suddenly produces different compliance results. I do not think that it is likely that this change is caused by an update to how CARLa works. It seems more likely to me that the issue is caused by a change in a value that was collected by zCollect and written to the allocated CKFREEZE data set that is used to run their control.

    Just my 2 cents. 

    I would really like to know what happens when Brett runs the currently supported and non-customized zSecure 3.1.0 control in SCKRCARL member CKAHCC21 with the same RACF and CKFREEZE information allocated.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------