
CICS Security - ADCD and Dallas Z ISV RDP

In RACF security terminology, CICS is a resource manager, and resource manager security can be enabled or disabled. As delivered in the Dallas Z ISV RDP, CICS security is disabled.

Why?

CICS manages many resources, and enabling security requires deciding which specific CICS resources to secure. Many CICS resources do not need to be secured: securing all of them would increase the CICS security administration needed to decide which of your company's CICS developers are allowed to access which of the many protected CICS resources.

Recommendation:
Enable CICS RACF security requiring
1) Signon to CICS using a RACF-assigned ID and password
2) Protection of the execution of specific CICS-supplied transactions
3) All ISV application transactions enabled for execution

The above recommendation is an excellent starting point for future decisions such as protecting other CICS-managed resources, protecting specific ISV application transactions, and enabling company CICS developers to access specifically protected CICS-supplied transactions such as CEDA, CEMT, etc.

Please review the 'Notes' at the end before executing the Step-by-Step Actions.

Detailed Actions:
Allocate a PDS/E for the CICS security setup JCL and REXX routines that follow.
Example: 'IBMUSER.CICS.SECURITY.SETUP'

Step-by-Step Actions assuming CICSTS55

Action #1
//* submit the following JCL
//CICSUSER JOB 1
//TSO EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
AG DUMMY
ADDUSER CICSUSER RESTRICTED OWNER(SYS1) DFLTGRP(DUMMY)
SETR CLASSACT(GCICSTRN)
SETR CLASSACT(TCICSTRN)
/*

Action #2
Copy DFH550.CICS.SDFHSAMP(DFH$CAT1) to IBMUSER.CICS.SECURITY.SETUP(DFH$CAT1)

Action #3
Copy DFH550.CICS.SDFHSAMP(DFH$CAT2) to IBMUSER.CICS.SECURITY.SETUP(DFH$CAT2)

Action #4
Edit IBMUSER.CICS.SECURITY.SETUP(DFH$CAT1)
change
SET ACCESSLIST = grp1 +
grp2 +
grp3
to
SET ACCESSLIST = GROUP1 +
GROUPZ
save

Action #5
TSO EX 'IBMUSER.CICS.SECURITY.SETUP(DFH$CAT1)'

Action #6
TSO EX 'IBMUSER.CICS.SECURITY.SETUP(DFH$CAT2)'

Action #7
//* submit the following JCL
//TCICSTRN JOB 1
//RACF EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RDEFINE TCICSTRN * UACC(READ)
/*

Action #8
Edit DFH550.SYSIN(DFH$SIP1)
DFLTUSER=CICSUSER << add
GMTRAN=(CESN,DISCONNECT) << add
SEC=YES << change from NO
XPCT=NO, << add
XTRAN=YES, << add
XFCT=NO, << add
XCMD=NO, << add
XJCT=NO, << add
XDCT=NO, << add
XPPT=NO, << add
XPSB=NO, << add
XTST=NO, << add
XRES=NO, << add
XUSER=NO, << add
XAPPC=NO, << add
XDB2=NO, << add
XHFS=NO, << add
save
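To verify the result of this edit before restarting CICS (for example as a pre-change review of the member), here is an added example that is not from the original post or from IBM: a small Python linter that parses a SIT override member and compares the security-related parameters against the settings given in Action #8. It assumes the SYSIN override format of one PARM=VALUE per line, comma separated, with '*' in column 1 for comment lines and .END as the terminator; both sample members below are constructed for the example.

```python
# Added example (not from the original post): lint a CICS SIT override member
# for the security settings recommended in Action #8.
# Assumed member format: PARM=VALUE entries separated by commas, '*' in
# column 1 marks a comment line, '.END' terminates the overrides.
import re

# Recommended settings taken from Action #8 of the post.
RECOMMENDED = {
    "SEC": "YES",                      # turn RACF checking on
    "XTRAN": "YES",                    # check transactions via TCICSTRN/GCICSTRN
    "DFLTUSER": "CICSUSER",            # restricted default user (Action #1)
    "GMTRAN": "(CESN,DISCONNECT)",     # force signon as the good-morning transaction
}


def parse_sit(text):
    """Return a dict of SIT parameter -> value (upper-cased) from override text."""
    params = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.strip().upper() == ".END":
            break                                  # end of overrides
        if not line.strip() or line.startswith("*"):
            continue                               # blank or comment line
        # Split on commas that are not inside parentheses, so that
        # GMTRAN=(CESN,DISCONNECT) stays in one piece.
        for item in re.split(r",(?![^()]*\))", line):
            item = item.strip().rstrip(",")
            if not item or "=" not in item:
                continue
            key, value = item.split("=", 1)
            params[key.strip().upper()] = value.strip().upper()
    return params


def check_security(params):
    """Compare parsed parameters with RECOMMENDED; return a list of findings."""
    findings = []
    for key, want in RECOMMENDED.items():
        got = params.get(key)
        if got is None:
            findings.append(f"{key} not set (recommended {key}={want})")
        elif got != want:
            findings.append(f"{key}={got} (recommended {key}={want})")
    # With SEC=NO the X* parameters are irrelevant: no RACF checks are made at all.
    if params.get("SEC", "NO") != "YES":
        findings.append("SEC is not YES: no RACF checking will occur regardless of the X* settings")
    return findings


# Constructed sample: the delivered state described in the post (SEC=NO).
BEFORE = """\
* constructed sample SIT overrides, delivered state
APPLID=CICSTS55,
SEC=NO,
GRPLIST=(DFHLIST,ISVLIST)
.END
"""

# Constructed sample: the same member after the edits in Action #8.
AFTER = """\
* constructed sample SIT overrides, after Action #8
APPLID=CICSTS55,
DFLTUSER=CICSUSER,
GMTRAN=(CESN,DISCONNECT),
SEC=YES,
XPCT=NO,
XTRAN=YES,
XFCT=NO,
XCMD=NO,
GRPLIST=(DFHLIST,ISVLIST)
.END
"""

if __name__ == "__main__":
    for name, member in (("before", BEFORE), ("after", AFTER)):
        findings = check_security(parse_sit(member))
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run against the real member by reading it into a string (for example after copying DFH$SIP1 down with FTP or by running the script where the member text is available); the linter only reports, it does not edit.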

Action #9
From SDSF
/C CICSTS55
/S CICSTS55,START=INITIAL

Backout Plan:
If there is a problem, backout is simple:
Edit DFH550.SYSIN(DFH$SIP1)
DFLTUSER=CICSUSER << remove
GMTRAN=(CESN,DISCONNECT) << remove
SEC=NO << change from YES
Save

Restart CICSTS55

Notes:

The PDF below provides details about securing additional CICS-managed resources, including significant detail about the Step-by-Step Actions above:
https://www.ibm.com/docs/en/SSGMCP_5.5.0/pdf/security-guide_pdf.pdf

An issue was discovered with DFH$CAT2:
Review line 182, which begins with ADDMEM.
A + is needed at the end of that line for it to be a valid continuation.
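The continuation problem noted above can be caught mechanically before the CLIST is executed. The following is an added example, not part of the original post or of the CICS-supplied samples: a small Python checker that walks a CLIST member and reports any line that ends a statement while a parenthesised list such as ADDMEM(...) is still open. It assumes CLIST continuation rules (a trailing + or - continues the statement on the next line) and CLIST /* ... */ comments; the sample member is constructed in the style of DFH$CAT2, not the shipped member.

```python
# Added example (not from the original post): find lines in a TSO CLIST where
# a parenthesised list is left open because the '+' continuation is missing,
# which is the DFH$CAT2 defect described in the Notes.
# Assumptions: CLIST continuation is a trailing '+' or '-'; comments are /* */;
# parentheses inside quoted strings are not special-cased.
import re


def strip_comments(text):
    """Remove /* ... */ comments (possibly multi-line) without changing line count."""
    return re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)


def find_broken_continuations(text):
    """Return (line_number, line) for each line that ends a statement while a
    parenthesised list is still open, i.e. a missing '+' continuation."""
    findings = []
    depth = 0
    for lineno, raw in enumerate(strip_comments(text).splitlines(), start=1):
        line = raw.rstrip()
        if not line:
            continue
        continued = line.endswith("+") or line.endswith("-")
        body = line[:-1] if continued else line
        depth += body.count("(") - body.count(")")
        if not continued:
            if depth > 0:
                findings.append((lineno, raw))   # statement ended with '(' still open
            depth = 0                            # next line starts a new statement
    return findings


# Constructed sample in the style of DFH$CAT2 (not the shipped member).
# The second RDEFINE is missing the '+' after "CEDA".
SAMPLE = """\
/* constructed sample, category 2 transaction profiles */
RDEFINE GCICSTRN CAT2GRP1 UACC(NONE) +
  ADDMEM(CEBR, CEDF, +
         CEMT)
RDEFINE GCICSTRN CAT2GRP2 UACC(NONE) +
  ADDMEM(CBAM, CEDA
         CEDB, CEDC)
PERMIT CAT2GRP1 CLASS(GCICSTRN) ID(&ACCESSLIST) ACCESS(READ)
"""

# The same sample with the continuation added, as the Notes describe.
FIXED = SAMPLE.replace("ADDMEM(CBAM, CEDA\n", "ADDMEM(CBAM, CEDA +\n")

if __name__ == "__main__":
    for lineno, line in find_broken_continuations(SAMPLE):
        print(f"line {lineno}: missing '+' continuation: {line.strip()}")
    print("fixed sample findings:", find_broken_continuations(FIXED))
```

Running it over a copy of DFH$CAT2 should point at the ADDMEM line the Notes mention; a clean run over DFH$CAT1 and the corrected DFH$CAT2 is a cheap check before Actions #5 and #6.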

Review RACF commands in DFH$CAT1 and DFH$CAT2
RACF PERMIT and RALT commands can be used to adjust the applied CICS security

In rare cases routine CICS maintenance will add a new CICS-supplied transaction.
If the new CICS-supplied transaction is involved in CICS initialization, then
CICS initialization will fail. The remedy is simple: review the CICS log output,
where the name of the transaction causing the initialization failure is written,
then issue the RACF commands below.
RALT GCICSTRN CAT1 ADDMEM(new-transaction)
SETR REFRESH RACLIST(GCICSTRN)
.. start CICS

HLQ DFH550 is associated with CICSTS55
HLQ DFH560 is associated with CICSTS56

If you want a specific ID to have authority to execute all CICS transactions:
connect racf-id group(sys1)

CICS Development Team member contributed the following comments:

Apologies for the bug in DFH$CAT2; it will be fixed with future PTF maintenance.

As you may be aware, we are in the process of refreshing the CICS Security Documentation -
see https://www.ibm.com/docs/en/cics-ts/6.1_beta?topic=securing-new-doc
with the aim of making it more usable; while it is in the CICS Transaction Server 6.1 documentation, the bulk of it is valid for earlier releases.
Hope you, and anyone else, find it useful - we would of course be grateful for any comments, good or bad.

We are currently in the process of re-working the CICS Security Documentation, so you may find some of the information at
https://www.ibm.com/docs/en/cics-ts/6.1_beta?topic=securing-new-doc
of use. Let's be honest, that is the whole point of it! :-)

Although this is in the CICS/TS 6.1 BETA documentation most of it is valid for all current releases.

Naturally any comments on it are welcome.

Comments

Fri August 20, 2021 11:15 AM

Marc, thank you for reviewing and pointing out the correction needed .... corrected connect syntax above

Fri August 20, 2021 02:49 AM

Do not use GRPACC on the connect command (it's something from the past). The syntax of the connect command is: connect racf-id group(group-id) owner(group-id)