IBM Z and LinuxONE

  • 1.  CICS RACF SECURITY

    Posted Tue July 20, 2021 05:04 PM

    Can you post instructions for CICS RACF security

    Regards

    Vincent J. Caffarello

    Software Engineer IV

    Vertex Inc.

    Phone: 484-595-2595 Mobile: 267-446-9932

    2301 Renaissance Blvd, King of Prussia, PA 19406

    Email: Vincent.Caffarello@vertexinc.com



  • 2.  RE: CICS RACF SECURITY

    Posted Wed July 21, 2021 10:23 AM
    Hello Vincent,

    What about the IBM Knowledge Center?

    Please read carefully all the chapters in section "Securing" 
    of "CICS Transaction Server for z/OS".

    e.g. for CICSTS V5.5 see https://www.ibm.com/docs/en/cics-ts/5.5?topic=securing

    Everything is described there in detail from protecting CICS Resources to
    Authentication mechanisms.



    ------------------------------
    Magnus Duemke
    ------------------------------



  • 3.  RE: CICS RACF SECURITY

    Posted Thu July 22, 2021 11:29 AM
    Edited by Paul Newton Thu July 22, 2021 11:30 AM
    Hi Vinnie, 

    While Magnus provided the professional documentation, I plan to post a step-by-step to get started as it relates to Dallas Z ISV RDP systems early next week.

    In RACF security terminology, CICS is a resource manager. Resource manager security can be enabled or disabled. Dallas Z ISV RDP-provided CICS security is disabled.

    Why?

    CICS manages many resources where enabling security requires decisions about which specific CICS resources to secure. Many of the CICS resources need not be secured because securing all resources would increase CICS security administration related to which of your company CICS developers are allowed to access which of the many protected CICS resources.

    Recommendation:
    Enable CICS RACF security requiring
    1) Signon to CICS using RACF assigned ID and password
    2) Execution of protection of specific CICS supplied transactions
    3) Enable all ISV application transactions

    The above recommendation is an excellent starting point for assisting with future decisions such as protecting other CICS managed resources, protecting specific ISV application transactions, and enabling company CICS developers to access specifically protected CICS supplied transactions such as CEDA, CEMT, etc.

    ------------------------------
    Paul Newton
    ------------------------------



  • 4.  RE: CICS RACF SECURITY

    Posted Sat July 24, 2021 09:02 AM
    Edited by Paul Newton Sat July 24, 2021 09:04 AM
    Please review 'Notes' at end before executing Step-by-Step Actions

    Recommendation:
    Allocate PDS/E for the CICS security setup JCL and REXX routines that follow
    Example 'IBMUSER.CICS.SECURITY.SETUP'

    Step-by-Step Actions assuming CICSTS55

    Action #1
    //* submit the following JCL
    //CICSUSER JOB 1
    //TSO EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN DD *
    AG DUMMY
    ADDUSER CICSUSER RESTRICTED OWNER(SYS1) DFLTGRP(DUMMY)
    SETR CLASSACT(GCICSTRN)
    SETR CLASSACT(TCICSTRN)

    Action #2
    Copy DFH550.CICS.SDFHSAMP(DFH$CAT1) to IBMUSER.CICS.SECURITY.SETUP(DFH$CAT1)

    Action #3
    Copy DFH550.CICS.SDFHSAMP(DFH$CAT2) to IBMUSER.CICS.SECURITY.SETUP(DFH$CAT2)

    Action #4
    Edit IBMUSER.CICS.SECURITY.SETUP(DFH$CAT1)
    change
    SET ACCESSLIST = grp1 +
    grp2 +
    grp3
    to
    SET ACCESSLIST = GROUP1 +
    GROUPZ
    save

    Action #5
    TSO EX 'IBMUSER.CICS.SECURITY.SETUP(DFH$CAT1)'

    Action #6
    TSO EX 'IBMUSER.CICS.SECURITY.SETUP(DFH$CAT2)'

    Action #7
    //* submit the following JCL
    //TCICSTRN JOB 1
    //RACF EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN DD *
    RDEFINE TCICSTRN * UACC(READ)

    Action #8
    Edit DFH550.SYSIN(DFH$SIP1)
    DFLTUSER=CICSUSER << add
    GMTRAN=(CESN,DISCONNECT) << add
    SEC=YES << change from NO
    XPCT=NO, << add
    XTRAN=YES, << add
    XFCT=NO, << add
    XCMD=NO, << add
    XJCT=NO, << add
    XDCT=NO, << add
    XPPT=NO, << add
    XPSB=NO, << add
    XTST=NO, << add
    XRES=NO, << add
    XUSER=NO, << add
    XAPPC=NO, << add
    XDB2=NO, << add
    XHFS=NO, << add
    save

    Action #9
    From SDSF
    /C CICSTS55
    /S CICSTS55,START=INITIAL

    Backout Plan
    If problem, backout is simple
    Edit DFH550.SYSIN(DFH$SIP1)
    DFLTUSER=CICSUSER << remove
    GMTRAN=(CESN,DISCONNECT) << remove
    SEC=NO << change from YES
    Save

    Restart CICSTS55

    Notes:

    PDF below provides details about securing additional CICS managed resources
    https://www.ibm.com/docs/en/SSGMCP_5.5.0/pdf/security-guide_pdf.pdf
    Significant detail about the above Step-by-Step is in the above pdf

    Issue was discovered with DFH$CAT2
    Review line 182 that begins with ADDMEM
    + needed at end of line to be a valid continuation

    Review RACF commands in DFH$CAT1 and DFH$CAT2
    RACF PERMIT and RALT commands can be used to adjust the applied CICS security

    In rare cases routine CICS maintenance will add a new CICS supplied transaction.
    If the new CICS supplied transaction is involved with CICS initialization, then
    CICS initialization will fail. Remedy is simple. Review CICS log output where
    the name of the transaction resulting in initialization failure is written
    requiring a RACF command.
    RALT GCICSTRN CAT1 ADDMEM(new-transaction)
    SETR REFRESH RACLIST(GCICSTRN)
    .. start CICS

    HLQ DFH550 is associated with CICSTS55
    HLQ DFH560 is associated with CICSTS56

    ------------------------------
    Paul Newton
    ------------------------------
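    Two of the artifacts edited in the steps above are plain text that is easy to get subtly wrong: the SIT override member of Action #8, and the DFH$CAT-style TSO command members, where a missing '+' continuation silently truncates a RACF command (the DFH$CAT2 issue described in the notes). The following Python script is an added example, not code from this post or from IBM. It parses a SIT override and reports every deviation from the starting point recommended above (SEC=YES, XTRAN=YES, DFLTUSER and GMTRAN set, every other X* switch explicitly NO), and it scans a command member for lines that leave a parenthesis open without a continuation character. The two SIT members and the two command members embedded in it are constructed samples; GRPLIST=DFHLIST, GROUP1 and the transaction names in them are illustrative values only.

```python
"""Offline sanity checks for two text artifacts from the CICS security setup:
a SIT override member (DFH$SIP1-style) and a TSO/RACF command member
(DFH$CAT1/DFH$CAT2-style) that continues long commands with a trailing '+'.
Added example with constructed sample input; not the post's or IBM's code."""
import re

# Starting point recommended in the thread: sign-on enforced, transaction
# checking on, every other CICS resource check switched off explicitly.
EXPECTED_SIT = {
    "SEC": "YES",
    "XTRAN": "YES",
    "DFLTUSER": "CICSUSER",
    "GMTRAN": "(CESN,DISCONNECT)",
}
OFF_SWITCHES = ("XPCT", "XFCT", "XCMD", "XJCT", "XDCT", "XPPT", "XPSB",
                "XTST", "XRES", "XUSER", "XAPPC", "XDB2", "XHFS")

# KEY=VALUE where VALUE is a parenthesised list or runs to the next comma
_SIT_PARAM = re.compile(r"([A-Z0-9]+)=(\([^)]*\)|[^,\s]*)")
# CLIST/TSO-style comments, stripped before the continuation check
_COMMENT = re.compile(r"/\*.*?\*/")


def parse_sit(text):
    """Return {PARAM: VALUE} from a SIT override member.
    An asterisk in column 1 marks a comment line; several parameters
    may share one line, separated by commas."""
    params = {}
    for raw in text.splitlines():
        if raw.startswith("*") or not raw.strip():
            continue
        for key, value in _SIT_PARAM.findall(raw.upper()):
            params[key] = value
    return params


def audit_sit(params):
    """List every deviation from the recommended starting point."""
    findings = []
    for key, want in EXPECTED_SIT.items():
        got = params.get(key)
        if got is None:
            findings.append(f"{key} not set; expected {key}={want}")
        elif got != want:
            findings.append(f"{key}={got}; expected {key}={want}")
    for key in OFF_SWITCHES:
        if params.get(key) != "NO":
            findings.append(f"{key} not explicitly set to NO (the setup sets "
                            f"every unused switch off rather than relying on the default)")
    return findings


def check_continuations(text):
    """Flag lines where a command is still open (unbalanced '(') but the
    line does not end with a '+' or '-' continuation character: the
    DFH$CAT2 defect noted above, an ADDMEM(...) list split across lines."""
    findings = []
    depth = 0
    continued = False
    for number, raw in enumerate(text.splitlines(), start=1):
        line = _COMMENT.sub("", raw).rstrip()
        if not line.strip():
            continue
        continued = line.endswith(("+", "-"))
        body = line[:-1] if continued else line
        depth += body.count("(") - body.count(")")
        if depth > 0 and not continued:
            findings.append(f"line {number}: '(' still open but no '+' at end of line: {line.strip()}")
    if continued:
        findings.append("last non-blank line ends with a continuation character")
    return findings


# Constructed samples: the override as shipped (security off) and after Action #8.
SHIPPED_SIT = """\
* constructed SIT override member as shipped: security switched off
SEC=NO,
GRPLIST=DFHLIST
"""
HARDENED_SIT = """\
* constructed SIT override member after the security setup
DFLTUSER=CICSUSER,GMTRAN=(CESN,DISCONNECT),SEC=YES,
XTRAN=YES,XPCT=NO,XFCT=NO,XCMD=NO,XJCT=NO,XDCT=NO,XPPT=NO,
XPSB=NO,XTST=NO,XRES=NO,XUSER=NO,XAPPC=NO,XDB2=NO,XHFS=NO,
GRPLIST=DFHLIST
"""
# Constructed command members in the style of DFH$CAT2; line 3 of BAD_MEMBER
# lacks the '+' that the ADDMEM list needs to continue onto line 4.
BAD_MEMBER = """\
/* constructed sample, not the IBM-supplied member */
RDEFINE GCICSTRN CAT2 UACC(NONE) OWNER(SYS1) +
        ADDMEM(CEDA,CEMT,CECI,
               CEBR,CEDF)
PERMIT CAT2 CLASS(GCICSTRN) ID(GROUP1) ACCESS(READ)
"""
GOOD_MEMBER = BAD_MEMBER.replace("CECI,\n", "CECI, +\n")

if __name__ == "__main__":
    for label, sit in (("shipped", SHIPPED_SIT), ("hardened", HARDENED_SIT)):
        print(f"SIT {label}: {audit_sit(parse_sit(sit)) or 'matches recommendation'}")
    for label, member in (("bad", BAD_MEMBER), ("good", GOOD_MEMBER)):
        print(f"member {label}: {check_continuations(member) or 'no continuation problems'}")
```

    Run it over copies of the members downloaded from the host; if the copies carry sequence numbers in columns 73-80, strip them first, because the continuation check looks for the '+' at the end of the line.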



  • 5.  RE: CICS RACF SECURITY

    Posted Mon July 26, 2021 01:01 PM
    Hi Paul, apologies for the bug in DFH$CAT2. Has it been reported, or would you like me to get that sorted?

    As you may be aware, we are in the process of refreshing the CICS Security Documentation (see https://www.ibm.com/docs/en/cics-ts/6.1_beta?topic=securing-new-doc) with the aim of making it more usable. While it is in the CICS Transaction Server 6.1 documentation, the bulk of it is valid for earlier releases. Hope you, and anyone else, find it useful; we would of course be grateful for any comments, good or bad.

    ------------------------------
    Andy Clifton
    ------------------------------



  • 6.  RE: CICS RACF SECURITY

    Posted Tue July 27, 2021 05:21 AM
    Hello,

    @Paul Newton
    thank you for this updated info for CICS 6.1; I haven't read it yet.

    But I agree in general: the most important - and probably the hardest - part is to ensure
    that every associated userid of a CICS task is somehow authenticated and trusted
    by RACF or any other ESM.

    For instance, if you have a qmgr connection in your CICS region,
    you might only want to permit the CICS region userid for MQQUEUE authority.
    This is done by activating the switch profile for facility class MQADMIN/MXADMIN
    and permitting the CICS region user with ACCESS(READ) in the RESLEVEL profile.

    In this particular case, every "trusted user" of every CICS task
    is permitted to access some queues, although none of these "trusted users"
    was permitted by the RACF admin explicitly.

    ------------------------------
    Magnus Duemke
    ------------------------------



  • 7.  RE: CICS RACF SECURITY

    Posted Mon July 26, 2021 12:49 PM
    Hi Paul,
    We are currently in the process of re-working the CICS Security Documentation, so you may find some of the information at https://www.ibm.com/docs/en/cics-ts/6.1_beta?topic=securing-new-doc of use. Let's be honest, that is the whole point of it! :-)

    Although this is in the CICS/TS 6.1 BETA documentation most of it is valid for all current releases. Naturally any comments on it are welcome.

    Best Regards

    ------------------------------
    Andy Clifton
    ------------------------------