Please review 'Notes' at the end before executing the Step-by-Step Actions
Recommendation: Allocate a PDS/E for the CICS security setup JCL and REXX routines that follow
Example: 'IBMUSER.CICS.SECURITY.SETUP'
Step-by-Step Actions assuming CICSTS55

Action #1  Submit the following JCL
//CICSUSER JOB 1
//* Define the default user (RESTRICTED: UACC and ID(*) do not apply to it)
//* and activate the CICS transaction member/grouping classes
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  AG DUMMY
  ADDUSER CICSUSER RESTRICTED OWNER(SYS1) DFLTGRP(DUMMY)
  SETR CLASSACT(GCICSTRN)
  SETR CLASSACT(TCICSTRN)
/*
Action #2  Copy DFH550.CICS.SDFHSAMP(DFH$CAT1) to IBMUSER.CICS.SECURITY.SETUP(DFH$CAT1)
Action #3  Copy DFH550.CICS.SDFHSAMP(DFH$CAT2) to IBMUSER.CICS.SECURITY.SETUP(DFH$CAT2)
Action #4  Edit IBMUSER.CICS.SECURITY.SETUP(DFH$CAT1)
  change
    SET ACCESSLIST = grp1 +
                     grp2 +
                     grp3
  to
    SET ACCESSLIST = GROUP1 +
                     GROUPZ
  save
Action #5  TSO EX 'IBMUSER.CICS.SECURITY.SETUP(DFH$CAT1)'
Action #6  TSO EX 'IBMUSER.CICS.SECURITY.SETUP(DFH$CAT2)'
Action #7  Submit the following JCL
//TCICSTRN JOB 1
//* Generic profile so every transaction not covered by a more specific
//* profile (e.g. the CAT1/CAT2 groupings) is allowed: UACC(READ)
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE TCICSTRN * UACC(READ)
/*
Action #8  Edit DFH550.SYSIN(DFH$SIP1)
DFLTUSER=CICSUSER,          << add
GMTRAN=(CESN,DISCONNECT),   << add
SEC=YES,                    << change from NO
XPCT=NO,                    << add
XTRAN=YES,                  << add
XFCT=NO,                    << add
XCMD=NO,                    << add
XJCT=NO,                    << add
XDCT=NO,                    << add
XPPT=NO,                    << add
XPSB=NO,                    << add
XTST=NO,                    << add
XRES=NO,                    << add
XUSER=NO,                   << add
XAPPC=NO,                   << add
XDB2=NO,                    << add
XHFS=NO,                    << add
save
Action #9  From SDSF
/C CICSTS55
/S CICSTS55,START=INITIAL
Backout Plan
If there is a problem, backout is simple
Edit DFH550.SYSIN(DFH$SIP1)
DFLTUSER=CICSUSER << remove
GMTRAN=(CESN,DISCONNECT) << remove
SEC=NO << change from YES
Save
Restart CICSTS55
Notes:
The PDF below provides details about securing additional CICS managed resources
https://www.ibm.com/docs/en/SSGMCP_5.5.0/pdf/security-guide_pdf.pdf
Significant detail about the above Step-by-Step is in the above PDF
An issue was discovered with DFH$CAT2
Review line 182, which begins with ADDMEM
A + is needed at the end of that line to be a valid continuation
Review RACF commands in DFH$CAT1 and DFH$CAT2
RACF PERMIT and RALT commands can be used to adjust the applied CICS security
In rare cases routine CICS maintenance will add a new CICS supplied transaction.
If the new CICS supplied transaction is involved with CICS initialization, then
CICS initialization will fail. The remedy is simple. Review the CICS log output, where
the name of the transaction that caused the initialization failure is written,
then issue the RACF commands:
RALT GCICSTRN CAT1 ADDMEM(new-transaction)
SETR REFRESH RACLIST(GCICSTRN)
.. start CICS
HLQ DFH550 is associated with CICSTS55
HLQ DFH560 is associated with CICSTS56
------------------------------
Paul Newton
------------------------------
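The following is an added example, not code from the thread or from the CICS samples. It models the RACF access decision that CICS drives for every transaction attach once SEC=YES and XTRAN=YES are in effect, using the objects the step-by-step above creates: the RESTRICTED default user CICSUSER in group DUMMY, the generic TCICSTRN * UACC(READ) profile, and a GCICSTRN grouping profile CAT1 permitted to GROUP1 and GROUPZ. The transaction IDs placed in CAT1, the CAT2OPER profile for CEMT/CEDA, the explicit CESN PERMIT to DUMMY, the region userid CICSREG and the ISV transaction VTX1 are all assumptions; the profile-matching order (discrete, then grouping membership, then most specific generic) is a simplification of RACF. The point it shows is that a RESTRICTED user gets nothing from UACC or ID(*), so the default user only reaches a transaction such as the sign-on transaction through an explicit access-list entry, while every other user reaches unprotected ISV transactions through the * profile.

```python
"""Model of the RACF check CICS makes on transaction attach (SEC=YES, XTRAN=YES).

Added example. Names other than CICSUSER, DUMMY, GROUP1, GROUPZ, CAT1 and the
generic * profile are constructed; the matching order is a simplification.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ACCESS_LEVELS = ("NONE", "READ", "UPDATE", "CONTROL", "ALTER")


def at_least(granted: str, required: str) -> bool:
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(required)


@dataclass
class Profile:
    name: str                                  # TCICSTRN resource or GCICSTRN group name
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)    # PERMIT ... ID(x) ACCESS(level)
    members: frozenset = frozenset()           # non-empty => GCICSTRN grouping profile

    def covers(self, tran: str) -> bool:
        return tran in self.members if self.members else fnmatchcase(tran, self.name)


@dataclass
class User:
    userid: str
    groups: frozenset
    restricted: bool = False                   # ADDUSER ... RESTRICTED


def best_profile(profiles, tran):
    """Discrete profile first, then grouping membership, then the most specific generic."""
    for p in profiles:
        if not p.members and p.name == tran:
            return p
    for p in profiles:
        if p.members and tran in p.members:
            return p
    generics = [p for p in profiles if not p.members and p.covers(tran)]
    return max(generics, key=lambda p: len(p.name.rstrip("*")), default=None)


def check_access(profiles, user, tran, required="READ"):
    """Return (allowed, reason) for an attach of `tran` by `user`."""
    prof = best_profile(profiles, tran)
    if prof is None:
        return None, "no profile covers the transaction"          # not exercised here
    if user.userid in prof.acl:                                   # userid entry beats group entries
        lvl = prof.acl[user.userid]
        return at_least(lvl, required), f"{prof.name}: ID({user.userid}) ACCESS({lvl})"
    group_levels = [prof.acl[g] for g in user.groups if g in prof.acl]
    if group_levels:
        lvl = max(group_levels, key=ACCESS_LEVELS.index)
        return at_least(lvl, required), f"{prof.name}: group access {lvl}"
    if user.restricted:                                           # RESTRICTED: no UACC, no ID(*)
        return False, f"{prof.name}: user is RESTRICTED, UACC/ID(*) ignored"
    if "*" in prof.acl:
        lvl = prof.acl["*"]
        return at_least(lvl, required), f"{prof.name}: ID(*) ACCESS({lvl})"
    return at_least(prof.uacc, required), f"{prof.name}: UACC({prof.uacc})"


# Constructed profiles mirroring the thread's setup (CAT1 members, CAT2OPER and CESN are assumed).
THREAD_PROFILES = [
    Profile("*", uacc="READ"),                                    # Action #7: RDEFINE TCICSTRN * UACC(READ)
    Profile("CAT1", acl={"GROUP1": "READ", "GROUPZ": "READ"},     # DFH$CAT1 after Action #4; the CICS
            members=frozenset({"CSSY", "CATA"})),                 # region userid must be in one of these
    Profile("CAT2OPER", acl={"GROUP1": "READ"},                   # assumed DFH$CAT2-style profile
            members=frozenset({"CEMT", "CEDA"})),
    Profile("CESN", acl={"DUMMY": "READ"}),                       # assumed PERMIT for the default user
]
THREAD_USERS = {
    "CICSUSER": User("CICSUSER", frozenset({"DUMMY"}), restricted=True),   # Action #1
    "CICSREG": User("CICSREG", frozenset({"GROUP1"})),                     # assumed region userid
    "DEV1": User("DEV1", frozenset({"GROUP1"})),
    "DEV2": User("DEV2", frozenset({"GROUPZ"})),
}


def demo():
    cases = [("DEV1", "CEMT"), ("DEV2", "CEMT"), ("DEV2", "VTX1"),
             ("CICSUSER", "VTX1"), ("CICSUSER", "CESN"), ("CICSREG", "CSSY")]
    return {(u, t): check_access(THREAD_PROFILES, THREAD_USERS[u], t) for u, t in cases}


if __name__ == "__main__":
    for (u, t), (ok, why) in demo().items():
        print(f"{u:9} {t:5} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Run it and compare the CICSUSER/VTX1 and DEV2/VTX1 lines: the same * UACC(READ) profile decides both, but only the non-restricted user gets access from it. If the default user must run anything beyond sign-on (for example under GMTRAN), that transaction needs its own PERMIT as well.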
Original Message:
Sent: Thu July 22, 2021 11:29 AM
From: Paul Newton
Subject: CICS RACF SECURITY
Hi Vinnie,
While Magnus provided the professional documentation, I plan to post a step-by-step to get started as it relates to Dallas Z ISV RDP systems early next week.
In RACF security terminology, CICS is a resource manager. Resource manager security can be enabled or disabled. Dallas Z ISV RDP-provided CICS security is disabled.
Why?
CICS manages many resources where enabling security requires decisions about which specific CICS resources to secure. Many of the CICS resources need not be secured because securing all resources would increase CICS security administration related to which of your company CICS developers are allowed to access which of the many protected CICS resources.
Recommendation:
Enable CICS RACF security requiring
1) Signon to CICS using a RACF-assigned ID and password
2) Execution protection of specific CICS-supplied transactions
3) Enable all ISV application transactions
The above recommendation is an excellent starting point for assisting with future decisions such as protecting other CICS-managed resources, protecting specific ISV application transactions, and enabling company CICS developers to access specifically protected CICS-supplied transactions such as CEDA, CEMT, etc.
------------------------------
Paul Newton
Original Message:
Sent: Wed July 21, 2021 05:38 AM
From: Magnus Duemke
Subject: CICS RACF SECURITY
Hello Vincent,
What about the IBM Knowledge Center?
Please read carefully all the chapters in section "Securing"
of "CICS Transaction Server for z/OS".
e.g. for CICSTS V5.5 see https://www.ibm.com/docs/en/cics-ts/5.5?topic=securing
Everything is described there in detail from protecting CICS Resources to
Authentication mechanisms.
------------------------------
Magnus Duemke
Original Message:
Sent: Tue July 20, 2021 04:37 PM
From: Vincent Caffarello
Subject: CICS RACF SECURITY
Can you post instructions for CICS RACF security
Regards
Vincent J. Caffarello
Software Engineer IV
Vertex Inc.