Defining CICS to CA Top Secret › Installing CA Top Secret in CICS

Installing CA Top Secret in CICS

The CA Top Secret CICS interface requires the CA Common Services for z/OS CAIENF product to be installed and activated. CAIENF CICS installs CA Top Secret intercepts and drives CA Top Secret CICS during security‑related events. Without CAIENF, CA Top Secret CICS does not function. For CAIENF to operate properly, establish support for all the active CICS releases at your site by setting the CAIENF parameter file (ENFPARM).

Example: Intercept CICS Startup to Install the CA Security Interface

This example causes ENF to intercept CICS startup in CTS 3.1, CTS 3.2, CTS 4.1, CTS 4.2, CTS 5.1, and CTS 5.2 to install the CA security interface:

MODE(CICS,ON)
CICSREL(64,65,66,67,68,69)

64

Refers to CICS TS Release 3.1.

65

Refers to CICS TS Release 3.2.

66

Refers to CICS TS Release 4.1.

67

Refers to CICS TS Release 4.2.

68

Refers to CICS TS Release 5.1.

69

Refers to CICS TS Release 5.2

Note: For information about related parameters and ENF operation, see the CA Common Services for z/OS Getting Started.

After Installation

After CA Top Secret has been successfully installed:

• Set CA Top Secret control options for CICS security processing in the Facilities Matrix.
• Define the region control ACID for the CICS region and associate it with the appropriate MASTFAC parameter.
• Define CICS as a started task (STC) or a batch job in the CA Top Secret environment.

CICS Installation

To install CA Top Secret in your CICS system:

• Confirm that appropriate CICS components have been installed in your SMP/E environments for CA Top Secret and for CA Common Services for z/OS.
• Ensure that the ENF CICSREL parm includes initiation of support for the release of CICS in question.
• Ensure that the CAILOAD for CA Top Secret has been included in the system link list or in the STEPLIB of the CA Common Services ENF started task JCL.

  Failure to properly install and configure a CICS release in CA software often results in the absence of successful phase initiation messages for phase 0, phase 1, and phase 2 initiation messages at CICS start‑up. Assure that these messages indicate successful interface initiation.

• Verify that the SDT has been initialized if you are using Record or Screen Level Protection (RLP/SLP).
• Any program defined in the CSD job displays in the chapter, “CSD PROGRAM and TRANSACTION Sample Entries” and must be in the DFHRPL library. This is normally assured by adding the CA Top Secret CAILOAD to DFHRPL.

  Whenever you apply an upgrade to CA Top Secret, update the affected modules for the programs defined in the CSD and in the appropriate library in the DFHRPL.

  Optional exit programs may be assembled and linked to customize certain CICS security operations. For information, see the section "CA Top Secret CICS Exits”.

• Set CICS security parameters in the CICS tables or define CA Top Secret FACILITY sub-options for controlling CICS security processing in the Facility Matrix table.
• Activate your CICS region. A series of CA Top Secret messages display indicating the phase of initiation for the region; to view the region's security parameters, issue transaction TSEU=INSTALL. A list of these messages appear in the chapter, “CICS Installation Checklist.”

Modify the PLTPI Table for the TSSCPLT Initialization Check Program (Optional)

You can optionally execute the TSSCPLT program during the PLTPI processing phase to ensure that the CICS interface security has been properly initialized in a CICS region.

Typically, initialization failure occurs because of:

• Incorrect or incomplete installation of the CICS interface
• Failure to start the CAIENF started procedure on your system

TSSCPLT verifies that:

• CA Top Secret is installed on the LPAR
• CA Top Secret CICS control blocks are initialized
• CA Top Secret Data Control Module (DCM) has been properly installed into the CAIENF database

If TSSCPLT detects that the CICS interface:

• Has successfully initialized, it issues informational message TSS6160
• Has not properly initialized, it issues message TSS6161 and abends the region with a user abend code, U1800

To check CICS region initialization processing

1. Define a new or modify an existing PLTPI table to include the TSSCPLT program. CAI.CAKOJCL0(TSSCPLT) contains the sample PLTPI table definition:.

   DFHPLTxx TITLE ‘PLTPI-xx PLTPI TABLE’
   DFHPLT TYPE=INITIAL,SUFFIX=xx 
   DFHPLT TYPE=ENTRY,PROGRAM=DFHDELIM 
   DFHPLT TYPE=ENTRY,PROGRAM=TSSCPLT 
   DFHPLT TYPE=FINAL
   

   Notes:

   • The DFHPLT TYPE=ENTRY,PROGRAM=DFHDELIM entry is necessary to delimit PLTPI processing done between the first and second phases of PLTPI processing. The TSSCPLT program must execute in the second phase of PLTPI processing.
   • The SUFFIX=xx definition specifies the suffix of the PLTPI table that is created
2. Assemble and link-edit TSSCPLT.
3. Define a CICS RDO program definition for the TSSCPLT program. This was done automatically if you executed the TSSCSD job in the task "Update RDO Definitions". If you skipped this task, use the RDO command:

   DEFINE PROGRAM(TSSCPLT) GROUP(TOSGRP)DESCRIPTION(CA TSS CICS INITIALIZATION VERIFICATION) LANGUAGE(ASSEMBLER) RELOAD(NO) EXECKEY(CICS)RESIDENT(NO) USAGE(NORMAL) USELPACOPY(NO) STATUS(ENABLED) CEDF(NO) DATALOCATION(ANY)
   

4. Define the PLTPI table module to CICS with a program definition in the CICS RDO file.
5. Specify the table to CICS with the keyword:

   PLTPI=xx
   

   xx

   The suffix of the DFHPLTxx table module created in step 1.

   This keyword can be specified in:

   • The DFHSIT table (DFHSIT overrides the CICS execution JCL)
   • The CICS SYSIN file (if used)

For information on DFHPLT tables, see the IBM CICS Transaction Server for z/OS System Definition Guide.