Since a CICS region begins its execution as a batch job or a started task, a CA Top Secret ACID must be associated with each CICS region. This ACID must be able to access the BATCH or STC facility, and must be authorized to all z/OS data sets used within the region, since these data sets are opened by CICS itself. This ACID is referred to as the CICS region control ACID. The ACID is associated with the region via the USER=acidname parameter in the JCL for a CICS region initiated as a BATCH job, or via the CA Top Secret STC table for a region initiated as a started task.
Examples: defining CICS control ACID
This example defines a region ACID and associates a CICS region ACID (CICSP1) with the CICSPROD default facility:
TSS CREATE(CICSP1) NAME('CICS PRODUCTION REGION')
FACILITY(BATCH,STC)
PASSWORD(xxxx,0)
DEPARTMENT(deptacid)
MASTFAC(CICSPROD)
NORESCHK
NOLCFCHK
NODSNCHK
NOVOLCHK
NOSUBCHK
SOURCE(INTRDR)
This example defines a region ACID and associates a CICS region ACID (CICST1) with the CICSTEST default facility:
TSS CREATE(CICST1) NAME('CICS TEST REGION')
FACILITY(BATCH,STC)
PASSWORD(xxxx,0)
DEPARTMENT(deptacid)
MASTFAC(CICSTEST)
NORESCHK
NOLCFCHK
NODSNCHK
NOVOLCHK
NOSUBCHK
SOURCE(INTRDR)
FACILITY(BATCH,STC): You must specify BATCH as a facility if CICS is submitted as a job or if batch jobs are submitted by CICS. Batch job submission also requires the ASUBM FACILITY suboption. You only need to specify the STC facility if you plan to start CICS as a started task.
SOURCE(INTRDR): Prevents started tasks for the region ACID except through the internal reader.
MASTFAC: Must be specified with the CICS region. Users cannot log on unless MASTFAC is added to their user or profile record. For information, see the chapter, “Implementing Security”.
The following bypass attributes limit the involvement of the region ACID in security checking. If you do not bypass the resources and transactions for the region ACID, then the region ACID will require the permission for every resource and transaction available to users of the region.
PASSWORD: Defines the region ACID with a password. CA recommends that all started task ACIDs be defined in the STC table and that OPTIONS(4) be set in the security parameter file, so that there is no password prompt when the STC is started, but the password must be entered if someone tries to sign on using that ACID.
NODSNCHK: Prevents DSN checking at OPEN time. If you do not specify NODSNCHK, all data sets (FCTs), journals (JCTs), extra‑partition destinations (DCTs), libraries (STEPLIBs and DFHRPLs) and CICS system files (RDO, DUMP, TEMPSTOR, and so on) must be permitted to the region control ACID. With dynamic FCT and DSN checking, this explicit permission might not be desirable; it is recommended for production regions only.
If DSNCHECK is set in facility, RES must also be specified.
NOLCFCHK: Bypasses LCF checking.
NORESCHK: Bypasses security checking for owned resources, including OTRAN, PPT, and so on.
NOSUBCHK: Allows jobs to be submitted to batch without the ACID authorizations normally required.
NOVOLCHK: Used to prevent volume problems for tape journals against the region ACID.
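A review aid for region ACID definitions like the ones above, added here as an example (it is not CA's code): it parses the text of a TSS CREATE command and reports which bypass attributes are in effect and which of the settings described on this page are missing. The function names and the CICSX1 sample are hypothetical; the script inspects command text only and does not query CA Top Secret.

```python
import re

# Bypass attributes from the page, with what applies to the region ACID
# when the attribute is left off.
BYPASS = {
    "NODSNCHK": "permit data sets, journals, libraries and CICS system files",
    "NOLCFCHK": "LCF checking is not bypassed",
    "NORESCHK": "permit owned resources (OTRAN, PPT, and so on)",
    "NOSUBCHK": "normal ACID authorizations needed to submit batch jobs",
    "NOVOLCHK": "volume checks apply to tape journals",
}

def parse_tss(command):
    """Return {KEYWORD: [operands]}; a bare keyword maps to an empty list."""
    parsed = {}
    for key, args in re.findall(r"([A-Z]+)(?:\(([^)]*)\))?", command.upper()):
        parsed[key] = [a.strip() for a in args.split(",") if a.strip()]
    return parsed

def review_region_acid(command):
    """List the bypasses in effect and the points a reviewer should follow up."""
    p = parse_tss(command)
    findings = []
    if not {"BATCH", "STC"} & set(p.get("FACILITY", [])):
        findings.append("FACILITY: neither BATCH nor STC is specified")
    if not p.get("MASTFAC"):
        findings.append("MASTFAC: must be specified with the CICS region")
    if p.get("SOURCE") != ["INTRDR"]:
        findings.append("SOURCE(INTRDR) not set: ACID is not restricted to the internal reader")
    for attr, need in BYPASS.items():
        if attr not in p:
            findings.append(f"{attr} not set: {need}")
    return {"acid": p.get("CREATE", ["?"])[0],
            "bypasses": sorted(a for a in BYPASS if a in p),
            "findings": findings}

# The page's CICSP1 definition, and a constructed variant (CICSX1 is a
# hypothetical ACID) that omits MASTFAC, SOURCE and two bypass attributes.
PAGE_DEF = """TSS CREATE(CICSP1) NAME('CICS PRODUCTION REGION')
FACILITY(BATCH,STC) PASSWORD(xxxx,0) DEPARTMENT(deptacid) MASTFAC(CICSPROD)
NORESCHK NOLCFCHK NODSNCHK NOVOLCHK NOSUBCHK SOURCE(INTRDR)"""
CONSTRUCTED_DEF = """TSS CREATE(CICSX1) NAME('CONSTRUCTED SAMPLE')
FACILITY(STC) PASSWORD(xxxx,0) DEPARTMENT(deptacid)
NORESCHK NOLCFCHK NOVOLCHK"""

if __name__ == "__main__":
    for definition in (PAGE_DEF, CONSTRUCTED_DEF):
        print(review_region_acid(definition))
```

The "bypasses" list is the part to keep with change records: every attribute in it is a class of checks the region ACID skips.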
Notes:
Web Initialization with Java for CTS 2.2 and above requires that you add OMVS security parameters to properly initialize the CICS region. Minimally, we recommend the following:
tss add(cicsnnt) group(omvsgrp)
dfltgrp(omvsgrp)
uid(0) home(/)
omvspgm(/bin/sh)
If OMVS parameters are not present, you experience a SEC6 ABEND during CICS initialization. Although CICS continues to initialize, full initialization of the web interface is curtailed and might not be secure. Ensure that the region ACID has fully defined its OMVS parameters and recycle the region.
OMVS information is also required on the CICS DFLTUSER ACID. It is not necessary to give superuser status to the DFLTUSER:
tss add(cicsuser) group(omvsgrp)
dfltgrp(omvsgrp)
uid(314159)
home(/)
omvspgm(/bin/sh)
Ensure that access permission is granted to the HOME and OMVSPGM directories.
Copyright © 2014 CA Technologies.
All rights reserved.