

SIT Security Parameter Settings

SIT security parameter settings recognized by CA Top Secret are listed on the following pages. Any other settings are not recognized.

CMDSEC=

Indicates whether to accept the CMDSEC value.

ASIS

The CMDSEC value is honored for all transactions; corresponds to PCTCMDSEC=HONOR.

ALWAYS

The CMDSEC value is overridden for all transactions and SPI security checking is forced; corresponds to PCTCMDSEC=OVERRIDE.

EJBROLEPRFX=ejbrole-prefix

Specifies a prefix that is used to qualify the security role defined in an enterprise bean's deployment descriptor. The prefix is applied to the security role when an application invokes the isCallerInRole() method.

You can specify a prefix of up to 16 characters. The prefix must not contain a period (.) character. If you specify a prefix that contains lowercase characters, blanks, or punctuation characters, you must enclose it in apostrophes. If the prefix contains an apostrophe, code two successive apostrophes to represent it.

Note: The EJBROLEPRFX parameter is ignored if security role support is not enabled. To enable security role support you must specify SEC=YES and XEJB=YES.

Mixed case is not supported under CA Top Secret r8 and above when the prefix is set with the Facility sub option EJBRPRFX. Mixed case is supported if you instead specify EJBROLEPRFX in the CICS SIT and set FACMATRX=NO, so that the SIT value is used.

RESSEC=

Indicates whether to accept the RESSEC value.

ASIS

The RESSEC value is honored for all transactions.

ALWAYS

The RESSEC value is overridden for all transactions and resource security checking is forced.

Note: If FACMATRX=YES, RESSEC is set to OVERRIDE.

SEC=

Indicates whether CA Top Secret is active for this region.

YES

It is active for this region; corresponds to EXTSEC=YES.

NO

It is inactive; corresponds to EXTSEC=NO.

SNSCOPE=

Indicates whether a user is restricted from signing on multiple times within the designated scope. Valid values include:

NONE

(Default) No duplicate checking. This value is forced when either SNSCOPE=CICS or SNSCOPE=NONE is found in the SIT during region initialization, so that the SIGNMULTI attribute of the ACID can be enforced instead of the CICS check.

CICS

Duplicate signons disallowed within the CICS region (with exceptions for the region ACID, DFLTUSER and PLTUSER, as well as for MRO signons). When set, this value is altered to NONE by CA Top Secret. Duplicate signon enforcement within a CICS region should instead be set with SIGN(S) on the MASTFAC facility of the CICS region ACID.

MVSIMAGE

Duplicate signons disallowed for CICS regions in the same MVS image. Some anomalies might occur where CA Top Secret successfully signs the user on but the signon is later rejected by CICS due to this setting. So that there is no contradiction between CICS and CA Top Secret enforcement, SIGN(M) should be used on the associated CICS region ACID MASTFAC facility.

SYSPLEX

Duplicate signons disallowed for CICS regions in the same SYSPLEX. Some anomalies might occur where CA Top Secret successfully signs the user on, but the signon is later rejected by CICS due to this setting. So that there is no contradiction between CICS and CA Top Secret enforcement, SIGN(M) should be used on the associated CICS region ACID MASTFAC facility.

XAPPC=

Indicates whether APPC session security can be used.

YES

Session security is used.

NO

Session security is not used.

XCMD=

Indicates whether EXEC CICS commands are checked by CA Top Secret.

YES

All SPI commands are checked.

NO

SPI commands are not checked.

SPI commands include both CEMT commands and EXEC CICS SPI commands from an application program.

XDB2=

Indicates whether DB2 resource access (DB2ENTRY and DB2TRANS) is checked by CA Top Secret.

CTSDB2

The DB2ENTRY and DB2TRANS resource checks are performed under one of the following two conditions:

  • CICS FACILITY FACMATRX=YES and XDB2=YES.
  • CICS FACILITY FACMATRX=NO and CICS SIT XDB2=CTSDB2.

NO

Checking is not performed by CA Top Secret.

XDCT=

Indicates whether transient data entries are checked by CA Top Secret.

YES

Transient data entries for this region are checked.

NO

Transient data entries for this region are not checked.

XEJB=

Specifies whether support of security roles is enabled.

YES

CICS support for security roles is enabled:

  • When an application invokes a method of an enterprise bean, CICS calls the external security manager to verify that the userid associated with the transaction is defined in at least one of the security roles associated with the method.
  • When an application invokes the isCallerInRole() method, CICS calls the external security manager to determine whether the userid associated with the transaction is defined in the role specified on the method call.

NO

CICS support for security roles is disabled:

  • CICS does not perform enterprise bean method level checks, allowing any userid to invoke any enterprise bean method.
  • The isCallerInRole() method always returns a value of TRUE.

Note: To enable security role support, you must also specify SEC=YES.

XFCT=

Indicates whether File Control entries for the region are checked by CA Top Secret.

YES

File control entries for this region are checked.

NO

File control entries for this region are not checked.

XHFS=

(CTS 3.2 and above) Indicates whether CICS performs security checking for web client access to HFS files. Valid values are YES and NO.

XJCT=

Indicates whether journal entries are checked for this region by CA Top Secret.

YES

Journal control entries for this region are checked.

NO

Journal control entries for this region are not checked.

XPCT=

Indicates whether EXEC‑started transactions for this region are checked by CA Top Secret.

YES

Tranids specified on EXEC CICS START, INQ, SET, DISCARD, and COLLECT STATISTICS commands for this region are checked.

NO

Tranids specified on EXEC CICS START, INQ, SET, DISCARD, and COLLECT STATISTICS commands for this region are not checked.

XPPT=

Indicates whether program entries for this region are checked by CA Top Secret.

YES

Program entries for this region are checked.

NO

Program entries for this region are not checked.

XPSB=

Indicates whether PSB entries for this region are checked by CA Top Secret.

YES

Database PSB entries for this region are checked.

NO

Database PSB entries for this region are not checked.

XRES=

(CTS 3.2 and above) Indicates whether CICS document templates (DOCTEMPLATE resource definitions) are checked. Valid values are YES and NO.

XTRAN=

Indicates whether attached transaction entries for this region are checked by CA Top Secret.

YES

Transaction entries for this region are checked prior to execution.

NO

Transaction entries for this region are not checked prior to execution.

XTST=

Indicates whether temporary storage entries for this region are checked by CA Top Secret.

YES

Temporary storage keys for this region are checked.

NO

Temporary storage keys for this region are not checked.

XUSER=

Indicates whether surrogate user checking is performed by CA Top Secret.

YES

Performs surrogate user checking, including non‑terminal (background) level security.

NO

Does not perform surrogate user checking.

Note: Except for XTRAN, XAPPC, XUSER and XCMD, the XPARMS are in effect only when RESSEC=YES is specified on the transaction or PCTRESSEC=OVERRIDE (RESSEC=ALWAYS in the SIT) is in effect. XCMD checking is governed in the same way by CMDSEC=YES on the transaction or PCTCMDSEC=OVERRIDE (CMDSEC=ALWAYS in the SIT).
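The following SIT override member is an added example, not part of the CA Top Secret documentation, showing a region that turns on every class of checking described above. The APPLID and the region name are placeholders; the EXEC statement and the other DD statements of the startup JCL are omitted except for SYSIN. The FACMATRX setting referred to in the comments lives on the CA Top Secret CICS facility, not in the SIT, so XDB2=CTSDB2 only takes effect with FACMATRX=NO on the facility.

```jcl
//*  Fragment of the region startup JCL (added example): only the
//*  statements that carry the SIT overrides are shown.
//CICSPROD EXEC PGM=DFHSIP,REGION=0M,PARM='SYSIN'
//SYSIN    DD *
* Placeholder APPLID; the external security manager is CA Top Secret
APPLID=CICSPROD,
SEC=YES,
* Attach, command and surrogate checks are independent of RESSEC
XTRAN=YES,
XCMD=YES,
CMDSEC=ALWAYS,
XUSER=YES,
XAPPC=YES,
* Force resource checking so RESSEC=NO on a transaction cannot bypass it
RESSEC=ALWAYS,
XFCT=YES,
XPPT=YES,
XPCT=YES,
XDCT=YES,
XJCT=YES,
XTST=YES,
XPSB=YES,
* DB2ENTRY/DB2TRANS checks; requires FACMATRX=NO on the CICS facility
XDB2=CTSDB2,
* Only meaningful if the region hosts enterprise beans;
* EJBROLEPRFX is ignored unless SEC=YES and XEJB=YES
XEJB=YES,
* CTS 3.2 and above
XHFS=YES,
XRES=YES,
* Duplicate signon is enforced by SIGN(S)/SIGN(M) on the region ACID's
* MASTFAC facility; CICS or NONE here is forced to NONE anyway
SNSCOPE=NONE,
.END
/*
```

Any SIT keyword not listed in this topic is passed through to CICS unchanged but is not acted on by CA Top Secret, so a region audit should compare the override member against this list rather than assume every X-parameter is enforced by the external security manager.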

Update the Signon Transaction Definition (PCT)

The signon transaction should be excluded from CICS SPURGE processing. Transactions defined with SPURGE(YES) can be purged by CICS during periods of stress (for example, short-on-storage). This is not desirable for signon, because a signon that is purged at the same moment CA Top Secret is returning the user's signon environment can lead to abends or storage overlays.

Copy CESN from the IBM-supplied group to a group you maintain, and alter its SPURGE attribute to NO.
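As an added example (not from the original page), the copy-and-alter step above expressed as a DFHCSDUP batch job. The IBM-supplied group that holds CESN is DFHSIGN; the user group USRSIGN, the list USRLIST, the job card and the data set names are placeholders.

```jcl
//CSDUPD   JOB (ACCT),'CESN SPURGE(NO)',CLASS=A,MSGCLASS=X
//*  Added example: placeholder job card and data set names
//CSDUP    EXEC PGM=DFHCSDUP,REGION=0M
//STEPLIB  DD DSN=CICSTS.SDFHLOAD,DISP=SHR
//DFHCSD   DD DSN=CICS.PROD.DFHCSD,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
* Take CESN out of the IBM-supplied group into one you maintain
COPY TRANSACTION(CESN) GROUP(DFHSIGN) TO(USRSIGN)
* Keep the signon transaction out of stress-time purging
ALTER TRANSACTION(CESN) GROUP(USRSIGN) SPURGE(NO)
* Make the group part of the startup list so it overrides DFHSIGN
ADD GROUP(USRSIGN) LIST(USRLIST)
* Show the result for the job log
LIST GROUP(USRSIGN) OBJECTS
/*
```

USRLIST must follow DFHLIST in the region's GRPLIST so that the copied definition is installed after the IBM-supplied one and takes precedence. The new definition is picked up at the next initial or cold start, or immediately with CEDA INSTALL GROUP(USRSIGN).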