

CICSplex Support

CICSplex requires running a CMAS address space that is simply a modified CICS region, although it is not usually signed on to directly. Under most circumstances, IBM recommends that this CMAS region run unsecured, although there might be circumstances when signing on to it is required for diagnostic functions.

Internally, this region has its own transactions defined, some of which are prefixed TS, and thereby conflict with the CA Top Secret transactions for administration and debugging. To avoid problems, we recommend that the CMAS region is associated with a unique TYPE=CICS facility. You can then decide whether you want to run this facility with SEC=NO or to secure it.


Setting up CICSPLEX with Security Active

If you do secure it, you must allow the transactions prefixed TS to run unrestricted. This can normally be done by adding the prefix to the TRANID bypass list (the prefix may already be there).

Ensure that:

To activate CICSPLEX security

  1. Define a facility.
    FACILITY(USERn=NAME=CPSMFAC,TYPE=CICS)
    
  2. Create a region ACID:
    TSS CREATE(acid) TYPE(USER)
                     NAME(name)
                     DEPARTMENT(dept)  
                     FACILITY(STC,BATCH)
                     MASTFAC(CPSMFAC)  
                     PASSWORD(NOPW,0)
                     NORESCHK NODSNCHK NOVOLCHK
    
  3. Define the STC proc to the STC table with the region ACID that was created in step 2:
    TSS ADDTO(STC) PROCNAME(CPSMPROC)
                   ACID(acid)
    
  4. In SIT or SIT overrides, set SEC(YES).
  5. To define the CPSMOBJ, GCPSMOBJ, and CPSMXMP resources to the RDT, issue the following commands:
    TSS ADDTO(RDT) RESCLASS(CPSMOBJ)
                   RESCODE(xx)
                   ACLST(ALL,UPDATE,CONTROL,READ,NONE)
                   DEFACC(READ)
    
    TSS ADDTO(RDT) RESCLASS(GCPSMOBJ)
                   RESCODE(xx)
                   ACLST(ALL,UPDATE,CONTROL,READ,NONE)
                   DEFACC(READ)
    
    TSS ADDTO(RDT) RESCLASS(CPSMXMP)
                   RESCODE(xx)
                   ACLST(ALL,UPDATE,CONTROL,READ,NONE)
                   DEFACC(READ)
    
  6. If CICSplex administrator authorities are being checked, IBMFAC(BBM.) should be protected and permitted:
    TSS ADDTO(DEPTACID) IBMFAC(BBM.)
    TSS PERMIT(acid) IBMFAC(BBM.)
    
  7. Own and permit CPSMOBJ(OPERATE.), CPSMOBJ(MONITOR.), and CPSMOBJ(CONFIG.):
    TSS ADDTO(dept) CPSMOBJ(OPERATE.)
    TSS PERMIT(acid) CPSMOBJ(OPERATE.)
    TSS ADDTO(dept) CPSMOBJ(MONITOR.)
    TSS PERMIT(acid) CPSMOBJ(MONITOR.)
    TSS ADDTO(dept) CPSMOBJ(CONFIG.)
    TSS PERMIT(acid) CPSMOBJ(CONFIG.)
    TSS ADD(dept) CPSMOBJ(TOPOLOGY)
    TSS PER(acid) CPSMOBJ(TOPOLOGY)
    TSS ADD(dept) CPSMOBJ(WORKLOAD)
    TSS PER(acid) CPSMOBJ(WORKLOAD)
    TSS ADD(dept) CPSMOBJ(BAS)
    TSS PER(acid) CPSMOBJ(BAS)
    TSS ADD(dept) CPSMOBJ(ANALYSIS)
    TSS PER(acid) CPSMOBJ(ANALYSIS)
    

Updating Access to CPSMOBJ(TOPOLOGY)

The acid may need READ and UPDATE access to CPSMOBJ(TOPOLOGY). To update the access:

Authorizing Access to the Temporary Storage Pools

You can control access of temporary storage (TS) servers to the TS pools in the coupling facility. Each TS server can be started as a job or started task. The name of the TS queue pool for a TS server is specified at server startup. Each TS pool can only have one TS server running on each z/OS image in the sysplex. Two security checks are made against the TS server's userid (the userid the job or started task is running under). To ensure that the server passes these checks, execute the following commands:

TSS ADD(deptacid) IBMFAC(IXLSTR)
TSS ADD(deptacid) IBMFAC(DFHXQ)
TSS PERM(regionacid) IBMFAC(IXLSTR.DFHXQLS.TSPRODQS) ACC(ALL)
TSS PERM(regionacid) IBMFAC(DFHXQ.TSPRODQS) ACC(ALL)
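
A pre-flight check for a command deck assembled from the own-and-permit steps and the TS pool commands above, given here as an added example that is not part of the original page or the product: it flags any PERMIT whose resource has no ownership ADD earlier in the same deck. The ACIDs DEPT1 and CMASREG, the sample deck (its WORKLOAD permit is deliberately left unowned), and the handling of continuation lines are assumptions; ownership that already exists in the security file is not visible to the script.

```python
import re

# Constructed sample deck; DEPT1 and CMASREG are hypothetical ACIDs.
SAMPLE_DECK = """\
TSS ADDTO(DEPT1) IBMFAC(BBM.)
TSS PERMIT(CMASREG) IBMFAC(BBM.)
TSS ADDTO(DEPT1) CPSMOBJ(OPERATE.)
TSS PERMIT(CMASREG) CPSMOBJ(OPERATE.)
TSS PER(CMASREG) CPSMOBJ(WORKLOAD)
TSS ADD(DEPT1) IBMFAC(IXLSTR)
TSS PERM(CMASREG) IBMFAC(IXLSTR.DFHXQLS.TSPRODQS)
                  ACC(ALL)
"""

OWN_VERBS = {"ADD", "ADDTO"}     # both spellings appear on the page
QUALIFIERS = {"ACC", "ACCESS"}   # operands that do not name a resource

def parse_deck(text):
    """Return [(verb, acid, {keyword: operand})] for each TSS command.
    Assumption: a line that does not start with TSS continues the previous one."""
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"TSS\s", line, re.I):
            commands.append(line[3:])
        elif line and commands:
            commands[-1] += " " + line
    parsed = []
    for cmd in commands:
        pairs = re.findall(r"([A-Za-z]+)\(([^)]*)\)", cmd)
        if pairs:
            (verb, acid), rest = pairs[0], pairs[1:]
            parsed.append((verb.upper(), acid, {k.upper(): v for k, v in rest}))
    return parsed

def unowned_permits(text):
    """Return (acid, class, resource) for permits with no earlier ownership ADD.
    Assumption: ownership covers by prefix, as IXLSTR covers IXLSTR.DFHXQLS.TSPRODQS."""
    owned, findings = [], []
    for verb, acid, ops in parse_deck(text):
        resources = [(k, v) for k, v in ops.items() if k not in QUALIFIERS]
        if verb in OWN_VERBS:
            owned.extend(resources)
        elif verb.startswith("PER"):
            findings += [(acid, k, v) for k, v in resources
                         if not any(k == ok and v.startswith(ov) for ok, ov in owned)]
    return findings

if __name__ == "__main__":
    for acid, cls, res in unowned_permits(SAMPLE_DECK):
        print(f"PERMIT({acid}) {cls}({res}): no ownership ADD earlier in the deck")
```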