You can implement security for CICS initialization with either the DFHSIT security parameters or the equivalent CA Top Secret FACILITY suboptions.
You can set a FACILITY suboption called FACMATRX to indicate whether you are using the DFHSIT security parameters or the CA Top Secret FACILITY suboptions.
The advantages of using CA Top Secret FACILITY suboptions for security implementation are:
By setting FACMATRX=YES, the security administrator can control the security parameters for CICS initialization with CA Top Secret regardless of the security parameter settings in the DFHSIT table. This provides greater control over enforced security checking by CA Top Secret for CICS.
Both the DFHSIT security parameters and their CA Top Secret equivalent FACILITY suboptions are listed next. For a description of how to use the DFHSIT security parameters, see the IBM CICS/ESA System Definition Guide. See the Control Options Guide for information on how to specify FACILITY suboptions.
| DFHSIT Parameters | FACILITY Suboptions |
|---|---|
| | FACMATRX |
| SEC= | EXTSEC= |
| XAPPC= | XAPPC= |
| XCMD= | XCMD= |
| XDB2= | XDB2= |
| XDCT= | XDCT= |
| XFCT= | XFCT= |
| XHFS= | XHFS= |
| XJCT= | XJCT= |
| XPCT= | XPCT= |
| XPPT= | XPPT= |
| XPSB= | XPSB= |
| XRES= | XRES= |
| XTRAN= | XTRAN= |
| XTST= | XTST= |
| XUSER= | XUSER= |
| CMDSEC= | PCTCMDSEC= |
| RESSEC= | PCTRESSEC= |
| XEJB= | XEJB= |
| EJBROLEPRFX= | EJBRPFRX= |
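
When auditing a region, the precedence this page describes can be checked mechanically: with FACMATRX=YES the FACILITY suboptions are authoritative regardless of the DFHSIT, and with FACMATRX=NO the DFHSIT parameters are used. The following Python is an added example, not CA or IBM code; the function names and the dictionary input format are assumptions, and the sample values are constructed.

```python
# Added example. Parameter names come from the table on this page; the values
# passed in below are constructed samples, not settings from a real region.
SAME_NAME = ("XAPPC", "XCMD", "XDB2", "XDCT", "XFCT", "XHFS", "XJCT", "XPCT",
             "XPPT", "XPSB", "XRES", "XTRAN", "XTST", "XUSER", "XEJB")
# DFHSIT parameter -> equivalent FACILITY suboption (spelled as the page lists them)
SIT_TO_FACILITY = {"SEC": "EXTSEC", "CMDSEC": "PCTCMDSEC",
                   "RESSEC": "PCTRESSEC", "EJBROLEPRFX": "EJBRPFRX",
                   **{name: name for name in SAME_NAME}}


def resolve(sit, facility):
    """Return, per DFHSIT parameter, which source controls it and its value.

    FACMATRX=YES: the FACILITY suboption wins regardless of the DFHSIT value.
    FACMATRX=NO:  the DFHSIT value is used.
    A value of None means that source did not specify the parameter; no
    product default is assumed here.
    """
    facmatrx = facility.get("FACMATRX")
    if facmatrx not in ("YES", "NO"):
        raise ValueError(f"FACMATRX must be YES or NO, got {facmatrx!r}")
    report = {}
    for sit_name, fac_name in SIT_TO_FACILITY.items():
        sit_val, fac_val = sit.get(sit_name), facility.get(fac_name)
        if facmatrx == "YES":
            source, value, ignored = "FACILITY", fac_val, sit_val
        else:
            source, value, ignored = "DFHSIT", sit_val, fac_val
        report[sit_name] = {"source": source, "value": value, "ignored": ignored}
    return report


def drift(report):
    """Parameters set in both places with different values (audit these first)."""
    return sorted(n for n, r in report.items()
                  if None not in (r["value"], r["ignored"])
                  and r["value"] != r["ignored"])


def unset(report):
    """Parameters the controlling source leaves unspecified."""
    return sorted(n for n, r in report.items() if r["value"] is None)


if __name__ == "__main__":
    sit = {"SEC": "YES", "XTRAN": "YES", "XFCT": "YES", "XPPT": "NO"}  # constructed
    fac = {"FACMATRX": "YES", "EXTSEC": "YES", "XTRAN": "YES", "XFCT": "NO"}
    rep = resolve(sit, fac)
    print("drift:", drift(rep))
    print("XPPT controlled by", rep["XPPT"]["source"], "=", rep["XPPT"]["value"])
```

In the constructed sample, the DFHSIT shows XFCT=YES while the controlling FACILITY suboption is XFCT=NO, which is the kind of mismatch a review of the DFHSIT alone would miss.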
Disables resource checking, or selects and enables resource class checking, for CICS/DB2 keywords:
CICS performs security checking by substituting the SIT-specified resource class for the keyword. During initialization, when XDB2 specifies a resource class and FACMATRX=NO, CICS activates a profile for the specified class. It is the administrator's responsibility to ensure that the resource class specified by XDB2 has been defined to CA Top Secret. When XDB2 specifies a valid resource class, the administrator is also expected to provide security for IBMFAC(DFHDB2.) as documented by IBM in the CICS RACF Security Guide.
The Event Notification Facility (CAIENF) automatically calls CA Top Secret when any CICS resource is accessed. CA Top Secret then processes the call based on the FACILITY control option parameters set by your site.
You can eliminate unnecessary overhead by selectively disabling calls for CICS resources that are not protected by CA Top Secret.
To disable CAIENF/CICS calls:
Specify FACMATRX=NO to disable this process. CA Top Secret then uses the XPARMs specified in the DFHSIT.
You can construct two types of resource lists:
The following table details the keywords that the Bypass and Protect Lists support:
| Resource Keywords | Top Secret Keywords | Notes |
|---|---|---|
| SYSID | SYSID | See the chapter, “Security for a Multi-System Environment.” |
| TRAN | LCF, OTRAN | TRANS is an alias for TRAN. Transactions bypassed might be rejected because of secondary resource checks. |
| TRANID | LCF, OTRAN | Transactions bypassed in TRANID will also bypass secondary resource checks. |
| PCT | PCT | CICS started transaction and EXEC CICS commands: COLLECT STATISTICS TRAN, DISCARD TRAN, INQ TRAN, INQ REQID, SET TRAN, CANCEL TRAN. |
| LOCKTIME | LTIME, LTLOGOFF | The CA Top Secret LOCKTIME Bypass List has no effect on OPTIME implementation. |
| FCT | FCT | Facility DSNCHECK=NO. |
| DSNAME | DSNAME | Facility DSNCHECK=YES. |
| PSB | PSB | For IMS PSB resources defined through ISC. |
| SPI | SPI | For all SPI resource checking, including CEMT. |
| CEMT | CEMT | For CEMT verbs such as SET, INQUIRE. |
| DCT | DCT | CICS intra‑ and extra‑partition transient data destinations. |
| JCT | JCT | CICS system log and journals. |
| PPT | PPT | CICS program names. |
| TST | TST | CICS temporary storage destinations. |
| XRES | XRES | CICS Document templates. |

Copyright © 2014 CA Technologies. All rights reserved.