Defining Attach-time Security

Security for a Multi-System Environment › Defining Attach-time Security

Defining Attach-time Security

Attach‑time security allows incoming requests to attach to requested transactions. The session must be established. In addition to the link security check, a second check is made on behalf of the signed‑on user or the CICS region ACID, depending on the attach‑security specification.

The level of attach‑time security required for a remote system is specified in the ATTACHSEC parameter (for RDO) or the USERSEC parameter (for RDM), as shown in the following figure.

RDO definition              RDM definition
DEFINE                      DFHTCT TYPE=SYSTEM
CONNECTION(sysidnt)            ,SYSIDNT=name
GROUP(groupname)   .                                     .
ATTACHSEC({Local|              ,USERSEC=\{Local|
          Identify|             Identify|
          Verify|               Verify|
          Persistent|           Persistent|
          Mixidpe\}             Mixidpe\}

Attach Time Security Levels

There are five levels of attach‑time security:

LOCAL: Any requests from the remote system are checked only for Link authority. Set this parameter if CA Top Secret is not securing the remote region. LOCAL is the default.
IDENTIFY: Any requests from the remote system are checked not only for link authority, but also for the user who initiated the request. Set this parameter if CA Top Secret is securing the remote region.
VERIFY: Every attach request requires a user identifier and a user password.
PERSISTENT: Requires a user identifier and user password with the first attach request for a new user. Any subsequent attach requests for the same user only requires a user identifier. The first attach signs the user on, even if the attach is not authorized to attach the transaction. Set this parameter if CA Top Secret is securing the destination region (LU6.2 only).
MIXIDPE: Specifies that the signon level for the remote user is determined by parameters sent with the attach request. The possibilities are: no signon, signon with password, signon without password. Set this parameter if CA Top Secret is securing the destination region ACID (LU6.2 only).

Note: You cannot specify VERIFY, PERSISTENT, or MIXIDPE on MRO links. These are LU6.2 (ISC) only.

Monitoring Type 71 RACF Event Notifications (ENF)

The ENF 71 function under z/OS enables communication between administrators and applications. Beginning with z/OS 1.11 and CICS 4.1, CICS monitors type 71 RACF ENF signals. CA Top Secret immediately sends an ENF signal to CICS when a security administrator makes the following changes:

Suspends a signed-on remote user or a signed-on user who is not directly using a physical terminal or console
Adds or removes the profile for a signed-on remote user or a signed-on user who is not directly using a physical terminal or console
When the profile addition or removal occurs and CICS receives a new attach request for a user ID, CICS performs an implicit signon for the user ID and uses the new profile information. Existing tasks for the user continue with the profile that was valid when the task was attached.
Deletes a signed-on remote user or a signed-on user who is not directly using a physical terminal or console

Note: CICS is not notified when a user ID expires.

The ENF signal immediately notifies CICS of the change to the user’s security record (overriding any setting specified in the USRDELAY system initialization parameter). CICS can then refresh or remove the user's security record in a remote CICS region.

Example: Monitoring Type 71 RACF ENF Signals

In this example, an administrator issues the following command to suspend USER01 for five days:

TSS ADDTO(USER01) SUSPEND FOR(5)

Issuing the command immediately notifies CICS of the change.

Local Security Considerations

When ATTACHSEC(LOCAL) is specified for a connection, no individual user information is passed to the remote region; only link security is checked when the transaction processes. This setting should not be used for:

Resources that require information about the individual local user to make security decisions about their use
Authorized job submission
TSSCAI calls

Remote Security Considerations

The attach‑time parameters IDENTIFY, VERIFY, PERSISTENT, and MIXIDPE provide full remote security. This level of user security processing is the standard CICS security method of propagating the user's security information from one region to another in a CICS MRO or ISC environment. CICS transmits the userid of the signed‑on user along with the remote request. When the remote request arrives in the AOR, CICS retrieves the userid and issues a signon request on behalf of the user.

Note the following information:

Additional security file I/O occurs while processing these remote signon requests.
If you alter the authority of a signed‑on remote user, CICS continues to use the security values acquired at the previous remote signon until one of the following conditions occur:
- A period of time (specified in the DFHSIT parameter USRDELAY) has elapsed since the previous attach request from this user.
- Signon occurs with a new GROUP entry.
- The link to the remote CICS region has been broken.
- The administrator performs a TSS REFRESH in the remote region address space.
- The CICS system has been recycled.
- An issued command suspends a signed-on ACID, adds a profile to a signed-on ACID, removes a profile for a signed-on ACID, or deletes a signed-on ACID, triggering a type 71 RACF ENF signal that notifies CICS of a change to the ACID's security record.
Some CICS releases use SYSIDNT (as defined in the SIT) to run transactions in connected regions. When this is true, the SYSIDNT must be defined as an ACID and permitted to the facility of the connected region.
Note: To determine if you must allow for this situation, see the CICS Interregion Communication Guide for your appropriate CICS release.

You should code this ACID with a non‑expiring password. The following example shows that no permission is needed just to add the facility with which the SYSID is associated:
```
TSS CREATE('SYSID') NAME('CICS SYSID ACID')
                    FACILITY(CICS)
                    PASSWORD(XXXX,0)
                    DEPARTMENT(deptacid)
```