CICS Installation Checklist

CICS Installation Checklist

Use this checklist when you are installing and implementing CA Top Secret security using CICS.

• CAIENF Considerations

  The CA Top Secret CICS interface requires the CA Common Services for z/OS CAIENF (Event Notification Facility) service to be installed and activated. CAIENF/CICS performs CA Top Secret CICS intercepts and drives CA Top Secret CICS during security‑related events. Without CAIENF, CA Top Secret CICS does not function.

  To ensure that CAIENF and CA Top Secret are installed correctly, you should review the following:

  • Confirm that the TSSENFDC JCL to define CA Top Secret to the CAIENF database was run.
  • List the CAIENF database by running the CAS9DB ENF utility with the LISTDB() DETAIL control statement. Output should show KO50DCM2, CAS9DCM0, and CAS9DCM2.
  • Verify that the CICS MODE(ON) and the CICSREL(xx) options have been coded in the CAIENF startup parameters. All releases of CICS that will use CA Top Secret need to be specified, such as CICSREL(63).
  • Ensure that CA Top Secret and CAILIB are in the linklist. If CAILIB is not in the linklist, then it must be pointed to in the CICS startup procedure with a CENFLIB DD card.
• Administrative Considerations:
  • Define a region control ACID for the CICS region and associate it with the appropriate MASTFAC parameter. For example:

    	TSS CREATE(cicsnn) NAME('new CICS region acid')
    	                   FACILITY(BATCH,STC)
    	                   PASSWORD(NOPW,0)
    	                   MASTFAC(cicsprod)
    	                   NOVOLCHK
    	                   NODSNCHK
    	                   NORESCHK
    	                   NOSUBCHK
    	                   NOLCFCHK
    

    	TSS ADDTO(cicsnn) MASTFAC(cicsprod)
    

    If you execute CICS as an STC, the procedure must be added to the STC table and assigned an ACID. For example:

    	TSS ADDTO(STC) PROCNAME(yourproc) ACID(cicsnn)
    

  • Define a default user acid. Be careful when assigning attributes, specifically the bypass attributes (NORESCHK, NODSNCHK, NOLCFCHK, and so on) because these can cause a security exposure.
• System Initialization Table (SIT)

  You must specify SEC=YES in the SIT or the Facilities Matrix. For CA Top Secret resource protection allow the following to default or code YES for: XTRAN, XPCT, XFCT, XPPT, XTST, XPSB, XJCT, and XDCT.

• Convert SNT RDM to TSS Commands

  Submit CAKSNMIG Utility. Edit the output as appropriate. Submit edited output through batch TSO. See the “Defining CICS to CA Top Secret” chapter for more information.

• CA Top Secret Supplied Transactions and Programs

  The following CA Top Secret transactions are defined via updates to your CICS TRANSACTION and PROGRAM definitions:

  • TSS command
  • TSEU User Executed Transaction Utility
  • TSS Application Interface
  • TSSTRACK Utility

  Note: Update the CICS TRANSACTION and PROGRAM definition statements to use these CA Top Secret‑supplied transactions.

  All CA Top Secret programs listed in the PROGRAM statements must reside in the CICS DFHRPL library.

  Whenever an upgrade to CA Top Secret is applied, be sure to update the affected modules for the programs defined in the CSD in the appropriate library in the DFHRPL.

• TSSTRACK Utility

  Allocate the Audit Tracking file to the CICS region.

• ISC/MRO Considerations

  Review to the chapter, “Security for a Multi-System Environment,” prior to implementing security under an MRO and/or ISC environment.

• Starting Your CICS Region
  • Verify that your CICS region ACIDs have the NORESCHK or NOLCFCHK attributes or have been PERMITted to the appropriate transactions.
  • At this point CA Top Secret and CAIENF are installed and active.
  • The following messages are displayed in succession:

    	15.04.24 STC06025 TSS6093I ‑ TSS/CICS Initialization Phase 0 started.
    	15.04.25 STC06025 TSS6094I ‑ TSS/CICS Initialization Phase 0 complete.
    	15.05.33 STC06025 +DFHXS0206 ‑ CA‑ENF Installing the CICS interface.
    	15.05.38 STC06025 TSS6000I ‑ TSS/CICS Initialization Phase 1 started.
    	15.05.38 STC06025 TSS6099I ‑ TSS/CICS Initialization Phase 1 complete.
    	15.05.38 STC06025 TSS6002I ‑ TSS/CICS Initialization Phase 2 started.
    	15.05.40 STC06025 TSS6095I ‑ TSS/CICS Signon Manager Subtask is active.
    	15.05.41 STC06025 TSS6096I ‑ TSS/CICS Attaching 005 Signon Server.
    	15.05.42 STC06025 TSS6088I ‑ TSS/CICS Core Manager Subtask is active.
    	15.05.42 STC06025 TSS6088I ‑ TSS/CICS Core Manager Subtask is active.
    	15.05.46 STC06025 TSS6089I ‑ TSS/CICS Program Manager Subtask is active.
    	15.05.46 STC06025 TSS6003I ‑ TSS/CICS Initialization Phase 2 complete.
    	15.05.46 STC06025 TSS6007I ‑ TSS/CICS Security Activated.
    

  • Once the TSS6007I Security Activated message is displayed, the CA Top Secret CICS interface is installed and active in the region.
  • If you do not receive the TSS6093I ‑ TSS/CICS Initialization Phase 0 started message, the product has failed to install, probably because CAKSCINT is not available, the DCM is not installed, or CICSREL parm was not updated.
• CDDE BMS=STANDARD or GREATER

  The CA Top Secret CICS interface must be run with BMS=STANDARD (or GREATER) since the interface uses the BMS SEND TEXT command.