Implementing Security for IMS › Signon Security › Automatic Terminal Signon

Automatic Terminal Signon

CA Top Secret allows for the automatic signon of an IMS terminal. This is useful for applications requiring minimal security, or where the physical security surrounding a terminal is adequate for the sensitivity of the application. Automatic signon is also useful for receive‑only terminals, used for displaying secured information.

Automatic terminal signon is performed whenever a transaction is entered prior to performing an IMS signon, and there exists a CA Top Secret ACID with the same name as the IMS terminal.

The terminal name used depends on your environment and control option settings:

• VTAM terminals use the VTAM node name
• BTAM or LU6.2 terminals use IMS LTERM

Terminals with ACIDs defined automatically become eligible for automatic terminal signon. However, the ATS ACID must be:

• Allowed to the IMS facility
• PERMITted for the terminal, if the terminal is an owned resource

If there is no ACID defined with the same name as the terminal defined to CA Top Secret, the control option IMS is checked. If IMS(NOIMSATSDF) is specified, the transaction fails. If IMS(IMSATSDF) is specified, the FACILITY DEFACID is checked. If DEFACID(NONE) is specified, the transaction is failed and the user receives a message requesting that an explicit signon be performed. However, if the DEFACID exists, then CA Top Secret performs the security checks (4) through (8) as previously described for security checking. If these checks are successful, the ACID becomes associated with that terminal until signoff just as if an explicit signon had been performed, and processing of the transaction that was entered is initiated (subject to LCF transaction security).

Notes

• If the automatic terminal signon is successful, the user who entered the transaction will not be aware of the process.
• ETO terminals cannot use Automatic Terminal Signon since IMS will not allow users to enter a transaction or command until after an explicit signon has been done.

Configure Automatic Terminal Login

Security administrators can configure automatic terminal login on fixed terminals to avoid unnecessary user logins.

Note: If an ACID exists with the same ID as the PTERM and a transaction ID is entered at the terminal, CA Top Secret logs in automatically as the terminal ACID before the transaction is executed.

Follow these steps:

1. Code the terminals into the region's Stage 1 macros. For example:

      TYPE    UNITYPE=(3270,LOCAL),
                   MODEL=2,
                   FEAT=(PFK,NOCD),
                   UNIT=3277,
                   PTRSIZE=IGNORE
       SPACE 2
       :::::
       :::::
       :::::
       SPACE 2
    ** FIXED TERMINALS
    A61LO901 TERMINAL  NAME=A61LO901
             NAME L61LO901
    A61LO902 TERMINAL  NAME=A61LO902
             NAME L61LO902
    A61LO903 TERMINAL  NAME=A61LO903
             NAME L61LO903
       :::::
       :::::
       :::::
   

   The Stage 2 gen creates terminal descriptors in the PROCLIB member DFSDSCMx. The terminal descriptors are generated as comments in the PROCLIB member. For example:

   * U A61LO901 LTERM=L61LO901
   * U A61LO902 LTERM=L61LO902
   * U A61LO903 LTERM=L61LO903
   * U A61LO904 LTERM=L61LO904
   * U A61LO905 LTERM=L61LO905
   

   Note: If the static terminals are left as comments, the descriptor for the terminal defaults to ETO DFSUSER, forcing the user to log in to access the terminal.

2. Uncomment a terminal descriptor to enable automatic login on that terminal.