Considerations for using security checking with DBCTL are:
v The different types of security checking you may need
v Migration
When using CICS with DBCTL, you may want to use one or more of the following optional security facilities:
v “PSB authorization checking by CICS”
v “Resource access security checking by DBCTL.” This comprises checks at:
– Connect time
– PSB scheduling time.
For more information, see also the information on defining resource security checking for PSBs in the CICS RACF Security Guide.
v “DBCTL password security checking”, for /LOCK and /UNLOCK commands.
v “Migration considerations for security with DBCTL”
Of the resources you can protect using IMS security, you need be concerned only with PSBs, databases, and commands.
PSB authorization checking by CICS
At PSB scheduling time, CICS invokes security checking to find out whether the terminal user is authorized to access the PSB. The actual check is carried out by an external security manager, which can be RACF or your own security program.
Although PSB scheduling requests are sent to DBCTL for processing, CICS does the PSB authorization checking. See the CICS Customization Guide for programming information on writing your own security program.
Resource access security checking by DBCTL
DBCTL views all the resources that can be accessed by one particular CICS system or BMP as a single entity. Resources in this context means one or more PSBs. The set of PSBs that one CICS or BMP can access are grouped together in an entity called an application group. Each application group has a name, its AGN, and the AGNs are defined in matrix data sets.
Application groups, and the names of the resources within those groups, are placed in tables in DBCTL’s security matrix data set(s) using the IMS security maintenance utility. You can use the IMS online change facility to bring new security tables online.
The AGN that CICS intends to use is specified in the DRA startup table referenced by CICS when it attempts to connect to DBCTL. You can assign the same AGN to different CICS systems, if you need to.
DBCTL resource access security checking provides the following:
v Checking at connect time
When CICS or a BMP connects to DBCTL, DBCTL initiates a check to find out if CICS or the BMP is authorized. The check is carried out either by RACF in conjunction with DBCTL or by a user exit routine (DFSISIS0):
1. RACF and DBCTL. This check has two parts:
– RACF checks whether the userid supplied in the JOB statement of the CICS startup job (or in the started procedure table), or in the BMP JCL, is authorized to access the AGN supplied by CICS or the BMP during the connect request.
– If the above check is successful, DBCTL carries out the second part of the check. This involves verifying that the supplied AGN is in the matrix data sets used for this DBCTL startup.
2. User exit routine (DFSISIS0), which gives or refuses authorization by setting the appropriate return code.
If you use DBCTL connect-time checking, you must also use DBCTL PSB schedule-time checking. That is, you can use both of these checks, or neither, but you cannot use only one of them.
See the IMS System Administration Guide or the IMS/ESA Administration Guide: System for guidance on specifying security, and the IMS Utilities Reference: Database manual for guidance on the security maintenance utility.
v Checking at PSB scheduling time
This is completely unrelated to and independent of the PSB authorization checking by CICS, which is described in “PSB authorization checking by CICS”.
This check is carried out by DBCTL and involves verifying that the PSB belongs to the AGN specified during the connection process.
Relationships between AGNs, PSBs, and DBCTL ID in security checking
Figure 34 summarizes the relationships between AGNs, PSBs, and the DBCTL ID in security checking.
The two levels of security mean that if a new PSB is introduced, there are two kinds of table that you must update:
v The RACF table that defines the CICS PSB resource class
v The security maintenance utility AGN definition.
If the AGN is changed in the DRA startup parameter table, update the following tables:
v The RACF table that defines the AGN resource class
v The security maintenance utility AGN definition
Parameters for DBCTL resource access security
You specify the kind of security checking you want by using either the DBCTL system generation macro SECURITY or the DBCTL startup parameter ISIS. See the IMS System Definition Reference manual or IMS/ESA Installation Volume 2: System Definition and Tailoring for further guidance on this parameter.
For guidance on the RACF aspects of implementing DBCTL security, see the Resource Access Control Facility (RACF) Security Administrator’s Guide.
[Figure 34: CICS A (DRA startup table AGN=01, using PSB1 and PSB2), CICS B (DRA startup table AGN=02, using PSB2 and PSB3) and a BMP (JOB EXEC parameter AGN=03, using PSB4) connect to DBCTL. At connection of the interface (checked by DFSISIS0 or RACF), the DBCTL ID and AGN pairs are:
    CICSA   AGN01
    CICSB   AGN02
    BMP     AGN03
At PSB schedule time, the PSB and AGN pairs checked are:
    PSB 1   AGN01
    PSB 2   AGN01
    PSB 2   AGN02
    PSB 3   AGN02
    PSB 4   AGN03]
Figure 34. Relationships between AGNs, PSBs and DBCTL ID in security checking
DBCTL password security checking
You can protect DBCTL against unauthorized /LOCK and /UNLOCK commands for certain PSBs (referred to as “programs” in the IMS publications) and databases by establishing passwords for these PSBs and databases. The IMS security maintenance utility is used to place the definitions needed into DBCTL’s matrix data sets:
    )( PROGRAM PSB11
    PASSWORD PWP11
    )( PROGRAM PSB12
    PASSWORD PWP12
    )( DATABASE DB21
    PASSWORD PWD21
    )( DATABASE DB22
    PASSWORD PWD22
Note: The parentheses shown in the above example are used by the security maintenance utility to recognize input commands.
Security considerations for using BMPs with DBCTL
In most cases, PSB authorization checking by CICS provides sufficient security. The fact that CICS and DBCTL run in the same MVS image, and that the connection parameters (in the DRA startup table) have to be in an authorized library, should usually allow you enough control over the connection process, and you will not need to implement the DBCTL security checking described in “Resource access security checking by DBCTL”. However, these considerations do not apply if you are using BMPs with DBCTL. To provide security control for BMPs, use DBCTL resource access security checking. This is because DBCTL resources, such as PSBs, can be accessed by programs that operate in dependent regions. To MVS, these dependent regions are normal MVS jobs that anyone can initiate using the MVS job entry subsystem. This means that a user who is not authorized to access a database using a RACF-protected CICS transaction could access that database by submitting a BMP region with the correct parameters in the EXEC statement. (See “Making DBCTL resources available” for information on starting BMP JCL using a DBCTL operator command.)
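The following Python model puts the two DBCTL checks of Figure 34 and the BMP case described above side by side: a connect-time check (RACF on the job's userid against the AGN, then DBCTL on the AGN against the MATRIX data set) and a schedule-time check (the PSB must belong to the AGN). It is an added example, not code from this manual, from CICS or from IMS; the dictionaries, function names, userids and the return-code convention for the exit routine are assumptions, and the real checks are made by RACF (class AIMS) and DBCTL, with ISIS=2 calling DFSISIS0.

```python
"""Model of the two DBCTL resource access security checks (connect time and
PSB schedule time) over the AGN, PSB and DBCTL ID relationships of Figure 34.

Added example, not code from the CICS/DBCTL manual or from IMS.  The
dictionaries, function names, userids and the exit-routine calling convention
are assumptions made to show how the checks combine.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# RACF side (connect time, part 1): userids permitted to each AGN resource in
# class AIMS.  CICSA/CICSB stand for CICS region userids, BATCHOPR for a BMP
# submitter; all are constructed sample data.
RACF_AIMS_PERMITS = {
    "AGN01": {"CICSA"},
    "AGN02": {"CICSB"},
    "AGN03": {"BATCHOPR"},
}

# DBCTL MATRIX side: AGN -> PSBs, as defined through the security
# maintenance utility.  Values are taken from Figure 34.
MATRIX_AGN_PSBS = {
    "AGN01": {"PSB1", "PSB2"},
    "AGN02": {"PSB2", "PSB3"},
    "AGN03": {"PSB4"},
}


@dataclass
class DbctlConnection:
    """One CICS region or BMP job wanting to use DBCTL."""
    userid: str      # userid from the JOB statement / started procedure table
    agn: str         # AGN= from the DRA startup table or the BMP EXEC parameter
    connected: bool = False


def connect(conn: DbctlConnection, isis: int = 1,
            exit_routine: Optional[Callable[[DbctlConnection], int]] = None,
            racf=RACF_AIMS_PERMITS, matrix=MATRIX_AGN_PSBS):
    """Connect-time check.  Returns (authorized, reason)."""
    if isis == 0:
        conn.connected = True
        return True, "ISIS=0: no connect-time check"
    if isis == 2:
        # Installation exit decides; return code 0 is taken to mean
        # 'authorized' (an assumption of this model, not DFSISIS0's contract).
        if exit_routine is None or exit_routine(conn) != 0:
            return False, "DFSISIS0 refused the connection"
        conn.connected = True
        return True, "DFSISIS0 authorized the connection"
    # ISIS=1, part 1: RACF checks the job's userid against the AGN profile.
    if conn.userid not in racf.get(conn.agn, set()):
        return False, f"RACF: {conn.userid} not permitted to {conn.agn} in class AIMS"
    # ISIS=1, part 2: DBCTL verifies the AGN exists in this startup's MATRIX.
    if conn.agn not in matrix:
        return False, f"DBCTL: {conn.agn} not defined in the MATRIX data set"
    conn.connected = True
    return True, "connected"


def schedule_psb(conn: DbctlConnection, psb: str, isis: int = 1,
                 matrix=MATRIX_AGN_PSBS):
    """PSB schedule-time check by DBCTL: the PSB must belong to the AGN given
    at connect time.  Independent of CICS's own PSB check (XPSB/PSBCHK)."""
    if not conn.connected:
        return False, "not connected to DBCTL"
    if isis == 0:
        return True, "ISIS=0: no schedule-time check"
    if psb not in matrix.get(conn.agn, set()):
        return False, f"DBCTL: {psb} is not in application group {conn.agn}"
    return True, f"{psb} scheduled under {conn.agn}"


if __name__ == "__main__":
    # A BMP submitted by a userid not permitted to AGN03 fails at connect time
    # even though its EXEC parameters are correct; a permitted submitter
    # connects but can still schedule only PSB4.
    rogue = DbctlConnection(userid="JOE", agn="AGN03")
    print(connect(rogue))
    bmp = DbctlConnection(userid="BATCHOPR", agn="AGN03")
    print(connect(bmp), schedule_psb(bmp, "PSB4"), schedule_psb(bmp, "PSB1"))
```

The point of the model is the failure mode the text warns about: with ISIS=0 the "rogue" BMP both connects and schedules any PSB, because nothing on the DBCTL side looks at who submitted the job; with ISIS=1 it is stopped by RACF before the AGN is ever looked up.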
Migration considerations for security with DBCTL
Before migrating, review the security facilities available and decide which ones you want to use in a CICS-DBCTL environment, in particular, whether you need to use the additional DBCTL checks.
Security migration scenarios
Figure 35 and Figure 36 show considerations for migrating installations that already use PSB security checking.
CICS PSB authorization checking
Figure 35 shows migration from a CICS system with local DL/I to a CICS system with DBCTL. In this situation, you can retain all existing security-related definitions.
Figure 36 shows migration from a multiregion operation (MRO) installation with a CICS database-owning region (DOR) and local DL/I to DBCTL, which replaces local DL/I and the DOR. If you already use PSB security checking in the CICS application-owning regions (AORs), you do not need any security-related changes.
[Figure 35: a CICS system with local DL/I accessing its databases, migrating to the same CICS system accessing the databases through DBCTL.]
Figure 35. CICS with local DL/I to CICS with DBCTL
[Figure 36: CICS AORs connected to a CICS DOR with local DL/I, migrating to the same CICS AORs connected to DBCTL, which replaces local DL/I and the DOR.]
Figure 36. MRO installation with CICS DOR with DBCTL replacing local DL/I
Figure 37 shows PSB RACF checking being done in the CICS DOR.
If you want this kind of checking after replacing the DOR with DBCTL, it must be done in the CICS AORs that use DBCTL, as shown in Figure 38.
Decide whether you want to keep your previous setup with respect to grouping PSBs, and using or not using prefixes.
Review the CICS system initialization parameters SEC, XPSB, and PSBCHK for each CICS AOR. Depending on any changes you make to these parameters, you may also need to change the corresponding RACF definitions (CDT class names, RDEFINE, and PERMIT).
DBCTL resource access security checking
Follow the steps below only if you have decided to use the additional DBCTL checks.
1. DBCTL system generation
Select the appropriate macros and parameters:
v IMSGEN PSWDSEC=...
v SECURITY TYPE=...,PASSWD=...,RCLASS=...
2. Application group name (AGN)
For multiple CICS systems connected to DBCTL, first decide whether you want to use the same, or different, AGNs.
Specify the appropriate AGN in the DRA startup parameter table for each CICS, or by a BMP JCL parameter (AGN=).
3. Allocate the MATRIX data set. If you want to use online change, you must also define MATRIXA and MATRIXB. For further guidance on space calculations, see the section on establishing IMS security in the IMS System Administration Guide or the IMS/ESA Administration Guide: System.
[Figure 37: CICS AOR 1 and CICS AOR 2, each with no PSB RACF checking, connected to a CICS DOR with PSB RACF checking that accesses the database through local DL/I.]
Figure 37. Local DL/I environment—PSB RACF checking in CICS DOR
[Figure 38: CICS AOR 1 and CICS AOR 2, each with PSB RACF checking, connected to DBCTL, which accesses the database.]
Figure 38. DBCTL environment—PSB RACF checking in CICS AOR
4. Define AGNs and their PSBs using the IMS security maintenance utility, DFSISMP0.
Note that you can run DFSISMP0 only after DBCTL system generation has completed.
5. For password security checking, define the PSBs (or programs) and/or databases and the passwords to be used with /LOCK and /UNLOCK in the MATRIX data set.
6. Specify the value of the DBCTL startup parameter ISIS. Values are as follows:
ISIS=0 - no checks
ISIS=1 - checks using RACF
ISIS=2 - checks using an installation exit (DFSISIS0)
RACF preparations
1. PCICSPSB/QCICSPSB definitions.
v CICS with local DL/I to CICS with DBCTL (Figure 35): no modifications required.
v MRO installation with CICS DOR with DBCTL replacing local DL/I (Figure 36): depending on whether you decided to differentiate or not, you may have to adjust the RDEFINEs and PERMITs accordingly.
2. Specify RDEFINE for AGNs in RACF CLASS AIMS.
3. Specify PERMIT for CICS USERIDs.
Before CICS or a BMP can connect to DBCTL, the USERID from the JOB statement of the CICS startup job or the BMP JCL must be authorized to access its AGN.
4. You may want to write a simple program to list existing RACF profiles for PCICSPSB and QCICSPSB and construct the control statements needed for the IMS security maintenance utility. The group structure for PSBs within RACF (QCICSPSB) will probably be the same as that required within DBCTL AGN groups, plus the additional groups needed for BMPs.
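The "simple program" of step 4, written here as an added example rather than anything shipped with CICS or IMS: it takes a QCICSPSB grouping structure and turns each group into an AGN, emitting the security maintenance utility control statements for step 4 of the DBCTL preparation and the RDEFINE/PERMIT commands of steps 2 and 3 of the RACF preparation, with a separate group for BMPs. The group-to-member map is constructed sample data standing in for what you would extract from RLIST or an IRRDBU00 unload; the ")( AGN" / "AGPSB" statement layout and the RACF command forms are written from memory and should be checked against the IMS Utilities Reference: Database and the RACF command documentation before use.

```python
"""Generate IMS security maintenance utility (DFSISMP0) control statements and
the matching RACF commands from a QCICSPSB grouping structure.

Added example, not code from the CICS/DBCTL manual, CICS or IMS.  The group
map and userids are constructed sample data; the ')( AGN' / 'AGPSB' layout and
the RACF command syntax are assumptions to be checked against the product
documentation.
"""

# Constructed sample: QCICSPSB grouping profiles and their member PSBs (what
# RLIST QCICSPSB * would show under MEMBER), plus the userids the CICS
# regions run under (from the JOB statement or started procedure table).
QCICSPSB_GROUPS = {
    "ORDERS": ["PSB1", "PSB2"],
    "STOCK":  ["PSB2", "PSB3"],
}
CICS_REGION_USERIDS = {"ORDERS": ["CICSA"], "STOCK": ["CICSB"]}

# BMPs get groups of their own: their submitters are not CICS region userids
# and should not inherit a CICS region's AGN.
BMP_GROUPS = {"NIGHTBAT": ["PSB4"]}
BMP_USERIDS = {"NIGHTBAT": ["BATCHOPR"]}


def agn_name(group: str) -> str:
    """AGNs are assumed to be 1 to 8 alphanumeric characters.  Reject longer
    names instead of truncating, since truncation could fold two distinct
    RACF groups into one AGN and widen access silently."""
    if not 1 <= len(group) <= 8 or not group.isalnum():
        raise ValueError(f"{group!r} is not a valid AGN name")
    return group.upper()


def smu_statements(groups: dict) -> list:
    """One ')( AGN' header per group followed by an AGPSB line per PSB."""
    out = []
    for group, psbs in sorted(groups.items()):
        out.append(f")( AGN {agn_name(group)}")
        # A PSB may legitimately belong to several AGNs (PSB2 in Figure 34);
        # within one AGN it is listed once.
        for psb in sorted(set(psbs)):
            out.append(f"AGPSB {psb}")
    return out


def racf_commands(groups: dict, userids: dict) -> list:
    """RDEFINE each AGN in class AIMS with UACC(NONE), then PERMIT only the
    region or job userids that may connect with that AGN."""
    out = []
    for group in sorted(groups):
        agn = agn_name(group)
        out.append(f"RDEFINE AIMS {agn} UACC(NONE)")
        for uid in sorted(userids.get(group, [])):
            out.append(f"PERMIT {agn} CLASS(AIMS) ID({uid}) ACCESS(READ)")
    out.append("SETROPTS CLASSACT(AIMS)")
    return out


def build_all():
    """Combine the CICS-derived groups with the BMP groups and return
    (smu_control_statements, racf_commands)."""
    groups = {**QCICSPSB_GROUPS, **BMP_GROUPS}
    userids = {**CICS_REGION_USERIDS, **BMP_USERIDS}
    return smu_statements(groups), racf_commands(groups, userids)


if __name__ == "__main__":
    smu, racf = build_all()
    print("\n".join(smu))
    print()
    print("\n".join(racf))
```

Keep the two outputs in step: whenever a PSB is added to a QCICSPSB group, regenerate both the AGN definitions and the AIMS profiles, which is exactly the "two kinds of table" rule given with Figure 34.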