![Page 1: CICS T/S Security User Experiences · • 2000+/- CICS users • 5 Production CICSs • 5 Development CICSs • 2 Systems test CICSs • Converted to CA-Top Secret 3.0 in fall 1999](https://reader036.vdocuments.site/reader036/viewer/2022081522/5f43ac60e60934309c546f9e/html5/thumbnails/1.jpg)
CICS T/S Security User Experiences
WAVV 2002
Tony Thigpen (formerly of Volusia County Schools)
Grady Kilpatrick (Volusia County Schools)
Volusia County Schools
• 2000+/- CICS users
• 5 Production CICSs
• 5 Development CICSs
• 2 Systems test CICSs
• Converted to CA-Top Secret 3.0 in fall 1999
– Hear more: CICS/TS User Experience, Monday 10:30, User 1
• Were using CA-Top Secret 2.3
CICS/TS Security Options
• BSM (Basic Security Manager)
• ESM (External Security Manager)
– CA-Top Secret
– BIM-Alert/CICS
– Others?
BSM
• Limited function with CICS/TS
– Transaction security only
– No RSL (resource security level) support
• Only for CICS/TS, not CICS 2.3
– Must duplicate security changes during conversion
SIT Security Settings
• DFLTUSER
• ESMEXITS
• PLTPISEC
• PLTPIUSR
• RESSEC
• SEC
• SECPRFX
• XCMD
• XDCT
• XAPPC
• XFCT
• XJCT
• XPCT
• XPPT
• XPSB
• XTRAN
• XTST
• XUSER
ACIDs
• The ACID (Accessor ID) is the USERID
• Several ACIDs within CICS
– The ACID of the CICS region job
• * $$ JOB ... SEC=(userid,password)
• // ID USER=userid,PWD=password
– The ACID of the CICS user signed on
• IUI User
• CESN
– The default ACID when there is no CICS user signed on
• DFLTUSER=
– The ACID for PLTPI processing
• PLTPIUSR=
Quirks
• CEMT INQ TRANS(*) only displays transactions you have access to
• The SPI (system programming interface) requires additional security settings for the user
• The statistics transaction requires many additional security permissions
CA-Top Secret
• Security options that affect CICS
– OTRAN
– SPI
– CONS
CA-Top Secret
• Basic setup
– Resources should be in their own Zone
– Profiles are a Division in the resource Zone
– Different types of resources in different Divisions within the resource Zone
CA-Top Secret Resources
• CREATE(RESOURCE) TYPE(ZONE)
– CRE(VCSPROFS) TYPE(DIVISION)
– CRE(TRAN) TYPE(DIVISION)
– CRE(SPI) TYPE(DIVISION)
– CRE(PROG) TYPE(DIVISION)
– CRE(LIBR) TYPE(DIVISION)
– CRE(FILE) TYPE(DIVISION)
CA-Top Secret Profiles
• CREATE(VCSPROFS) TYPE(DIVISION)
– CRE(EVERYONE) TYPE(PROFILE)
– CRE(EVERYMIS) TYPE(PROFILE)
– CRE(PROFSYS) TYPE(PROFILE)
– CRE(PROFPGM) TYPE(PROFILE)
– CRE(PROFOPR) TYPE(PROFILE)
– CRE(PROFCICS) TYPE(PROFILE)
– CRE(PROFSUB) TYPE(PROFILE)
CA-Top Secret Profiles
• A single user will have access to multiple profiles
• Set up model users for each type of user
– CRE(BASEOPR) TYPE(USER) DEPT(OPER)
– ADDTO(BASEOPR) PROFILE(PROFOPR,EVERYMIS,EVERYONE)
– ADDTO(BASEOPR) VSEMCON
• When creating a new operations user, use BASEOPR as a model
• Requires the use of the "ALLMERGE" option
• Some options (like MISCx) are not copied from the model, so verify them on the new user after creation
OTRAN
• CREATE(TRANIBM) TYPE(DEPT)
– ADDTO(TRANIBM) OTRAN(CEBR)
– PERMIT(PROFPGM) OTRAN(CEBR)
– PERMIT(PROFSYS) OTRAN(CEBR) ACC(ALL)
– PERMIT(PROFCICS) OTRAN(CEBR) ACC(COLLECT)
OTRAN QUIRKS
• Some transactions do SPI commands
– PERMIT(EVERYONE) OTRAN(SPYL) ACCESS(EXECUTE,INQUIRE)
SPI
• CREATE(SPIALL) TYPE(DEPT)
– ADDTO(SPIALL) SPI(AUTINSTM)
– ADDTO(SPIALL) SPI(AUTOINST)
– ADDTO(SPIALL) SPI(COLLECT)
– ADDTO(SPIALL) SPI(CONNECTI)
– ADDTO(SPIALL) SPI(DELETESH)
– ADDTO(SPIALL) SPI(DSNAME)
– And a LOT more may be needed
SPI
– PERMIT(EVERYONE) SPI(EXITPROG) ACC(SET)
– PERMIT(EVERYONE) SPI(FILE) ACCESS(INQUIRE,SET)
– PERMIT(EVERYONE) SPI(PROG) ACCESS(INQUIRE)
– PERMIT(CNSL) SPI(PROG) ACCESS(ALL)
CONSOLE
• CREATE(OPRCON) TYPE(DEPT)
– CREATE(CNSL) TYPE(USER) SOURCE(CNSL) FAC(CICSPROD,CICSTEST) PASSWORD(NOPW,0) OPIDENT(CNL)
– PERMIT(CNSL) OTRAN(CEMT) ACC(ALL)
– ADDTO(CNSL) TRANSACTION(CICSPROD,(CEMT))
– ADDTO(CNSL) TRANSACTION(CICSTEST,(CEMT))
• The console ACID has no password (NOPW); SOURCE(CNSL) is what keeps it usable only from the console, so do not drop that restriction
Datasets
• For Batch access, Datasets are protected by DSN
• For CICS access, VCS chose to not implement CICS Userid access
– XFCT=NO
– With XFCT=NO, CICS makes no ESM call for file commands; within CICS, access to a file is then governed only by which transactions (and so which programs) the user is permitted to run
The X’s
• XCMD
• XDCT
• XAPPC
• XFCT
• XJCT
• XPCT
• XPPT
• XPSB
• XTRAN
• XTST
• XUSER
Controlling the X’s
• Set in SIT
• Set in CA-Top Secret TSSPARMS file
• Forces CA-Top Secret to override the SIT during CICS startup
• Easier here with multiple production/test CICSs
– FACILITY(CICSPROD=FACMATRX=YES)
– FACILITY(CICSPROD=XCMD=YES)
– FACILITY(CICSPROD=XFCT=NO)
Facility
• CICSs are grouped by FACILITY
• Assign a FACILITY when defining the ACID used by the CICS partition job
– CREATE(CICSPRD) FACILITY(BATCH) MASTFAC(CICSPROD) PASS(xxxxxxxx,0) DEPT(IBMUSERS) NOSUSPEND NOSUBCHK NOVOLCHK
TSSPARMS
• AUTH(MERGE,ALLMERGE)
• FACILITY(CICSPROD=DORMPW)
• FACILITY(CICSPROD=WARNPW)
• FACILITY(CICSTEST=DORMPW)
• FACILITY(CICSTEST=WARNPW)
• FACILITY(CICSPROD=SIGN(M))
• FACILITY(CICSTEST=SIGN(M))
TSSPARMS
• FAC(CICSPROD=FACMATRX=YES)
• FAC(CICSPROD=XCMD=YES)
• FAC(CICSPROD=XFCT=NO)
• FAC(CICSPROD=PCTRESSEC=OVERRIDE)
• FAC(CICSPROD=NOLUMSG)
• FAC(CICSPROD=NOSTMSG)
• FAC(CICSPROD=NORNDPW)
TSSPARMS
• FAC(CICSPROD=BYPREM(CEMT=SET))
• FAC(CICSPROD=BYPADD(CEMT=INQUIRE))
• FAC(CICSPROD=BYPADD(SPI=SYSTEM))
• FAC(CICSPROD=BYPREM(SPI=SET))
• FAC(CICSPROD=BYPADD(SPI=INQUIRE))
• FAC(CICSPROD=BYPADD(SPI=PWRSPOOL))
TSSPARMS
• FAC(CICSPROD=BYPADD(TRANID=SESN))
• FAC(CICSPROD=BYPADD(TRANID=M4SP))
• FAC(CICSPROD=BYPADD(TRANID=SPYC))
• FAC(CICSPROD=BYPADD(TRANID=SPYR))
• FAC(CICSPROD=BYPADD(TRANID=SPYQ))
• FAC(CICSPROD=BYPADD(TRANID=BMTP))
• FAC(CICSPROD=BYPADD(PCT=SPYC))
• FAC(CICSPROD=BYPADD(PCT=SPYI))
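The TSSPARMS FACILITY lines on the last few slides are where the SIT "X" options get overridden and where transactions and SPI commands are placed on the bypass list, so they are the first thing to review when auditing one of these regions. The following script is an added example written for this page, not code from the presentation or from the configuration file it distributes: it parses FAC/FACILITY lines in the syntax the slides show, groups them by facility, and reports every X option forced to NO, every BYPADD entry, and any facility that sets X overrides without FACMATRX=YES. The sample input is constructed from the slide lines plus one hypothetical CICSTEST line; two pieces of semantics are assumptions and are marked as such in the code (BYPADD puts the resource on the bypass list so no check is made for it, and X overrides are only honoured together with FACMATRX=YES).

```python
"""Audit the CICS FACILITY entries of a CA-Top Secret TSSPARMS file.

Added example for this page; not part of the presentation or of the
configuration file it distributes. Line syntax is generalised from the
FAC(...)/FACILITY(...) lines shown on the slides. Assumptions (labelled
below): BYPADD puts a resource on the facility's bypass list, so no
security check is made for it; X-option overrides take effect only when
FACMATRX=YES is also set for that facility.
"""
import re
from collections import defaultdict

# Constructed sample input: TSSPARMS lines from the slides, plus one
# hypothetical CICSTEST line (XTRAN=NO without FACMATRX) to exercise the checks.
SAMPLE_TSSPARMS = """\
AUTH(MERGE,ALLMERGE)
FACILITY(CICSPROD=DORMPW)
FACILITY(CICSPROD=SIGN(M))
FAC(CICSPROD=FACMATRX=YES)
FAC(CICSPROD=XCMD=YES)
FAC(CICSPROD=XFCT=NO)
FAC(CICSPROD=PCTRESSEC=OVERRIDE)
FAC(CICSPROD=NORNDPW)
FAC(CICSPROD=BYPREM(CEMT=SET))
FAC(CICSPROD=BYPADD(CEMT=INQUIRE))
FAC(CICSPROD=BYPADD(SPI=SYSTEM))
FAC(CICSPROD=BYPADD(TRANID=SESN))
FAC(CICSPROD=BYPADD(PCT=SPYC))
FAC(CICSTEST=XTRAN=NO)
"""

# The SIT "X" options listed on the slides.
X_OPTIONS = ("XCMD", "XDCT", "XAPPC", "XFCT", "XJCT", "XPCT",
             "XPPT", "XPSB", "XTRAN", "XTST", "XUSER")

FAC_RE = re.compile(r"^FAC(?:ILITY)?\((?P<fac>[A-Z0-9$#@]+)=(?P<body>.+)\)$", re.I)
BYP_RE = re.compile(r"^(?P<op>BYPADD|BYPREM)\((?P<cls>[A-Z0-9]+)=(?P<res>[A-Z0-9$#@*]+)\)$", re.I)
KV_RE = re.compile(r"^(?P<key>[A-Z0-9]+)=(?P<val>[A-Z0-9]+)$", re.I)


def parse_tssparms(text):
    """Group FAC/FACILITY lines by facility name.

    Returns {facility: {"options": {KEY: VALUE},
                        "bypass": [(BYPADD|BYPREM, class, resource), ...],
                        "flags": {bare keywords such as DORMPW or SIGN(M)}}}.
    Lines that are not FAC/FACILITY entries (e.g. AUTH) are ignored.
    """
    facs = defaultdict(lambda: {"options": {}, "bypass": [], "flags": set()})
    for raw in text.splitlines():
        m = FAC_RE.match(raw.strip())
        if not m:
            continue
        fac, body = m.group("fac").upper(), m.group("body").strip().upper()
        entry = facs[fac]
        byp = BYP_RE.match(body)
        kv = KV_RE.match(body)
        if byp:
            entry["bypass"].append((byp.group("op"), byp.group("cls"), byp.group("res")))
        elif kv:
            entry["options"][kv.group("key")] = kv.group("val")
        else:
            entry["flags"].add(body)
    return dict(facs)


def audit(facs):
    """Return (facility, level, message) findings for a security review."""
    findings = []
    for fac, entry in sorted(facs.items()):
        opts = entry["options"]
        x_set = [x for x in X_OPTIONS if x in opts]
        # Assumption: X overrides in TSSPARMS are honoured only with FACMATRX=YES.
        if x_set and opts.get("FACMATRX") != "YES":
            findings.append((fac, "WARN",
                             "X overrides present but FACMATRX=YES not set; SIT values may still apply"))
        for x in X_OPTIONS:
            if x not in opts:
                findings.append((fac, "INFO", f"{x} not overridden; SIT value applies"))
            elif opts[x] == "NO":
                findings.append((fac, "WARN",
                                 f"{x}=NO: CICS will not call the ESM for this resource class"))
        # Assumption: BYPADD places the resource on the bypass list (no check made).
        for op, cls, res in entry["bypass"]:
            if op == "BYPADD":
                findings.append((fac, "WARN", f"BYPADD({cls}={res}): no security check for {res}"))
    return findings


if __name__ == "__main__":
    for fac, level, msg in audit(parse_tssparms(SAMPLE_TSSPARMS)):
        print(f"{fac:<8} {level:<5} {msg}")
```

Run it against a real TSSPARMS member by reading the file into `parse_tssparms` in place of the constructed sample; the INFO lines tell you which X options still come from each region's SIT, which is exactly the set you then have to check region by region when, as the slides note, the SIT and TSSPARMS can both set them.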
Miscellaneous
• Initial conversion was for VSE 2.4
– During upgrade to VSE 2.5 and 2.6, required some additional security additions
• STC (Started Task Command) only in OS/390 Manual
– CA-Top Secret Implementation: BATCH, STC, and APPC Guide; Release 5.1; OS/390
• Initial conversion was with first GA version of CA-Top Secret
– During every upgrade of TSS, additions to the control file were required
• Most times not documented
• Because we used PROFILES, changes were minor
Information
• Tony: [email protected]
• Grady: [email protected]
• Download this presentation and our CA-Top Secret master configuration file for CICS/TS at: http://www.vse2pdf.com/coolstuff