Before migrating, review the security facilities available and decide which ones you want to use in a CICS-DBCTL environment, in particular whether you need to use the additional DBCTL checks.
Figure 35 and Figure 36 show considerations for migrating installations that already use PSB security checking.
Figure 35 shows migration from a CICS® system with local DL/I to a CICS system with DBCTL. In this situation, you can retain all existing security-related definitions.
Figure 36 shows migration from a multiregion operation (MRO) installation with a CICS database-owning region (DOR) and local DL/I to DBCTL, which replaces local DL/I and the DOR. If you already use PSB security checking in the CICS application-owning regions (AORs), you do not need any security-related changes.
Figure 37 shows PSB RACF® checking being done in the CICS DOR.
If you want this kind of checking after replacing the DOR with DBCTL, it must be done in the CICS AORs that use DBCTL, as shown in Figure 38.
Decide whether you want to keep your previous setup with respect to grouping PSBs, and using or not using prefixes.
Review the CICS system initialization parameters SEC, XPSB, and PSBCHK for each CICS AOR. Depending on any changes you make to these parameters, you may also need to change the corresponding RACF definitions (CDT class names, RDEFINE, and PERMIT).
Follow the steps below only if you have decided to use the additional DBCTL checks.
Select the appropriate macros and parameters:
For multiple CICS systems connected to DBCTL, first decide whether you want to use the same, or different, AGNs.
Specify the appropriate AGN in the DRA startup parameter table for each CICS, or by a BMP JCL parameter (AGN=).
If you want to use online change, you must also define MATRIXA and MATRIXB.
For further guidance on space calculations, see the section on establishing IMS™ security in the IMS System Administration Guide or the IMS Administration Guide: System.
Note that you can run DFSISMP0 only after DBCTL system generation has completed.
ISIS=0 - no checks
ISIS=1 - checks using RACF
ISIS=2 - checks using an installation exit (DFSISIS0)
Before CICS or a BMP can connect to DBCTL, the USERID from the JOB statement of the CICS startup job or the BMP JCL must be authorized to access its AGN.
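The following added example is not taken from the IBM manual. It shows how the system initialization parameters reviewed above line up with RACF definitions for PSB checking in an AOR, and how the startup job's USERID is authorized to its AGN when ISIS=1. The PSB names, group, user ID, and AGN (PSBPAY01, PSBPAY02, PAYPSBS, PAYGRP, CICSAOR1, AGNCICS1) are hypothetical. The class names PCICSPSB and QCICSPSB are the CICS defaults selected by XPSB=YES, and AIMS is the RACF class IMS uses for AGNs; none of these class names appears in the text above.

```text
* --- SIT overrides for one CICS AOR (hypothetical region) ----------
* SEC=YES    : external security (RACF) is active in this region
* XPSB=YES   : PSB checking uses the default classes PCICSPSB/QCICSPSB
* PSBCHK=YES : PSB checks also apply to users routed from other regions
SEC=YES
XPSB=YES
PSBCHK=YES

/* --- RACF, option 1: one profile per PSB (member class) ---------- */
/* PSBPAY01 and PAYGRP are hypothetical names.                       */
RDEFINE PCICSPSB PSBPAY01 UACC(NONE)
PERMIT  PSBPAY01 CLASS(PCICSPSB) ID(PAYGRP) ACCESS(READ)

/* --- RACF, option 2: PSBs grouped under one profile -------------- */
/* Use this instead of option 1 if you keep PSB grouping.            */
/* PAYPSBS is a hypothetical resource group name.                    */
RDEFINE QCICSPSB PAYPSBS ADDMEM(PSBPAY01,PSBPAY02) UACC(NONE)
PERMIT  PAYPSBS CLASS(QCICSPSB) ID(PAYGRP) ACCESS(READ)

/* --- RACF, additional DBCTL check with ISIS=1 -------------------- */
/* AGNCICS1 is the AGN named in the DRA startup parameter table;     */
/* CICSAOR1 is the USERID on the JOB statement of the CICS startup   */
/* job. Both names are hypothetical.                                 */
RDEFINE AIMS AGNCICS1 UACC(NONE)
PERMIT  AGNCICS1 CLASS(AIMS) ID(CICSAOR1) ACCESS(READ)
```

If you change XPSB to a class name of your own, the RDEFINE and PERMIT commands must name the matching classes defined in the CDT instead of the defaults.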