Using an MVS system console as a CICS terminal

If you intend to use an MVS™ system console as a CICS® terminal, you may need authorization to use the MVS MODIFY command. This is done using the OPERCMDS resource class.

We recommend that you specify automatic preset security on the console's CICS terminal definition, so that the console user obtains the correct level of authority without explicitly performing a CICS signon (which exposes the password).

If preset security is not defined, console users must sign on to get authority different from the default user. In this case, the password can generally be seen on the console and system log. However, if CICS has been defined as an MVS subsystem in a JES2 system, you can use the HIDEPASSWORD=YES option of the DFHSSIxx member in SYS1.PARMLIB, which enables CICS to intercept the command and overwrite the password with asterisks. For details about defining CICS as an MVS subsystem, see the CICS Transaction Server for z/OS® Installation Guide.

The format of the CESN command, when entered from a console, is as follows:
MODIFY jobname,CESN [USERID=userid][,PS=password]
       [,NEWPS=newpassword][,GROUPID=groupid]
       [,LANGUAGE=language-code]
If any of the data entered on the CESN command is invalid, or if the password is missing or expired, CICS prompts the user to enter the missing or invalid data by issuing a system message that requires a response (a WTOR message). Provide a response using the REPLY command. When CICS prompts for a password, it uses a security routing code to ensure that the response is not recorded on the console or in the system hardcopy log. To terminate the sign-on process, a REPLY command with a null operand is required. That is, enter:
  REPLY nn,
with nothing after the comma, where nn is the number of the message corresponding to the reply.

You can authorize TSO users to use the TSO CONSOLE command. (For information on this command, see z/OS TSO/E System Programming Command Reference.) These users must be defined to CICS as consoles, using the CONSNAME option of the DEFINE TERMINAL command, or be supported by autoinstall for consoles, as described in the CICS Resource Definition Guide.

When the password parameter is omitted from the CESN command, RACF® can produce a security violation message, ICH408I. CESN cannot distinguish a user defined with OIDCARD, NOPASSWORD from a user defined with a PASSWORD who intentionally omits the password. To establish whether to prompt for a PASSWORD or to reject the signon (a user defined with OIDCARD cannot sign on at a console), the signon must be attempted. If the signon fails, message ICH408I is produced, and CICS interprets the return code from RACF to determine whether the PASSWORD or OIDCARD authenticator is required.

These users can sign on using CESN, or you may prefer to use preset security (the normal preset security for CICS terminals, or automatic preset security for consoles). When the TSO user uses the CONSOLE command, that user's userid, by default, becomes a console name. (But it can be changed to be any name using the CONSNAME(name) option on the TSO CONSOLE command). This console name can then be used as a CICS terminal if there is a corresponding TERMINAL definition (or one can be autoinstalled) with the CONSNAME option in CICS. If another name has been specified, that name is the one CICS uses to communicate with the console. For example, it is possible for one TSO user to use a name that is the same as another TSO user's ID.

Furthermore, if the CONSOLE command is used to allow TSO operators to sign on to CICS with the CESN transaction, their passwords may be exposed on the TSO screen and in the MVS system log. These potential exposures can be removed by defining the terminal as having preset security. We recommend that you use automated preset security for the following reasons:
To define automatic preset security, specify USERID(*EVERY) to ensure that the correct user ID is signed on for every command, or USERID(*FIRST) to sign on the console using the userid that first issues a MVS MODIFY command to CICS, and retain this for subsequent commands.