If you intend to use an MVS™ system console as a CICS® terminal, you may need authorization to use the MVS MODIFY command. This is done using the OPERCMDS resource class.
We recommend that you specify automatic preset security on the console's CICS terminal definition, so that the console user obtains the correct level of authority without explicitly performing a CICS signon (which exposes the password).
If preset security is not defined, console users must sign on to get authority different from the default user. In this case, the password can generally be seen on the console and system log. However, if CICS has been defined as an MVS subsystem in a JES2 system, you can use the HIDEPASSWORD=YES option of the DFHSSIxx member in SYS1.PARMLIB, which enables CICS to intercept the command and overwrite the password with asterisks. For details about defining CICS as an MVS subsystem, see the CICS Transaction Server for z/OS® Installation Guide.
MODIFY jobname,CESN [USERID=userid][,PS=password]
[,NEWPS=newpassword][,GROUPID=groupid]
[,LANGUAGE=language-code]
REPLY nn,
with
nothing after the comma, where nn is the number of the message
corresponding to the reply.You can authorize TSO users to use the TSO CONSOLE command. (For information on this command, see z/OS TSO/E System Programming Command Reference.) These users must be defined to CICS as consoles, using the CONSNAME option of the DEFINE TERMINAL command, or be supported by autoinstall for consoles, as described in the CICS Resource Definition Guide.
When the password parameter is omitted from the CESN command, RACF® can produce a security violation message, ICH408I. CESN cannot distinguish a user defined with OIDCARD, NOPASSWORD from a user defined with a PASSWORD who intentionally omits the password. To establish whether to prompt for a PASSWORD or to reject the signon (a user defined with OIDCARD cannot sign on at a console), the signon must be attempted. If the signon fails, message ICH408I is produced, and CICS interprets the return code from RACF to determine whether the PASSWORD or OIDCARD authenticator is required.
These users can sign on using CESN, or you may prefer to use preset security (the normal preset security for CICS terminals, or automatic preset security for consoles). When the TSO user uses the CONSOLE command, that user's userid, by default, becomes a console name. (But it can be changed to be any name using the CONSNAME(name) option on the TSO CONSOLE command). This console name can then be used as a CICS terminal if there is a corresponding TERMINAL definition (or one can be autoinstalled) with the CONSNAME option in CICS. If another name has been specified, that name is the one CICS uses to communicate with the console. For example, it is possible for one TSO user to use a name that is the same as another TSO user's ID.