
Security considerations

This section describes the Web User Interface security requirements for CICS® security, Secure Sockets Layer (SSL) support, and access to MVS™ data sets.

CICS security considerations

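If your Web User Interface server region is running with CICS security active, you need to define the security access required for the CICS Web Interface, for the administrator, and for the end-user and users of the View Editor.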

Table 25 summarizes the access required by the various userids.

You may wish to use CICS transaction security (see the CICS RACF Security Guide) to limit the users who are allowed to control the Web User Interface server via the COVC transaction.

See the CICSPlex® System Manager Web User Interface Guide for information about how to control users of the Web User Interface and to limit what resources they are allowed to access.

Security access for the CICS Web Interface

If CICS transaction security is in use, the CICS DFLTUSER (for a CICS Transaction Server for OS/390® version 1.3 or later system) or the CWBM transaction userid (for a pre-CICS Transaction Server for OS/390 version 1.3 system) must be given access to the COVP, COVU, and COVE transactions.

Security access for the administrator

The userid that starts the Web User Interface (terminal user of COVC or PLTPIUSR, if started automatically via PLTPI) must have access to the COVC and COVG transactions.

If CICS surrogate user security checking is active in the Web User Interface server region, the userid that started the Web User Interface (terminal user of COVC or PLTPIUSR, if started automatically via PLTPI) must have READ access to wui-userid.DFHSTART in the SURROGAT class for all Web User Interface users.

Security access for the end-user and users of the View Editor

The Web User Interface end-user needs access to the COVA transaction and CICSPlex SM.

Users of the View Editor need access to the COVA transaction, CICSPlex SM and the View Editor profile. For more information about access to the View Editor, see the CICSPlex System Manager Web User Interface Guide.

All users who are successfully signed onto the Web User Interface have access to all of the customizable view and menu help pages, if the customizable view and menu help is served by the Web User Interface.

Summary

Table 25 summarizes the security accesses required by users of the Web User Interface.

Table 25. Security accesses required by users of the Web User Interface

| User Roles | CICS Web Interface | Administrator | End-user | View Editor |
|---|---|---|---|---|
| Transactions | COVP, COVE, COVU | COVG, COVC | COVA | COVA |
| CICS surrogate user security | | Yes | | |
| View Editor profile | | | | Yes |
| CICSPlex SM and CICS security | | | As appropriate for individual users | As appropriate for individual users |

Secure Sockets Layer support

If you are using a CICS Transaction Server for OS/390 version 1.3 or later system, you can provide secure connections by using the Secure Sockets Layer (SSL) support to encrypt the connection. For information about SSL support, see the CICS Internet Guide. Also, see Specify the Web User Interface server initialization parameters for information about the TCPIPSSL and TCPIPSSLCERT Web User Interface server initialization parameters that you need to specify for SSL support.

Note:
Web User Interface SSL support uses server authentication only. User authentication is by the external security manager (ESM) user ID and password.

Authorizing access to MVS data sets

In addition to standard CICS and CICSPlex SM requirements, the CICS region userid must have the authority to access the data sets associated with the DDnames described in Table 26.

Table 26. Security access required for MVS data sets

| DDnames | Access required |
|---|---|
| EYUWUI | READ |
| DFHHTML | READ |
| EYUCOVI (and clones) | READ |
| EYUWREP | UPDATE |
| EYULOG | UPDATE |
| EYUCOVE (and clones) | UPDATE |
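
The accesses in Tables 25 and 26 expressed as RACF commands, as an added example that is not part of the original IBM text. It assumes RACF is the ESM, transaction profiles in the TCICSTRN class with no profile prefixing, and data set profiles that already exist; every user ID, the group name, and the data set names are placeholders.

```racf
/* Added example. Placeholder names (assumptions, not from the page):  */
/*   CICSDFLT  CICS default user ID (DFLTUSER)                         */
/*   WUIADMIN  user ID that starts the WUI (COVC user or PLTPIUSR)     */
/*   WUIUSERS  group holding end-users and View Editor users           */
/*   WUIUSR1   one individual WUI user                                 */
/*   CICSWUI   CICS region user ID of the WUI server                   */
/*   'dsn-for-ddname'  site data set allocated to that DDname          */

/* Table 25, Transactions row: define with no universal access */
RDEFINE TCICSTRN (COVP COVU COVE COVC COVG COVA) UACC(NONE)

/* CICS Web Interface */
PERMIT COVP CLASS(TCICSTRN) ID(CICSDFLT) ACCESS(READ)
PERMIT COVU CLASS(TCICSTRN) ID(CICSDFLT) ACCESS(READ)
PERMIT COVE CLASS(TCICSTRN) ID(CICSDFLT) ACCESS(READ)

/* Administrator */
PERMIT COVC CLASS(TCICSTRN) ID(WUIADMIN) ACCESS(READ)
PERMIT COVG CLASS(TCICSTRN) ID(WUIADMIN) ACCESS(READ)

/* End-user and View Editor (CICSPlex SM access and the View Editor   */
/* profile are granted separately, per the WUI Guide)                 */
PERMIT COVA CLASS(TCICSTRN) ID(WUIUSERS) ACCESS(READ)

/* Table 25, surrogate row: one wui-userid.DFHSTART profile per WUI   */
/* user, READ for the ID that starts the WUI. Repeat for each user.   */
RDEFINE SURROGAT WUIUSR1.DFHSTART UACC(NONE)
PERMIT WUIUSR1.DFHSTART CLASS(SURROGAT) ID(WUIADMIN) ACCESS(READ)

/* Table 26: data set access for the CICS region user ID              */
PERMIT 'dsn-for-EYUWUI'  ID(CICSWUI) ACCESS(READ)
PERMIT 'dsn-for-DFHHTML' ID(CICSWUI) ACCESS(READ)
PERMIT 'dsn-for-EYUCOVI' ID(CICSWUI) ACCESS(READ)    /* and clones */
PERMIT 'dsn-for-EYUWREP' ID(CICSWUI) ACCESS(UPDATE)
PERMIT 'dsn-for-EYULOG'  ID(CICSWUI) ACCESS(UPDATE)
PERMIT 'dsn-for-EYUCOVE' ID(CICSWUI) ACCESS(UPDATE)  /* and clones */

/* Refresh in-storage profiles if these classes are RACLISTed */
SETROPTS RACLIST(TCICSTRN SURROGAT) REFRESH
```

Defining the transaction profiles with UACC(NONE) keeps COVC and COVG restricted to the administrator ID, which is the limit on COVC that the CICS security considerations section recommends.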