CICS/VSE internal security, apart from resource security, is defined at two levels: link security and user security.
Security profiles consist of one or more numeric keys, chosen from the digits 1 through 24. When a protected resource is defined, it is associated with one of these values. A user who has a matching key is allowed to access that resource, provided that the link also has a matching key (user security is a subset of link security).
If you do not need to specify security for individual users, you can let all user security profiles default to the link profile. For this, you specify ATTACHSEC(Local) on the CEDA DEFINE CONNECTION command. You define the link security profile by specifying OPERRSL on the same command. Let this option default if you want the link to access only unprotected resources.
An alternative way to specify link security is to define an SNT entry for the link. Specify RSLKEY to define the link security profile. The user ID you give to the link has to be matched to SECURITYNAME on the CEDA DEFINE CONNECTION command.
To enable protected access to CICS/VSE resources, specifications are needed in each remote system.
To enable security checking of CICS® Transaction Server for Windows users by CICS/VSE, Attach security must be specified as V in the CICS Transaction Server for Windows TCS definition of the CICS/VSE system. All user IDs must be defined in the CICS Transaction Server for Windows signon table (SNT).
In the communications definition (CD) stanza, the entry for the CICS/VSE system should specify RemoteSystemSecurity=IDENTIFY, which is consistent with either IDENTIFY or VERIFY in the SNA Services connection profile. All user IDs, whether or not they use intercommunication, must be in the user definition (UD) stanza.
In the connection profile for the CICS/VSE system, the conversation security access list must contain the user IDs and passwords of all users that are to access the CICS/VSE system. The connection profile should specify SecurityLevel=IDENTIFY or VERIFY, depending on the security required.
An AS/400® user profile, containing a user ID and password, is required for each CICS/400 user who accesses protected CICS/VSE resources. In the AS/400 configuration list, the entry for the CICS/VSE system should specify Secure Loc(*YES), which is the equivalent of ATTACHSEC=Verify in the CICS/VSE CONNECTION definition.
For CICS/VSE resource security, entries are needed in the SNT for all remote users. Each entry must match a corresponding entry in a remote system’s SNT or equivalent. The level of security on a link depends on the ATTACHSEC option of the CEDA DEFINE CONNECTION command.
If you are using an external security manager, you probably need only the default entry in the CICS SNT. This covers both link and users.
Because the mirror transaction accesses all resources for the users, CICS/VSE does not apply resource security checking unless you specify RSLC(YES) or RSLC(EXTERNAL) on the CEDA DEFINE TRANSACTION for the mirror transaction.
For further guidance, see the CICS/VSE Version 2 Release 3 Intercommunication Guide. Note that bind-time security is not supported.
Implementation of security for CICS Transaction Server for Windows, CICS on Open Systems, or CICS/400 access to CICS/VSE resources is similar to that for CICS/VSE to CICS/VSE intercommunication.
For ATTACHSEC=VERIFY|IDENTIFY, in addition to the requirements for ATTACHSEC=LOCAL, the user’s SNT operator class must match the RSL key for the resource. Additional checks may be needed, depending on the definitions of mirror and routed transactions.
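The access decision described in this page can be read as a small rule set: a protected resource carries one RSL key (1 through 24); a request succeeds only if both the link profile (OPERRSL or RSLKEY) and the user profile hold that key; with ATTACHSEC(LOCAL) the user profile simply defaults to the link profile; with IDENTIFY or VERIFY the user must exist in the SNT; and the mirror transaction bypasses the check altogether unless RSLC(YES) or RSLC(EXTERNAL) is set on it. The following Python model is an added example written for this page, not IBM code and not an emulation of CICS itself. The class and function names (Connection, User, Transaction, access_allowed), the use of None for an unprotected resource, and the sample profiles are all constructed for illustration.

```python
"""Illustrative model of the CICS/VSE link/user RSL key check.

Added example for this page; not IBM code. Names and sample data are
constructed. A resource key of None stands for an unprotected resource.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

VALID_RSL_KEYS = frozenset(range(1, 25))   # RSL keys are numbered 1 through 24


def _validate_keys(keys: FrozenSet[int]) -> None:
    """Reject any key outside the documented 1..24 range."""
    bad = set(keys) - VALID_RSL_KEYS
    if bad:
        raise ValueError(f"RSL keys out of range 1..24: {sorted(bad)}")


@dataclass(frozen=True)
class Connection:
    """Link definition: ATTACHSEC mode plus the link security profile.

    `link_keys` models OPERRSL on CEDA DEFINE CONNECTION (or RSLKEY on the
    link's SNT entry). An empty set is the default: unprotected resources only.
    """
    attachsec: str                 # "LOCAL", "IDENTIFY" or "VERIFY"
    link_keys: FrozenSet[int]

    def __post_init__(self) -> None:
        if self.attachsec not in ("LOCAL", "IDENTIFY", "VERIFY"):
            raise ValueError(f"unknown ATTACHSEC value {self.attachsec!r}")
        _validate_keys(self.link_keys)


@dataclass(frozen=True)
class User:
    """SNT entry for a remote user: user ID and its RSL keys."""
    userid: str
    user_keys: FrozenSet[int]

    def __post_init__(self) -> None:
        _validate_keys(self.user_keys)


@dataclass(frozen=True)
class Transaction:
    """Mirror transaction definition; `rslc` models RSLC on CEDA DEFINE TRANSACTION."""
    rslc: str                      # "NO", "YES" or "EXTERNAL"


def effective_user_keys(conn: Connection, user: Optional[User]) -> Optional[FrozenSet[int]]:
    """Return the key set the user is checked against, or None if the user
    cannot be established at all.

    ATTACHSEC(LOCAL): every user profile defaults to the link profile.
    IDENTIFY/VERIFY: the flowed user ID must have an SNT entry.
    """
    if conn.attachsec == "LOCAL":
        return conn.link_keys
    if user is None:               # user ID not defined in the SNT
        return None
    return user.user_keys


def access_allowed(conn: Connection, user: Optional[User],
                   mirror: Transaction, resource_key: Optional[int]) -> bool:
    """Decide whether a request arriving over `conn` may touch the resource.

    Order of checks mirrors the text: unprotected resources are always open;
    the mirror transaction is not resource-checked unless RSLC(YES|EXTERNAL);
    otherwise both the link and the user must hold the resource's key.
    """
    if resource_key is None:
        return True                # unprotected resource
    if resource_key not in VALID_RSL_KEYS:
        raise ValueError(f"resource key {resource_key} out of range 1..24")
    if mirror.rslc not in ("YES", "EXTERNAL"):
        return True                # mirror transaction: no resource security checking
    keys = effective_user_keys(conn, user)
    if keys is None:
        return False               # no SNT entry for this user
    # user security is a subset of link security: both must hold the key
    return resource_key in conn.link_keys and resource_key in keys


if __name__ == "__main__":
    # Constructed sample definitions for a stand-alone run.
    link = Connection("VERIFY", frozenset({3, 7}))
    alice = User("ALICE", frozenset({3}))
    bob = User("BOB", frozenset({9}))
    checked = Transaction("YES")
    unchecked = Transaction("NO")
    for who, key in ((alice, 3), (alice, 7), (bob, 9), (None, 3)):
        name = who.userid if who else "<no SNT entry>"
        print(f"{name:15} key {key}: {access_allowed(link, who, checked, key)}")
    print("mirror RSLC(NO), BOB key 9:", access_allowed(link, bob, unchecked, 9))
```

Running the module shows the subset rule directly: BOB holds key 9 but the link does not, so the request is refused even though the user profile alone would allow it; flipping the mirror transaction to RSLC(NO) removes the check entirely, which is why the text insists on RSLC(YES) or RSLC(EXTERNAL) when resource security matters.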