Although, in general, CICS runs in unauthorized state, the CICS initialization
program, DFHSIP, needs to run in authorized state for part of its execution.
For this reason, the version of the DFHSIP module supplied on the distribution
tape is link-edited with the “authorized” attribute (using the linkage-editor
SETCODE AC(1) control statement), and is installed in CICSTS31.CICS.SDFHAUTH.
This library must be defined to the operating system as APF-authorized.

To prevent unauthorized or accidental modification of CICSTS31.CICS.SDFHAUTH,
make this library RACF-protected. Without such protection, the integrity and
security of your MVS system are at risk. To control the unauthorized start-up
of a CICS system using DFHSIP, also consider implementing the following:
- If DFHSIP is in a library that has been placed in the MVS link list, protect
DFHSIP with a profile in the PROGRAM resource class. Give READ access to
this profile only to those users who are allowed to execute CICS.
- If DFHSIP has been placed in the link pack area (LPA), it cannot be protected
by the PROGRAM resource class. Instead, control the start-up of CICS by controlling
the loading of any suffixed DFHSIT load module. Ensure that no DFHSIT load
module is included in the LPA, then control the loading of DFHSIT by creating
a generic 'DFHSIT*' profile in the PROGRAM resource class. Give READ
access to this profile only to those users who are allowed to execute CICS.

Also give RACF protection to SYS1.CICSTS31.CICS.SDFHLINK and to
SYS1.CICSTS31.CICS.SDFHLPA, and to the other libraries (including
CICSTS31.CICS.SDFHLOAD) that make up the STEPLIB and DFHRPL library
concatenations.

See Authorizing access to CICS data sets for more information about protecting
CICS data sets and creating suitable data set security profiles.
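
The following batch TSO job is an added example, not part of the original documentation; it shows RACF commands that implement the protections described above. The job card, the group name CICSRGNS, and the placement of the DFHSIT modules in CICSTS31.CICS.SDFHAUTH are assumptions, and generic profile checking and program control (SETROPTS WHEN(PROGRAM)) are assumed to be active already.

```jcl
//RACFCICS JOB (ACCT),'PROTECT DFHSIP',CLASS=A,MSGCLASS=X
//* Added example. Job card and group CICSRGNS are hypothetical.
//* CICSRGNS = the users who are allowed to execute CICS.
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* 1. Protect the APF-authorized library against modification. */
  ADDSD  'CICSTS31.CICS.SDFHAUTH' GENERIC UACC(NONE)
  PERMIT 'CICSTS31.CICS.SDFHAUTH' GENERIC ID(CICSRGNS) ACCESS(READ)

  /* 2a. DFHSIP in a link-list library: protect the program.     */
  /*     Keep only the step (2a or 2b) that fits your system.    */
  RDEFINE PROGRAM DFHSIP UACC(NONE) -
    ADDMEM('CICSTS31.CICS.SDFHAUTH'//NOPADCHK)
  PERMIT DFHSIP CLASS(PROGRAM) ID(CICSRGNS) ACCESS(READ)

  /* 2b. DFHSIP in the LPA: control loading of suffixed DFHSIT   */
  /*     modules instead. Assumes they reside in SDFHAUTH and    */
  /*     that no DFHSIT module is in the LPA.                    */
  RDEFINE PROGRAM DFHSIT* UACC(NONE) -
    ADDMEM('CICSTS31.CICS.SDFHAUTH'//NOPADCHK)
  PERMIT DFHSIT* CLASS(PROGRAM) ID(CICSRGNS) ACCESS(READ)

  /* 3. Protect the other libraries named in this section.       */
  ADDSD  'SYS1.CICSTS31.CICS.SDFHLINK' GENERIC UACC(NONE)
  ADDSD  'SYS1.CICSTS31.CICS.SDFHLPA'  GENERIC UACC(NONE)
  ADDSD  'CICSTS31.CICS.SDFHLOAD'      GENERIC UACC(NONE)
  PERMIT 'CICSTS31.CICS.SDFHLOAD' GENERIC ID(CICSRGNS) ACCESS(READ)

  /* 4. Make the PROGRAM class changes take effect.              */
  SETROPTS WHEN(PROGRAM) REFRESH

  /* 5. List the results to confirm UACC and access lists.       */
  RLIST PROGRAM DFHSIT* ALL
  LISTDSD DATASET('CICSTS31.CICS.SDFHAUTH') GENERIC ALL
/*
```

Review the RLIST and LISTDSD output in SYSTSPRT to confirm that each profile has UACC(NONE) and that only the intended group appears on the access list.
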
Note: The source statements of your application programs are sensitive;
consider having RACF protect the data sets containing them.