Using MRO logon and bind-time security

DFHIRP, the CICS® interregion communication program, performs two security checks against users that want to:

  1. Log on to IRP (specific connections only).
  2. Connect to a CICS region (also referred to as bind-time security).

Generic EXCI connections

The discussion about logon security checking in this section applies only to EXCI connections that are defined as SPECIFIC. The MRO logon security check is not performed for generic connections.

The MVS™ client program is treated just the same as another CICS region as far as MRO logon and connect (bind-time) security checking is concerned. This means that when the client program logs on to the interregion communication program, IRP performs logon and bind-time security checks against the user ID under which the client program is running. In the remainder of this section, we refer to this as the batch region's user ID.

To enable your client program to log on successfully to IRP, and to connect to the target server region, first ensure that you define the batch region's user ID in a user profile to RACF®. When you have defined the batch region's user ID to RACF, you can then give the batch region the appropriate logon and bind-time authorizations.

1. Logon authorization
Authorize the batch region's user ID to the DFHAPPL.user_name RACF FACILITY class profile, with UPDATE authority. The user_name part of the profile name is the user name defined on the INITIALIZE_USER command.

Failure to authorize the batch region's user ID to the DFHAPPL profile of the specific user ID logging on to IRP causes Allocate_Pipe processing to fail with RESPONSE(SYSTEM_ERROR) REASON(IRC_LOGON_FAILURE). The subreason field-1 for a logon security check failure returns decimal 204.

See Defining DFHAPPL FACILITY class profiles for an EXCI region for information about FACILITY class profiles for an EXCI client program.

2. Bind-time authorization
Authorize the batch region's user ID to the DFHAPPL.applid RACF FACILITY class profile of the target CICS server region, with READ authority.

Failure to authorize the batch region's user ID to the CICS server region's DFHAPPL.applid profile causes Open_Pipe processing to fail with RESPONSE(SYSTEM_ERROR) REASON(IRC_CONNECT_FAILURE). The subreason field-1 for a bind-time security check failure returns decimal 176.

See the CICS RACF Security Guide for information about the MRO logon and bind-time security checks, and for examples of how to define the RACF DFHAPPL profiles.
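
The two authorizations above written out as RACF TSO commands. This is an added example, not taken from the IBM documentation. EXCIBAT (the batch region's user ID), EXCIUSR1 (the user name specified on INITIALIZE_USER) and CICSSRV1 (the target server region's applid) are constructed placeholder names.

```tso
/* Constructed placeholders, not values from the page:              */
/*   EXCIBAT  = batch region's user ID (the EXCI client job)        */
/*   EXCIUSR1 = user name specified on INITIALIZE_USER              */
/*   CICSSRV1 = applid of the target CICS server region             */

/* 1. Logon authorization: UPDATE on DFHAPPL.user_name              */
/*    UACC(NONE) so only explicitly permitted IDs can log on        */
RDEFINE FACILITY DFHAPPL.EXCIUSR1 UACC(NONE)
PERMIT DFHAPPL.EXCIUSR1 CLASS(FACILITY) ID(EXCIBAT) ACCESS(UPDATE)

/* 2. Bind-time authorization: READ on DFHAPPL.applid               */
/*    Skip the RDEFINE if the server region's profile already exists */
RDEFINE FACILITY DFHAPPL.CICSSRV1 UACC(NONE)
PERMIT DFHAPPL.CICSSRV1 CLASS(FACILITY) ID(EXCIBAT) ACCESS(READ)

/* Refresh in-storage profiles (needed when FACILITY is RACLISTed)  */
SETROPTS RACLIST(FACILITY) REFRESH

/* Verify: list each profile together with its access list          */
RLIST FACILITY DFHAPPL.EXCIUSR1 AUTHUSER
RLIST FACILITY DFHAPPL.CICSSRV1 AUTHUSER
```

If the first PERMIT is missing, Allocate_Pipe fails with IRC_LOGON_FAILURE and subreason field-1 of 204; if the second is missing, Open_Pipe fails with IRC_CONNECT_FAILURE and subreason field-1 of 176.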

Defining DFHAPPL FACILITY class profiles for an EXCI region

Define the user_name part of the DFHAPPL profile name as follows:
