Security in CICS and its effect on CICS ONC RPC operations

During the operation of CICS® ONC RPC, various CICS commands are used to make security checks with an external security manager (ESM). The checks always give positive results if SEC=NO is specified as a system initialization parameter. The checks always give negative results if SEC=YES is specified but the ESM abended while CICS was operating. The following discussion of the use made of CICS security commands assumes that SEC=YES is specified and that the ESM is active.

Figure 64 shows how CICS security interacts with the operation of CICS ONC RPC.

Figure 64. How CICS security interacts with CICS ONC RPC operations
This diagram shows CRPC issuing EXEC CICS START() USERID() for CRPM. CRPM issues EXEC CICS START() USERID() for CRPA. CRPA issues EXEC CICS VERIFY PASSWORD and EXEC CICS QUERY SECURITY, causing the Resource Checker to be called.

The figure shows that the alias links to the user-supplied resource checker program if one is configured, but use of the resource checker program is not recommended. You should use the CICS security facilities instead, and make the appropriate definitions in the ESM.

Using RACF Secured Sign-on

RACF® Secured Sign-on support allows clients to gain security access to CICS facilities by sending a PassTicket (that is, a one-time-only password). This avoids the security hazard of a password being transmitted across the network in clear text.

For further information, see Resource Access Control Facility: System Programmer's Guide, Version 2 Release 2. This includes details of the algorithm that the RPC client must use to generate the PassTicket. That algorithm uses the DES algorithm.

PassTicket generation

The algorithm that generates the PassTicket is a function of:

To generate the PassTicket, the client must:

Related concepts
ONC RPC concepts
CICS ONC RPC security
Related tasks
Writing the resource checker