Implementation of the LU6.2 attach-time security in
CICSTS31.CICS conforms
strictly to the architecture. In particular, note the following:
- The introduction of SNA profile support and the conformance to SNA attach-time
security processing may cause migration problems.
- Profile support means that badly coded profiles sent in an attach FMH-5
cause certain attach requests to be rejected.
- The checks to prevent problems in the access security subfields of an
FMH-5 are:
- Check for unrecognized subfield
- Check for invalid length subfield
- Check for multiple subfields of the same type
- The full 10-character userid and password are accepted. Any trailing blanks
((X'40') are removed before being passed to the security manager, which either
rejects the attach request, or converts the userid and password into 8- character
form before proceeding.
- If an attach request does not contain security parameters in the FMH-5,
it is rejected, unless USEDFLTUSER(YES) has been specified on the CONNECTION definition. In that case, the
security capabilities of the default user apply.
- Valid SNA profiles received are treated as the ESM groupid with which
the userid in the FMH-5 will be associated after the userid in the FMH-5 is
signed on.
- When a SNA profile is received and the connection had ATTACHSEC=PERSISTENT,
it is validated to conform to the architecture. It is not used to further
qualify users in the signed-on-from list. This also applies to persistent
signed-on flows received on a connection that has ATTACHSEC=MIXIDPE specified.