You can control which users, among those who are running non-APF-authorized programs, can OPEN the VTAM® ACB associated with a CICS® address space (CICS region). This ensures that only authorized CICS regions can present themselves as VTAM applications that provide services with this APPLID, thus preventing unauthorized users from impersonating real CICS regions. (Note that the CICS region userid needs the OPEN access, not the issuer of the SET VTAM OPEN command.)
To enable CICS to start up with external security, you must first have authorized the CICS region userid to open the CICS region’s VTAM ACB with the applid specified on the APPLID system initialization parameter.
For each APPLID, create a VTAMAPPL profile, and give the CICS region userid READ access. For example:
RDEFINE VTAMAPPL applid UACC(NONE) NOTIFY(userid)
PERMIT applid CLASS(VTAMAPPL) ID(cics_region_userid) ACCESS(READ)
The correct CICS APPLID to specify in the VTAMAPPL class is the specific APPLID, as specified in the CICS system initialization parameters. If you are using XRF (that is, if CICS is started with XRF=YES in effect), you must define two VTAMAPPL profiles, one for the specific APPLID of the active CICS region and one for the specific APPLID of the alternate (the specific APPLID is the second operand on the CICS APPLID startup option).
The VTAMAPPL class must be active and RACLISTed for these profiles to take effect:
SETROPTS CLASSACT(VTAMAPPL) RACLIST(VTAMAPPL)
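The XRF case described above, written out as a batch TSO job. This is an added example, not taken from the CICS documentation: the APPLIDs CICSXA1 and CICSXA2, the userids CICSRGN and SECADM, and the JOB card are constructed placeholders, and it assumes both regions run under the same region userid and that the VTAMAPPL class is already active and RACLISTed.

```jcl
//VTAMAPPL JOB (ACCT),'VTAMAPPL XRF',CLASS=A,MSGCLASS=X
//* Added example: APPLIDs, userids and the JOB card are constructed
//* placeholders, not values from the CICS documentation.
//*   CICSXA1 / CICSXA2  specific APPLIDs of the active and alternate
//*   CICSRGN            region userid (assumed shared by both regions)
//*   SECADM             userid notified of access violations
//* Assumes VTAMAPPL is already active and RACLISTed, so the in-storage
//* profiles are refreshed before the access lists are displayed.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE VTAMAPPL CICSXA1 UACC(NONE) NOTIFY(SECADM)
  RDEFINE VTAMAPPL CICSXA2 UACC(NONE) NOTIFY(SECADM)
  PERMIT CICSXA1 CLASS(VTAMAPPL) ID(CICSRGN) ACCESS(READ)
  PERMIT CICSXA2 CLASS(VTAMAPPL) ID(CICSRGN) ACCESS(READ)
  SETROPTS RACLIST(VTAMAPPL) REFRESH
  RLIST VTAMAPPL CICSXA1 AUTHUSER
  RLIST VTAMAPPL CICSXA2 AUTHUSER
/*
```

In the RLIST output, each profile should show a universal access of NONE and an access list that contains only the region userid with READ. Any other userid listed there can also open an ACB with that APPLID.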
For information about creating VTAMAPPL profiles for CICS region applids, see the CICS RACF® Security Guide. For information about the XXRSTAT exit, see the CICS Customization Guide.