If security is active (SEC=YES is specified in the system initialization
parameters), CICS performs bind security auditing. The following conditions
are considered bind failures; they cause RACF to write an SMF record and to
issue a message:
- Session key does not match partner's.
- Session segment is locked.
- Session segment has expired.
- Session key is null.
- Session segment does not exist.
- Session segment retrieval was unsuccessful.
- Session bind was unsuccessful.
The following conditions are considered bind successes, and cause RACF
to write an SMF record, but not to issue a message:
- Session was successfully bound.
- Session key will expire in less than six days.
An SMF record is written if either of the following is true:
- The profile's audit option is set (AUDIT(ALL(READ))).
- SETROPTS LOGOPTIONS(ALWAYS(APPCLU)) is set.
Two things happen when an SMF audit record is written:
- Message ICH70005I is sent to the userid specified in the profile's
notify option. It is suggested that you specify the TSO userid of a RACF administrator
who is responsible for the APPCLU class.
- The security console (any MVS™ console with a routing code of 9) receives
message ICH415I, which contains text similar to message ICH70005I.
These audit records can be extracted from SMF and listed using the following
sample RACF Report Writer control statements:
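//* Run the RACF Report Writer under the batch TSO terminal monitor program.
//* RSMFIN is the dumped SMF data; SYSTSIN holds the RACFRW command and
//* its subcommands; SYSTSPRT receives the TSO output.
//RACFRW   EXEC PGM=IKJEFT01
//SORTWKxx DD   your sort files
//SYSPRINT DD   SYSOUT=*
//SYSTSPRT DD   SYSOUT=*
//RSMFIN   DD   DSN=your smf dumped data,DISP=SHR
//SYSTSIN  DD   *
RACFRW TITLE('Bind Security Reports') GENSUM
SELECT PROCESS
EVENT APPCLU
LIST SORT(DATE,TIME)
END
//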
The RACF Report Writer is described in the z/OS Security Server RACF Auditor's Guide.