To perform MRO connect security checking, DFHIRP checks that each CICS
region in the connection has read access to its partner's DFHAPPL.applid profile.
When CICS® Transaction Server for z/OS®, Version 3 Release 1 DFHIRP
is installed, all regions using earlier CICS releases in the MVS™ image use the
DFHAPPL.applid form of MRO connect security. In addition, the SECURITYNAME
parameter on the CONNECTION definition is not used for MRO and is ignored.
To authorize the MRO partner regions for bind security purposes, you must
define the appropriate DFHAPPL profiles in the RACF FACILITY class. This means
that each CICS region in an MRO interregion communication link must be given
access to its partner's DFHAPPL.applid profile with READ access authority.
For example, for the CICS TOR running under userid CICSRTOR (with APPLID CICSATOR),
that connects to the AOR running under userid CICSRAOR (with APPLID CICSAAOR),
the RACF commands to authorize the connections are shown in Figure 1.
You cannot specify to CICS whether or not you want connect security checking
for MRO connections—CICS always issues the RACROUTE calls.
Figure 1. Illustration of the DFHIRP logon and connect security checks.
This illustration shows a CICS terminal-owning region (TOR) and CICS
application-owning region (AOR) logging on to DFHIRP, and connecting to one another:
- The TOR has an APPLID of CICSATOR and a region user ID of CICSRTOR.
- The AOR has an APPLID of CICSAAOR and a region user ID of CICSRAOR.
During the logon process, DFHIRP calls RACF to check that:
- User ID CICSRTOR has UPDATE access to DFHAPPL.CICSATOR
- User ID CICSRAOR has UPDATE access to DFHAPPL.CICSAAOR
During the connection process, DFHIRP calls RACF to check that:
- User ID CICSRTOR has READ access to DFHAPPL.CICSAAOR
- User ID CICSRAOR has READ access to DFHAPPL.CICSATOR
The TOR and AOR shown in Figure 1, running under region userids CICSRTOR and
CICSRAOR respectively, with APPLIDs CICSATOR and CICSAAOR, require the following
RACF definitions to authorize their logon to DFHIRP:
- For the MRO logon and connect process:
    RDEFINE FACILITY (DFHAPPL.CICSATOR) UACC(NONE)
    RDEFINE FACILITY (DFHAPPL.CICSAAOR) UACC(NONE)
    PERMIT DFHAPPL.CICSATOR CLASS(FACILITY) ID(CICSRTOR) ACCESS(UPDATE)
    PERMIT DFHAPPL.CICSAAOR CLASS(FACILITY) ID(CICSRAOR) ACCESS(UPDATE)
- For connection:
    PERMIT DFHAPPL.CICSAAOR CLASS(FACILITY) ID(CICSRTOR) ACCESS(READ)
    PERMIT DFHAPPL.CICSATOR CLASS(FACILITY) ID(CICSRAOR) ACCESS(READ)
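
The logon and connect rules above can be checked mechanically against a set of RACF commands before they are run. The following Python sketch is an added example, not part of the CICS documentation; the function names are illustrative. It assumes discrete DFHAPPL profiles and direct user permits only (no groups or generic profiles), and it generalizes the two-region case to any list of MRO links.

```python
import re

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access, ascending
PERMIT_RE = re.compile(
    r"PERMIT\s+(\S+)\s+CLASS\(FACILITY\)\s+ID\((\w+)\)\s+ACCESS\((\w+)\)", re.I)
RDEFINE_RE = re.compile(r"RDEFINE\s+FACILITY\s+\((\S+?)\)\s+UACC\((\w+)\)", re.I)

# The page's example: APPLID -> region userid, one TOR<->AOR link, and its commands.
REGIONS = {"CICSATOR": "CICSRTOR", "CICSAAOR": "CICSRAOR"}
LINKS = [("CICSATOR", "CICSAAOR")]
PAGE_COMMANDS = """\
RDEFINE FACILITY (DFHAPPL.CICSATOR) UACC(NONE)
RDEFINE FACILITY (DFHAPPL.CICSAAOR) UACC(NONE)
PERMIT DFHAPPL.CICSATOR CLASS(FACILITY) ID(CICSRTOR) ACCESS(UPDATE)
PERMIT DFHAPPL.CICSAAOR CLASS(FACILITY) ID(CICSRAOR) ACCESS(UPDATE)
PERMIT DFHAPPL.CICSAAOR CLASS(FACILITY) ID(CICSRTOR) ACCESS(READ)
PERMIT DFHAPPL.CICSATOR CLASS(FACILITY) ID(CICSRAOR) ACCESS(READ)
"""

def parse(commands):
    """Return ({profile: uacc}, {(profile, userid): access}) from command text."""
    uacc, acl = {}, {}
    for line in commands.splitlines():
        if m := RDEFINE_RE.search(line):
            uacc[m.group(1).upper()] = m.group(2).upper()
        elif m := PERMIT_RE.search(line):
            acl[(m.group(1).upper(), m.group(2).upper())] = m.group(3).upper()
    return uacc, acl

def audit(regions, links, commands):
    """Return sorted findings; an empty list means logon and connect checks can pass."""
    uacc, acl = parse(commands)
    def has(userid, applid, need):
        got = acl.get((f"DFHAPPL.{applid}", userid), "NONE")
        return LEVELS.index(got) >= LEVELS.index(need)
    findings = []
    for applid, userid in regions.items():
        profile = f"DFHAPPL.{applid}"
        if profile not in uacc:
            findings.append(f"{profile}: profile not defined")
        elif uacc[profile] != "NONE":  # a wider UACC grants access to every user ID
            findings.append(f"{profile}: UACC({uacc[profile]}) is not NONE")
        if not has(userid, applid, "UPDATE"):  # logon: own profile
            findings.append(f"{userid} lacks UPDATE on {profile} (logon)")
    for a, b in links:
        for me, partner in ((a, b), (b, a)):  # connect: checked in both directions
            if not has(regions[me], partner, "READ"):
                findings.append(f"{regions[me]} lacks READ on DFHAPPL.{partner} (connect)")
    return sorted(findings)
```

Running `audit(REGIONS, LINKS, PAGE_COMMANDS)` on the page's commands returns an empty list; dropping either READ permit produces a connect finding for the affected region user ID.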