Authorizing access to a CICS region’s VTAM ACB

You can control which users, among those who are running non-APF-authorized programs, can OPEN the VTAM® ACB associated with a CICS® address space (CICS region). This ensures that only authorized CICS regions can present themselves as VTAM applications that provide services with this APPLID, thus preventing unauthorized users from impersonating real CICS regions. (Note that the CICS region userid needs the OPEN access, not the issuer of the SET VTAM OPEN command.)

To enable CICS to start up with external security, you must first have authorized the CICS region userid to open the CICS region’s VTAM ACB with the applid specified on the APPLID system initialization parameter.

For each APPLID, create a VTAMAPPL profile, and give the CICS region userid READ access. For example:

  RDEFINE VTAMAPPL applid UACC(NONE) NOTIFY(userid)
  PERMIT applid CLASS(VTAMAPPL) ID(cics_region_userid) ACCESS(READ)

The correct CICS APPLID to specify in the VTAMAPPL class is the specific APPLID, as specified in the CICS system initialization parameters. If you are using XRF (that is, if CICS is started with XRF=YES in effect), you must define two VTAMAPPL profiles: one for the specific APPLID of the active CICS region and one for the specific APPLID of the alternate CICS region. (The specific APPLID is the second operand on the CICS APPLID startup option.)

Notes:
  1. The VTAMAPPL class must be active and RACLISTed for this protection to be in effect; for example:
        SETROPTS CLASSACT(VTAMAPPL) RACLIST(VTAMAPPL)
  2. If a CICS region is not to use VTAM, you do not need to authorize the CICS region userid for the CICS applid.
  3. If you do not control the opening of a CICS region’s VTAM ACB, a new VTAM application started with the same applid as that of a running CICS region has the following effect:
    • The running CICS region performs a FORCECLOSE of its VTAM ACB and issues message DFHZC0101.
    • The running CICS region either terminates or continues, depending on your use of the XXRSTAT exit. (The default is to terminate.) If the CICS region continues, it no longer uses VTAM.
    • The new application opens the VTAM ACB with the specified applid.
    • If the first running CICS region used VTAM persistent sessions, the new application recovers any VTAM sessions that persist from that CICS region.
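The XRF case described above, worked through as a batch TSO job. This is an added example, not part of the original documentation: the job card, the specific APPLIDs CICSHA11 and CICSHA12, the region userid CICSHA1 and the notify userid SECADM1 are constructed placeholders, and it assumes that both regions run under the same region userid and that the VTAMAPPL class is already active and RACLISTed as in note 1.

```jcl
//RACFVTAM JOB (ACCT),'VTAMAPPL XRF',CLASS=A,MSGCLASS=X
//*
//* Added example; all names below are constructed placeholders.
//*   CICSHA11 = specific APPLID of the active CICS region
//*   CICSHA12 = specific APPLID of the alternate CICS region
//*   CICSHA1  = CICS region userid (assumed shared by both regions)
//*   SECADM1  = userid notified of access violations
//*
//* Steps performed by the commands in SYSTSIN:
//*   1. Define one VTAMAPPL profile per specific APPLID, UACC(NONE),
//*      so that no userid can open the ACB by default.
//*   2. Give only the CICS region userid READ access to each profile.
//*   3. Refresh the in-storage (RACLISTed) profiles so that the new
//*      definitions take effect.
//*   4. List each profile with its access list to confirm that the
//*      region userid is the only entry with READ.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE VTAMAPPL CICSHA11 UACC(NONE) NOTIFY(SECADM1)
  RDEFINE VTAMAPPL CICSHA12 UACC(NONE) NOTIFY(SECADM1)
  PERMIT CICSHA11 CLASS(VTAMAPPL) ID(CICSHA1) ACCESS(READ)
  PERMIT CICSHA12 CLASS(VTAMAPPL) ID(CICSHA1) ACCESS(READ)
  SETROPTS RACLIST(VTAMAPPL) REFRESH
  RLIST VTAMAPPL CICSHA11 AUTHUSER
  RLIST VTAMAPPL CICSHA12 AUTHUSER
/*
```

Because the class is RACLISTed, profile changes made with RDEFINE and PERMIT are not used for access checks until the SETROPTS REFRESH has run.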

For information about creating VTAMAPPL profiles for CICS region applids, see the CICS RACF® Security Guide. For information about the XXRSTAT exit, see the CICS Customization Guide.
