DFHIRP, the CICS® interregion communication program, performs two security checks against users that want to:
The discussion about logon security checking in this section applies only to EXCI connections that are defined as SPECIFIC. The MRO logon security check is not performed for generic connections.
The MVS™ client program is treated just the same as another CICS region as far as MRO logon and connect (bind-time) security checking is concerned. This means that when the client program logs on to the interregion communication program, IRP performs logon and bind-time security checks against the user ID under which the client program is running. In the remainder of this section, we refer to this as the batch region's user ID.
To enable your client program to log on successfully to IRP, and to connect to the target server region, first ensure that you define the batch region's user ID in a user profile to RACF®. When you have defined the batch region's user ID to RACF, you can then give the batch region the appropriate logon and bind-time authorizations.
Failure to authorize the batch region's user ID to the DFHAPPL profile of the specific user ID logging on to IRP causes Allocate_Pipe processing to fail with RESPONSE(SYSTEM_ERROR) REASON(IRC_LOGON_FAILURE). The subreason field-1 for a logon security check failure returns decimal 204.
See Defining DFHAPPL FACILITY class profiles for an EXCI region for information about FACILITY class profiles for an EXCI client program.
Failure to authorize the batch region's user ID to the CICS server region's DFHAPPL.applid profile causes Open_Pipe processing to fail with RESPONSE(SYSTEM_ERROR) REASON(IRC_CONNECT_FAILURE). The subreason field-1 for a bind-time security check failure returns decimal 176.
See the CICS RACF Security Guide for information about the MRO logon and bind-time security checks, and for examples of how to define the RACF DFHAPPL profiles.
Define the user_name part of the DFHAPPL profile name as follows:
Define FACILITY class profiles, with appropriate authorizations, for each user name specified in a client program if the program has INITIALIZE_USER commands for more than one user name.
For example, if the user_name defined on an INITIALIZE_USER command is DCEUSER1, define the DFHAPPL profile in the FACILITY class as follows:
RDEFINE FACILITY (DFHAPPL.DCEUSER1) UACC(NONE)
If the batch region's user ID is CLIENTA, authorize the batch region to log on to IRP as follows:
PERMIT DFHAPPL.DCEUSER1 CLASS(FACILITY) ID(CLIENTA)
ACCESS(UPDATE)