When you run the CICS® bridge, you can specify the level of authentication you want to take place. If requested, the bridge checks the user ID and password extracted from the WebSphere MQ request message before running the CICS program named in the request message.
The level of authentication you can use is described below:
A passticket can be used in place of a password to avoid the need to flow passwords in messages (see Security Server RACF® System Programmer's Guide). When generating a passticket an APPLID must be specified. If you are using a single bridge monitor, the APPLID is the CICS APPLID unless a different value was specified when the bridge was started. If you are using multiple bridge monitors for a queue, you must specify the APPLID to be used via the PASSTKTA=applid parameter at bridge startup.
If you have not specified a user ID in a message, or you have not provided a password, the CICS program started by the CICS bridge runs with the user ID set to the user ID used to start the bridge monitor, regardless of the option requested. If you want more than one level of authentication checking performed, run a monitor task for each level you need.
When a CICS DPL request is read by the bridge monitor, it starts the transaction specified in the CICS bridge header (MQCIH) or, if this is blank, transaction CKBP. The user IDs under which the bridge monitor runs must have authority to start the various transactions that might be requested. The default transaction ID for the CICS bridge monitor is CKBR, but you can change this or define additional transaction IDs if you want more granular access to queues and transactions. You can use CICS surrogate security to restrict which user ID and transaction combinations a bridge monitor transaction and user ID can start.
Table 65 and Table 66 summarize the level of authority of the bridge monitor and the bridge tasks, and the use of the MQMD user ID.
Table 65. Authority of the bridge monitor

| Monitor started by | At a signed-on terminal | Monitor authority |
|---|---|---|
| From a terminal or EXEC CICS LINK within a program | Yes | Signed-on user ID |
| From a terminal or EXEC CICS LINK within a program | No | CICS default user ID |
| EXEC CICS START with user ID | - | User ID from START |
| EXEC CICS START without user ID | - | CICS default user ID |
| The WebSphere MQ trigger monitor CKTI | - | CICS default user ID |

Table 66. Authority of the bridge task, by AUTH option

| AUTH | Bridge task authority |
|---|---|
| LOCAL | CICS default user ID |
| IDENTIFY | MQMD UserIdentifier |
| VERIFY_UOW | MQMD UserIdentifier |
| VERIFY_ALL | MQMD UserIdentifier |
The options IDENTIFY, VERIFY_UOW, and VERIFY_ALL need the user ID of the bridge monitor defined to RACF as a surrogate of all the user IDs used in request messages. This is in addition to the user ID in the message being defined to RACF. (A surrogate user is one who has the authority to start work on behalf of another user, without knowing the other user's password.)
For more information on surrogate user security, see the CICS RACF Security Guide.
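To make the rules in Table 65, Table 66 and the surrounding text concrete, here is an added example in Python. It is not IBM code and nothing from the CICS bridge itself; it models which user ID the bridge monitor and the bridge task run under for a given AUTH option and request message, including the rule that incomplete credentials fall back to the monitor's user ID and the requirement that the monitor's user ID be a RACF surrogate of the message user. The CICS default user ID (CICSUSER), the user IDs BRIDGE1, ALICE and BOB, the transaction ID MYTX, and the dictionary standing in for the RACF surrogate definitions are all constructed for the example; the password (or passticket) is modelled only as a present/absent flag because the page gives no verification details.

```python
"""Illustrative model of the CICS bridge authority rules described on this
page.  Added example code, not IBM code: it applies Table 65, Table 66, the
incomplete-credentials rule and the RACF surrogate requirement to a
constructed request and reports which user ID the bridge task would run
under.  The surrogate relationship is stand-in data, not a real RACF call."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set

# Constructed placeholder for the region's CICS default user ID.
CICS_DEFAULT_USER = "CICSUSER"
DEFAULT_BRIDGE_TRANSACTION = "CKBP"   # used when the MQCIH transaction ID is blank


class Auth(Enum):
    """AUTH options from Table 66."""
    LOCAL = "LOCAL"
    IDENTIFY = "IDENTIFY"
    VERIFY_UOW = "VERIFY_UOW"
    VERIFY_ALL = "VERIFY_ALL"


class MonitorStart(Enum):
    """How the bridge monitor transaction was started (rows of Table 65)."""
    TERMINAL_OR_LINK = "terminal or EXEC CICS LINK"
    START_WITH_USERID = "EXEC CICS START with user ID"
    START_WITHOUT_USERID = "EXEC CICS START without user ID"
    TRIGGER_MONITOR_CKTI = "WebSphere MQ trigger monitor CKTI"


def monitor_authority(started_by: MonitorStart,
                      signed_on_user: Optional[str] = None,
                      start_userid: Optional[str] = None) -> str:
    """Table 65: the user ID under which the bridge monitor itself runs."""
    if started_by is MonitorStart.TERMINAL_OR_LINK:
        # Signed-on terminal -> signed-on user; otherwise the CICS default user.
        return signed_on_user or CICS_DEFAULT_USER
    if started_by is MonitorStart.START_WITH_USERID:
        if not start_userid:
            raise ValueError("START with user ID requires a user ID")
        return start_userid
    # START without a user ID, and CKTI, both run as the CICS default user.
    return CICS_DEFAULT_USER


@dataclass
class BridgeRequest:
    """Security-relevant fields of one WebSphere MQ request message (constructed)."""
    user_identifier: Optional[str]      # MQMD UserIdentifier
    password_present: bool              # password or passticket carried in the message
    transaction: Optional[str] = None   # MQCIH transaction ID; blank means CKBP


def dpl_transaction(req: BridgeRequest) -> str:
    """Transaction the monitor starts for a DPL request: MQCIH value, else CKBP."""
    return (req.transaction or "").strip() or DEFAULT_BRIDGE_TRANSACTION


def bridge_task_user(auth: Auth, monitor_user: str, req: BridgeRequest,
                     surrogates: Dict[str, Set[str]]) -> str:
    """User ID the bridge task runs under; PermissionError if RACF would refuse.

    `surrogates` maps a monitor user ID to the set of user IDs it may act as
    a surrogate for (a stand-in for the RACF surrogate definitions)."""
    # Missing user ID or missing password: the task runs as the user ID that
    # started the bridge monitor, whatever AUTH option was requested.
    if not req.user_identifier or not req.password_present:
        return monitor_user
    if auth is Auth.LOCAL:
        return CICS_DEFAULT_USER
    # IDENTIFY / VERIFY_UOW / VERIFY_ALL run as the MQMD UserIdentifier, which
    # requires the monitor's user ID to be a RACF surrogate of that user.
    if req.user_identifier not in surrogates.get(monitor_user, set()):
        raise PermissionError(
            f"{monitor_user} is not a surrogate of {req.user_identifier}")
    return req.user_identifier


if __name__ == "__main__":
    # Constructed sample: monitor started by EXEC CICS START with user ID
    # BRIDGE1, and BRIDGE1 is defined as a surrogate of ALICE only.
    monitor = monitor_authority(MonitorStart.START_WITH_USERID, start_userid="BRIDGE1")
    surrogat = {"BRIDGE1": {"ALICE"}}
    for auth, req in [
        (Auth.VERIFY_ALL, BridgeRequest("ALICE", True, "MYTX")),
        (Auth.VERIFY_ALL, BridgeRequest("ALICE", False)),
        (Auth.LOCAL, BridgeRequest("ALICE", True)),
        (Auth.IDENTIFY, BridgeRequest("BOB", True)),
    ]:
        try:
            who = bridge_task_user(auth, monitor, req, surrogat)
        except PermissionError as exc:
            who = f"REJECTED ({exc})"
        print(f"{auth.value:<10} {dpl_transaction(req):<5} runs as {who}")
```

The last sample request (BOB under IDENTIFY) is rejected even though the message carries a user ID and password, because BRIDGE1 is not a surrogate of BOB; that is the check the paragraph above describes, and it is why a monitor user ID needs surrogate authority for every user ID that can appear in request messages on its queue.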