Implementing RACF Security for CICS

course content details

	CICS overview

In this unit we will provide an overview of CICS for the student who has little or no CICS experience or training. We will focus on those aspects of CICS that are of interest from a security point-of-view, highlighting the security concerns within a CICS environment. By doing the online lab exercise the student will become familiar with the lab environment and start a CICS region. Those students new to CICS will be exposed to some CICS provided transactions needed in later labs and will use the sample transactions that will later be subject to RACF security.

	RACF overview

In this unit we will provide some RACF background for the student who has little or no prior RACF experience or training. This is from the point-of-view of CICS only. We will focus on RACF as it pertains to CICS and minimize discussion of RACF facilities that have no interaction with CICS (such as the RACF global table and OPERATIONS attribute). In this lab, you will use the RACF commands and/or panels to gain some basic skills in RACF. You will log onto TSO as a delegated security administrator and then display various RACF profiles for a user, a group, a data set, and a transaction. In exercises later in this course, you will actually define RACF user profiles, group profiles, data set profiles, and CICS.

	Protecting the CICS region

In this topic we will discuss where security controls can be implemented to control access to CICS system data sets and application data sets from accidental and intentional access. We will see that we must give the CICS address space a user ID so that we can give CICS permission to open the data sets it needs. The student will identify what security can be implemented for the CICS address space, and define the RACF profiles needed to implement security for the CICS address space. This is the first of a series of exercises through which you will implement security for your team's CICS environment, much like you will need to be able to do in the real world after you've completed this course. The lab exercise instructions will ask you to define profiles to control access to CICS's data sets, and define a user profile for CICS so that you can give CICS permission to OPEN its data sets. You will also be asked to create a profile so that VTAM can protect the APPLID value used by your CICS region.

	Sign-on security

In this unit we will describe the process that CICS and RACF go through when a user signs on to CICS. The various RACF definitions that have to be made to implement security for sign-on will be discussed. In this lab you will gain experience setting up CICS and RACF for sign-on security. You will define user profiles required by CICS when security is activated for a CICS region and authorize these userids to sign on to your CICS region. You will make changes to CICS system initialization parameters to activate security within your CICS region. You'll also define several user profiles to represent a small user population, authorize these users to sign on to your CICS region and then test these userids that you've defined to verify that they are each able to sign on successfully to your CICS system.

	Transaction Security

After completing this unit, you should be able to describe the authorization checking process that RACF uses to control access to transactions. You will be able to make definitions in the System Initialization Table (SIT) to activate CICS for transaction security. We will explain how profiles to protect transactions can be defined in the member and grouping general resource classes. You will learn how to define RACF profiles to control access to transactions The lab exercise will have you defining the RACF resource profiles needed to control access to transactions and make the appropriate changes to the SIT to activate transaction security.

	CICS resource and SPI command security

After completing this unit, the student should be able to explain the security facilities available for CICS resources, and explain when resource-level security is needed. We will explain the definitions in CICS and RACF to setup resource level security. Also, in this unit, we will explain what control is provided for SPI command security and how to make the definitions in CICS and RACF to implement SPI command security. In this online lab exercise you will make definitions in CICS and RACF to implement security for CICS resources and SPI command security.

	CICS Intercommunication Bind and Link Security

Now that you have learned how to set up security for a single system, we will build upon that experience to extend the security controls to encompass the typical environment in which a number of CICS regions are connected to form, a complex of multiple CICS regions. In many cases, one or more of these CICS regions can be connected to another node or system that supports APPC (also known as LU6.2) communication, but may well not be a CICS system running on a zSeries processor. This unit will introduce this heterogeneous communication environment and the security controls available within CICS. In this lab exercise you will gain hands-on experience setting up security for a CICS Multi-region operation (MRO) environment. You will learn to make the additional definitions that are specific to the security mechanisms that CICS provides for interconnected CICS systems using Inter-region communication (IRC). You will establish Bind Security controls to ensure that only the two CICS regions that you intend to establish a connection are capable of doing so. You will make the necessary definition to establish Link Security controls between these two systems to allow each system to limit the transactions and resources accessible to the other.

	CICS Intercommunication Conversation Security

This unit will take Bind and Link Security one step further and address Conversation Security. We will also explore the security issues that arise when CICS is communicated to by non-CICS systems, such as AS/400, IMS, APPC, and so forth. We will learn what facilities are available to provide security for these environments. In the lab exercise you will make the appropriate definitions in CICS and RACF to implement User Security between any two CICS regions, such as between a TOR and an AOR. Securing CICSPLex SM This topic describes how to implement security for CICSPlex System Manager (CICSPlex SM). Planning for Implementation After completing this unit, you should be able to develop a plan to implement security in CICS systems using RACF CICS and DB2 Security In this unit, we will explore the security interface between CICS, RACF, and DB2. We will concentrate on the security facilities available in CICS and RACF and will not attempt to teach DB2 security.

	CICS and DB2 security

In this unit, we will explore the security interface between CICS, RACF, and DB2. We will concentrate on the security facilities available in CICS and RACF and will not attempt to teach DB2 security.