PreviousCICS Installation Verification for Communications Configuring CICS Terminals and PrintersNext"

Chapter 8: Configuring CICS for Security

This chapter describes the security aspects of CICS Option. It explains:

8.1 Overview

CICS Option provides optional security for individual transactions and resources. In a development environment it is required only if you need to access the properties of a user, such as operator ID, or in communications with a host CICS system. It is off by default.

CICS Option controls access to transactions and resources through three mechanisms:

CICS Option also provides a mechanism for implementing your own password encryption and decryption strategy.

8.2 Transaction Security

Transaction security allows you to control access to individual transactions.

To enable security for a transaction, you must do two things:

If you assign security key number 1 to a transaction, any user can run the transaction; all users own security key 1 by default. Figure 8-1 illustrates security key checking applied to a transaction.

Figure 8-1: Transaction key checking

8.3 Resource Security

You can control access by a transaction to the following types of resource:

To enable resource security, do the following:

  1. Specify that a transaction is to perform resource security checking, by checking Resource Security in the Advanced page of the PCT Properties dialog box for the transaction. (By default, transactions do not perform resource security checking.)

  2. Specify a set of resource keys in the resource table entry (for example, the FCT entry for a file). Each resource key is a number in the range 1 through 24.

  3. Specify a set of resource keys in a user's SNT entry. A user can access a resource if one or more of the resource keys for the resource matches a resource key specified in that user's SNT entry.

Figure 8-2 illustrates the process of resource key checking.

Figure 8-2: Resource key checking

8.4 Sign-on Table (SNT) Entries

You must create an entry for the user in the Sign-on Table (SNT) if the user requires:

Each entry in the SNT specifies the following:

8.4.1 The User SYSAD

When you create a CICS Option Resource Definition File, its SNT already contains an entry for the system administrator, with username SYSAD and password SYSAD. (You must enter this password in upper case.)

User SYSAD has system administrator privileges and owns all security and resource keys.

You should change SYSAD's password to something more secure as soon as possible.

8.5 Password Encryption and Decryption

CICS Option supplies a user-replaceable module, dfhucryp.gnt in location \mfe\mfcics\bin. This is used by CICS Option to perform encryption and decryption of user passwords. The installed module does not actually perform any encryption; that is, the encrypted password is the same as the unencrypted password. You can replace this module with one that implements a password encryption and decryption strategy appropriate for your site.

Also a simple encryption and decryption scheme is implemented in the module dfhucry1.gnt. Its source (.cbl) form is supplied in the directory \mfe\mfcics\source. It uses the number of 1 bits in the user ID as a shift count and a pair of encipher and decipher tables.

8.5.1 The Interface to the Password Module

The interface to dfhucryp.gnt is a standard call interface, requiring a single parameter:

     05  CRYPT-FUNCTION                PIC XX COMP-X.
         88  CRYPT-ENCRYPT-88             VALUE 1.
         88  CRYPT-DECRYPT-88             VALUE 2.
     05  CRYPT-RESULT                  PIC XX COMP-X.
         88 CRYPT-SUCCESSFUL-88           VALUE 0.
         88 CRYPT-FAILED-88               VALUE 1.
     05  CRYPT-USER-ID                 PIC XX(8).


CRYPT-FUNCTION specifies the function as encrypt (=1) or decrypt (=2).

The encrypt function takes the decrypted password as input and outputs the encrypted password, possibly referring to the user ID field.

The decrypt function takes the encrypted password as input and outputs the decrypted password, possibly referring to the user ID field.

CRYPT-RESULT This field is used to signal the success (=0) or failure (=1) of the function. Since a failure is treated as a password mismatch in all validation functions, the error return can be used to screen out unacceptable passwords during the SNT update process.
CRYPT-USER-ID The user ID associated with the password being encrypted or decrypted.
CRYPT-ENCRYPTED-PASSWORD The encrypted password. This field is used as an input field by the decrypt function and as an output field by the encrypt function.
CRYPT-DECRYPTED-PASSWORD The decrypted password. This field is used as an output field by the decrypt function and as an input field by the encrypt function.

8.5.2 Choosing an Encryption and Decryption Scheme

The only restrictions on the encryption and decryption scheme you choose are as follows:

You should bear in mind that the routine is called on entry to the resource definition maintenance functions and at every attempt to sign on to CICS Option. A slow scheme can, therefore, result in poor performance.

8.5.3 Replacing the Password Encryption and Decryption Scheme

If you alter your password encryption and decryption scheme, you must re-encrypt the encrypted passwords stored in the Sign-on Table (SNT). A utility program called dfhpcryp.gnt is supplied to assist in this conversion.

To run dfhpcryp.gnt:

  1. Take a backup copy of:

  2. Compile the new encryption module to .gnt.

  3. Copy the new dfhucryp.gnt to dfhucryu.gnt. The new encryption scheme should only replace the existing dfhucryp.gnt module after the original dfhucryp.gnt has been run.

  4. Ensure that no part of CICS Option is active.

  5. Run the dfhpcryp.gnt utility.

  6. When dfhpcryp.gnt completes, rename dfhucryu.gnt to dfhucryp.gnt.

  7. Back up the modified Resource Definition File.

CICS Option is now ready to run with the new encryption and decryption scheme.

The backups taken during this process are important in case you want to return to the old encryption and decryption scheme for any reason.

Copyright © 1999 MERANT International Limited. All rights reserved.
This document and the proprietary marks and names used herein are protected by international law.

PreviousCICS Installation Verification for Communications Configuring CICS Terminals and PrintersNext"