Chapter 8: Configuring CICS for Security

This chapter describes the security aspects of CICS Option. It explains:

The security features provided by CICS Option itself
How to enable transaction and resource security
Password encryption and decryption

8.1 Overview

CICS Option provides optional security for individual transactions and resources. In a development environment it is required only if you need to access the properties of a user, such as operator ID, or in communications with a host CICS system. It is off by default.

CICS Option controls access to transactions and resources through three mechanisms:

Transaction security
Resource security
Sign-on Table (SNT) entries

CICS Option also provides a mechanism for implementing your own password encryption and decryption strategy.

8.2 Transaction Security

Transaction security allows you to control access to individual transactions.

To enable security for a transaction, you must do two things:

Define a set of security keys for the transaction in its PCT entry. Each security key is a number in the range 1 through 64.
Specify a set of security keys in a user's SNT entry. A user can access a transaction if at least one of the transaction's security keys matches a security key specified in that user's SNT entry.

If you assign security key number 1 to a transaction, any user can run the transaction; all users own security key 1 by default. Figure 8-1 illustrates security key checking applied to a transaction.

Figure 8-1: Transaction key checking

8.3 Resource Security

You can control access by a transaction to the following types of resource:

Files
Transient data queues
Temporary storage queues
Journals
Other transactions

To enable resource security, do the following:

Specify that a transaction is to perform resource security checking, by checking Resource Security in the Advanced page of the PCT Properties dialog box for the transaction. (By default, transactions do not perform resource security checking.)
Specify a set of resource keys in the resource table entry (for example, the FCT entry for a file). Each resource key is a number in the range 1 through 24.
Specify a set of resource keys in a user's SNT entry. A user can access a resource if one or more of the resource keys for the resource matches a resource key specified in that user's SNT entry.

Figure 8-2 illustrates the process of resource key checking.

Figure 8-2: Resource key checking

8.4 Sign-on Table (SNT) Entries

You must create an entry for the user in the Sign-on Table (SNT) if the user requires:

A user ID and password. These are required if:
- The user has to sign on to CICS Option using the supplied transaction CESN.
- The user wants to modify resource definitions using the Resource Definition Facility if security is enabled.
Security keys and/or resource keys.

Each entry in the SNT specifies the following:

The ID with which a user signs on through the CESN transaction.
The user's CICS Option password.
The user's security and resource keys.

8.4.1 The User SYSAD

When you create a CICS Option Resource Definition File, its SNT already contains an entry for the system administrator, with username SYSAD and password SYSAD. (You must enter this password in upper case.)

User SYSAD has system administrator privileges and owns all security and resource keys.

You should change SYSAD's password to something more secure as soon as possible.

8.5 Password Encryption and Decryption

CICS Option supplies a user-replaceable module, dfhucryp.gnt in location \mfe\mfcics\bin. This is used by CICS Option to perform encryption and decryption of user passwords. The installed module does not actually perform any encryption; that is, the encrypted password is the same as the unencrypted password. You can replace this module with one that implements a password encryption and decryption strategy appropriate for your site.

Also a simple encryption and decryption scheme is implemented in the module dfhucry1.gnt. Its source (.cbl) form is supplied in the directory \mfe\mfcics\source. It uses the number of 1 bits in the user ID as a shift count and a pair of encipher and decipher tables.

8.5.1 The Interface to the Password Module

The interface to dfhucryp.gnt is a standard call interface, requiring a single parameter:

CALL "DFHUCRYP" USING CRYPT-PARAMETER-AREA.

 01  CRYPT-PARAMETER-AREA.
     05  CRYPT-FUNCTION                PIC XX COMP-X.
         88  CRYPT-ENCRYPT-88             VALUE 1.
         88  CRYPT-DECRYPT-88             VALUE 2.
     05  CRYPT-RESULT                  PIC XX COMP-X.
         88 CRYPT-SUCCESSFUL-88           VALUE 0.
         88 CRYPT-FAILED-88               VALUE 1.
     05  CRYPT-USER-ID                 PIC XX(8).
     05  CRYPT-ENCRYPTED-PASSWORD      PIC XX(8).
     05  CRYPT-DECRYPTED-PASSWORD      PIC XX(8).

where:

`CRYPT-FUNCTION`	specifies the function as encrypt (=1) or decrypt (=2). The encrypt function takes the decrypted password as input and outputs the encrypted password, possibly referring to the user ID field. The decrypt function takes the encrypted password as input and outputs the decrypted password, possibly referring to the user ID field.
`CRYPT-RESULT`	This field is used to signal the success (=0) or failure (=1) of the function. Since a failure is treated as a password mismatch in all validation functions, the error return can be used to screen out unacceptable passwords during the SNT update process.
`CRYPT-USER-ID`	The user ID associated with the password being encrypted or decrypted.
`CRYPT-ENCRYPTED-PASSWORD`	The encrypted password. This field is used as an input field by the decrypt function and as an output field by the encrypt function.
`CRYPT-DECRYPTED-PASSWORD`	The decrypted password. This field is used as an output field by the decrypt function and as an input field by the encrypt function.

8.5.2 Choosing an Encryption and Decryption Scheme

The only restrictions on the encryption and decryption scheme you choose are as follows:

It must be a reversible encryption scheme.
The implementation must conform to the interface described in the previous section.

You should bear in mind that the routine is called on entry to the resource definition maintenance functions and at every attempt to sign on to CICS Option. A slow scheme can, therefore, result in poor performance.

8.5.3 Replacing the Password Encryption and Decryption Scheme

If you alter your password encryption and decryption scheme, you must re-encrypt the encrypted passwords stored in the Sign-on Table (SNT). A utility program called dfhpcryp.gnt is supplied to assist in this conversion.

To run dfhpcryp.gnt:

Take a backup copy of:
- The Resource Definition File (dfhdrdat and dfhdrdat.idx)
- The current encryption module (dfhucryp.gnt)
Compile the new encryption module to .gnt.
Copy the new dfhucryp.gnt to dfhucryu.gnt. The new encryption scheme should only replace the existing dfhucryp.gnt module after the original dfhucryp.gnt has been run.
Ensure that no part of CICS Option is active.
Run the dfhpcryp.gnt utility.
When dfhpcryp.gnt completes, rename dfhucryu.gnt to dfhucryp.gnt.
Back up the modified Resource Definition File.

CICS Option is now ready to run with the new encryption and decryption scheme.

The backups taken during this process are important in case you want to return to the old encryption and decryption scheme for any reason.

CICS Installation Verification for Communications

Configuring CICS Terminals and Printers