CICS Installation Verification for Communications | Configuring CICS Terminals and Printers |
This chapter describes the security aspects of CICS Option. It explains:
CICS Option provides optional security for individual transactions and resources. In a development environment it is required only if you need to access the properties of a user, such as operator ID, or in communications with a host CICS system. It is off by default.
CICS Option controls access to transactions and resources through three mechanisms:
CICS Option also provides a mechanism for implementing your own password encryption and decryption strategy.
Transaction security allows you to control access to individual transactions.
To enable security for a transaction, you must do two things:
If you assign security key number 1 to a transaction, any user can run the transaction; all users own security key 1 by default. Figure 8-1 illustrates security key checking applied to a transaction.
Figure 8-1: Transaction key checking
You can control access by a transaction to the following types of resource:
To enable resource security, do the following:
Figure 8-2 illustrates the process of resource key checking.
Figure 8-2: Resource key checking
You must create an entry for the user in the Sign-on Table (SNT) if the user requires:
Each entry in the SNT specifies the following:
When you create a CICS Option Resource Definition File, its SNT already contains an entry for the system administrator, with username SYSAD and password SYSAD. (You must enter this password in upper case.)
User SYSAD has system administrator privileges and owns all security and resource keys.
You should change SYSAD's password to something more secure as soon as possible.
CICS Option supplies a user-replaceable module, dfhucryp.gnt in location \mfe\mfcics\bin. This is used by CICS Option to perform encryption and decryption of user passwords. The installed module does not actually perform any encryption; that is, the encrypted password is the same as the unencrypted password. You can replace this module with one that implements a password encryption and decryption strategy appropriate for your site.
A simple encryption and decryption scheme is also implemented in the module dfhucry1.gnt; its source (.cbl) form is supplied in the directory \mfe\mfcics\source. It uses the number of 1 bits in the user ID as a shift count, together with a pair of encipher and decipher tables.
The interface to dfhucryp.gnt is a standard call interface, requiring a single parameter:
    CALL "DFHUCRYP" USING CRYPT-PARAMETER-AREA.

    01 CRYPT-PARAMETER-AREA.
       05 CRYPT-FUNCTION                PIC XX COMP-X.
          88 CRYPT-ENCRYPT-88           VALUE 1.
          88 CRYPT-DECRYPT-88           VALUE 2.
       05 CRYPT-RESULT                  PIC XX COMP-X.
          88 CRYPT-SUCCESSFUL-88        VALUE 0.
          88 CRYPT-FAILED-88            VALUE 1.
       05 CRYPT-USER-ID                 PIC X(8).
       05 CRYPT-ENCRYPTED-PASSWORD      PIC X(8).
       05 CRYPT-DECRYPTED-PASSWORD      PIC X(8).
where:
CRYPT-FUNCTION
    Specifies the function as encrypt (=1) or decrypt (=2). The encrypt function takes the decrypted password as input and outputs the encrypted password, possibly referring to the user ID field. The decrypt function takes the encrypted password as input and outputs the decrypted password, possibly referring to the user ID field.

CRYPT-RESULT
    Signals the success (=0) or failure (=1) of the function. Since a failure is treated as a password mismatch in all validation functions, the error return can be used to screen out unacceptable passwords during the SNT update process.

CRYPT-USER-ID
    The user ID associated with the password being encrypted or decrypted.

CRYPT-ENCRYPTED-PASSWORD
    The encrypted password. This field is used as an input field by the decrypt function and as an output field by the encrypt function.

CRYPT-DECRYPTED-PASSWORD
    The decrypted password. This field is used as an output field by the decrypt function and as an input field by the encrypt function.
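The following is an added example, not Micro Focus code, that models the DFHUCRYP call interface described above in Python: the parameter area is packed with the same layout as the copybook (two 2-byte COMP-X binary fields followed by three 8-character fields, big-endian byte order assumed), and the exit uses a scheme of the same shape as the one described for dfhucry1 (a shift count taken from the 1 bits in the user ID and an encipher table with its inverse). The alphabet, the encipher table and the sample user IDs and passwords are constructed here; they are not the tables in dfhucry1.gnt. The exit returns CRYPT-FAILED for blank passwords and for characters outside its alphabet, which is how the error return screens out unacceptable passwords during SNT maintenance.

```python
import struct
from typing import Optional, Tuple

# CRYPT-PARAMETER-AREA layout: two PIC XX COMP-X fields (2-byte unsigned
# binary, assumed big-endian) followed by three PIC X(8) character fields.
PARAM_FMT = ">HH8s8s8s"
PARAM_LEN = struct.calcsize(PARAM_FMT)     # 28 bytes

CRYPT_ENCRYPT, CRYPT_DECRYPT = 1, 2        # CRYPT-FUNCTION values
CRYPT_SUCCESSFUL, CRYPT_FAILED = 0, 1      # CRYPT-RESULT values

# Constructed character set: space, A-Z, 0-9. Anything outside it (lower
# case, punctuation) is treated as an unacceptable password.
ALPHABET = b" ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
# Constructed encipher table: a fixed permutation of ALPHABET. Decipher
# looks a character up in this table and maps it back, so the two
# directions are exact inverses.
ENCIPHER = ALPHABET[::-1]


def shift_count(user_id: bytes) -> int:
    """Number of 1 bits across the whole 8-byte user ID field."""
    return sum(bin(b).count("1") for b in user_id)


def encrypt_password(user_id: bytes, plain: bytes) -> Optional[bytes]:
    """Encipher an 8-byte password; None means 'unacceptable password'."""
    if plain.strip(b" ") == b"" or any(c not in ALPHABET for c in plain):
        return None
    shift = shift_count(user_id)
    return bytes(ENCIPHER[(ALPHABET.index(c) + shift) % len(ALPHABET)]
                 for c in plain)


def decrypt_password(user_id: bytes, cipher: bytes) -> Optional[bytes]:
    """Invert encrypt_password for the same user ID."""
    if any(c not in ENCIPHER for c in cipher):
        return None
    shift = shift_count(user_id)
    return bytes(ALPHABET[(ENCIPHER.index(c) - shift) % len(ALPHABET)]
                 for c in cipher)


def dfhucryp(area: bytes) -> bytes:
    """Model of CALL "DFHUCRYP" USING CRYPT-PARAMETER-AREA.

    Takes the packed parameter area and returns the updated area with
    CRYPT-RESULT set and the relevant output password field filled in.
    """
    func, _result, user_id, enc, dec = struct.unpack(PARAM_FMT, area)
    if func == CRYPT_ENCRYPT:
        out = encrypt_password(user_id, dec)
        if out is not None:
            return struct.pack(PARAM_FMT, func, CRYPT_SUCCESSFUL, user_id, out, dec)
    elif func == CRYPT_DECRYPT:
        out = decrypt_password(user_id, enc)
        if out is not None:
            return struct.pack(PARAM_FMT, func, CRYPT_SUCCESSFUL, user_id, enc, out)
    # Unknown function code or unacceptable password: report failure and
    # leave the password fields untouched.
    return struct.pack(PARAM_FMT, func, CRYPT_FAILED, user_id, enc, dec)


def call_exit(func: int, user_id: bytes, password: bytes) -> Tuple[int, bytes]:
    """Build the parameter area the way a caller would (fields space-padded
    to 8 bytes), call the exit, and return (CRYPT-RESULT, output password)."""
    user_id = user_id.ljust(8, b" ")[:8]
    password = password.ljust(8, b" ")[:8]
    blank = b" " * 8
    if func == CRYPT_ENCRYPT:
        area = struct.pack(PARAM_FMT, func, 0, user_id, blank, password)
    else:
        area = struct.pack(PARAM_FMT, func, 0, user_id, password, blank)
    assert len(area) == PARAM_LEN
    _f, result, _u, enc, dec = struct.unpack(PARAM_FMT, dfhucryp(area))
    return result, (enc if func == CRYPT_ENCRYPT else dec)


if __name__ == "__main__":
    # Constructed sample: the default administrator ID and password.
    result, stored = call_exit(CRYPT_ENCRYPT, b"SYSAD", b"SYSAD")
    print("encrypt:", result, stored)
    print("decrypt:", call_exit(CRYPT_DECRYPT, b"SYSAD", stored))
    print("blank password rejected:", call_exit(CRYPT_ENCRYPT, b"SYSAD", b""))
```

Two properties of the interface are worth noting when you design a replacement. Because the decrypt function must recover the clear password from the stored one, any scheme that fits this interface is reversible; it is an encoding, not a one-way hash, so the SNT and its backups still need to be protected. And because the user ID is available to both functions, a scheme can, as the constructed one above does, make the stored form of the same password differ between users.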
The only restrictions on the encryption and decryption scheme you choose are as follows:
You should bear in mind that the routine is called on entry to the resource definition maintenance functions and at every attempt to sign on to CICS Option. A slow scheme can, therefore, result in poor performance.
If you alter your password encryption and decryption scheme, you must re-encrypt the encrypted passwords stored in the Sign-on Table (SNT). A utility program called dfhpcryp.gnt is supplied to assist in this conversion.
To run dfhpcryp.gnt:
CICS Option is now ready to run with the new encryption and decryption scheme.
The backups taken during this process are important in case you want to return to the old encryption and decryption scheme for any reason.
Copyright © 1999 MERANT International Limited. All rights reserved.
This document and the proprietary marks and names used herein are protected by international law.