The variables below are used to control CICS and IMS security processing. They correspond to CICS and IMS initialization parameters for the mainframe, with a prefix of ES_ESM.
Use this variable to determine whether CICS processing should honor the CMDSEC option specified on a transaction's PLT definition.
| Setting | Result |
|---|---|
| ASIS | The CMDSEC option of a transaction's resource definition will be honored. That is, command security checking is performed only when CMDSEC is set to YES on the transaction resource definition. |
| ALWAYS | CICS processing always performs command security checking irrespective of the CMDSEC setting on the transaction definition. |
Use this variable to choose the desired level of security checking for PLTPI processing.
| Setting | Result |
|---|---|
| NONE | No security will be performed for PLTPI processing. |
| ALL | Resource security check and Command security check will be performed. |
| RESSEC | Only Resource security check will be performed. |
| CMDSEC | Only Command security check will be performed. |
Use this variable to override the default response of the CESN transaction to invalid user credentials. By default, CESN reports "Your userid is invalid" or "Your password is invalid". Setting this variable to any value causes CESN to produce an invalid credential message instead, which does not disclose whether the user ID or the password was wrong.
For example: ES_CESN_NO_OS390=secured
Use this to specify the userid under the authority of which PLT programs will run during CICS initialization. The userid must have appropriate authorization (as determined by the PLTPISEC parameter) to access all the resources used by the programs. Enterprise Server will check that the CICS region has authority to act as a surrogate for the userid specified.
If you do not specify PLTPIUSR, the user specified when starting the enterprise server/CICS region is used. Where this is the case, this user must have appropriate authorization on the resources used by the PLT programs.
Use this variable if RACF is to be used for command authorization.
| Setting | Result |
|---|---|
| A | Includes options T, C, and S. |
| C | Specifies that RACF is to be used for ETO terminal command authorization. |
| N | Specifies that no sign-on, transaction, or command authorization is to be performed by RACF. |
| S | Specifies that RACF is to be used for static and ETO terminal command authorization. Includes option C. |
| T | Specifies that RACF is to be used for sign-on and transaction authorization. |
| Y | Includes options T and C. |
Use this parameter to determine whether CICS processing should honor the RESSEC option specified on a transaction's PLT definition.
| Setting | Result |
|---|---|
| ASIS | The RESSEC option of a transaction's resource definition will be honored. That is, resource security checking is performed only when RESSEC is set to YES on the PLT definition. |
| ALWAYS | CICS processing always performs resource security checking irrespective of the RLS security setting on the transaction definition. |
Use this to determine whether or not CICS processing should prefix the resource names when making security queries.
| Setting | Result |
|---|---|
| NO | No prefixes are used. |
| YES | Resource names are prefixed with the CICS region user ID. |
| prefix | This string will be used as the prefix for resource names. It can be 1 to 8 upper case alphanumeric characters and it must start with an alphabetic character. |
Use this to determine whether or not CICS processing will perform surrogate user checks.
| Setting | Result |
|---|---|
| NO | No surrogate user checking is performed. |
| YES | Perform surrogate user checking wherever such checks are permitted. |
Use this to prevent security being enforced for TS or TD queues that are not defined in your security repository.
| Setting | Result |
|---|---|
| Any value | Security will not be enforced for TS and TD queues that are not defined as entities within the security repository. |
Note: If you do not set this variable, and you enable security for your enterprise server, you must declare each TS or TD queue that your transactions will access in your security repository.
Use this to associate a user ID with a job when submitting for processing through the internal reader from CICS.
| Setting | Result |
|---|---|
| Any value | The user ID that started the ES region is used in the job submission. |
| No Value | The CICS default user CICSUSER, or as specified by ES_USR_DFLT_CICS, is used in the job submission. |
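
The value rules in the tables above can be checked mechanically before a region is started. The following is an added example, not part of the original page or of the product: it validates a set of values against the tables, resolves the "includes" relations of the RACF option, and lists the settings that leave a check switched off. CMDSEC, RESSEC and PLTPISEC are the parameter names used on this page; RACF_OPTION, RESOURCE_PREFIX, SURROGATE_CHECK and TS_TD_UNDEFINED_OPEN are labels assumed for the example and must be mapped to the actual environment variable names.

```python
import re

# Allowed values, taken from the tables on this page. Keys are labels chosen
# for this example, not the product's environment variable names.
ALLOWED = {
    "CMDSEC": {"ASIS", "ALWAYS"},
    "RESSEC": {"ASIS", "ALWAYS"},
    "PLTPISEC": {"NONE", "ALL", "RESSEC", "CMDSEC"},
    "RACF_OPTION": {"A", "C", "N", "S", "T", "Y"},
    "SURROGATE_CHECK": {"NO", "YES"},
}
# "Includes" relations from the RACF option table: A -> T, C, S; S -> C; Y -> T, C.
RACF_INCLUDES = {"A": "TCS", "S": "C", "Y": "TC"}
# Prefix rule: 1 to 8 upper case alphanumerics, starting with a letter.
PREFIX_RE = re.compile(r"[A-Z][A-Z0-9]{0,7}")

def expand_racf(option):
    """Return the set of base options (T, C, S) that a RACF option letter enables."""
    seen, todo = set(), [option]
    while todo:
        opt = todo.pop()
        if opt not in seen:
            seen.add(opt)
            todo.extend(RACF_INCLUDES.get(opt, ""))
    return seen & set("TCS")

def review(settings):
    """Return a sorted list of findings for a dict of label -> value."""
    findings = []
    for name, allowed in ALLOWED.items():
        value = settings.get(name)
        if value is not None and value not in allowed:
            findings.append(f"{name}: invalid value {value!r}")
    prefix = settings.get("RESOURCE_PREFIX")
    if prefix not in (None, "NO", "YES") and not PREFIX_RE.fullmatch(prefix):
        findings.append(f"RESOURCE_PREFIX: invalid prefix {prefix!r}")
    if settings.get("PLTPISEC") == "NONE":
        findings.append("PLTPISEC: no security checks for PLTPI processing")
    for name in ("CMDSEC", "RESSEC"):
        if settings.get(name) == "ASIS":
            findings.append(f"{name}: checked only where the transaction definition enables it")
    racf = settings.get("RACF_OPTION")
    if racf in ALLOWED["RACF_OPTION"] and "T" not in expand_racf(racf):
        findings.append("RACF_OPTION: no sign-on or transaction authorization by RACF")
    if settings.get("SURROGATE_CHECK") == "NO":
        findings.append("SURROGATE_CHECK: surrogate user checking is off")
    if "TS_TD_UNDEFINED_OPEN" in settings:
        findings.append("TS_TD_UNDEFINED_OPEN: undefined TS/TD queues are not protected")
    return sorted(findings)
```

Calling review() with a dictionary of label-to-value pairs returns an empty list when every value is valid and no check is relaxed.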