When using TCP/IP, the Communications Bridge behaves differently than when LU6.2 is used. With LU6.2, there is a conversational connection with CICS, the userid is presented in the FMH5 header, and ATTACHSEC security can be used to validate the user and start the server transaction. With TCP/IP, there is no conversation and no FMH5 header. The TICM starts the server transaction using the userid passed in from the client in the Common Format Buffer (CFB) message header or, if that is not set, the userid with which the TICM was started. The TICM exit TIRTSEC can also be used to perform security validation based on the userid in the CFB header.
In the client-side exit (WRSECTOKEN), the client_userid can be pushed through to the CFB header using the bClntMgrSecurity=TRUE setting if SecurityUsedEnhanced is defined. This works fine with LU6.2, because the Client Manager and Communications Bridge remove the userid from the CFB header and push it through to the FMH5 header. With TCP/IP, however, the userid is simply removed from the CFB header, so it is missing when the request arrives at CICS. The TICM then starts the requested server using the default userid.
To prevent the above removal of the password from the CFB header, a change is required to the Communications Bridge setup. There is an undocumented parameter, IN_THE_CLEAR, in the iefcbn.srv file for each server definition. The extract below shows the default setting for this parameter.
```
# Target System Definitions...
SERVERNAME = CICS
DESCRIPTION = CICS
TRANSPORT = 2
COMMDLL = IOTCP76N
IP_HOSTNAME = xxx.xxx.xxx.xxxx
IP_DESTPORT = 3102
IP_IMSDIRECTCONN = N
IN_THE_CLEAR = 0
# End of Target System Definitions
```
The parameter IN_THE_CLEAR needs to be set to 1 for the userid to be populated in the CFB header when using TCP/IP. You will need to set this parameter manually by editing the file. With it set to 1, the userid will be populated if security is set to enhanced and the client manager security flag is set to TRUE. The TICM will then start the requested server using the userid from the client. Security validation (userid and password) can be performed in TIRSECV when the server starts.
If it is necessary to perform full security validation in the TIRTSEC exit before starting the requested CICS server, then it is not possible to use SecurityUsedEnhanced, as this will always have a blank password in the CFB header. For the password to be passed into TIRTSEC, the following settings are required:
- SecurityUsedStandard and bClntMgrSecurity=FALSE must be defined in the WRSECTOKEN user exit on the client.
- The client manager security setting for the Comms Bridge server definition should be set to NONE i.e.
- The IN_THE_CLEAR parameter for the CICS server, as defined in the iefcbn.srv server configuration file, should be set to 1 or completely removed.
- The client_userid and client_password special attributes must be set in the client application logic.
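
Because IN_THE_CLEAR is undocumented and edited by hand, it is worth checking which server definitions actually carry it. The following is an added example, not part of the original article or of the product: it parses iefcbn.srv-style text and reports the IN_THE_CLEAR state per definition. It assumes `KEY = VALUE` lines, `#` comment lines, and that each definition starts at a SERVERNAME line; the sample input is constructed.

```python
# Added example: report IN_THE_CLEAR for each server definition in iefcbn.srv.
# Assumed layout: "KEY = VALUE" lines, "#" comments, one SERVERNAME per definition.
# SAMPLE is constructed; CICSTEST and CICSDEV are made-up entries.
SAMPLE = """\
# Target System Definitions...
SERVERNAME = CICS
TRANSPORT = 2
COMMDLL = IOTCP76N
IP_HOSTNAME = xxx.xxx.xxx.xxxx
IP_DESTPORT = 3102
IN_THE_CLEAR = 0
SERVERNAME = CICSTEST
COMMDLL = IOTCP76N
IP_DESTPORT = 3102
IN_THE_CLEAR = 1
SERVERNAME = CICSDEV
COMMDLL = IOTCP76N
IP_DESTPORT = 3102
# End of Target System Definitions
"""

MEANING = {
    "0": "userid stripped from the CFB header over TCP/IP; TICM default userid used",
    "1": "userid kept in the CFB header over TCP/IP",
    "absent": "parameter removed from the definition",
}

def parse_definitions(text):
    """Return one dict of settings per server definition, in file order."""
    definitions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.upper() == "SERVERNAME":
            definitions.append({})          # a new definition starts here
        if definitions:                     # skip settings before any SERVERNAME
            definitions[-1][key.upper()] = value
    return definitions

def audit_in_the_clear(text):
    """Map each SERVERNAME to its IN_THE_CLEAR value, or 'absent'."""
    return {d["SERVERNAME"]: d.get("IN_THE_CLEAR", "absent")
            for d in parse_definitions(text)}

if __name__ == "__main__":
    for name, state in audit_in_the_clear(SAMPLE).items():
        print(f"{name:<9} IN_THE_CLEAR={state:<7} {MEANING.get(state, 'unexpected value')}")
```

To audit a real file, pass its contents to `audit_in_the_clear()` instead of `SAMPLE`.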