How do I stop the default logonid in CICS getting a violation for CQRY?

Document ID : KB000044617
Last Modified Date : 14/02/2018

Question:

How do I stop the default logonid in CICS getting a violation for CQRY? 

error - dfhac2003 cics1 security violation has been detected term id = ABC1 trans id =cqry user id = dftcics 

 

Answer:

IBM uses transactions that start with C. CQRY is a type 3 transaction per IBM. It is used to query a terminal about its capabilities, based on the TYPETERM definitions in the DFHCSD. This is done before a user logs on, which is why the violation is reported against the default logonid.

CA recommends that in CICS all IBM transactions be on the SAFELIST in the ACF2 parms for CICS, except for the critical ones, which should be protected via the PROTLIST and then ACF2 rules. CA ships:

  SAFELIST RESOURCE=TRANS,ENTRY=C*** CICS STANDARD TRANS
  PROTLIST RESOURCE=TRANS,ENTRY=CEBR TEMPORARY STORAGE BROWSE
  PROTLIST RESOURCE=TRANS,ENTRY=CECI COMMAND INTERPRETER
  PROTLIST RESOURCE=TRANS,ENTRY=CEDA RESOURCE DEFINITION ONLINE
  PROTLIST RESOURCE=TRANS,ENTRY=CEDF EXECUTION DIAGNOSTIC FACILITY
  PROTLIST RESOURCE=TRANS,ENTRY=CEMT MASTER TERMINAL TRANS
  PROTLIST RESOURCE=TRANS,ENTRY=CSMT MASTER TERMINAL TRANS

So the bottom line is that CQRY needs to be added to the SAFELIST in the ACF2/CICS parms.
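
To check a copy of the ACF2/CICS parms offline for how CQRY and the critical transactions would be treated, the following added example (not CA's code) parses SAFELIST and PROTLIST statements and classifies a transaction ID. It assumes that `*` in an ENTRY mask matches exactly one character and that a PROTLIST match overrides a SAFELIST match; `SITE_PARMS` is a constructed listing of a site that replaced the shipped `C***` entry with explicit entries.

```python
import re

# Shipped statements as quoted in this article.
SHIPPED_PARMS = """\
  SAFELIST RESOURCE=TRANS,ENTRY=C*** CICS STANDARD TRANS
  PROTLIST RESOURCE=TRANS,ENTRY=CEBR TEMPORARY STORAGE BROWSE
  PROTLIST RESOURCE=TRANS,ENTRY=CECI COMMAND INTERPRETER
  PROTLIST RESOURCE=TRANS,ENTRY=CEDA RESOURCE DEFINITION ONLINE
  PROTLIST RESOURCE=TRANS,ENTRY=CEDF EXECUTION DIAGNOSTIC FACILITY
  PROTLIST RESOURCE=TRANS,ENTRY=CEMT MASTER TERMINAL TRANS
  PROTLIST RESOURCE=TRANS,ENTRY=CSMT MASTER TERMINAL TRANS
"""

# Constructed sample: explicit SAFELIST entries only, with CQRY missing.
SITE_PARMS = """\
  SAFELIST RESOURCE=TRANS,ENTRY=CESN SIGN ON
  SAFELIST RESOURCE=TRANS,ENTRY=CSSF SIGN OFF
  PROTLIST RESOURCE=TRANS,ENTRY=CEMT MASTER TERMINAL TRANS
"""

# Text after the ENTRY= value is treated as a comment and ignored.
STMT = re.compile(r"^\s*(SAFELIST|PROTLIST)\s+RESOURCE=(\w+),ENTRY=(\S+)", re.I)

def parse_parms(text):
    """Collect the TRANS entry masks of each list from a parm listing."""
    lists = {"SAFELIST": [], "PROTLIST": []}
    for line in text.splitlines():
        m = STMT.match(line)
        if m and m.group(2).upper() == "TRANS":
            lists[m.group(1).upper()].append(m.group(3).upper())
    return lists

def mask_matches(mask, tranid):
    """Assumption: '*' matches exactly one character; others are literal."""
    return len(mask) == len(tranid) and all(
        m == "*" or m == t for m, t in zip(mask, tranid))

def classify(lists, tranid):
    """Return PROTLIST, SAFELIST or UNLISTED for a transaction ID."""
    tranid = tranid.upper()
    for name in ("PROTLIST", "SAFELIST"):  # assumption: PROTLIST wins
        if any(mask_matches(m, tranid) for m in lists[name]):
            return name
    return "UNLISTED"

if __name__ == "__main__":
    for label, parms in (("shipped", SHIPPED_PARMS), ("site", SITE_PARMS)):
        print(label, "CQRY ->", classify(parse_parms(parms), "CQRY"))
```

An UNLISTED result for CQRY points to the missing SAFELIST entry described above, and running the same check over CEMT, CEDA and the other critical transactions confirms they still resolve to PROTLIST after the parms are changed.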