How do RESSEC and CMDSEC impact CA ACF2 CICS resource validation in a CICS (CTS) environment?

Document ID : KB000053135
Last Modified Date : 18/04/2018
Show Technical Document Details
Introduction:

Description:

RESSEC and CMDSEC are (IBM) CICS parameters that specify what levels of resource security checking and command security checking are in effect for the CICS region.

In CICS you specify how you want a transaction to run using a TRANSACTION resource definition. The TRANSACTION resource definition has many different attributes, including RESSEC and CMDSEC.

RESSEC specifies whether resource security checking is to be used for the resources accessed by this transaction. The transaction itself has already been allowed to execute, and RESSEC is used to determine whether or not to have security check for access to the resources accessed by the running transaction.

NO - means that all resources are available to any user who has the authority to use this transaction.
YES - means that an external security manager is used to determine the access to the resources used by the running transaction.

The CICS provided default value is NO.

CMDSEC specifies whether security checking is to be applied on system programming commands.

NO - means no security check is made. The commands are always executed.
YES - a call is made to the external security manager to determine the allowable access. If the ESM cannot identify the resource or resource type, access is prevented.

The CICS provided default value is NO.

CICS has a system initialization table (SIT) that provides system wide (region) parameter values. These can be overridden at CICS startup using the PARM statement on the EXEC card, or using SYSIN input. The SIT parameters include RESSEC and CMDSEC.

RESSEC specifies whether you want CICS to honor the RESSEC option specified on a transaction's resource definition.

ASIS - means that CICS honors the RESSEC option defined in a transaction's resource definition. When the transaction definition specifies RESSEC(YES) then the external security manager is called to check access to resources used by the transaction. Normally ASIS is a sufficient level of control, because often you only need to control the ability to execute a transaction.
ALWAYS - means that CICS overrides the transaction's RESSEC option, and always calls its resource security checking routine to issue the appropriate call to the SAF interface.

The CICS provided default value is ASIS.

CMDSEC specifies whether or not you want CICS to honor the CMDSEC option specified on a transaction's resource definition.

ASIS - means that CICS honors the CMDSEC option defined in a transaction's resource definition. CICS only calls the external security manager when the transaction resource definition specifies CMDSEC(YES).
ALWAYS - means that CICS overrides the transaction's CMDSEC option, and always calls the external security manager to check for authorization.

The CICS provided default value is ASIS.

The impact to CA ACF2 CICS depends on how the OPTION parameter is setup.

Solution:

CA ACF2 CICS has its own set of parameters, one of which is the OPTION parameter. The OPTION parameter includes values for RESSEC and CMDSEC, which by default are set to ALWAYS, and these override the CICS SIT RESSEC and CMDSEC values. Specifying ALWAYS ensures that CA ACF2 CICS makes the security decisions for resource access attempts. The CICSKEY option provides additional granularity beyond the (IBM CICS) transaction definition RESSEC by specifying which resources need security checking.

The applicable CA ACF2 CICS parameters are (additional parameter/options removed for readability):

  OPTION   .....
            CMDSEC=ALWAYS | ASIS
            ..... 
            RESSEC=ALWAYS | ASIS
            ..... 
 
 CICSKEY    RESOURCE=
            OPTION=IGNORE | VALIDATE 
            ..... 
 
 For the OPTION parameter:

CMDSEC specifies what DFHSIT CMDSEC value is used by the CICS interface (overrides DFHSIT value).

ALWAYS - means that the DFHSIT CMDSEC value is set to ALWAYS.
ASIS - means that the DFHSIT CMDSEC value is set to ASIS.

The CA ACF2 CICS default value is ALWAYS.

RESSEC specifies what the DFHSIT RESSEC value is used by the CICS interface (overrides DFHSIT value).

ALWAYS - means that the DFHSIT RESSEC value is set to ALWAYS.
ASIS - means that the DFHSIT RESSEC value is set to ASIS.

The CA ACF2 CICS default value is ALWAYS.


Specifying CMDSEC and RESEC as ALWAYS ensures that CA ACF2 CICS will make the security decisions regarding the resources being accessed by transactions.

The CICSKEY parameter establishes CA ACF2 CICS interface control over CICS resources. The resources that CA ACF2 CICS can control are:

  • FILE - File control
     
  • MROIN - MRO, IRC, and ISC inbound processing control (CA ACF2 CICS only)
     
  • MROOUT - MRO, IRC, and ISC outbound processing control (CA ACF2 CICS only)
     
  • PROGRAM - Program control
     
  • PSB - DL/I PSB request control
     
  • TEMPSTRG - Temporary storage control
     
  • TRANS - Transaction control (checks whether or not the user is allowed to execute the transaction)
     
  • TRANDATA - Transient data control
     
  • XCMD - SP command security control
     
  • XTRAN - Validation check when a transaction begins execution (is attached)
     
  • XPCT - Validation check for any other transaction access, such as through an EXEC CICS INQUIRE, SET, or START command
     
  • XRES - CICS document templates (as of CTS 3.2)

For each resource (CICSKEY) you can specify whether or not you want to validate the resource with OPTION=IGNORE or VALIDATE. (The CA ACF2 CICS provided default value is IGNORE.) Using these CICSKEY parameters provides more granularity than just RESSEC=YES, which would apply to all resources accessed by the running transaction. Note that the (IBM CICS) RESSEC attribute only applies to the FILE, PROGRAM, PSB, TEMPSTRG, TRANDATA, XPCT, and XRES resources (CICSKEYS). The MROIN and MROOUT resources apply just to CA ACF2 CICS and are not relevant with RESSEC.

CICS (IBM) recognizes two types of transaction access, XTRAN and XPCT. When a transactions begins execution (or is attached in CICS terminology), an XTRAN validation occurs. When any other type of transaction access is made, such as through an EXEC CICS INQUIRE, SET, or START command, then an XPCT validation occurs.

The CA ACF2 CICS interface lets you protect both types of transaction accesses with a single entity, or it lets you protect them independently of one another. The TRANS CICSKEY resource activates both the XTRAN and XPCT levels of transaction checking. The XPCT CICSKEY resource activates only the XPCT level of checking and is mutually exclusive with the TRANS CICSKEY resource. The XTRAN CICSKEY resource activates only the XTRAN level of checking and is also mutually exclusive with the TRANS CICSKEY resource.

Also note that the TRANS (or XTRAN) and XCMD resources are not impacted by RESSEC (since RESSEC only applies to the resources accessed by the running transaction). The XPCT resource is impacted by RESSEC, and this validation only occurs when RESSEC is YES. The XCMD resource is only impacted by CMDSEC.

The CICSKEY for XCMD only applies when CMDSEC is YES. If a site chooses to specify the CA ACF2 CICS OPTION parameter with CMDSEC=ASIS, then the (IBM CICS) transaction definition controls access to XCMD validation. If the transaction definition has CMDSEC(NO) then there is no call to the external security manager (CA ACF2 CICS is not called), so the CICSKEY for RESOURCE=XCMD,OPTION=VALIDATE does not apply. If the transaction definition has CMDSEC(YES) then the external security manager is called and CA ACF2 CICS checks the CICSKEY for XCMD to see if this resource has OPTION = VALIDATE or IGNORE to determine whether or not to validate the access.

If a site chooses to specify the CA ACF2 CICS OPTION parameter with RESSEC=ASIS, then the (IBM CICS) transaction definition controls access to the resources. RESSEC(NO) means that any user allowed to execute that transaction can access any of the resources accessed by that transaction, despite what the CICSKEY resource OPTION= parameters say.

For example, the CA ACF2 CICS parameters specify (additional parameters removed for readability):

  OPTION CMDSEC=ASIS
   RESSEC=ASIS
   ..... 
   
   CICSKEY RESOURCE=TRANDATA,OPTION=VALIDATE,.....
   CICSKEY RESOURCE=FILE,OPTION=VALIDATE,..... 
   CICSKEY RESOURCE=PROGRAM,OPTION=IGNORE,..... 
   CICSKEY RESOURCE=PSB,OPTION=IGNORE,..... 
   CICSKEY RESOURCE=TRANS,OPTION=VALIDATE,..... 
   CICSKEY RESOURCE=TEMPSTRG,OPTION=VALIDATE,..... 
   CICSKEY RESOURCE=MROIN,OPTION=VALIDATE,..... 
   CICSKEY RESOURCE=MROOUT,OPTION=IGNORE,..... 
   CICSKEY RESOURCE=XCMD,OPTION=VALIDATE,..... 

The CA ACF2 CICS specified CMDSEC and RESSEC values of ASIS override the DFHSIT values (so they are now ASIS), and security checking is determined by the (IBM CICS) transaction definition RESSEC and CMDSEC values. If the transaction definition has RESSEC(NO), then there is NO security validation for the TRANDATA, FILE, and TEMPSTRG (despite the OPTION=VALIDATE specified on the CICSKEY parameter). If the transaction definition has RESSEC(YES), then the CICSKEY parameters with OPTION=VALIDATE will be validated by CA ACF2 CICS. Note that the running transaction is validated for execution access.

The PROGRAM and PSB resources will not be validated. If the transaction definition has RESSEC(NO) then the external security manager (CA ACF2 CICS) is not called. If the transaction definition has RESSEC(YES) then CA ACF2 CICS is called, and the OPTION=IGNORE for these resources means they will not be validated.

Any transaction that is executed will be validated because the CICSKEY for TRANS specifies OPTION=VALIDATE. For any running transaction that accesses another transaction (i.e. EXEC CICS INQUIRE TRANS?), this call is for the XPCT resource (included with CICSKEY RESOURCE=TRANS) and is only validated if the running transaction definition has RESSEC(YES). If it has RESSEC(NO) then the additional transaction call (XPCT) does not call the external security manager (CA ACF2 CICS) and the XPCT access is allowed for any user allowed to execute the (original) transaction.

The CICSKEY for the XCMD resource with OPTION=VALIDATE will only be validated if the running transaction has CMDSEC(YES) and assuming an SP command is issued from the running transaction.

Instructions:
Please Update This Required Field