
CICS Explorer: Security

So you have seen the light and decided to install CICS Explorer? Well done, great decision!

However, depending on your site, this might be easier said than done – not because installing Explorer is hard, but because people will probably start worrying about security now that this easy-to-use CICS tool is available.

The point of this post is to try to explain a little about CICS Explorer and security, so that you can be primed to answer any questions that may arise.

Passwords

A user can opt to save their password for a connection in Explorer. If this option is used, the password is stored, encrypted, in the workspace used by Explorer.

The default workspace is c:\Documents and Settings\username\.cicsexplorer (Windows) or ~/.cicsexplorer (Linux). The default location can be changed with the -data option when starting Explorer. See here for details. Despite the password being encrypted, this location needs to be protected – especially if it is on a network drive.

Depending on the type of connection in use, SSL may be used on the conversation, which may stop passwords being transferred in clear text over the network.

For CMCI or Data Interface connections to CICSPlex SM, the PTFs for CICSPlex SM APARs PK87387 (4.1) and PK87334 (3.2) allow you to specify the acceptable cipher suites used for the conversation. For CMCI connections to an SMSS, or CICS CM, you can specify the cipher suites on the CICS TCPIPSERVICE manually.

Note: At present, the server certificates on an SSL connection are not validated, so you won’t be prompted to accept an expired certificate, etc.

Access

The access you have with CICS Explorer depends on the type of connection and plugins you are using. The basic answer to the question is, if you have access to the equivalent function using a ‘traditional’ interface, then you will have the same access under CICS Explorer.

CMCI Connections…

CMCI requests will run under the transaction CWWU by default. So use transaction security on CWWU to control who is allowed to use the CMCI.

… to CICSPlex SM

As the requests will be processed by CICSPlex SM, the normal CICSPlex SM security controls are in place, e.g. CICSPlex SM Object security (CPSMOBJ) and Simulated CICS Command and Resource security.

… to a Single System (SMSS)

Normal CICS Command and Resource Security is used. The IBM supplied CWWU transaction has CMDSEC=YES and RESSEC=YES.

Data Interface Connection to CICSPlex SM

This connection is read only. The transaction invoked on the CICSPlex SM Web User Interface (WUI) server will be COVA, so you can protect this transaction to control access to the WUI. Note that the user could also access the WUI via a browser using the normal WUI interface, where actions / updates are permitted. So you should implement CICSPlex SM Object security (CPSMOBJ) and possibly simulated Command and Resource security.

CICS Configuration Manager

The CICS CM ‘user’ transactions, typically CCVA, CCVC, CCVR and CCVT, are used. Again, CICS Transaction Security may be used to control who can run these. The CICS Configuration Manager security settings are the same as used by other CICS CM interfaces, e.g. you can activate CICS CM security checking on the CICS CM commands and resource definitions.

CICS Interdependency Analyser

CICS IA uses DB2 for its data. So the user needs to be granted access to the appropriate DB2 tables.

CICS Performance Analyser

CICS PA information is based on SMF data or a CICS PA Historical Database (HDB). Normal z/OS data set security can be used to control access to the SMF or HDB data. Once the information is in an HDB, users can export from the HDB to two different places for use by CICS Explorer:

  1. DB2 – so the user needs to be granted access to the appropriate DB2 tables.
  2. CSV file – the user would need access to the generated CSV file to download to the workstation, so access can be controlled with normal z/OS data set protection.

New and Exciting Commands

When you are installing CICS TS 4.1 make sure you understand that there are potentially new exciting CICS SPI commands that can give you access to things which may have been protected by other means in previous releases.

What I am trying to refer to is the EXEC CICS CSD commands added by CICS TS 4.1. Normally you would use transaction security to control access to the CEDA, CEDB or CEDC transactions. Now that the CSD can also be accessed via EXEC CICS CSD, you may need to make sure that CICS Command security for the ‘CSD’ resource is defined appropriately and that command security is active for transactions that may issue this command. For example, CECI, or CWWU.
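As an added illustration (not taken from IBM's documentation or from the original post), here is what the transaction security on CWWU mentioned earlier and the command security on the 'CSD' resource could look like as RACF commands. It assumes RACF is the external security manager, the default CICS class names TCICSTRN and CCICSCMD (XTRAN=YES and XCMD=YES), no SECPRFX prefix on profile names, and three hypothetical groups: EXPLUSR, CICSADM and CICSOPS.

```tso
/* --- Transaction security: who may drive the CMCI at all ---------- */
/* CWWU is the default CMCI transaction named in this post.           */
/* If CWWU is already covered by a generic or GCICSTRN grouping       */
/* profile at your site, change that profile instead of adding this.  */
RDEFINE TCICSTRN CWWU UACC(NONE)
PERMIT  CWWU CLASS(TCICSTRN) ID(EXPLUSR) ACCESS(READ)

/* --- Command security: who may issue EXEC CICS CSD commands ------- */
/* 'CSD' is the command-security resource named in this post.         */
/* Access levels below are an assumption based on the usual CICS      */
/* convention: READ for inquiry and browse, UPDATE for commands that  */
/* change the CSD. Check the command-security cross-reference for     */
/* your CICS TS release before relying on them.                       */
RDEFINE CCICSCMD CSD UACC(NONE)
PERMIT  CSD CLASS(CCICSCMD) ID(CICSOPS) ACCESS(READ)
PERMIT  CSD CLASS(CCICSCMD) ID(CICSADM) ACCESS(UPDATE)

/* --- Make the new profiles visible to running regions ------------- */
SETROPTS RACLIST(TCICSTRN CCICSCMD) REFRESH

/* --- Review what was defined --------------------------------------- */
RLIST TCICSTRN CWWU AUTHUSER
RLIST CCICSCMD CSD  AUTHUSER
```

The CCICSCMD profile only takes effect for transactions that run with CMDSEC=YES, so check that setting on any transaction that may issue EXEC CICS CSD, not only on CWWU and CECI.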

Summary

So to summarise, CICS Explorer isn’t about to let users alter their salaries on the Payroll CICS, nor order a new Hi-Def TV from the Web Ordering system. Well, not unless the user had access to do these sorts of things already!

In general if you are protecting your CICS resources today, they will be protected under CICS Explorer, using the same controls you always used.

If you have any questions about Security and CICS Explorer, please comment on this post, or ask away over on developerWorks.
