I just activated the CA Symdump CICS external security feature. When I attempt to use one of the secured options I receive message CAIN3323 restricted option but I do not see any security messages in the CICS log. Why?
Article ID: 126349
Updated On:
Products
SymDump for CICS
SymDump Batch
Issue/Introduction
The client configured the Symdump CICS external security option EXTSEC=Y to prevent user from using certain administrator options of Symdump CICS. When a user selects one of the secured options they receive message CAIN3323 restricted option entered. The user does not see any Top Secret violation message is the CICS LOG. The client would like to see security violation messages in the CICS Log so they can monitor the Symdump CICS activity. Why do I not see any security messages?
Environment
Z/OS
CICS
CICS
Resolution
The current design of Symdump CICS does not write any security messages to the CICS log when the external security option is turned on.
When you turn on the Symdump CICS external security feature parameter EXTSEC=Y in module IN25OPTS the Symdump CICS CODE issues an EXEC CICS QUERY SECURITY command to see if the user is allowed to use that Symdump CICS option.
On the QUERY SECURITY command they have specified parameter LOGMESSAGE(NOLOG) so no security messages are written to the CICS log MSGUSR.
Below is an example of the CICS Query Security command specifying NOLOG on the LOGMESSAGE parameter.
MVC QUERYSEC_LOGMESSAGE_CVDA,DFHVALUE(NOLOG)
EXEC CICS QUERY SECURITY
RESCLASS(CA@NTSYM_RESCLASS),
RESID(0(R6)),
RESIDLENGTH(QUERYSEC_RESLEN),
LOGMESSAGE(QUERYSEC_LOGMESSAGE_CVDA),
READ(QUERYSEC_READ_CVDA),
UPDATE(QUERYSEC_UPDATE_CVDA),
CONTROL(QUERYSEC_CONTROL_CVDA),
ALTER(QUERYSEC_ALTER_CVDA),
NOHANDLE
Since we have clients that use the external security we cannot turn on messages in mid release and change the behavior of the product. If messages are generated then we need the ability to suppress these messages for clients who do not want to flood the CICS log with messages. A parameter would need to be added to the product to generate or suppress these messages. An enhancement request would have to be requested.
When you turn on the Symdump CICS external security feature parameter EXTSEC=Y in module IN25OPTS the Symdump CICS CODE issues an EXEC CICS QUERY SECURITY command to see if the user is allowed to use that Symdump CICS option.
On the QUERY SECURITY command they have specified parameter LOGMESSAGE(NOLOG) so no security messages are written to the CICS log MSGUSR.
Below is an example of the CICS Query Security command specifying NOLOG on the LOGMESSAGE parameter.
MVC QUERYSEC_LOGMESSAGE_CVDA,DFHVALUE(NOLOG)
EXEC CICS QUERY SECURITY
RESCLASS(CA@NTSYM_RESCLASS),
RESID(0(R6)),
RESIDLENGTH(QUERYSEC_RESLEN),
LOGMESSAGE(QUERYSEC_LOGMESSAGE_CVDA),
READ(QUERYSEC_READ_CVDA),
UPDATE(QUERYSEC_UPDATE_CVDA),
CONTROL(QUERYSEC_CONTROL_CVDA),
ALTER(QUERYSEC_ALTER_CVDA),
NOHANDLE
Since we have clients that use the external security we cannot turn on messages in mid release and change the behavior of the product. If messages are generated then we need the ability to suppress these messages for clients who do not want to flood the CICS log with messages. A parameter would need to be added to the product to generate or suppress these messages. An enhancement request would have to be requested.
Feedback
Yes
No
Powered by
