ACFAE303 Setting DFHSIT value XPCT=YES ACFAE304 Setting DFHSIT value XTRAN=YES
What resource is actually in effect for XTRAN & XPCT ?
Resolution
At startup of the CICS region, ACF2/CICS will set the relevant CICS DFHSIT parameter in the in-storage SIT as follows:
IF CICSKEY RESOURCE=TRANS is set, both XPCT=YES and XTRAN=YES will be set and use the same resource type.
IF CICSKEY RESOURCE=XPCT is set, XPCT=YES will be set. The resource type is obtained from the XPCT CICSKEY.
IF CICSKEY RESOURCE=XTRAN is set, XTRAN=YES will be set. The resource type is obtained from the XTRAN CICSKEY.
You cannot set XTRAN or PCT when TRANS is specified.
The ACF2/CICS documentation section Transaction Security describes the following related to ACF2 CICS transaction validation:
CICS recognizes two types of transaction access: XTRAN and XPCT. When a transaction begins execution, or is attached in CICS terminology, CICS performs an XTRAN validation check. When any other type of transaction access is made, such as through an EXEC CICS INQUIRE, SET, or START command, CICS instead performs an XPCT validation check.
The CICS interface lets you protect both types of transaction accesses via a single entity, or it lets you protect them independently of one another. The TRANS CICSKEY resource activates both the XTRAN and XPCT levels of transaction checking. The XPCT CICSKEY resource activates only the XPCT level of checking and is mutually exclusive with the TRANS CICSKEY resource. The XTRAN CICSKEY resource activates only the XTRAN level of checking and is also mutually exclusive with the TRANS CICSKEY resource.
If you are running the CICSPLEX/SM (CPSM) product and you want to run with security active in a CICS Managed Address Space (CMAS) region, CPSM will not allow you to activate the XPCT level of transaction checking. In such an environment you would want to activate only the XTRAN CICSKEY resource.
If you are using the XPCT or XTRAN CICSKEY resources to secure transaction accesses, you must supply a set of SAFE and PROTECT lists for each resource type. This might be a migration concern if you currently use the TRANS CICSKEY resource to protect transaction accesses.