How to setup SPI checking in Top Secret(TSS)?

The purpose of this document is to detail the process of setting up SPI (Set, Perform, Inquire) resource checking and secondary resource checking in Top Secret. SPI resource checking is a little different than secondary resource checking. SPI resource checking uses a keyword in the SPI resource class that corresponds to the command keyword in the CEMT or the EXEC CICS command.

For example, with CEMT INQUIRE TRANSACTION(ABC), the keyword TRANSACT would be used in the SPI resource class (i.e., SPI(TRANSACT) ) when protecting this command using SPI.

SPI resource checking is limited to CEMT and EXEC CICS commands. With XCMD=YES, there is no way to distinguish between CEMT and EXEC CICS. There is a security call made for CEMT prior to the SPI check. If the security call for CEMT fails, the transaction or EXEC CICS command will also fail, and no SPI check is made.

Secondary resource checking keys on the actual resource being accessed in the transaction. With CEMT INQUIRE TRANSACTION(ABC), a second check (after the check for access to CEMT) would occur against OTRAN(ABC) when using secondary resource checking. If the security call for CEMT fails, the transaction fails and no check is made for the secondary resource. Secondary resource checking is optional and somewhat redundant if used with SPI resource checking. However, if secondary resource checking is used with SPI resource checking:

• SPI resource access ensures that the user is permitted to display or alter a particular type of CICS resource.
• Secondary resource checking allows or denies display or alteration of the individual resources.

Use SPI checking if you want to secure the command keywords in CEMT and EXEC CICS commands. Use secondary resource checking if you want to allow certain resources to be accessed with any or all CICS transactions (not just the CEMT transaction). SPI resource checking is limited to CEMT and EXEC CICS commands where secondary resource checking can be used on any or all CICS transactions.

SPI Resource Checking

Top Secret provides the SPI resource for added security checking. With the Top Secret SPI resource you can secure the following:

• CEMT commands
• EXEC CICS INQUIRE and SET commands
• EXEC CICS ENABLE, DISABLE, EXTRACT, and COLLECT STATISTICS commands
• EXEC CICS SPOOLOPEN command

To implement SPI resource checking

1. For CEMT commands, define OTRAN(CEMT) and permit ACCESS(EXECUTE) to the users that should be allowed to use CEMT. NOTE: Most users will not need access to CEMT.
   1. Own OTRAN(CEMT) via TSS ADD(dept) OTRAN(CEMT). To see if this is already owned, issue TSS WHOOWNS OTRAN(CEMT).
   2. Permit access to OTRAN(CEMT) via TSS PERMIT(acid) OTRAN(CEMT) ACCESS(EXECUTE).
2. Turn on SPI resource checking:
   1. If FACMATRX=YES is set on the CICS facility in Top Secret, set XCMD=YES on the facility. No recycle of CICS should be required to pick up this change.
   2. If FACMATRX=NO is set on the CICS facility in Top Secret, set XCMD=YES in the CICS System Initialization Table (SIT). A recycle of the CICS region is required to pick up this change.
3. Own and permit the SPI resources to be protected.
   1. TSS ADD(dept) SPI(xxxxxxxx)
   2. TSS PERMIT(acid) SPI(xxxxxxx) ACCESS(yyyyyyyyy)

Below is a list of the command keywords and the corresponding SPI resource.

For INQUIRE and SET:

Command Keyword  SPI Keyword
'Blanks' (default) SPI(SYSTEM)
AUTINSTMODEL  SPI(AUTINSTM)
AUTOINSTALL    SPI(AUTOINST)
AUXTRACE   SPI(TRACEDES)
BEAN    SPI(BEAN)
CFDTPOOL   SPI(CFDTPOOL)
CONNECTION   SPI(CONNECTI)
CORBASERVER   SPI(CORBASER)
DB2CONN   SPI(DB2CONN)
DB2ENTRY   SPI(DB2ENTRY)
DB2TRAN   SPI(DB2TRAN)
DELETESHIPPED  SPI(DELETESH)
DELTSHIPPED   SPI(DELTSHIP)
DJAR    SPI(DJAR)
DLIDATABASE   SPI(DLIDATAB)
DOCTEMPLATE   SPI(DOCTEMPL)
DSA    SPI(SYSTEM)
DSNAME   SPI(DSNAME)
DUMP    SPI(DUMP)
DUMPDS   SPI(DUMPDS)
ENQ    SPI(UOWENQ)
ENQMODEL   SPI(ENQMODEL)
EXCI    SPI(EXCI)
FECONNECTION  SPI(FEPIRESO)
FENODE   SPI(FEPIRESO)
FEPOOL   SPI(FEPIRESO)
FEPROPSET   SPI(FEPIRESO)
FETARGET   SPI(FEPIRESO)
FILE    SPI(FILE)
GTFTRACE   SPI(TRACEDES)
INTTRACE   SPI(TRACEDES)
IRBATCH   SPI(IRBATCH)
IRC    SPI(IRC)
JMODEL   SPI(JMODEL)
JOURNALNAME/JOURNALNUM  SPI(JOURNAL) *
JVMPOOL   SPI(JVMPOOL)
LINE    SPI(LINE)
MODENAME   SPI(MODENAME)
MONITOR   SPI(MONITOR)
NETNAME   SPI(TERMINAL)
PARTNER   SPI(PARTNER)
PITRACE   SPI(PITRACE)
PROCESSTYPE   SPI(PROCESST)
PROFILE   SPI(PROFILE)
PROGRAM   SPI(PROGRAM)
REQUESTMODEL  SPI(REQUESTM)
RRMS    SPI(RRMS)
STATISTICS   SPI(STATISTI)
STREAMNAME   SPI(STREAMNA)
SYSDUMPCODE   SPI(SYSDUMPC)
SYSTEM   SPI(SYSTEM)
TASK    SPI(TASK)
TCLASS   SPI(TCLASS)
TCPIP    SPI(TCPIP)
TCPIPSERVICE  SPI(TCPIPSER)
TDQUEUE   SPI(TDQUEUE)
TERMINAL   SPI(TERMINAL)
TRANSACTION   SPI(TRANSACT)
TRDUMPCODE   SPI(TRANDUMP)
TSMODEL   SPI(TSMODEL)
TSPOOL   SPI(DB2CONN)   
TSQUEUE   SPI(TSQUEUE)
UOW    SPI(UOW)
UOWDSNFAIL   SPI(UOWDSNFA)
UOWENQ   SPI(UOWENQ)
UOWLINK   SPI(UOWLINK)
VOLUME   SPI(VOLUME)
VTAM    SPI(VTAM)
WEB    SPI(WEB)

* Note: JOURNALNAME is used for CTS 1.2 and above; JOURNALNUM is used for CICS 4.1 and CTS 1.1.

For PERFORM:

Command Keyword  SPI Keyword
DELETESHIPPED  SPI(DELETESH)
DUMP    SPI(DUMP)
ENDAFFINITY   SPI(CONNECTI)
RECONNECT   SPI(RECONNEC)
RESET    SPI(RESET)
SECURITY   SPI(SECURITY)
SHUTDOWN   SPI(SHUTDOWN)
SNAP    SPI(SNAP)
STATISTICS   SPI(STATISTI)

For DISCARD:

Command Keyword  SPI Keyword
DB2CONN   SPI(DB2CONN) 
DB2ENTRY   SPI(DB2ENTRY)
DB2TRAN   SPI(DB2TRAN) 
DOCTEMPLATE   SPI(DOCTEMPL)   
ENQMODEL   SPI(ENQMODEL) 
JMODEL   SPI(JOURNALM)
JOURNALNAME   SPI(JOURNAL) 
PROCESSTYPE   SPI(PROCESST)
REQUESTMODEL  SPI(REQUESTM)  
TCPIPSERVICE  SPI(CONNECTI)
TSMODEL   SPI(TSMODEL)

For EXEC CICS ENABLE, DISABLE, EXTRACT, and COLLECT STATISTICS:

Command Function  SPI Keyword
ENABLE   SPI(EXITPROG)
DISABLE   SPI(EXITPROG)
EXTRACT   SPI(EXITPROG)
COLLECT STATISTICS SPI(EXITPROG) 

EXEC CICS SPOOLOPEN:

Command Function  SPI Keyword
SPOOLOPEN   SPI(JESSPOOL)

SPI access levels:

For CEMT commands:

CEMT Action   SPI Access Level
INQUIRE   INQUIRE
PERFORM   PERFORM
SET    SET
DISCARD   DISCARD

For example, if a CEMT INQUIRE is done, ACCESS(INQUIRE) is required to the protected SPI resource in order to perform the function.

For EXEC CICS ENABLE, DISABLE, EXTRACT, and COLLECT STATISTICS:

Command Function  SPI Access Level
ENABLE   SET
DISABLE   SET
EXTRACT   INQUIRE
COLLECT STATISTICS COLLECT

For example, if an EXEC CICS ENABLE is done, ACCESS(SET) is required to the protected SPI resource in order to perform the function.

For EXEC CICS SPOOLOPEN:

Command Options  SPI Access Level
INPUT    SET
OUTPUT   SET

For example, if an EXEC CICS SPOOLOPEN INPUT is done, ACCESS(SET) is required to the protected SPI resource in order to perform the function.

Examples:

1. To protect users from issuing CEMT PERFORM SHUTDOWN, issue:
   TSS ADD(dept) SPI(SHUTDOWN)
   
   Any user that should be allowed to shutdown the CICS region should be given the following permit:
   TSS PER(acid) SPI(SHUTDOWN) ACCESS(PERFORM)
   
   
2. To protect users from doing CEMT INQUIRE TRANSACTION(xxxx), issue:
   TSS ADD(dept) SPI(TRANSACT)
   
   Any user that should be allowed to issue CEMT INQUIRE TRANSACTION(xxxx) should be given the following permit:
   TSS PER(acid) SPI(TRANSACT) ACCESS(INQUIRE)
   
   
3. To protect users from doing CEMT INQUIRE DUMP commands, issue:
   TSS ADD(dept) SPI(DUMPDS)
   
   Any user that should be allowed to issue CEMT INQUIRE DUMP should be given the following permit:
   TSS PER(acid) SPI(DUMPDS) ACCESS(INQUIRE)
   
   
4. To protect users from doing EXEC CICS SET FILE(PAYROLL) OPEN, issue:
   TSS ADDTO(dept) SPI(FILE)
   
   Any user that should be allowed to issue EXEC CICS SET FILE(PAYROLL) OPEN should be given the following permit:
   TSS PERMIT(acid) SPI(FILE) ACCESS(SET)

SPI(*ALL*) ACCESS(acc) can be owned and permitted to allow access to all of the SPI resources; however, in order to have all the SPI resources protected, you must own all of them via TSS ADD(dept) SPI(xxxx). You can set DEFPROT on the SPI resource class; however, you have to be VERY careful about this because with DEFPROT set on the SPI resource class, access will be denied to any SPI resource that is not permitted to the user. For example, a user who used to successfully issue CEMT INQ TRANS(ABC) will be denied access once DEFPROT is set if he is not permitted ACCESS(INQUIRE) to SPI(TRANSACT).

SPI bypass list

The SPI access levels can be put in the bypass list on the CICS facility in Top Secret. For example, to put INQUIRE in the CEMT bypass list to bypass the INQUIRE checks:

TSS MODIFY((FAC(cicsfac=BYPADD(CEMT=INQUIRE)))

In the TSS parameter file add "FAC(cicsfac=BYPADD(CEMT=INQUIRE))".

This will bypass SPI security for all CEMT INQUIRE commands.

Note: To bypass SET you also need to add INQUIRE to the Bypass List because CEMT SET redisplays the items altered in the CEMT SET.

Secondary resource checking

To turn on secondary resource checking for a specific transaction:

1. Define the transaction to Top Secret.
2. Permit ACCESS(EXECUTE) to the transaction.
3. Set PCTRESSEC=HONOR on the CICS facility in Top Secret. This will honor the RESSEC= parameter in the CSD.
4. Set RESSEC=YES in the CSD entry in CICS for the specific transaction(s) that are to use secondary resource checking. (Set RESSEC=NO in the CSD entry in CICS for the transactions that are not to use secondary resource checking.)
5. Set RESSEC=ASIS in the CICS SIT.

For example, to activate secondary resource checking for CEMT:

1. TSS ADD(dept) OTRAN(CEMT)
2. TSS PER(acid) OTRAN(CEMT) ACCESS(EXECUTE)
3. Set PCTRESSEC=HONOR on the CICS facility in Top Secret.
4. Set RESSEC=YES on the CSD entry in CICS for CEMT.
5. Set RESSEC=ASIS in the CICS SIT.

This means any resource CEMT goes after will be checked. For example, with CEMT I TRAN(ABC), there would first be a check for EXECUTE access to OTRAN(CEMT) and if access is allowed, an additional (second) check for INQUIRE access to OTRAN(ABC).

To turn on secondary resource checking for all transactions:
Set PCTRESSEC=OVERRIDE on the CICS facility in Top Secret. This will override the RESSEC= parameter in the CSD entry and enforce secondary resource checking for all CICS transactions.

Notes:
The secondary resource checking is a little trickier to set up because CEMT I TRAN(CEMT) would require EXECUTE and INQUIRE access to OTRAN(CEMT). Assuming your AUTH control option is AUTH(OVERRIDE,ALLOVER), EXECUTE and INQUIRE access would have to be in the same place (e.g., user record, same profile, or the ALL record). If EXECUTE is permitted in the user record and INQUIRE in a PROFILE, the transaction will fail because the permit for EXECUTE on the user record will be picked up as a match and it won't get to the INQUIRE permit. However, the secondary resource checking is more granular. You could allow CEMT INQ for certain transactions, but not others.

You can ADD and PERMIT OTRAN(*ALL*) ACCESS(acc). The PERMIT for OTRAN(*ALL*) ACCESS(acc) will include all OTRANs. Also, as long as NONGENERIC is not set on the OTRAN, permits for the OTRAN are generic, so OTRAN(AB) includes all transactions that start with AB.

WARNING: USING ACCESS(EXECUTE) WITH TSS PER(acid) OTRAN(*ALL*) ACCESS(acc) WILL ALLOW THE USER TO EXECUTE ANY TRANSACTION.

Secondary resource checking includes the following resource classes:

CEMT Keyword  Secondary Resource Type
DB2ENTRY*   DB2ENTRY
DB2TRAN*   DB2TRAN
DSNAME   DATASET
FILE    FCT
JOURNAL   JCT
PROGRAM   PPT
QUEUE    DCT
TRANSACTIONS  OTRAN or LCF
VOLUMES   VOLUMES

* - CTS 1.2 and above only.

• DSNAME access checking by Top Secret requires DSNCHECK=YES be set on the CICS facility in Top Secret. This is set via the command:
  
  TSS MODIFY FACILITY(cicsfac=DSNCHECK=YES)
  
  In the Top Secret parameter file. add "FAC(cicsfac=DSNCHECK=YES)".
  When DSNCHECK=YES is in effect, Top Secret checks DATASET, but not FCT resources for FILE or DATASET keywords in INQUIRE or SET actions used through CEMT.
  
  
• FCT access checking by Top Secret requires the FACILITY control option DSNCHECK=NO (the default). This is set via the command:
  
  TSS MODIFY FACILITY(cicsfac=DSNCHECK=NO)
  
  In the Top Secret parameter file, add "FAC(cicsfac=DSNCHECK=NO)" or don't specify DSNCHECK and it will default to NO.)
  When DSNCHECK=NO is in effect, Top Secret checks the FCT but not DATASET resources when FILE or DATASET keywords with INQUIRE or SET actions used through CEMT.

NOTES:
Like CEMT INQUIRE, the CEMT SET action is also used to provide a display of affected resources (after the SET operands are implemented). For this reason, individual resources described in the table above will often need both INQUIRE and SET access to invoke alteration through CEMT. You should also note that:

1. SET access does not imply INQUIRE access.
2. When the CEMT SET action is applied to these resources, both SET and INQUIRE access is required through Top Secret.
3. Whether the CEMT SET or INQUIRE action is used to initiate a resource display for the keywords in the table above, both SET and INQUIRE access through Top Secret are required to alter the individual CICS resource.

EXAMPLES
The following examples assume PCTRESSEC=HONOR is set on the CICS facility in Top Secret, RESSEC=YES is set on the CSD entry in CICS for CEMT, RESSEC=ASIS is set in the CICS SIT, and TSS ADD(dept) OTRAN(CEMT) has been done.

To allow a user to issue CEMT INQUIRE TRANSACTION(CS*) but prevent others from doing so:

TSS PER(acid) OTRAN(CEMT) ACCESS(EXECUTE)
TSS ADDTO(dept) OTRAN(CS) 
TSS PERMIT(acid) OTRAN(CS) ACCESS(INQUIRE)

Note: The OTRAN(CS) permission in the above example does not allow the ACID to use the CSxx transactions.

To allow a user to issue CEMT SET FILE(WXYZ) where 'WXYZ' is an FCT entry that points to dataset ABC.DEF and then alter characteristics of the file, but prevent others from doing so:

With DSNCHECK=YES on the CICS facility in Top Secret:

TSS PER(acid) OTRAN(CEMT) ACCESS(EXECUTE)
TSS ADDTO(dept) DSNAME(ABC.DEF) 
TSS PERMIT(acid) DSNAME(ABC.DEF) ACCESS(INQUIRE,SET)

With DSNCHECK=NO on the CICS facility in Top Secret:

TSS PER(acid) OTRAN(CEMT) ACCESS(EXECUTE)
TSS ADDTO(dept) FCT(WXYZ) 
TSS PERMIT(acid) FCT(WXYZ) ACCESS(INQUIRE,SET)