Summary:
How to set up security when using CA Gen Direct Connect for CICS.
This document is a guide to implementing security when using CA Gen Direct Connect for CICS. It applies to both the Single Socket Server Listener (TISL) and the Multi-Socket Server Listener (TIML) installation. The initial CA Gen software install defaults to no security checking, meaning requests with any user ID and/or password will execute.
Instructions:
STANDARD SECURITY
To validate the user ID and password, no setting is required on the client side if users log on using Client Manager. The User ID and Password are passed in the Common Format Buffer. Change user exit CEG8SAMP(TIRSLEXT) on the Host to validate standard security as follows:
Change:
BKLERPSW  B     KLEARPSW    CLEAR PASSWORD AND RETURN
*BVALUIDP B     VALUIDP     CONTINUE TO VALIDATE-USERID-PASSWORD
To:
*BKLERPSW B     KLEARPSW    CLEAR PASSWORD AND RETURN
BVALUIDP  B     VALUIDP     CONTINUE TO VALIDATE-USERID-PASSWORD
Install the TIRSLEXT module using CEG8SAMP(MKUECTCP) as directed in the comments of this module. Install into CICS. The User ID and Password are then validated prior to calling the server.
If a user-written logon program is used, it must use the variables CLIENT_USER_ID and CLIENT_PASSWORD to capture the credentials. In the Gen Toolset directory, change WREXITN.c in the method WRSECTOKEN to return SecurityUsedStandard. This will pass the user ID and password in the Common Format Buffer. On the z/OS Host, change CEG8SAMP(TIRSLEXT) as described above and install using CEG8SAMP(MKUECTCP). In addition, change user exit CEHBSAMP(TIRCUSRX) by substituting the MAINLINE thru MAINLINE-EXIT code in comments with the default code. If this is not done, the task ID is used and returned to the client. Install the changed module using CEHBSAMP(MKUEXITS) as TIRCUSRZ. Install both changed modules into CICS.
ENHANCED SECURITY
When using enhanced security, the variables CLIENT_USER_ID and CLIENT_PASSWORD must be used to capture the credentials in the client program. On the toolset, change the return in WREXITN.C in method WRSECTOKEN to SecurityUsedEnhanced. This will put the user ID and password in two places in the Common Format Buffer and set the enhanced flag. On the z/OS Host, make the following change to CEG8SAMP(TIRSLEXT):
Change:
BKLERPSW  B     KLEARPSW    CLEAR PASSWORD AND RETURN
*BVALUIDP B     VALUIDP     CONTINUE TO VALIDATE-USERID-PASSWORD
*BVFYENSC B     VFYEHSEC    CONTINUE TO VERIFY-ENHANCED-SECURITY
To:
*BKLERPSW B     KLEARPSW    CLEAR PASSWORD AND RETURN
*BVALUIDP B     VALUIDP     CONTINUE TO VALIDATE-USERID-PASSWORD
BVFYENSC  B     VFYEHSEC    CONTINUE TO VERIFY-ENHANCED-SECURITY
Modify CEHBSAMP(TIRSECVX) with custom changes to validate security. See option 2 in the comments for this exit, which gives helpful information on what has to be done. Use CEHBSAMP(MKUEXITS) to install this program and any other user program needed to validate security.