Gen .NET proxy connecting with default CICS user causing RACF error ICH408I

Article ID: 392457

Updated On: 03-30-2025

Products

Gen Gen - Run Time Distributed

Issue/Introduction

A Gen 8.6 .NET proxy test harness application connects to the related CICS server via Multi Sockets Listener TISRVMSL (TIML).

In development environments there is no RACF checking for the load module to execute.  
The test regions are configured for RACF authorisation.
Changing just the CommConfig field to point to a test CICS region fails, producing this error:

ICH408I USER(CICSx   ) GROUP(####    ) NAME(CICSx USERID        ) 401 
  xxxxxxxx CL(xxxPPT  )                                               
  INSUFFICIENT ACCESS AUTHORITY                                       
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )                     

where CICSx is the default CICS user for the region and xxxxxxxx is the load module name.  The proxy connects to the region specified in the CommConfig field.
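
The following is an added example, not part of the original article or of the Gen product. It parses an ICH408I message in the layout shown above and reports whether RACF denied the request under the region's default CICS user, which is the symptom described here. The sample message, the user IDs and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the message above; all IDs are made up.
SAMPLE = """\
ICH408I USER(CICSTST ) GROUP(CICSGRP ) NAME(CICS TEST REGION    ) 401
  PGMLOAD1 CL(TSTPPT  )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

_HEAD = re.compile(
    r"ICH408I\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)"
    r"\s+NAME\((?P<name>[^)]*)\)")
_RES = re.compile(r"^\s*(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)", re.M)
_ACC = re.compile(
    r"ACCESS INTENT\((?P<intent>[^)]*)\)\s+ACCESS ALLOWED\((?P<allowed>[^)]*)\)")


def parse_ich408i(text):
    """Return the fields of one resource-access ICH408I message, else None."""
    head = _HEAD.search(text)
    if not head:
        return None
    rest = text[head.end():]          # resource and access lines follow the header
    res, acc = _RES.search(rest), _ACC.search(rest)
    if not (res and acc):
        return None                   # some other ICH408I variant
    fields = {**head.groupdict(), **res.groupdict(), **acc.groupdict()}
    return {key: value.strip() for key, value in fields.items()}


def checked_identity(msg, region_default_user, client_id):
    """Say which identity RACF used for the failed check."""
    user = msg["user"].upper()
    if user == region_default_user.upper():
        # The ClientID did not reach the security check (the case in this article).
        return "default-user"
    if user == client_id.upper():
        # The ClientID flowed; that user lacks access to the resource itself.
        return "client-user"
    return "other-user"


if __name__ == "__main__":
    parsed = parse_ich408i(SAMPLE)
    print(parsed)
    print(checked_identity(parsed, "CICSTST", "DEVUSR1"))
```
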

Providing a valid RACF user in the ClientID field produces the same error.

Please advise how to correctly send the ClientID to the CICS server from the .NET Proxy application.

Environment

Gen 8.6 .NET Proxy to CICS Multi Sockets Listener TISRVMSL (TIML)

Resolution

One of the Distributed Processing user exits needs to be used.

The documentation page "User Exits in Distributed Processing", under "C - ASP.NET Client and .NET Proxy Runtime", lists the exit CFBDynamicMessageSecurityExit.cs.
That user exit is located under the Gen 8.6 installation directory "%Gen86%\Gen86\Gen\.net\exits\src\msgobj" and is the equivalent of the GUI C client user exit function WRSECTOKEN (WREXITN.C).
The detailed page for the exit is: com.ca.gen.exits.msgobj.cfb.CFBDynamicMessageSecurityExit - C# CFB Dynamic Message Security Exit
It contains the customisation to set the security type to one of:
SECURITY_NO
SECURITY_STANDARD
SECURITY_ENHANCED

The default is SECURITY_NO.

Per Security in Distributed Processing and the 3 sub-sections under that, use SECURITY_STANDARD to make use of ClientId and ClientPassword in the proxy client application (similar to what is required to pass CLIENT_USER_ID and CLIENT_PASSWORD in a Gen GUI client).

Additional Information

From the documentation page "Using a .NET Proxy", section "Security Processing":
"A .NET Proxy provides facilities to implement Distributed Processing Security.

Note:
 For more information about implementation of Distributed Processing Security, see Understand Distributed Processing.
..."

z/OS 3.1.0 > ICH Messages for the system operator > ICH408I