Security Features

This chapter describes TACF and programming features associated with security.

1. Overview

An OSC application server that serves a large number of users is exposed to the following security threats.

  • Unauthorized server access

  • Unauthorized file or directory access

  • Unauthorized data modification

  • Unauthorized data deletion or destruction

To prevent these problems, administrators can block access to system resources from unauthorized users and thus protect the resources. Using the OpenFrame/Tmax Access Control Facility (hereafter TACF), the OSC system provides the security features for transactions and resources described in the rest of this chapter.

2. TACF

The OSC application server security features are based on TACF functions.

TACF protects the system from unauthorized users by requiring authentication and authorization checks and then blocking access to system components by users who fail them. TACF provides basic access control and authorization, and the TACF resource module of the OSC application server enforces the configured security policies. In this way, TACF provides security for an OpenFrame system in the same role that Resource Access Control Facility (RACF) plays for an IBM mainframe.

Security check features can be configured differently for each OSC application server, in the SAF section of the osc.{servername} subject under OpenFrame Configuration.

  1. For more information about security settings, refer to OpenFrame OSC Administrator’s Guide.

  2. For more information about how to configure the osc.{servername} subject, refer to OpenFrame Configuration Guide.

3. User Authentication Process

The OSC system needs to know the identity of any user who requests access to a resource, so that it can verify that the user has sufficient privileges to access the requested resource. This authentication is achieved through the user SIGNON process. To sign on to the OSC system, users must enter the SIGNON transaction ID, CESN, or an application program must issue the SIGNON command directly. Signing on associates the user ID with the terminal from which the SIGNON transaction was run.

The SIGNOFF process notifies the system that the user has finished using the system. To sign off, users must enter the SIGNOFF transaction ID, CESF, or an application program must issue the SIGNOFF command.

For more information about CESN/CESF transactions, refer to OpenFrame OSC Administrator’s Guide.

User Authentication Process Commands

The following is a list of user authentication process commands. For more information about each command, refer to the respective section.

Command Description

SIGNOFF

Removes the authentication granted to a specific user ID.

SIGNON

Authenticates a user ID.

3.1. SIGNOFF

This command signs a user out from a terminal. After SIGNOFF has completed, the OSC system provides security services to the terminal under the default user ID specified as the VALUE of the DFLTUSER key in the SAF section of the osc.{servername} subject under OpenFrame Configuration. This command has no options.

  • Syntax

    EXEC CICS SIGNOFF END-EXEC.

For more information about the osc.{servername} subject, refer to OpenFrame Configuration Guide.

3.2. SIGNON

Authenticates a user ID and signs the user on to a terminal.

  • Syntax

    EXEC CICS SIGNON [option …] END-EXEC.
  • Options

    Option Description

    GROUPID

    Specifies the TACF group in which the user will be placed.

    NEWPASSWORD

    Specifies a new password.

    PASSWORD

    Specifies the user’s current password.

    USERID

    Specifies the user ID.

  1. LANGINUSE, NATLANG and NATLANGINUSE are not supported.

  2. Only parsing is supported for ESMREASON, ESMRESP, LANGUAGECODE and OIDCARD.
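The following COBOL program is an added example and is not code from the OpenFrame manual or the OSC product. It signs a user on with SIGNON, tests the outcome through RESP/RESP2, scrubs the password field before doing anything else, and signs off at the end so that the terminal reverts to the DFLTUSER identity. The user ID, group ID and password literals are constructed sample values; RESP/RESP2 and SEND TEXT are standard CICS forms assumed to be honoured by OSC.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. SGNDEMO.
      *----------------------------------------------------------------
      * Added example (not from the OpenFrame manual): sign a user on
      * with SIGNON, test the outcome via RESP/RESP2, scrub the
      * password field, run under that identity, then SIGNOFF.
      * Assumptions: the user ID, group and password literals are
      * constructed sample values; RESP/RESP2 and SEND TEXT are
      * standard CICS forms assumed to be honoured by OSC.
      *----------------------------------------------------------------
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-USERID        PIC X(8)  VALUE 'OPERATOR'.
       01  WS-GROUPID       PIC X(8)  VALUE 'TELLERS '.
       01  WS-PASSWORD      PIC X(8)  VALUE SPACES.
       01  WS-RESP          PIC S9(8) COMP VALUE 0.
       01  WS-RESP2         PIC S9(8) COMP VALUE 0.
       01  WS-MSG           PIC X(40) VALUE SPACES.
       01  WS-MSG-LEN       PIC S9(4) COMP VALUE 40.
       PROCEDURE DIVISION.
       MAIN-PARA.
      *    In a real program the password arrives from the terminal
      *    (for example via RECEIVE MAP); this literal is a constructed
      *    sample value.
           MOVE 'SECRET01' TO WS-PASSWORD.

           EXEC CICS SIGNON
                USERID(WS-USERID)
                PASSWORD(WS-PASSWORD)
                GROUPID(WS-GROUPID)
                RESP(WS-RESP)
                RESP2(WS-RESP2)
           END-EXEC.

      *    Overwrite the password immediately, whatever the outcome,
      *    so it cannot surface in a transaction dump or trace.
           MOVE SPACES TO WS-PASSWORD.

           EVALUATE WS-RESP
               WHEN DFHRESP(NORMAL)
                   MOVE 'SIGNON ACCEPTED' TO WS-MSG
               WHEN DFHRESP(NOTAUTH)
      *            RESP2 says why: wrong password, revoked user,
      *            expired password, user not in GROUPID, and so on.
                   MOVE 'SIGNON REJECTED BY TACF' TO WS-MSG
               WHEN DFHRESP(USERIDERR)
                   MOVE 'USER ID NOT DEFINED' TO WS-MSG
               WHEN OTHER
                   MOVE 'SIGNON FAILED' TO WS-MSG
           END-EVALUATE.

           EXEC CICS SEND TEXT
                FROM(WS-MSG)
                LENGTH(WS-MSG-LEN)
                ERASE
           END-EXEC.

      *    Never continue as if signed on after a failure: the
      *    terminal is still running under the DFLTUSER identity.
           IF WS-RESP NOT = DFHRESP(NORMAL)
               EXEC CICS RETURN END-EXEC
           END-IF.

      *    ... transaction work performed under WS-USERID goes here ...

      *    SIGNOFF drops the identity and puts the terminal back
      *    under DFLTUSER.
           EXEC CICS SIGNOFF
                RESP(WS-RESP)
           END-EXEC.

           EXEC CICS RETURN END-EXEC.
```

The two points worth copying are the unconditional MOVE SPACES to the password field right after the command returns, and the explicit RETURN on any non-NORMAL response: a program that falls through after a failed SIGNON keeps running, but under the default user rather than the one it believes it authenticated.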

4. User Password Process

In the OSC system, passwords can be modified or verified by a process that is separate from user authentication.

User Password Process Commands

The following is a list of user password process commands. For more information about each command, refer to the respective section.

Command Description

CHANGE PASSWORD

Changes a user’s password.

VERIFY PASSWORD

Compares the specified password with the user’s password.

4.1. CHANGE PASSWORD

Changes a user's password. The user must supply the current password in order to change it. To avoid divulging password information, the values in the PASSWORD and NEWPASSWORD fields must be cleared (for example, overwritten with spaces) as soon as CHANGE PASSWORD returns.

  • Syntax

    EXEC CICS CHANGE PASSWORD [option …] END-EXEC.
  • Options

    Option Description

    NEWPASSWORD

    Specifies the new password.

    PASSWORD

    Specifies the current password.

    USERID

    Specifies the user ID associated with the password to be changed.

    Only parsing is supported for ESMREASON and ESMRESP.

4.2. VERIFY PASSWORD

Checks a specified password against the password stored for a user. If the passwords match, security information for the user can be retrieved through the options below. To avoid divulging password information, the value in the PASSWORD field must be cleared (for example, overwritten with spaces) as soon as VERIFY PASSWORD returns.

  • Syntax

    EXEC CICS VERIFY PASSWORD [option …] END-EXEC.
  • Options

    Option Description

    CHANGETIME

    Returns the last time that the password was changed, in ABSTIME format.

    DAYSLEFT

    Returns the amount of time remaining before the password expires.

    EXPIRYTIME

    Returns the password expiration date in ABSTIME format.

    INVALIDCOUNT

    Returns the number of times that the password was incorrectly entered.

    LASTUSETIME

    Returns the last access time by the specified user, in ABSTIME format.

    PASSWORD

    Specifies the password to verify.

    USERID

    Specifies the user ID associated with the password to be verified.

    Only parsing is supported for ESMREASON and ESMRESP.
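The following COBOL program is an added example and is not code from the OpenFrame manual or the OSC product. It covers both commands in this section: it runs VERIFY PASSWORD to check a credential and read back the password-ageing fields, changes the password with CHANGE PASSWORD when it is close to expiry, and scrubs both password fields afterwards. The user ID and password literals are constructed sample values, the 7-day rotation threshold is an arbitrary policy chosen for the example, and RESP/RESP2 and FORMATTIME are standard CICS forms assumed to be honoured by OSC.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. PSWDEMO.
      *----------------------------------------------------------------
      * Added example (not from the OpenFrame manual): verify a user's
      * password, read the expiry data that VERIFY PASSWORD returns,
      * change the password if it is about to expire, and scrub both
      * password fields afterwards.
      * Assumptions: user ID and password literals are constructed
      * sample values; the 7-day threshold is an arbitrary policy
      * chosen for the example; RESP/RESP2 and FORMATTIME are standard
      * CICS forms assumed to be honoured by OSC.
      *----------------------------------------------------------------
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-USERID        PIC X(8)   VALUE 'OPERATOR'.
       01  WS-PASSWORD      PIC X(8)   VALUE SPACES.
       01  WS-NEWPASS       PIC X(8)   VALUE SPACES.
      *    ABSTIME values are 8-byte packed decimals.
       01  WS-CHGTIME       PIC S9(15) COMP-3.
       01  WS-EXPTIME       PIC S9(15) COMP-3.
       01  WS-LASTUSE       PIC S9(15) COMP-3.
       01  WS-DAYSLEFT      PIC S9(4)  COMP.
       01  WS-INVCOUNT      PIC S9(4)  COMP.
       01  WS-EXPDATE       PIC X(10)  VALUE SPACES.
       01  WS-RESP          PIC S9(8)  COMP VALUE 0.
       01  WS-RESP2         PIC S9(8)  COMP VALUE 0.
       PROCEDURE DIVISION.
       MAIN-PARA.
      *    Constructed sample credentials; real ones come from the
      *    terminal.
           MOVE 'SECRET01' TO WS-PASSWORD.
           MOVE 'NXTPW234' TO WS-NEWPASS.

      *    VERIFY PASSWORD checks the credential and returns the
      *    password-ageing data without signing the user on.
           EXEC CICS VERIFY PASSWORD
                USERID(WS-USERID)
                PASSWORD(WS-PASSWORD)
                CHANGETIME(WS-CHGTIME)
                DAYSLEFT(WS-DAYSLEFT)
                EXPIRYTIME(WS-EXPTIME)
                INVALIDCOUNT(WS-INVCOUNT)
                LASTUSETIME(WS-LASTUSE)
                RESP(WS-RESP)
                RESP2(WS-RESP2)
           END-EXEC.

           IF WS-RESP NOT = DFHRESP(NORMAL)
      *        Wrong password, revoked or unknown user: scrub and stop.
      *        A failed VERIFY may count against INVALIDCOUNT just as
      *        a failed SIGNON does, so never retry in a loop.
               PERFORM SCRUB-SECRETS
               EXEC CICS RETURN END-EXEC
           END-IF.

      *    Render EXPIRYTIME (ABSTIME) as YYYY-MM-DD for a message.
           EXEC CICS FORMATTIME
                ABSTIME(WS-EXPTIME)
                YYYYMMDD(WS-EXPDATE)
                DATESEP('-')
           END-EXEC.

      *    Example policy: rotate when 7 or fewer days remain.
           IF WS-DAYSLEFT >= 0 AND WS-DAYSLEFT <= 7
               EXEC CICS CHANGE PASSWORD
                    USERID(WS-USERID)
                    PASSWORD(WS-PASSWORD)
                    NEWPASSWORD(WS-NEWPASS)
                    RESP(WS-RESP)
                    RESP2(WS-RESP2)
               END-EXEC
      *        NOTAUTH here means TACF rejected the new value
      *        (history, length or composition rules); RESP2 says which.
           END-IF.

           PERFORM SCRUB-SECRETS.
           EXEC CICS RETURN END-EXEC.

       SCRUB-SECRETS.
      *    Clear both password fields so they never outlive the command.
           MOVE SPACES TO WS-PASSWORD
                          WS-NEWPASS.
```

Routing every exit through SCRUB-SECRETS is the practical way to honour the "must be cleared" rule above: the fields are wiped on the failure path and on the success path alike, and a later ABEND dump of working storage shows only spaces.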

5. User Authorization Process

Authentication establishes a user's identity to the OSC system; it does not by itself grant access to anything. To access resources on the system, the user must be registered in TACF with the proper authorization. Verification of a user's authorization is done by the user authorization process.

User Authorization Process Command

The following is the user authorization process command. For more information about the command, refer to the respective section.

Command Description

QUERY SECURITY

Checks a signed-on user’s authorization to access a specific resource.

5.1. QUERY SECURITY

Checks a signed-on user’s authorization to access a specific resource. It can be used for user-defined resource classes as well as the default resource classes provided by TACF.

  • Syntax

    EXEC CICS QUERY SECURITY [option …] END-EXEC.
  • Options

    Option Description

    RESTYPE

    Specifies the type of resource to be checked. Only TRANSATTACH is supported. To use RESTYPE, set the VALUE of the SEC key to YES, in the SAF section from the osc.{servername} subject under OpenFrame Configuration.

    RESCLASS

    Specifies the class of resource to be checked.

    RESIDLENGTH

    Specifies the length of resource name in RESID. This option must be used when RESCLASS is specified.

    RESID

    Specifies the name of the resource to be checked.

    READ

    Returns a CVDA value that indicates whether or not the user has READ authorization for the resource.

    UPDATE

    Returns a CVDA value that indicates whether or not the user has UPDATE authorization for the resource.

    CONTROL

    Returns a CVDA value that indicates whether or not the user has CONTROL authorization for the resource.

    ALTER

    Returns a CVDA value that indicates whether or not the user has ALTER authorization for the resource.

    LOGMESSAGE

    Specifies, as a CVDA value of either LOG or NOLOG, whether a failed check is recorded as a security violation.

    NOLOG

    Suppresses security violation messages for this check. It can be used instead of LOGMESSAGE(NOLOG).

    LOG

    Allows security violation messages to be issued for this check. It can be used instead of LOGMESSAGE(LOG).

For more information about how to configure the osc.{servername} subject, refer to OpenFrame Configuration Guide.
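The following COBOL program is an added example and is not code from the OpenFrame manual or the OSC product. It issues QUERY SECURITY twice: once with RESTYPE to ask whether the signed-on user may attach a transaction, and once with RESCLASS/RESIDLENGTH against a user-defined resource class, then branches on the CVDA values returned in READ and UPDATE. The transaction ID 'PAYR', the class name 'APPLDATA' and the resource name 'PAYROLL.SALARY.FILE' are constructed sample names; RESP/RESP2 are standard CICS forms assumed to be honoured by OSC, and the RESTYPE check assumes SEC=YES in the SAF section.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. QSECDEMO.
      *----------------------------------------------------------------
      * Added example (not from the OpenFrame manual): ask TACF, via
      * QUERY SECURITY, whether the signed-on user may attach a
      * transaction (RESTYPE) and what access the user has to a
      * resource in a user-defined class (RESCLASS/RESIDLENGTH), then
      * branch on the returned CVDA values.
      * Assumptions: transaction 'PAYR', class 'APPLDATA' and resource
      * name 'PAYROLL.SALARY.FILE' are constructed sample names; the
      * RESTYPE check needs SEC=YES in the SAF section.
      *----------------------------------------------------------------
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-TRANID        PIC X(4)   VALUE 'PAYR'.
       01  WS-RESCLASS      PIC X(8)   VALUE 'APPLDATA'.
       01  WS-RESID         PIC X(19)  VALUE 'PAYROLL.SALARY.FILE'.
      *    RESIDLENGTH must equal the length of the name in RESID.
       01  WS-RESIDLEN      PIC S9(8)  COMP VALUE 19.
       01  WS-READ          PIC S9(8)  COMP VALUE 0.
       01  WS-UPDATE        PIC S9(8)  COMP VALUE 0.
       01  WS-RESP          PIC S9(8)  COMP VALUE 0.
       01  WS-RESP2         PIC S9(8)  COMP VALUE 0.
       01  WS-ACTION        PIC X(20)  VALUE SPACES.
       PROCEDURE DIVISION.
       MAIN-PARA.
      *    1. Transaction-attach check. NOLOG keeps a "no" answer from
      *       being recorded as a security violation, which is what
      *       you want when the program is only deciding what to show.
           EXEC CICS QUERY SECURITY
                RESTYPE('TRANSATTACH')
                RESID(WS-TRANID)
                READ(WS-READ)
                NOLOG
                RESP(WS-RESP)
                RESP2(WS-RESP2)
           END-EXEC.

           IF WS-RESP = DFHRESP(NORMAL)
              AND WS-READ = DFHVALUE(READABLE)
               MOVE 'OFFER PAYR' TO WS-ACTION
           ELSE
               MOVE 'HIDE PAYR' TO WS-ACTION
           END-IF.

      *    2. User-defined resource class. RESIDLENGTH is mandatory
      *       with RESCLASS. The default LOGMESSAGE(LOG) applies here,
      *       so a denial is logged like any other violation.
           EXEC CICS QUERY SECURITY
                RESCLASS(WS-RESCLASS)
                RESID(WS-RESID)
                RESIDLENGTH(WS-RESIDLEN)
                READ(WS-READ)
                UPDATE(WS-UPDATE)
                RESP(WS-RESP)
                RESP2(WS-RESP2)
           END-EXEC.

           EVALUATE TRUE
               WHEN WS-RESP = DFHRESP(NOTFND)
      *            Class or resource profile not defined in TACF:
      *            treat as denied, never as "no rule, so allow".
                   MOVE 'DENY (UNDEFINED)' TO WS-ACTION
               WHEN WS-RESP NOT = DFHRESP(NORMAL)
                   MOVE 'DENY (ERROR)' TO WS-ACTION
               WHEN WS-UPDATE = DFHVALUE(UPDATABLE)
                   MOVE 'ALLOW READ/WRITE' TO WS-ACTION
               WHEN WS-READ = DFHVALUE(READABLE)
                   MOVE 'ALLOW READ ONLY' TO WS-ACTION
               WHEN OTHER
                   MOVE 'DENY' TO WS-ACTION
           END-EVALUATE.

      *    WS-ACTION now drives the application's own decision;
      *    QUERY SECURITY itself grants nothing.
           EXEC CICS RETURN END-EXEC.
```

Two caveats the options table does not spell out: QUERY SECURITY only reports what TACF would decide, so the application must still enforce that answer itself, and an undefined class or resource (NOTFND) should be treated as a denial rather than as the absence of a restriction.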