CICS provides two system transactions for authentication purposes:
ARTTCP implements a similar authentication function leveraging Tuxedo's security mechanisms. Two Tuxedo system services CESN and CESF are provided by CICS Runtime to emulate the CESN and CESF transactions in CICS.
When a terminal connects to ARTTCP, ARTTCP creates a 3270 session and the session joins Tuxedo with the default security profile. The user name defined in the default security profile has a role similar to that of the CICS default user CICSUSER. The authentication process is then as follows:
ARTTCP supports three types of Tuxedo security mechanisms: application password (APP_PW), user-level authentication (USER_AUTH), and access control list (ACL and MANDATORY_ACL).
The application password security mechanism requires that every client provide an application password as part of the process of joining the Tuxedo ATMI application. The administrator defines a single password for the entire Tuxedo ATMI application and gives the password only to authorized users. For more information on how to configure the Tuxedo application password, please refer to the Tuxedo documentation.
The user-level authentication security mechanism requires that, in addition to the application password, each client provide a valid username and password to join the Tuxedo ATMI application. The per-user password must match the password associated with the user name stored in a file named tpusr. The client name is not used. The checking of the per-user password against the password and user name in tpusr is carried out by the Tuxedo authentication service AUTHSVC, which is provided by the Tuxedo authentication server AUTHSVR. For more information on how to configure Tuxedo user-level authentication, please refer to the Tuxedo documentation.
When Tuxedo security is enabled, a default security profile, which includes the default USER_AUTH username and password and/or the APP_PW password, is required to allow users to join the Tuxedo domain before calling the CESN service. A security profile generator tool is provided to generate the default security profile. Please refer to Security Profile Generator for details.
In the case of APP_PW, the Tuxedo application password must be created in the Tuxedo configuration.
In the case of USER_AUTH, the Tuxedo application password and a Tuxedo username and password must be created in the Tuxedo configuration.
In both cases, the password (and the username for USER_AUTH) must be specified in the default security profile file that is passed in the command line option (-p profile-name) of the Tuxedo ARTTCPL server. The password (and the username for USER_AUTH) is used as a parameter of tpinit() when the ARTTCP server joins Tuxedo.
CICS Runtime offers a security framework which allows a customer to choose integration with an external security manager. The Tuxedo application key (appkey) is used as the credential passed to the external security manager. The appkey is 32 bits long: the Tuxedo user identifier occupies the low-order 17 bits, the Tuxedo group identifier the next 14 bits, and the high-order bit is reserved for administrative keys. For more information, please refer to the Tuxedo documentation.
appkey is passed in
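The bit layout above is easy to get wrong when an external security manager integration reads the appkey, so the following added example (not part of CICS Runtime or the Tuxedo documentation) packs and unpacks a 32-bit appkey according to that layout. The field names, the helper functions and the sample identifiers are constructed for illustration; the only facts taken from the page are the widths of the three fields. The range check exists because a user identifier wider than 17 bits would otherwise spill into the group bits and be interpreted as a different group.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of the 32-bit Tuxedo appkey as described above:
 * bits 0-16  (17 bits): Tuxedo user identifier
 * bits 17-30 (14 bits): Tuxedo group identifier
 * bit  31             : reserved for administrative keys */
#define APPKEY_UID_BITS  17u
#define APPKEY_GID_BITS  14u
#define APPKEY_UID_MASK  ((1u << APPKEY_UID_BITS) - 1u)   /* 0x0001FFFF */
#define APPKEY_GID_MASK  ((1u << APPKEY_GID_BITS) - 1u)   /* 0x00003FFF */
#define APPKEY_ADMIN_BIT (1u << 31)

/* Returns 1 when uid and gid each fit in their field, 0 otherwise.
 * Check this before packing: an out-of-range uid would otherwise be
 * truncated and the key would describe a different principal. */
int appkey_fields_fit(uint32_t uid, uint32_t gid) {
    return uid <= APPKEY_UID_MASK && gid <= APPKEY_GID_MASK;
}

/* Builds an appkey; inputs are masked so the fields can never overlap. */
uint32_t appkey_pack(uint32_t uid, uint32_t gid, int is_admin) {
    uint32_t key = (uid & APPKEY_UID_MASK) |
                   ((gid & APPKEY_GID_MASK) << APPKEY_UID_BITS);
    if (is_admin)
        key |= APPKEY_ADMIN_BIT;
    return key;
}

/* Field extractors an external security manager integration would use. */
uint32_t appkey_uid(uint32_t key)      { return key & APPKEY_UID_MASK; }
uint32_t appkey_gid(uint32_t key)      { return (key >> APPKEY_UID_BITS) & APPKEY_GID_MASK; }
int      appkey_is_admin(uint32_t key) { return (key & APPKEY_ADMIN_BIT) != 0; }

/* Prints the decoded fields for a key (constructed sample values in main). */
void appkey_describe(uint32_t key) {
    printf("appkey 0x%08" PRIX32 " -> uid=%" PRIu32 " gid=%" PRIu32 " admin=%s\n",
           key, appkey_uid(key), appkey_gid(key),
           appkey_is_admin(key) ? "yes" : "no");
}

int main(void) {
    uint32_t key = appkey_pack(5, 3, 0);      /* uid 5, gid 3, not administrative */
    appkey_describe(key);                     /* appkey 0x00060005 -> uid=5 gid=3 admin=no */
    appkey_describe(appkey_pack(5, 3, 1));    /* same principal with the admin bit set */
    if (!appkey_fields_fit(1u << APPKEY_UID_BITS, 0))
        printf("uid %" PRIu32 " does not fit in %" PRIu32 " bits\n",
               (uint32_t)(1u << APPKEY_UID_BITS), (uint32_t)APPKEY_UID_BITS);
    return 0;
}
```

Because the user identifier sits in the low-order bits, a packed key can be read back field by field without any knowledge of the originating server; an integration should still treat a set high-order bit as an administrative key rather than as part of the group identifier.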
An authorization function is available for customization by the integration team. This function is called by CICS Runtime each time resource authorization must be checked for a given resource.
A default function that always returns an OK status is provided. It can be replaced by a project-specific version by the integration team for a project where CICS resource authorization must be activated in addition to transaction authorization.
01 ret-code usage int.          *> return code: 0 = access permitted
01 AUTH-USERID PIC X(30).       *> user identifier of the caller
01 AUTH-GROUPID PIC X(256).     *> group identifier of the caller
01 AUTH-RSRCE-TYPE PIC X(256).  *> resource type code (XTST, XFCT, ...)
01 AUTH-RSRCE-NAME PIC X(512).  *> name of the resource being checked
01 AUTH-ACCESS-TYPE PIC X(6).   *> type of access requested
PROCEDURE DIVISION USING LK-AUTH-USERID LK-AUTH-GROUPID
AUTH-RSRCE-TYPE: type of resource being checked (see Codification).
The resource types are codified as in a native CICS/RACF environment: XTST for Temporary Storage resources, XFCT for files, and so on. See the native CICS documentation for more information. The default version of this function provided with CICS Runtime always returns 0.
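To make the contract of the authorization function concrete, the following added example (not code from CICS Runtime) implements both the shipped behaviour and a project-specific replacement in C, taking the same five inputs as the COBOL interface above (user id, group id, resource type, resource name, access type) and returning 0 for "permitted". It uses NUL-terminated C strings where the COBOL interface uses fixed-width, space-padded PIC X fields. The resource type codes XFCT and XTST are from the page; the group names, resource names, the access-type strings "READ" and "UPDATE", the non-zero denial code and the rule table are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_OK     0   /* 0 = access permitted; what the default function always returns */
#define AUTH_DENIED 1   /* non-zero = access denied (assumed convention for the project version) */

/* One entry of a project-specific rule table. Resource type codes follow the
 * CICS/RACF codification (XFCT = files, XTST = temporary storage). Group
 * names, resource names and the access-type strings are constructed samples.
 * "*" matches any value. */
typedef struct {
    const char *groupid;
    const char *rsrce_type;
    const char *rsrce_name;
    const char *access_type;
} auth_rule;

static const auth_rule rules[] = {
    { "PAYROLL", "XFCT", "PAYFILE", "UPDATE" },
    { "PAYROLL", "XFCT", "PAYFILE", "READ"   },
    { "AUDIT",   "XFCT", "PAYFILE", "READ"   },
    { "*",       "XTST", "*",       "READ"   },
};

static int matches(const char *pattern, const char *value) {
    return strcmp(pattern, "*") == 0 || strcmp(pattern, value) == 0;
}

/* Same behaviour as the default function shipped with CICS Runtime: every
 * request is permitted, so only transaction-level authorization applies. */
int auth_default(const char *userid, const char *groupid, const char *rsrce_type,
                 const char *rsrce_name, const char *access_type) {
    (void)userid; (void)groupid; (void)rsrce_type; (void)rsrce_name; (void)access_type;
    return AUTH_OK;
}

/* Project version: deny by default, permit only when an explicit rule matches
 * the caller's group, the resource type, the resource name and the access
 * type, and write an audit line for every denial so failed checks are visible. */
int auth_project(const char *userid, const char *groupid, const char *rsrce_type,
                 const char *rsrce_name, const char *access_type) {
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (matches(rules[i].groupid, groupid) &&
            strcmp(rules[i].rsrce_type, rsrce_type) == 0 &&
            matches(rules[i].rsrce_name, rsrce_name) &&
            strcmp(rules[i].access_type, access_type) == 0)
            return AUTH_OK;
    }
    fprintf(stderr, "AUTH DENIED user=%s group=%s type=%s name=%s access=%s\n",
            userid, groupid, rsrce_type, rsrce_name, access_type);
    return AUTH_DENIED;
}

int main(void) {
    /* constructed sample requests */
    printf("default: %d\n", auth_default("USER01", "AUDIT", "XFCT", "PAYFILE", "UPDATE"));  /* 0 */
    printf("project: %d\n", auth_project("USER01", "AUDIT", "XFCT", "PAYFILE", "UPDATE"));  /* 1 */
    printf("project: %d\n", auth_project("USER01", "AUDIT", "XFCT", "PAYFILE", "READ"));    /* 0 */
    printf("project: %d\n", auth_project("USER02", "OTHER", "XTST", "TSQ001",  "READ"));    /* 0 */
    return 0;
}
```

The point of the project version is that resource authorization is additive to transaction authorization: a user who is allowed to run a transaction is still denied a file update unless a rule grants it, and every denial leaves an audit record.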
TDI_TRIGGER -t Transaction_Name [-p <profile>];
genappprofile. When not provided it defaults to
When Tuxedo security is enabled, a default security profile, which includes the APP_PW password and the default USER_AUTH username and password, is required to allow the user to join the Tuxedo domain before calling the CESN service.
A security profile generator tool is provided to generate the default security profile for TCP.
genappprofile — Security Profile Generator
genappprofile [-f <output_file>]
This utility generates the security profile for Tuxedo applications. When the utility is launched, you are prompted to enter the Tuxedo application password, user name and user password. The output is a security profile file which contains the user name and encrypted passwords. The generated security profile file can be used by the CICS Runtime ARTTCPL server to log in to the Tuxedo domain.
The command option is: