CICS Essentials: Auditing CICS – A Beginner’s Guide

Total Pages: 16

File Type: pdf, Size: 1020 Kb

CICS Essentials: Auditing CICS – A Beginner’s Guide
Julie-Ann Williams, Mike Cairns, Martin Underwood, Craig Warren

Foreword by Brian Cummings

A thorough Audit Guide for CICS is something that is long overdue. This document provides a wealth of information about CICS, its operations, and its various resources and capabilities, along with audit guidelines and recommendations. Various documents on AuditNet and other sources have taken a stab at parts or all of CICS, but are likely not up to date or sufficiently complete. CICS largely remains an environment that holds its mysteries against auditors and security officers alike. The results of poor understanding can lead to dangerous levels of unidentified risk to the applications and sensitive information of entities that use the power of CICS for critical business applications.

Unlike any other environment, CICS security implementations fail in the first place because all of the security control is often only focused on transactions. Transactions are many levels of resources removed from the data files and databases they query or update. In the end, we see the greatest level of security established for the least sophisticated technical users – end business users – and the least security facing the most technically sophisticated – the CICS sub-system programmer and the CICS application programmer. For example, it is typical to leave FCT resources unsecured and to allow the CICS regions to have total rights to the data sets they access. This condition gives sub-system and application programmers full rein to use CICS utilities to inherit the CICS regions’ authorities and gain full access to freely browse and update data. Worse, such activity would take place well beneath the business and process internal controls established to assure the integrity of the data.

There are many other security failures prevalent in CICS security implementations, such as: empowering the CICS region default userid; running all CICS sub-systems and regions under the same user account or group, thus failing to achieve a separation of function across business applications; and inadequate protection of high-risk CICS system-supplied transactions.

I learned a great deal by reading this document, and will value it as a handy reference for my CICS security implementation and audit activities. I’m certain that you will find it equally useful, and possibly disturbing. As a peer professional so well said: when I realize that I don’t know something that is important to me, job one becomes to learn what I need to know. This document is a great start.

Brian V. Cummings
Practice Lead, IRM Advisory Services
Tata Consultancy Services North America

by Mike Cairns

I was invited into this project late in its development, and asked to contribute some of my previously published articles on the subject of CICS security. When I was publishing online articles about CICS, the writing was limited to well under 2000 words to fit inside publishing limitations. With this book, though, we see at last a larger format where subjects can be explained in more depth and detail than I could in my earlier work. It’s been a delight to be able to help a dedicated team of writers complete this comprehensive introduction to auditing CICS. My contributions have been small: some old articles, and a bit of editing. The chance to re-write my old articles, and try to clarify the parts I now considered weak, was the best part of this project personally for me. But for the group, I have to congratulate Julie-Ann, Martin and Craig for creating the first detailed work on CICS audit that I know of. It’s a complex topic, and needs a book of this length to do it justice.

We hope that all auditors, when faced with a z/OS audit, will find our contribution useful, and we look forward to providing future assistance with similar publications.

Mike Cairns – August 2009

Table of Contents

About this Book ... 1
About the Book’s Sponsor ... 1
About the Author(s) ... 1
About You ... 2
Icons Used in this Book ... 2
More Detailed Technical Information ... 3
Introduction to CICS Audit Requirements ... 5
What is CICS? ... 5
How is CICS used? ... 6
Databases and CICS ... 7
Networks and CICS ... 7
External Security Control and CICS ... 8
What types of risk need to be considered when auditing CICS? ... 11
z/OS elements ... 11
DB2 elements ... 12
Networking elements ... 13
Auditing CICS 101 ... 14
Auditing CICS – A Beginner’s Guide ... 15
Where to look and what to look for ... 15
Job Control ... 15
Associated Userid ... 17
Datasets ... 17
STEPLIB/STEPCAT ... 18
Journals and Logs ... 18
Dynamic Transaction Backout ... 19
Recovery after a system abnormally terminates ... 19
CSD ... 19
System Initialization Parameters ... 20
Override Parameter Settings ... 20
SIT Settings ... 20
CMDSEC ... 21
CONFDATA ... 21
CONFTXT ... 21
DFLTUSER ... 22
EJBROLEPRFX ... 22
ENCRYPTION ... 22
ESMEXITS ... 22
GMTRAN ... 22
KEYRING ... 23
PLTPIUSR ... 23
PLTPISEC ... 23
PSBCHK ... 24
RESSEC ... 24
SEC ... 24
SECPRFX ... 24
SECPREFIXID ... 25
SNSCOPE ... 25
TCPIP ... 26
USRDELAY ... 26
XAPPC ... 26
XCMD ... 27
XDB2 ... 29
XDCT ... 29
XEJB ... 30
XFCT ... 31
XHFS ... 31
XJCT ... 32
XPCT ... 33
XPPT ... 33
XPSB ...
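The foreword names the failures an auditor looks for first: FCT resources left unsecured, a region default userid that carries real authority, and every region running under one userid. The contents list the SIT parameters (SEC, DFLTUSER, XFCT, XCMD and the other Xxxx switches, CMDSEC, RESSEC, PLTPISEC) where most of that is decided. The Python script below is an added example, not code from the book or from IBM: it parses a SYSIN-style SIT override listing and reports those settings, and separately flags region userids shared by more than one APPLID. The parameter names and defaults follow IBM's CICS TS documentation as I recall them (XDB2 and XAPPC default to NO, the other Xxxx switches to YES); the sample override member, the APPLID-to-userid map and the severity labels are constructed for the example.

```python
"""Audit the security-relevant SIT parameters of a CICS region.

Added example for this page, not code from the book or from IBM. It parses
a SYSIN-style SIT override listing and reports the settings behind the
failures the foreword lists: resource classes unsecured (Xxxx=NO), the IBM
default userid left in place, and regions sharing one userid. Defaults follow
the CICS TS documentation as I recall them; verify them for the level you
audit. All sample data is constructed.
"""
import re
from dataclasses import dataclass

# Xxxx parameters: (IBM default, what the check protects). YES checks with
# the default ESM class, NO skips the check, any other value names a class.
RESOURCE_CLASSES = {
    "XTRAN": ("YES", "transaction attach (who may run a transaction)"),
    "XFCT":  ("YES", "file control: VSAM files and data tables"),
    "XCMD":  ("YES", "SP commands (EXEC CICS SET, PERFORM, INQUIRE ...)"),
    "XPCT":  ("YES", "started transactions (EXEC CICS START)"),
    "XPPT":  ("YES", "program control (LINK, XCTL, LOAD)"),
    "XDCT":  ("YES", "transient data queues"),
    "XDB2":  ("NO",  "DB2ENTRY resources"),
    "XAPPC": ("NO",  "APPC session (bind) security"),
    "XUSER": ("YES", "surrogate user checking"),
}

SAMPLE_SIT = """\
* Constructed SYSIN override member, not from a real region
SIT=6$,APPLID=CICSPRD1,
SEC=YES,SECPRFX=NO,DFLTUSER=CICSUSER,
XTRAN=YES,XFCT=NO,XCMD=NO,XPCT=YES,XPPT=YES,XDCT=YES,XDB2=NO,XUSER=YES,
CMDSEC=ASIS,RESSEC=ASIS,PLTPISEC=NONE,PLTPIUSR=CICSPRD1,
.END
"""
# Constructed: APPLID -> userid the region's started task runs under; this
# comes from the ESM (e.g. the STARTED class), not from the SIT.
SAMPLE_REGION_USERS = {"CICSPRD1": "CICSSTC", "CICSPRD2": "CICSSTC",
                       "CICSTST1": "CICSTST"}

_PAIR = re.compile(r"([A-Z0-9]+)=(\([^)]*\)|[^,\s]*)")

@dataclass
class Finding:
    severity: str    # HIGH, MEDIUM or INFO
    parameter: str
    value: str
    message: str

def parse_sit_overrides(text: str) -> dict[str, str]:
    """Return the KEYWORD=VALUE pairs of a SYSIN-style SIT override listing."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        if line == ".END":
            break
        for key, value in _PAIR.findall(line):
            params[key] = value.strip("()").upper()   # GRPLIST=(A,B) -> A,B
    return params

def audit_sit(params: dict[str, str]) -> list[Finding]:
    """Evaluate parsed SIT parameters against the failures the foreword lists."""
    findings: list[Finding] = []
    sec = params.get("SEC", "YES")
    if sec != "YES":  # the ESM is never called, so nothing else matters
        return [Finding("HIGH", "SEC", sec, "external security manager not used")]
    for name, (default, protects) in RESOURCE_CLASSES.items():
        explicit = name in params
        if params.get(name, default) == "NO":
            findings.append(Finding("HIGH" if explicit else "MEDIUM", name, "NO",
                            ("set to NO" if explicit else "defaults to NO")
                            + f": no ESM check for {protects}"))
    if params.get("DFLTUSER", "CICSUSER") == "CICSUSER":
        findings.append(Finding("MEDIUM", "DFLTUSER", "CICSUSER",
                        "IBM-shipped default userid; confirm it holds minimal ESM authority"))
    if params.get("SECPRFX", "NO") == "NO":
        findings.append(Finding("INFO", "SECPRFX", "NO",
                        "profiles not prefixed with the region userid; regions share one namespace"))
    for name in ("CMDSEC", "RESSEC"):
        if params.get(name, "ASIS") == "ASIS":
            findings.append(Finding("INFO", name, "ASIS",
                            "checking depends on each TRANSACTION definition in the CSD"))
    if params.get("PLTPISEC", "NONE") == "NONE":
        findings.append(Finding("INFO", "PLTPISEC", "NONE",
                        f"PLT programs run as {params.get('PLTPIUSR', 'the region userid')} unchecked"))
    return findings

def shared_region_userids(region_users: dict[str, str]) -> dict[str, list[str]]:
    """Return userids that more than one region runs under (APPLIDs sorted)."""
    by_user: dict[str, list[str]] = {}
    for applid, user in region_users.items():
        by_user.setdefault(user.upper(), []).append(applid)
    return {u: sorted(a) for u, a in by_user.items() if len(a) > 1}

if __name__ == "__main__":
    for f in audit_sit(parse_sit_overrides(SAMPLE_SIT)):
        print(f"{f.severity:6} {f.parameter:8} {f.message}")
    for user, applids in shared_region_userids(SAMPLE_REGION_USERS).items():
        print(f"HIGH   region userid {user} shared by {', '.join(applids)}")
```

Run it against the override member of each region and feed it the started-task userids from the ESM, which the SIT does not record. A clean SIT is necessary but not sufficient: with RESSEC=ASIS and CMDSEC=ASIS the per-transaction attributes in the CSD decide whether resource and command checks run at all, and the data set access the foreword describes is granted to the region userid in the ESM, outside anything the SIT shows.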
Recommended publications
  • Cloud Enabling CICS
    Front cover Cloud Enabling IBM CICS Discover how to quickly cloud enable a traditional IBM 3270-COBOL-VSAM application Use CICS Explorer to develop and deploy a multi-versioned application Understand the benefits of threshold policy Rufus Credle Isabel Arnold Andrew Bates Michael Baylis Pradeep Gohil Christopher Hodgins Daniel Millwood Ian J Mitchell Catherine Moxey Geoffrey Pirie Inderpal Singh Stewart Smith Matthew Webster ibm.com/redbooks International Technical Support Organization Cloud Enabling IBM CICS December 2014 SG24-8114-00 Note: Before using this information and the product it supports, read the information in “Notices” on page vii. First Edition (December 2014) This edition applies to CICS Transaction Server for z/OS version 5.1, 3270-COBOL-VSAM application. © Copyright International Business Machines Corporation 2014. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . vii Trademarks . viii IBM Redbooks promotions . ix Preface . xi Authors. xii Now you can become a published author, too! . .xv Comments welcome. .xv Stay connected to IBM Redbooks . xvi Part 1. Introduction . 1 Chapter 1. Cloud enabling your CICS TS applications . 3 1.1 Did you know?. 4 1.2 Business value . 4 1.3 Solution overview . 5 1.4 Cloud computing in a CICS TS context. 6 1.5 Overview of the cloud-enabling technologies in CICS TS V5 . 11 1.5.1 Platform overview . 12 1.5.2 Application overview . 13 Chapter 2. GENAPP introduction. 15 2.1 CICS TS topology . 16 2.2 Application architecture. 17 2.2.1 GENAPP in a single managed region.
  • Syncsort for Z/VSE Programmer's Guide Release
    All rights reserved. This document contains proprietary and confidential material, and is only for use by licensees of the SyncSort for z/VSE proprietary software system. PROVEN performance SyncSort for z/VSE Programmer's Guide Release 3.7 SI-0328-G SyncSort is a registered trademark of Syncsort Incorporated 070809 © Syncsort Incorporated, 2009 All rights reserved. This document contains proprietary and confidential material, and is only for use by licensees of the SyncSort proprietary software system. This publication may not be reproduced in whole or in part, in any form, except with written permission from Syncsort Incorporated. SyncSort is a trademark of Syncsort Incorporated. All other company and product names used herein may be the trademarks of their respective companies. Table of Contents Summary of Changes . v Performance Improvements . v Data Utility Features. v Operating System . vi Messages. vi Chapter 1. Introduction . 1.1 An Introduction to SyncSort for z/VSE. 1.1 SyncSort’s Basic Functions . 1.1 SyncSort’s Data Utility and SortWriter Features . 1.2 Join Processing Sequence . 1.5 Sample SortWriter Report. 1.6 SyncSort’s Operational Features. 1.7 Structure of the Programmer’s Guide. 1.7 Related Reading. 1.9 Chapter 2. SyncSort Control Statements . 2.1 Control Statement Summary Chart . 2.3 Data Utility Processing Sequence. 2.17 Maximum Record Length Allowed . 2.23 Control Statement Examples . 2.25 Rules for Control Statements . 2.25 ALTSEQ Control Statement . 2.30 ANALYZE Control Statement. 2.32 DUPKEYS Control Statement . 2.33 Table of Contents i END Control Statement. 2.38 INCLUDE/OMIT Control Statement .
  • 13347 CICS Introduction and Overview
    CICS Introduction and Overview Ezriel Gross Circle Software Incorporated August 13th, 2013 (Tue) 4:30pm – 5:30pm Session 13347 Agenda What is CICS and Who Uses It Pseudo Conversational Programming CICS Application Services CICS Connectivity CICS Resource Definitions CICS Supplied Transactions CICS Web Services CICS The Product What is CICS? CICS is an online transaction processing system. Middleware between the operating system and business applications. Manages the user interface. Retrieves and modifies data. Handles the communication. CICS Customers Banks Mortgage Account Reconciliations Payroll Brokerage Houses Stock Trading Trade Clearing Human Resources Insurance Companies Policy Administration Accounts Receivables Claims Processing Batch Versus Online Programs The two ways to process input are batch and online. Batch requests are saved then processed sequentially. After all requests are processed the results are transmitted. Used for order entry processing such as warehouse applications. Online requests are received randomly and processed immediately. Results are transmitted as soon as they are available. Response time tends to be sub-second. Used for applications – such as: Credit Card Authorization. Transaction Processing Requirements Large volume of business transactions to be rapidly and accurately processed Multiple users, single/sysplex or distributed With potentially: – A huge number of users – Simultaneous access to data – A large volume of data residing in multiple database types – Intense security and data integrity controls necessary The access to the data is such that: – Each user has the perception of being the sole user of the system – A set of changes is guaranteed to be logically consistent. If a failure occurs, any intermediate results are undone before the system becomes available again – A completed set of changes is immediately visible to other users A Business Transaction A transaction has a 4-character id.
  • Introduction-To-Mainframes.Pdf
    Mainframe The term ‘MainFrame’ brings to mind a giant room of electronic parts that is a computer, referring to the original CPU cabinet in a computer of the mid-1960’s. Today, Mainframe refers to a class of ultra-reliable large and medium-scale servers designed for carrier-class and enterprise-class systems operations. Mainframes are costly, due to the support of symmetric multiprocessing (SMP) and dozens of central processors existing within a single system. Mainframes are highly scalable. Through the addition of clusters, high-speed caches and volumes of memory, they connect to terabyte-holding data subsystems. Mainframe computer Mainframe is a very large and expensive computer capable of supporting hundreds, or even thousands, of users simultaneously. In the hierarchy that starts with a simple microprocessor at the bottom and moves to supercomputers at the top, mainframes are just below supercomputers. In some ways, mainframes are more powerful than supercomputers because they support more simultaneous programs. But supercomputers can execute a single program faster than a mainframe. The distinction between small mainframes and minicomputers is vague, depending really on how the manufacturer wants to market its machines. Modern mainframe computers have abilities not so much defined by their single task computational speed (usually defined as MIPS — Millions of Instructions Per Second) as by their redundant internal engineering and resulting high reliability and security, extensive input-output facilities, strict backward compatibility with older software, and high utilization rates to support massive throughput. These machines often run for years without interruption, with repairs and hardware upgrades taking place during normal operation.
  • IBM Z Open Automation Utilities Provides New Services to Help Developers Work with IBM Z/OS Data Sets Directly from the Shell, Java, Or Python
    IBM United States Software Announcement 220-087, dated February 18, 2020 IBM Z Open Automation Utilities provides new services to help developers work with IBM z/OS data sets directly from the shell, Java, or Python Table of contents 1 Overview 3 Technical information 2 Key requirements 3 Ordering information 2 Planned availability date 5 Terms and conditions 2 Program number 9 Prices 2 Publications 9 Order now At a glance IBM Z(R) Open Automation Utilities helps z/OS(R) developers to automate tasks that access z/OS resources. It enables easier calling of z/OS utilities compared with JCL by providing a natural coding experience on UNIX System Services (USS) and interfaces in modern programming languages. Overview Job Control Language (JCL) has been used for a long time for performing or automating a set of steps on the IBM(R) z/OS operating system. Though JCL has evolved with the times, it is inevitably foreign to people familiar with environments such as Linux(R), UNIX, and Microsoft Windows. On z/OS, as an alternative to using JCL, developers can write scripts to automate tasks in the USS environment. Such scripts are easier to understand and to manage, and many open source tools are also available in USS. However, there is a gap in some cases, and z/OS developers have to fall back to submitting JCL jobs, which requires z/OS specific knowledge. In addition, JCL jobs are asynchronous, which means you must submit them to batch and wait for the result; thus, they do not fit in well with the rest of the script, which is typically synchronous.
  • 9228 Brown/JCL 01.K.Qxd 5/1/02 11:39 AM Page 1
    CHAPTER 1 INTRODUCTION 1.1 THE SHOCK OF JCL Your first use of JCL (Job Control Language) will be a shock. No doubt you have used personal computers costing $500 or $1,000 that had wonderfully human-engineered software, giving you an expectation of how easy it is to use a computer. Now, as you use a computer costing several million dollars, you may feel like a waif in a Dickens story standing in the shadow of a massive mainframe computer saying meekly, “Please, sir, may I run my job?” It will come as a shock that its software is not wonderfully human engineered. The hardware and software design of large IBM mainframe computers date back to the days when Kennedy was president. JCL is a language that may be older than you are. It was designed at a time when user-friendliness was not even a gleam in the eye of its designers. This is easily demonstrated by taking the simple task of copying a file and contrasting how it is done through JCL with how it is done on the most popular personal computer system, Windows. To copy a file with Windows, you left-click twice on the MY COMPUTER icon, left-click on the C: drive icon, left-click twice on the folder containing the file, and right-click on the file to copy. On the resulting menu, you click on COPY and then left-click twice on the folder into which you want the file copied.
  • CICS Transaction Server for OS/390 Installation Guide
    CICS® Transaction Server for OS/390® Installation Guide Release 3 GC33-1681-30 CICS® Transaction Server for OS/390® Installation Guide Release 3 GC33-1681-30 Note! Before using this information and the product it supports, be sure to read the general information under “Notices” on page xi. Third edition (June 1999) This edition applies to Release 3 of CICS Transaction Server for OS/390, program number 5655-147, and to all subsequent versions, releases, and modifications until otherwise indicated in new editions. Make sure you are using the correct edition for the level of the product. This edition replaces and makes obsolete the previous edition, SC33-1681-00. The technical changes for this edition are summarized under ″Summary of changes″ and are indicated by a vertical bar to the left of a change. Order publications through your IBM representative or the IBM branch office serving your locality. Publications are not stocked at the address given below. At the back of this publication is a page entitled “Sending your comments to IBM”. If you want to make comments, but the methods described are not available to you, please address them to: IBM United Kingdom Laboratories, Information Development, Mail Point 095, Hursley Park, Winchester, Hampshire, England, SO21 2JN. When you send information to IBM, you grant IBM a nonexclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you. © Copyright International Business Machines Corporation 1989, 1999. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
  • CA Datacom CICS Services Best Practices Guide
    CA Datacom® CICS Services Best Practices Guide Version 14.02 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the “Documentation”), is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA. Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT.
  • Enterprise PL/I for Z/OS V5.3 Compiler and Runtime Migration Guide Part 1
    Enterprise PL/I for z/OS Version 5 Release 3 Compiler and Run-Time Migration Guide IBM GC27-8930-02 Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page 181. Third Edition (September 2019) This edition applies to Version 5 Release 3 of Enterprise PL/I for z/OS, 5655-PL5, and to any subsequent releases until otherwise indicated in new editions or technical newsletters. Make sure you are using the correct edition for the level of the product. Order publications through your IBM representative or the IBM branch office serving your locality. Publications are not stocked at the address below. A form for readers' comments is provided at the back of this publication. If the form has been removed, address your comments to: IBM Corporation, Department H150/090 555 Bailey Ave San Jose, CA, 95141-1099 United States of America When you send information to IBM, you grant IBM a nonexclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you. Because IBM® Enterprise PL/I for z/OS® supports the continuous delivery (CD) model and publications are updated to document the features delivered under the CD model, it is a good idea to check for updates once every three months. © Copyright International Business Machines Corporation 1999, 2019. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents: Tables (xi), Figures (xiii), About this book (xv), Using your documentation ...
  • CICS System Services
    CICS System Services
    Mainframe CICS System Services, July 2021

    Rate Description | Rate FY22/FY23 | Debit Code
    CICS zIIP | $0.1780/CICS Unit | 5
    CICS zIIP | $0.1780/CICS Unit | 6

    All OCIO rates can be found at: https://cio.nebraska.gov/financial/serv-rates.html

    General Overview
    Customer Information Control System (CICS) System Services provide an interactive transaction-based processing environment to host business applications that are reliable, scalable, and secure. CICS features include:
    • Ability to process a high volume of transactions.
    • Ability to efficiently support event processing, dynamic scripting, web browser (HTML), and 3270 presentation of data.
    • Ability to access multiple types of data structures, such as relational databases, hierarchical databases (IMS), and VSAM data sets.
    • Ability to support other application features such as report printing, document imaging, application help functionality, and other z/OS automation capabilities.

    Service Details
    The service includes:
    • 24/7 CICS application and business event hosting with traditional 3270 and web browser presentation.
    • z/OS Enterprise mainframe security and protection for CICS application software, application data, and user security.
    • 24/7 Service Desk support. This includes ‘incident troubleshooting’ for CICS application environments.
    • Complete CICS application data backup and recovery services.
    • Complete CICS application disaster recovery facilities and services provided.
    • z/OS System automation available for unique CICS application mainframe requirements.
    • CICS automated services to coordinate application “On-line” and “Batch” processes.
    • Automated software to generate CICS maps.
    • Automated software to assist applications with reporting (style sheets).

    Office of the CIO / Mainframe CICS System Services | Contact: CIO Service Desk: 402.471.4636 or 800.982.2468
  • Appendix A: Current Environment Overview the Following Subsections Provide an Overview of the Current Technical Environment
    1 Appendix A: Current Environment Overview The following subsections provide an overview of the current technical environment. N-FOCUS – Nebraska’s Legacy Integrated Health and Human Services and Benefits Application Nebraska Family Online Client User System (N-FOCUS) is an integrated system that automates benefit/service delivery and case management for more than 30 DHHS programs, including Aid to Dependent Children (ADC), Supplemental Nutrition Assistance Program (SNAP), Child Welfare and Medicaid. The system was initially developed in partnership with Accenture as the prime Systems Integrator. N-FOCUS functions include client/case intake, eligibility determination, case management, service authorization, benefit payments, claims processing and payments, provider contract management, interfacing with other private, state and federal organizations, and management and government reporting. N-FOCUS was implemented in production in mid-1996 and is operational statewide. The typical N-FOCUS user is a DHHS or contracted employee. N-FOCUS supports over 2500 workers, operating from offices around the State as well as from 4 customer service centers and a centralized scanning facility. Some cases are assigned to specific workers; however, the majority of cases are managed via a universal caseload methodology coordinated by the customer service centers. N-FOCUS has both batch and online components and stores data in Db2 and SQL Server. The Db2 database has over 650 tables, some with a corresponding archive table. There are over 785 relationships between tables, 1278 indexes, and over 9665 attributes. There are over 1.7 billion rows of production data with over 193 million rows in one table with an average table size of 3.2 million rows.
  • Basic of Mainframe
    Basic of Mainframe Mainframe computer Mainframe is a very large and expensive computer capable of supporting hundreds, or even thousands, of users simultaneously. In the hierarchy that starts with a simple microprocessor at the bottom and moves to supercomputers at the top, mainframes are just below supercomputers. In some ways, mainframes are more powerful than supercomputers because they support more simultaneous programs. But supercomputers can execute a single program faster than a mainframe. The distinction between small mainframes and minicomputers is vague, depending really on how the manufacturer wants to market its machines. Modern mainframe computers have abilities not so much defined by their single task computational speed (usually defined as MIPS, Millions of Instructions Per Second) as by their redundant internal engineering and resulting high reliability and security, extensive input-output facilities, strict backward compatibility with older software, and high utilization rates to support massive throughput. These machines often run for years without interruption, with repairs and hardware upgrades taking place during normal operation. Software upgrades are only non-disruptive when Parallel Sysplex is in place, with true workload sharing, so one system can take over another's application, while it is being refreshed. More recently, there are several IBM mainframe installations that have delivered over a decade of continuous business service as of 2007, with hardware upgrades not interrupting service. Mainframes are defined by high availability, one of the main reasons for their longevity, because they are typically used in applications where downtime would be costly or catastrophic. The term Reliability, Availability and Serviceability (RAS) is a defining characteristic of mainframe computers.