CICS® Transaction Gateway supports mapping a registered X.509 certificate to a RACF® user ID in remote mode. For more information, see User authentication using SSL client certificates.
Preliminary checks
You use the extattr +p command to mark HFS files as program controlled. To use this command, you must be the owner of the files, or a superuser. The user ID that installed CICS Transaction Gateway normally owns the files. You also need READ access to the BPX.FILEATTR.PROGCTL profile in the FACILITY class. For more information, see z/OS® UNIX System Services Planning.
Your user ID must have the RACF SPECIAL attribute to perform the actions in step 3.
Follow these steps to check that you have the necessary authority:
- Log on to TSO.
- Run ISPF.
- Choose option 6 (Command).
- Issue the following command:
  SR CLASS(FACILITY)
  Check that these entries are in the list:
  BPX.SERVER
  BPX.FILEATTR.PROGCTL
- Issue the following command:
  SR CLASS(SURROGAT)
  Check that this entry is in the list:
  *.DFHEXCI
Configuring the system
- Mark the load modules used by CICS Transaction Gateway as program controlled. The HFS files that require the extended attribute +p are set correctly by SMP/E; however, the SCTGLOAD and SDFHEXCI libraries must be set manually. All Java™ program files used by CICS Transaction Gateway during operation must also be program controlled for the Gateway to run successfully with authentication active. Use the "ls -E" command from an OMVS or Telnet screen to verify the extended attributes of the CICS Transaction Gateway HFS files.
- If necessary, activate program control by issuing these commands:
  SETROPTS CLASSACT(PROGRAM)
  RDEFINE PROGRAM * UACC(READ)
  SETROPTS WHEN(PROGRAM)
- Mark the CICS SDFHEXCI library, which provides the EXCI for CICS Transaction Gateway, as program controlled. For example, if the library was installed as CICSTS51.CICS.SDFHEXCI, use the following RACF commands:
  RALTER PROGRAM * ADDMEM('CICSTS51.CICS.SDFHEXCI'//NOPADCHK)
  SETROPTS WHEN(PROGRAM) REFRESH
- Mark the CICS Transaction Gateway SCTGLOAD library, which provides the CTGBATCH program for CICS Transaction Gateway, as program controlled. For example, if this library was installed as CICSTG.CTG910.SCTGLOAD, use the following RACF commands:
  RALTER PROGRAM * ADDMEM('CICSTG.CTG910.SCTGLOAD'//NOPADCHK)
  SETROPTS WHEN(PROGRAM) REFRESH
- Mark the Language Environment® runtime library SCEERUN2 as program controlled. For example, if this library was installed as CEE.SCEERUN2, use the following RACF commands:
  RALTER PROGRAM * ADDMEM('CEE.SCEERUN2'//NOPADCHK)
  SETROPTS WHEN(PROGRAM) REFRESH
- Mark the CICS SDFHLINK library, which contains DFHRXSVC and DFHXCSVC, as program controlled.
- Give the user ID under which CICS Transaction Gateway runs READ access to the BPX.SERVER FACILITY profile. For more information, see the __passwd() section in z/OS XL C/C++ Run-Time Library Reference.
- Ensure that the user ID that starts CICS Transaction Gateway has READ access to BPX.STOR.SWAP.
- Give the user ID under which CICS Transaction Gateway runs READ access to the RACF profile that protects the TCPIP.STANDARD.TCPXLBIN data set. This data set contains the tables for translating from ASCII to EBCDIC and from EBCDIC to ASCII.
- Use one of the following options to configure CICS Transaction Gateway:
  - Editing a STDENV file: ensure that this entry is in the file:
    AUTH_USERID_PASSWORD=YES
  - Editing ctgenvvar: ensure that this entry is in the file:
    export AUTH_USERID_PASSWORD=Yes
- If you are using CTGBATCH to start CICS Transaction Gateway, ensure that _BPX_SHAREAS=YES is set in the STDENV DD statement, regardless of whether a ctgenvvar script is also being used. If you start CICS Transaction Gateway from USS, set _BPX_SHAREAS=NO in the ctgenvvar script to force the use of a clean address space.