/SECURE command

The /SECURE command is used to control the RACF® security level. It is used for administrative control of the IMS environment and as an emergency operations control command to throttle RACF activity without requiring an IMS shutdown.

This command can be issued to an IMSplex using the Batch SPOC utility.

Environment

The following table lists the environments (DB/DC, DBCTL, and DCCTL) in which you can use the commands and keywords.

Table 1. Valid environments for the /SECURE command and keywords

Command / Keywords    DB/DC    DBCTL    DCCTL
/SECURE               X                 X
APPC                  X                 X
OTMA                  X                 X

Note: You can use the SECURE OTMA command in non-OTMA environments to specify the security settings for the DFSYICAL member. The DFSYICAL member is an internal member that is used to process DL/I ICAL calls for synchronous program switch, even when OTMA is not enabled. If the DFSYICAL member does not exist when the SECURE OTMA command is issued, it is created automatically and the specified security configuration is applied to it.

Syntax

/SECURE | /SEC
    APPC { CHECK | FULL | NONE | PROFILE }
    OTMA { ACEEAGE aging_value [TMEMBER tmembername]
         | CHECK   [TMEMBER tmembername]
         | FULL    [TMEMBER tmembername]
         | JOIN    [TMEMBER tmembername]
         | NONE    [TMEMBER tmembername]
         | PROFILE [TMEMBER tmembername]
         | REFRESH [TMEMBER tmembername | USER userid] }

Keywords

The following keywords are valid for the /SECURE command:

ACEEAGE aging_value TMEMBER tmembername
Specifies an aging value for OTMA accessor environment elements (ACEEs), where aging_value is a 1- to 5-digit integer in the range 0 - 86,400 seconds. 86,400 seconds is equivalent to 1 day.

If you specify a value in the range 1 - 300, OTMA uses a value of 300 seconds because OTMA requires a value of at least 300 to enable ACEE refreshes. If you specify a 5-digit integer that is greater than 86,400, the value is automatically reset to 86,400. If you specify an integer of 6 or more digits, the value is rejected and an error message is issued.

If you specify 0 for the ACEEAGE parameter and you do not use the TMEMBER parameter to specify an OTMA client, ACEE caching is disabled by OTMA even if OTMA security is set to FULL or CHECK. That is, new ACEEs are not cached by OTMA and ACEEs that are already cached are expired and removed from online memory in subsequent ACEE refreshes.

If you specify 0 for the ACEEAGE parameter and you use the TMEMBER parameter to specify an OTMA client, ACEE caching is disabled by OTMA for the specified OTMA client. That is, new ACEEs for the OTMA client are not cached by OTMA and ACEEs that are already cached for the client are expired and removed from online memory in subsequent ACEE refreshes.

If you specify a value in the range 1 - 86,400 for the ACEEAGE parameter and you do not use the TMEMBER parameter to specify an OTMA client, the aging value applies globally to all OTMA clients and overrides all other aging values that are passed by OTMA clients.

If you specify a value in the range 1 - 86,400 for the ACEEAGE parameter and you specify an OTMA client by using the TMEMBER parameter, the aging value applies to the specified OTMA client. If an aging value is passed by the OTMA client at client-bid time, the value is overridden by the value that you specify by using the ACEEAGE parameter. If you previously issued the /SECURE OTMA ACEEAGE 0 command, the /SECURE OTMA ACEEAGE aging_value TMEMBER tmembername command is rejected. For the /SECURE OTMA ACEEAGE aging_value TMEMBER tmembername command to be valid if the /SECURE OTMA ACEEAGE 0 command was previously issued, first reissue the /SECURE OTMA ACEEAGE command and specify a value in the range 1 - 86,400, and then reissue the /SECURE OTMA ACEEAGE aging_value TMEMBER tmembername command.

APPC
When used with the CHECK, FULL, NONE, or PROFILE parameters, APPC controls the RACF security level for input from LU 6.2 devices. The /DISPLAY APPC command can be used to show the security level that is currently in effect. At IMS startup, the security default is FULL.
CHECK
Causes existing RACF calls to be made. IMS commands are checked using the RACF resource class of CIMS. IMS transactions are checked using TIMS. Disables z/OS® System Authorization Facility security for IMS allocate PSBs (APSBs).
FULL
Causes the same processing as the CHECK parameter but uses additional RACF calls to create the security environment for dependent regions and enables z/OS System Authorization Facility security for IMS APSBs for all CPI Communications driven application programs.
NONE
Does not call RACF within IMS for security verification. RACF security verification in APPC/MVS™ is not affected. Disables z/OS System Authorization Facility security for IMS APSBs.
PROFILE
Causes the values in the TP profile for each transaction to be used. If the TP profile is not defined for a transaction, or if the TP profile does not specify a RACF security level, then the default security is CHECK.
OTMA
Is used with the CHECK, FULL, JOIN, NONE, or PROFILE parameters to control the RACF security level for input from IMS Open Transaction Manager Access (OTMA) clients. The /DISPLAY OTMA command can be used to show the security level that is currently in effect. After an IMS cold start, the security default is FULL if the IMS startup parameter OTMASE= is not used.
CHECK TMEMBER tmembername
Causes existing RACF calls to be made for input from the specified OTMA client.
FULL TMEMBER tmembername
Causes the same processing as the CHECK parameter for input from the specified OTMA client, but uses additional RACF calls to create the security environment for dependent regions.
JOIN TMEMBER tmembername
Causes existing RACF calls to be made on only the OTMA client bid requests from OTMA clients. No transaction or command security checking is performed on individual messages.
NONE TMEMBER tmembername
Specifies that there is no RACF security checking within IMS for the input from the specified OTMA client.
PROFILE TMEMBER tmembername
Specifies that the values in the Security Data section of the OTMA message prefix of each transaction are used to check security for input from the specified OTMA client.
REFRESH
OTMA caches the ACEE for a user ID to reduce the amount of RACF I/O. As a result, a refresh for the cached ACEE is needed after the RACF database is updated. Issuing the /SEC OTMA REFRESH command without the TMEMBER option performs the ACEE refresh for all user IDs for all the OTMA clients. However, the actual ACEE refresh occurs when the next OTMA message for the user ID is received. This is designed to prevent all the RACF ACEE refreshes from happening at one time.

When USER is specified, OTMA refreshes, across all TMEMBERs, only the ACEEs that belong to the specified user profile.

USER userid
An option to refresh only the specified user ID for all OTMA TMEMBERs. userid is the 1- to 8-character name of the RACF user profile to be refreshed.
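The ACEEAGE value handling and ordering rules described under the ACEEAGE keyword are easy to get wrong when scripting /SECURE through the Batch SPOC utility. The following Python is an added example written for this page, not IMS or IBM code: it models the documented normalization (0 disables caching, 1 - 300 is raised to 300, a 5-digit value above 86,400 is reset to 86,400, 6 or more digits are rejected) and the rule that a per-TMEMBER ACEEAGE is rejected while the global value is 0. The class and function names, and the precedence of a per-TMEMBER value over a later global value, are assumptions for illustration.

```python
"""Model of the /SECURE OTMA ACEEAGE rules (added illustration, not IMS code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

MIN_REFRESH_SECONDS = 300      # OTMA needs at least 300 seconds to enable ACEE refreshes
MAX_AGING_SECONDS = 86_400     # one day, the documented upper bound


def normalize_aceeage(raw: str) -> Optional[int]:
    """Return the aging value OTMA would actually use, or None if the operand is rejected.

    `raw` is the aging_value operand as typed. Only 1- to 5-digit integers are accepted;
    a non-numeric operand is treated like a rejected value (assumption).
    """
    if not raw.isdigit() or len(raw) > 5:
        return None                      # 6 or more digits: error message, command rejected
    value = int(raw)
    if value == 0:
        return 0                         # ACEE caching disabled
    if value < MIN_REFRESH_SECONDS:
        return MIN_REFRESH_SECONDS       # 1 - 300 is raised to the 300-second minimum
    if value > MAX_AGING_SECONDS:
        return MAX_AGING_SECONDS         # 5-digit value above 86,400 is reset to 86,400
    return value


@dataclass
class OtmaAceeAging:
    """Tracks the global aging value and per-TMEMBER overrides (hypothetical model)."""
    global_value: Optional[int] = None                   # None: no global ACEEAGE issued yet
    per_member: Dict[str, int] = field(default_factory=dict)

    def secure_otma_aceeage(self, raw: str, tmember: Optional[str] = None) -> str:
        """Apply one /SECURE OTMA ACEEAGE command and return a one-line result."""
        value = normalize_aceeage(raw)
        if value is None:
            return "REJECTED: aging_value must be a 1- to 5-digit integer"
        if tmember is None:
            self.global_value = value
            if value == 0:
                return "ACEE caching disabled for all OTMA clients"
            return f"ACEEAGE {value} applies globally and overrides client-supplied values"
        # Per-TMEMBER form is rejected while a global value of 0 is in effect
        if self.global_value == 0:
            return "REJECTED: reissue /SECURE OTMA ACEEAGE with a value in 1 - 86400 first"
        self.per_member[tmember] = value
        if value == 0:
            return f"ACEE caching disabled for OTMA client {tmember}"
        return f"ACEEAGE {value} applies to OTMA client {tmember}"

    def effective_value(self, tmember: str, client_bid_value: Optional[int] = None) -> Optional[int]:
        """Aging value in effect for a client, given the value it passed at client-bid time."""
        if self.global_value == 0:
            return 0                          # global 0 disables caching for every client
        if tmember in self.per_member:
            return self.per_member[tmember]   # assumption: a per-TMEMBER value takes precedence
        if self.global_value is not None:
            return self.global_value          # global value overrides client-supplied values
        return client_bid_value               # nothing issued: the client-bid value stands


if __name__ == "__main__":
    state = OtmaAceeAging()
    for raw, member in (("0", None), ("7200", "HWS1"), ("3600", None), ("7200", "HWS1")):
        print(f"/SECURE OTMA ACEEAGE {raw}" + (f" TMEMBER {member}" if member else ""),
              "->", state.secure_otma_aceeage(raw, member))
```

The sequence in the `__main__` block reproduces the documented recovery path: after a global ACEEAGE 0, the per-TMEMBER command is rejected until a global value in the range 1 - 86,400 has been reissued.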

Examples

The following are examples of the /SECURE command:

Example 1 for /SECURE command

Entry ET:
  /DIS APPC
Response ET:
IMSLU     #APPC-CONV SECURITY STATUS   DESIRED
IMSLUNME           0 PROFILE  ENABLED  ENABLED
*91242/163820*

Explanation: Enter /DISPLAY APPC to see which security checking option is in effect.

Entry ET:
  /SECURE APPC FULL
Response ET:
DFS058I SECURE COMMAND COMPLETED

Example 2 for /SECURE command

Entry ET:
  /DIS OTMA
Response ET:
GROUP/MEMBER XCF-STATUS USER-STATUS    SECURITY TIB INPT SMEM 
              DRUEXIT   T/O  ACEEAGE                               
XCFGRP1                                                            
-IMS1        ACTIVE     SERVER           FULL       8000           
-IMS1           N/A     0                                          
-HWS1        ACTIVE     ACCEPT TRAFFIC   FULL    0  5000           
-HWS1         HWSYDRU0  239  3600                                  
-HWS2        ACTIVE     ACCEPT TRAFFIC   CHECK   0  5000           
-HWS2         HWSYDRU0  239  7200                                  
-HWS3        ACTIVE     ACCEPT TRAFFIC   NONE    0  5000           
-HWS3         HWSYDRU0  239  0                                     
*09121/172200*   IMS1 

Explanation: Enter /DISPLAY OTMA to view the security setting of each OTMA tmember.

Entry ET:
  /SECURE OTMA FULL
Response ET:
  DFS058I SECURE COMMAND COMPLETED
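Operators reviewing the /DISPLAY OTMA response in Example 2 typically want to know which OTMA clients run below FULL and how long their ACEEs stay cached before a /SECURE OTMA REFRESH would be needed after a RACF database update. The following Python is an added example written for this page, not IMS or IBM code: it parses the two-line-per-member layout of the response and attaches findings to each client. The sample input is the Example 2 response reproduced inline; the 3600-second cache warning threshold and the function names are assumptions for illustration.

```python
"""Audit helper for /DISPLAY OTMA output (added illustration, not IMS code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the /DISPLAY OTMA response from Example 2, reproduced inline.
DISPLAY_OTMA_SAMPLE = """\
GROUP/MEMBER XCF-STATUS USER-STATUS    SECURITY TIB INPT SMEM
              DRUEXIT   T/O  ACEEAGE
XCFGRP1
-IMS1        ACTIVE     SERVER           FULL       8000
-IMS1           N/A     0
-HWS1        ACTIVE     ACCEPT TRAFFIC   FULL    0  5000
-HWS1         HWSYDRU0  239  3600
-HWS2        ACTIVE     ACCEPT TRAFFIC   CHECK   0  5000
-HWS2         HWSYDRU0  239  7200
-HWS3        ACTIVE     ACCEPT TRAFFIC   NONE    0  5000
-HWS3         HWSYDRU0  239  0
*09121/172200*   IMS1
"""

SECURITY_LEVELS = ("FULL", "CHECK", "NONE", "PROFILE", "JOIN")
CACHE_WARN_SECONDS = 3600   # hypothetical audit threshold, not an IMS value
MEMBER_LINE = re.compile(
    r"^-(?P<name>\S+)\s+(?P<xcf>\S+)\s+(?P<user>.+?)\s+(?P<sec>"
    + "|".join(SECURITY_LEVELS) + r")\b"
)


@dataclass
class OtmaMember:
    name: str
    xcf_status: str
    user_status: str
    security: str
    aceeage: Optional[int]          # None when the column is blank (the IMS server entry)
    findings: List[str] = field(default_factory=list)


def field_at(line: str, col: int, tolerance: int = 2) -> Optional[str]:
    """Return the token that starts within `tolerance` columns of `col`, if any."""
    for m in re.finditer(r"\S+", line):
        if abs(m.start() - col) <= tolerance:
            return m.group()
    return None


def parse_display_otma(text: str) -> List[OtmaMember]:
    """Parse member records; each member occupies a status line and a detail line."""
    lines = text.splitlines()
    # The second header line fixes the column in which ACEEAGE is printed.
    aceeage_col = next(l.index("ACEEAGE") for l in lines if "ACEEAGE" in l)
    members: List[OtmaMember] = []
    i = 0
    while i < len(lines):
        m = MEMBER_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        detail = lines[i + 1] if i + 1 < len(lines) else ""   # DRUEXIT, T/O, ACEEAGE
        raw_age = field_at(detail, aceeage_col)
        aceeage = int(raw_age) if raw_age and raw_age.isdigit() else None
        members.append(OtmaMember(m["name"], m["xcf"], m["user"].strip(), m["sec"], aceeage))
        i += 2
    return members


def audit_otma_security(text: str) -> List[OtmaMember]:
    """Attach findings to each OTMA client; the SERVER entry is IMS itself and is skipped."""
    members = parse_display_otma(text)
    for mem in members:
        if mem.user_status == "SERVER":
            continue
        if mem.security == "NONE":
            mem.findings.append("no RACF checking in IMS for this client's input")
        elif mem.security == "CHECK":
            mem.findings.append("RACF calls made, but no security environment built for dependent regions")
        elif mem.security == "JOIN":
            mem.findings.append("only the client bid is checked; individual messages are not")
        if mem.aceeage == 0:
            mem.findings.append("ACEE caching disabled for this client (no RACF I/O reduction)")
        elif mem.aceeage and mem.aceeage > CACHE_WARN_SECONDS:
            mem.findings.append(f"ACEEs cached up to {mem.aceeage}s; /SECURE OTMA REFRESH needed after RACF updates")
    return members


if __name__ == "__main__":
    for mem in audit_otma_security(DISPLAY_OTMA_SAMPLE):
        print(f"{mem.name:<8} {mem.security:<8} ACEEAGE={mem.aceeage}  {'; '.join(mem.findings) or 'ok'}")
```

Column alignment is taken from the header line rather than from token counts, because the server's own detail line has no ACEEAGE value and a plain split would shift the T/O field into that column.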