/SECURE command
The /SECURE command is used to control the RACF® security level. It is used for administrative control of the IMS environment and as an emergency operations control command to throttle RACF activity without requiring an IMS shutdown.
This command can be issued to an IMSplex using the Batch SPOC utility.
Environment
The following table lists the environments (DB/DC, DBCTL, and DCCTL) in which you can use the commands and keywords.
Command / Keywords | DB/DC | DBCTL | DCCTL
---|---|---|---
/SECURE | X | X | 
APPC | X | X | 
OTMA | X | X | 
Syntax
Keywords
The following keywords are valid for the /SECURE command:
- ACEEAGE aging_value TMEMBER tmembername
- Specifies an aging value for OTMA accessor environment elements (ACEEs), where aging_value is a 1- to 5-digit integer in the range 0 - 86,400 seconds. 86,400 seconds is equivalent to 1 day.
If you specify a value in the range 1 - 300, OTMA uses a value of 300 seconds because OTMA requires a value of at least 300 to enable ACEE refreshes. If you specify a 5-digit integer that is greater than 86,400, the value is automatically reset to 86,400. If you specify an integer of 6 or more digits, the value is rejected and an error message is issued.
If you specify 0 for the ACEEAGE parameter and you do not use the TMEMBER parameter to specify an OTMA client, ACEE caching is disabled by OTMA even if OTMA security is set to FULL or CHECK. That is, new ACEEs are not cached by OTMA and ACEEs that are already cached are expired and removed from online memory in subsequent ACEE refreshes.
If you specify 0 for the ACEEAGE parameter and you use the TMEMBER parameter to specify an OTMA client, ACEE caching is disabled by OTMA for the specified OTMA client. That is, new ACEEs for the OTMA client are not cached by OTMA and ACEEs that are already cached for the client are expired and removed from online memory in subsequent ACEE refreshes.
If you specify a value in the range 1 - 86,400 for the ACEEAGE parameter and you do not use the TMEMBER parameter to specify an OTMA client, the aging value applies globally to all OTMA clients and overrides all other aging values that are passed by OTMA clients.
If you specify a value in the range 1 - 86,400 for the ACEEAGE parameter and you specify an OTMA client by using the TMEMBER parameter, the aging value applies to the specified OTMA client. If an aging value is passed by the OTMA client at client-bid time, the value is overridden by the value that you specify by using the ACEEAGE parameter. If you previously issued the /SECURE OTMA ACEEAGE 0 command, the /SECURE OTMA ACEEAGE aging_value TMEMBER tmembername command is rejected. For the /SECURE OTMA ACEEAGE aging_value TMEMBER tmembername command to be valid if the /SECURE OTMA ACEEAGE 0 command was previously issued, first reissue the /SECURE OTMA ACEEAGE command and specify a value in the range 1 - 86,400, and then reissue the /SECURE OTMA ACEEAGE aging_value TMEMBER tmembername command.
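The ACEEAGE rules above (the 300-second floor, the 86,400 ceiling, rejection of 6-digit values, and the rejection of a TMEMBER-specific value while a global ACEEAGE 0 is in effect) are easy to misread when planning a change. The following Python model is an added example, not IBM code; it only reproduces the documented behaviour so an operator can predict the outcome of a command sequence before issuing it. The precedence of a per-TMEMBER /SECURE value over a later global one is an assumption, since the page only states that a global value overrides client-supplied values.

```python
# Added example (not IBM's code): models the documented /SECURE OTMA ACEEAGE handling.
from dataclasses import dataclass, field
from typing import Dict, Optional

MIN_EFFECTIVE = 300   # OTMA needs at least 300 s to enable ACEE refreshes
MAX_AGE = 86_400      # one day


def normalize_aceeage(text: str) -> int:
    """Return the aging value OTMA will actually use for the aging_value operand,
    or raise ValueError where the page says the command is rejected."""
    if not text.isdigit() or len(text) > 5:
        raise ValueError(f"ACEEAGE {text!r}: not a 1- to 5-digit integer, command rejected")
    value = int(text)
    if value == 0:
        return 0                       # ACEE caching disabled
    if value < MIN_EFFECTIVE:
        return MIN_EFFECTIVE           # 1 - 300 is raised to 300
    return min(value, MAX_AGE)         # 5-digit values above 86,400 are reset to 86,400


@dataclass
class OtmaAceeAging:
    """Tracks the global aging value and the per-TMEMBER values set by /SECURE."""
    global_age: Optional[int] = None
    member_age: Dict[str, int] = field(default_factory=dict)

    def secure_aceeage(self, text: str, tmember: Optional[str] = None) -> int:
        """Apply /SECURE OTMA ACEEAGE text [TMEMBER tmember]; returns the value in effect."""
        value = normalize_aceeage(text)
        if tmember is None:
            self.global_age = value
            return value
        if self.global_age == 0:
            # Documented rule: a TMEMBER-specific value is rejected while global 0 is set.
            raise ValueError("ACEEAGE TMEMBER rejected: reissue /SECURE OTMA ACEEAGE "
                             "with a value in 1 - 86,400 first")
        self.member_age[tmember] = value
        return value

    def effective_age(self, tmember: str, client_bid_value: Optional[int]) -> Optional[int]:
        """Aging value in effect for a client, given what it passed at client-bid time.
        Assumption: a per-TMEMBER /SECURE value wins over the global one."""
        if tmember in self.member_age:
            return self.member_age[tmember]
        if self.global_age is not None:
            return self.global_age       # global value overrides client-bid values
        return client_bid_value
```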
- APPC
- Is used with the CHECK, FULL, NONE, or PROFILE parameters to control the RACF security level for input from LU 6.2 devices. The /DISPLAY APPC command can be used to show the security level that is currently in effect. At IMS startup, the security default is FULL.
- CHECK
- Causes existing RACF calls to be made. IMS commands are checked using the RACF resource class of CIMS. IMS transactions are checked using TIMS. Disables z/OS® System Authorization Facility security for IMS allocate PSBs (APSBs).
- FULL
- Causes the same processing as the CHECK parameter but uses additional RACF calls to create the security environment for dependent regions and enables z/OS System Authorization Facility security for IMS APSBs for all CPI Communications driven application programs.
- NONE
- Does not call RACF within IMS for security verification. RACF security verification in APPC/MVS™ is not affected. Disables z/OS System Authorization Facility security for IMS APSBs.
- PROFILE
- Causes the values in the TP profile for each transaction to be used. If the TP profile is not defined for a transaction, or if the TP profile does not specify a RACF security level, then the default security is CHECK.
- OTMA
- Is used with the CHECK, FULL, JOIN, NONE, or PROFILE parameters to control the RACF security level for input from IMS Open Transaction Manager Access (OTMA) clients. The /DISPLAY OTMA command can be used to show the security level that is currently in effect. After an IMS cold start, the security default is FULL if the IMS startup parameter OTMASE= is not used.
- CHECK TMEMBER tmembername
- Causes existing RACF calls to be made for input from the specified OTMA client.
- FULL TMEMBER tmembername
- Causes the same processing as the CHECK parameter for input from the specified OTMA client, but uses additional RACF calls to create the security environment for dependent regions.
- JOIN TMEMBER tmembername
- Causes existing RACF calls to be made on only the OTMA client bid requests from OTMA clients. No transaction or command security checking is performed on individual messages.
- NONE TMEMBER tmembername
- Specifies that there is no RACF security checking within IMS for the input from the specified OTMA client.
- PROFILE TMEMBER tmembername
- Specifies that the values in the Security Data section of the OTMA message prefix of each transaction are used to check security for input from the specified OTMA client.
- REFRESH
- OTMA caches the ACEE for a user ID to reduce the amount of RACF I/O. As a result, a refresh for the cached ACEE is needed after the RACF database is updated. Issuing the /SEC OTMA REFRESH command without the TMEMBER option performs the ACEE refresh for all user IDs for all the OTMA clients. However, the actual ACEE refresh occurs when the next OTMA message for the user ID is received. This is designed to prevent all the RACF ACEE refreshes from happening at one time.
When USER is specified, OTMA refreshes across all TMEMBERs only ACEEs that include the specified user profile.
- USER userid
- An option to refresh only the specified user ID for all OTMA TMEMBERs. userid is the 1- to 8-character name of the RACF user profile to be refreshed.
Examples
The following are examples of the /SECURE command:
Example 1 for /SECURE command
/DIS APPC
IMSLU #APPC-CONV SECURITY STATUS DESIRED
IMSLUNME 0 PROFILE ENABLED ENABLED
*91242/163820*
Explanation: Enter /DISPLAY APPC to see which security checking option is in effect.
/SECURE APPC FULL
DFS058I SECURE COMMAND COMPLETED
Example 2 for /SECURE command
/DIS OTMA
GROUP/MEMBER XCF-STATUS USER-STATUS SECURITY TIB INPT SMEM
DRUEXIT T/O ACEEAGE
XCFGRP1
-IMS1 ACTIVE SERVER FULL 8000
-IMS1 N/A 0
-HWS1 ACTIVE ACCEPT TRAFFIC FULL 0 5000
-HWS1 HWSYDRU0 239 3600
-HWS2 ACTIVE ACCEPT TRAFFIC CHECK 0 5000
-HWS2 HWSYDRU0 239 7200
-HWS3 ACTIVE ACCEPT TRAFFIC NONE 0 5000
-HWS3 HWSYDRU0 239 0
*09121/172200* IMS1
Explanation: Enter /DISPLAY OTMA to view the security setting of each OTMA tmember.
/SECURE OTMA FULL
DFS058I SECURE COMMAND COMPLETED