The Sybase listener performs security checking for users connecting through either a three-tier (gateway-enabled) or a two-tier (gateway-less) environment. This section explains which user ID is associated with the Sybase listener and describes the processing for each of these scenarios.
Use the SIT PLTIUSR parameter to assign a user ID to your PLT programs. All PLT programs run under the transaction ID CPLT. If XUSER=YES in the SIT, surrogate authorization is checked before the CPLT transaction ID is attached. The CICS region userid must be authorized as a surrogate for the PLTIUSR userid. If a value is not specified for the PLTIUSR parameter, no surrogate checking is done, and PLT programs run under the authorization of the CICS region userid.
The Sybase listener uses the client user ID and password as input to the EXEC CICS VERIFY PASSWORD command. Verification proceeds as follows:
If the user ID and password are valid, the client transaction is started with the USERID parameter.
If surrogate checking is active, the user ID under which the Sybase listener was started is checked to see if it is authorized to the USERID.DFHSTART profile, where USERID (in this case) is the user ID passed up from the client.
If the password has expired, the Sybase listener checks to see if the client RPC is the PEM RPC called SYB_PEM. If so, the transaction is started, and the client may change the password.
If any other type of error results from VERIFY PASSWORD, the client receives an error notification, and a message is sent to the CICS log.
If security is not on in this region (SEC=NO in the SIT), the client transaction is started without the USERID parameter.
The Sybase listener uses the client user ID and password as input to the EXEC CICS VERIFY PASSWORD command. Verification proceeds as follows:
If the user ID and password are valid, the Sybase listener starts the Sybase Sockets Handler (SYSH) transaction with the USERID parameter.
If surrogate checking is active, the user ID under which the Sybase listener was started is checked to see if it is authorized to the USERID.DFHSTART profile, where USERID (in this case) is the user ID passed up from the client. Then, the SYSH transaction starts the client transaction using the START command with the USERID parameter.
If the password has expired, the Sybase listener sets a flag and starts SYSH with the USERID parameter. Then, SYSH checks to see if the client RPC is the PEM RPC called SYB_PEM. If so, the corresponding transaction is started with the USERID parameter. This allows the client to change the password.
If any other type of error occurs on the VERIFY PASSWORD command, the Sybase listener sets a flag, and the socket handler is started without the USERID parameter. If a security error flag is set, the socket handler notifies the client of the error, and a message is sent to the CICS log. The client transaction does not run.
If security is not on in this region (SEC=NO in the SIT), the SYSH transaction is started without the USERID parameter. Then, SYSH starts the client's transaction without the USERID parameter.
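The surrogate checks described above (the PLTIUSR check at startup and the USERID.DFHSTART check when a client transaction is started) map to SURROGAT class profiles in the external security manager. The following is an added example, not taken from the original documentation: it assumes RACF is the security manager, and CICSRGN, PLTUSER, LSTNUSER and CLIENT1 are placeholder user IDs. The DFHINSTL profile suffix is the standard CICS name for the PLT surrogate check and does not appear on this page.

```tso
/* Added example. Placeholder user IDs (assumptions, not from the page): */
/*   CICSRGN  = CICS region userid                                       */
/*   PLTUSER  = value of the SIT PLTIUSR parameter                       */
/*   LSTNUSER = user ID under which the Sybase listener was started      */
/*              (may be the same ID as PLTUSER)                          */
/*   CLIENT1  = a client user ID passed up to the listener               */

/* PLT startup with XUSER=YES: the CICS region userid must be a          */
/* surrogate for the PLTIUSR userid.                                     */
RDEFINE SURROGAT PLTUSER.DFHINSTL UACC(NONE) OWNER(PLTUSER)
PERMIT PLTUSER.DFHINSTL CLASS(SURROGAT) ID(CICSRGN) ACCESS(READ)

/* Client transaction started with the USERID parameter: the listener's  */
/* user ID must be a surrogate for the client user ID.                   */
RDEFINE SURROGAT CLIENT1.DFHSTART UACC(NONE) OWNER(CLIENT1)
PERMIT CLIENT1.DFHSTART CLASS(SURROGAT) ID(LSTNUSER) ACCESS(READ)

/* Refresh the in-storage profiles, then list who holds each authority.  */
SETROPTS RACLIST(SURROGAT) REFRESH
RLIST SURROGAT PLTUSER.DFHINSTL AUTHUSER
RLIST SURROGAT CLIENT1.DFHSTART AUTHUSER
```

UACC(NONE) limits each surrogate authority to the IDs named in the PERMIT commands; the RLIST output is the place to confirm that only the region and listener user IDs appear on the access lists.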