The new Sybase listener performs security checking for users connecting through both a three-tier, gateway-enabled environment and a two-tier, gateway-less environment. This section explains which user ID is associated with the Sybase listener and how verification proceeds in each of these scenarios.
Sybase recommends that you start the Sybase listener through the CICS Program List Table (PLT). Add a DFHPLT entry for the SYBOPEN program, which establishes the TCP environment based on values defined in IxTCP. You can add the DFHPLT entry after the DFHDELIM entry since the SYBOPEN program runs in the third stage of initialization.
Use the SIT PLTIUSR parameter to assign a user ID to your PLT programs. All PLT programs run under the transaction ID CPLT. If XUSER=YES in the SIT, surrogate authorization is checked before the CPLT transaction ID is attached. The CICS region userid must be authorized as a surrogate for the PLTIUSR userid. If a value is not specified for the PLTIUSR parameter, no surrogate checking is done, and PLT programs run under the authorization of the CICS region userid.
You can use the SYOP transaction to start the Sybase listeners if you choose not to use the PLT, or if you need to restart the listeners while CICS is running. When you use the SYOP transaction, the listeners run under the authorization of the user ID signed on to the terminal. If no user is signed on to the terminal, the CICS default user ID is used.
In the first scenario, in which the Sybase listener starts the client transaction directly, the listener uses the client user ID and password as input to the EXEC CICS VERIFY PASSWORD command. Verification proceeds as follows:
If the user ID and password are valid, the client transaction is started with the USERID parameter.
If surrogate checking is active, the user ID under which the Sybase listener was started is checked to see if it is authorized to the USERID.DFHSTART profile, where USERID (in this case) is the user ID passed up from the client.
If the password has expired, the Sybase listener checks to see if the client RPC is the PEM RPC, SYB_PEM. If the RPC is SYB_PEM, the transaction is started, and the client may change the password.
If there is any other type of error resulting from VERIFY PASSWORD, the client receives an error notification, and a message is sent to the CICS log.
If security is not on in this region (SEC=NO in the SIT), the client transaction is started without the USERID parameter.
In the second scenario, in which the Sybase listener starts the Sybase Context Handler (SYCH) rather than the client transaction directly, the listener again uses the client user ID and password as input to the EXEC CICS VERIFY PASSWORD command. Verification proceeds as follows:
If the user ID and password are valid, the Sybase listener starts the Sybase Context Handler (SYCH) transaction with the USERID parameter.
If surrogate checking is active, the user ID under which the Sybase listener was started is checked to see if it is authorized to the USERID.DFHSTART profile, where USERID (in this case) is the user ID passed up from the client. The SYCH transaction then starts the client transaction using the START command with the USERID parameter.
If the password has expired, the Sybase listener sets a flag and starts SYCH with the USERID parameter. If this flag is set, SYCH checks to see if the client RPC is the PEM RPC, SYB_PEM. If the RPC is SYB_PEM, the corresponding transaction is started with the USERID parameter. This allows the client to change the password.
If there is any other type of error on the VERIFY PASSWORD, the Sybase listener sets a flag, and the context handler is started without the USERID parameter. If a security error flag is set, the context handler notifies the client of the error, and a message is sent to the CICS log. The client transaction does not run.
If security is not on in this region (SEC=NO in the SIT), the SYCH transaction is started without the USERID parameter, and SYCH in turn starts the client's transaction without the USERID parameter.
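The startup steps described earlier (PLT entry, PLTIUSR, XUSER) and the USERID.DFHSTART surrogate check in both verification flows, pulled together as an added example that is not from the Sybase documentation. It assumes RACF as the external security manager, a PLT suffix of SY, a listener user ID SYBLSNR, a client user ID CLIENT1 and a CICS region user ID CICSRGN; all of these names are placeholders.

```text
* DFHPLT table source (assembler macros), assumed suffix SY.
* Entries before DFHDELIM run in the second stage of initialization;
* SYBOPEN is placed after DFHDELIM so that it runs in the third stage.
PLTSY    DFHPLT TYPE=INITIAL,SUFFIX=SY
         DFHPLT TYPE=ENTRY,PROGRAM=DFHDELIM
         DFHPLT TYPE=ENTRY,PROGRAM=SYBOPEN
         DFHPLT TYPE=FINAL
         END

* SIT parameters (assumed values, one per line for readability)
PLTPI=SY            * use the PLT built above at initialization
PLTIUSR=SYBLSNR     * PLT programs, and so the listener, run as SYBLSNR
XUSER=YES           * surrogate checking is enforced
SEC=YES             * external security is active in this region

* RACF SURROGAT profiles.
* 1. With XUSER=YES the region user ID must be a surrogate for PLTIUSR
*    before CPLT can be attached under SYBLSNR.
RDEFINE  SURROGAT SYBLSNR.DFHSTART UACC(NONE)
PERMIT   SYBLSNR.DFHSTART CLASS(SURROGAT) ID(CICSRGN) ACCESS(READ)
* 2. The listener (running as SYBLSNR) may START work with USERID(CLIENT1)
*    only if it has READ access to CLIENT1.DFHSTART; one profile per
*    client user ID, or a generic profile if local policy permits.
RDEFINE  SURROGAT CLIENT1.DFHSTART UACC(NONE)
PERMIT   CLIENT1.DFHSTART CLASS(SURROGAT) ID(SYBLSNR) ACCESS(READ)
SETROPTS RACLIST(SURROGAT) REFRESH
```

If the second PERMIT is missing, a valid client password still fails the surrogate check described above, so a surrogate-authorization failure in the CICS log after a successful VERIFY PASSWORD points at this profile rather than at the client's credentials.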
Copyright © 2005. Sybase Inc. All rights reserved.