Chapter 28. Invoking a user-written external security manager
CICS provides an interface to an external security manager (ESM), which may be
user-written or may be the Resource Access Control Facility (RACF) program
product. This chapter gives an overview of the CICS-ESM interface, and describes
how you can use the MVS router exit to pass control to a user-written ESM. It
describes how ESM exit programs can access CICS-related information. Finally, it
lists the control points at which CICS invokes the ESM.
Note that this chapter is intended primarily for non-RACF users. For definitive
information about security processing using RACF, you should refer to the
CICS RACF Security Guide
.
The chapter is divided into the following sections:
1. “An overview of the CICS-ESM interface”
2. “The MVS router”
3. “How ESM exit programs access CICS-related information” on page 724
4. “CICS security control points” on page 727
5. “Early verification processing” on page 729.
An overview of the CICS-ESM interface
CICS security uses, via the RACROUTE macro, the MVS system authorization
facility (SAF) interface to route authorization requests to the ESM. Normally, if
RACF is present, the MVS router passes control to it. However, you can modify the
action of the MVS router by invoking the router exit. The router exit can be used, for
example, to pass control to a user-written or vendor-supplied ESM. (If you want to
use your own security manager, you must supply an MVS router exit routine.)
The control points at which CICS issues a RACROUTE macro to route authorization
requests are described in “CICS security control points” on page 727.
The MVS router
SAF provides your installation with centralized control over security processing, by
using a system service called the MVS router. The MVS router provides a common
system interface for all products providing resource control. The resource-managing
components and subsystems (such as CICS) call the MVS router as part of certain
decision-making functions in their processing, such as access control checking and
authorization-related checking. These functions are called control points. This
single SAF interface encourages the use of common control functions shared
across products and across systems.
If RACF is available in the system, the MVS router may pass control to the RACF
router, which in turn invokes the appropriate RACF function. (The parameter
information and the RACF router table, which associates router invocations with
RACF functions, determine the appropriate function.) However, before calling the
RACF router, the MVS router calls an optional, installation-supplied
security-processing exit, if one has been installed.
© Copyright IBM Corp. 1977, 1999 721