Chapter 31. Invoking an external security manager
CICS provides an interface to an external security manager (ESM), which may be
the Resource Access Control Facility (RACF), a vendor product, or user-written.
This chapter gives an overview of the CICS-ESM interface, and describes how you
can use the MVS router exit to pass control to a user-written ESM. It describes how
ESM exit programs can access CICS-related information. Finally, it lists the control
points at which CICS invokes the ESM.
Note that this chapter is intended primarily for non-RACF users. For definitive
information about security processing using RACF, you should refer to
Introduction to CICS security with RACF, in the CICS RACF Security Guide.
The chapter is divided into the following sections:
1. “An overview of the CICS-ESM interface”
2. “The MVS router”
3. “Using ESM exit programs to access CICS-related information” on page 791
4. “CICS security control points” on page 796
5. “Using early verification processing” on page 797.
An overview of the CICS-ESM interface
CICS security uses, via the RACROUTE macro, the MVS system authorization
facility (SAF) interface to route authorization requests to the ESM. Normally, if
RACF is present, the MVS router passes control to it. However, you can modify the
action of the MVS router by invoking the router exit. The router exit can be used, for
example, to pass control to a user-written or vendor-supplied ESM. (If you want to
use your own security manager, you must supply an MVS router exit routine.)
The control points at which CICS issues a RACROUTE macro to route authorization
requests are described in “CICS security control points” on page 796.
The MVS router
SAF provides your installation with centralized control over security processing, by
using a system service called the MVS router. The MVS router provides a common
system interface for all products providing resource control. The resource-managing
components and subsystems (such as CICS) call the MVS router as part of certain
decision-making functions in their processing, such as access control checking and
authorization-related checking. These functions are called control points. This
single SAF interface encourages the use of common control functions shared
across products and across systems.
If RACF is available in the system, the MVS router may pass control to the RACF
router, which in turn invokes the appropriate RACF function. (The parameter
information and the RACF router table, which associates router invocations with
RACF functions, determine the appropriate function.) However, before calling the
RACF router, the MVS router calls an optional, installation-supplied
security-processing exit, if one has been installed.
The MVS router exit
The MVS router provides an optional installation exit that is invoked whether or not
RACF is installed and active on the system. If your installation does not use RACF,
© Copyright IBM Corp. 1977, 2011 789