
External CICS access (EXCI and JAVA) and security.


Steve Menard

Oct 12, 1998
We are testing the NT JAVA gateway's access to CICS/ESA, an area I know
precious little about. Since it uses an interface very similar to EXCI
(batch job to CICS, something I have worked with) I would like to see if
anyone here has an opinion on the subject of security in these new arenas.

In these situations, as I understand it, the user program sets four items
that are used to execute the CICS application.

1) Transaction Code (must point to the mirror program)
2) Program id (DPL command subset)
3) User id (java gateway)
4) Password (java gateway)

Does anyone else feel uneasy with a user program specifying both the
transaction code and program id? The situation that worries me is the
specification of some globally authorized transaction code and say a
payroll update program.
I know this opens little that is not already available to a devious CICS
application programmer. But somehow I'm more comfortable with code
compiled here, and residing in my load library, than some JAVA code running
in some SERVLET (or the like) somewhere "out there".

Thanks for your time.

Boesel, Ed

Oct 12, 1998
Steve,
Consider me a stick in the mud and puritanical, but:
I believe that after authentication, you should associate a token in
the stream which is checked against the IP-addr to ensure continuity.
The gateway should respond to only a very limited set of
transactions, and all should be indirect (if you said TRN1, I will schedule
TRN1); never put your transaction id field into the CICS transaction ID.
I think you are quite right to be nervous.
HTH, Ed
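The two controls Ed describes (a post-authentication token checked against the client address, and an indirect, gateway-owned mapping so that the four items from Steve's list are never taken verbatim from the caller) can be sketched as gateway-side Java. This is an added example, not code from the thread, from the CICS Java gateway, or from any IBM product; the class `GatewayBroker`, the logical request names and the transaction and program names are all constructed for illustration, and the ECI call that would actually drive the mirror transaction is left out.

```java
import java.net.InetAddress;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical gateway-side broker (added example, not the Java gateway's own API).
 * The client never supplies a transaction code or program id; it supplies a
 * logical request name, and the gateway alone decides what that schedules.
 */
public class GatewayBroker {

    /** A fixed server-side binding of one mirror transaction to one DPL program. */
    public static final class Route {
        public final String transid;
        public final String program;
        Route(String transid, String program) { this.transid = transid; this.program = program; }
    }

    /** Allowlist held in gateway code/config. Names are constructed for this example. */
    private static final Map<String, Route> ROUTES = new HashMap<>();
    static {
        ROUTES.put("ORDER_INQUIRY", new Route("TRN1", "ORDINQ01"));
        ROUTES.put("STOCK_LOOKUP",  new Route("TRN1", "STKLKP01"));
        // Deliberately no entry that reaches an update program: if it is not
        // listed here, the gateway cannot be talked into scheduling it.
    }

    private static final SecureRandom RNG = new SecureRandom();

    /** Session token -> client address it was issued to (Ed's "token checked against the IP-addr"). */
    private final Map<String, InetAddress> sessions = new HashMap<>();

    /**
     * Called once, after the gateway has verified the userid/password (items 3 and 4
     * of Steve's list) against CICS; that verification is outside this example.
     */
    public String openSession(InetAddress clientAddr) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, clientAddr);
        return token;
    }

    /**
     * Resolve a client request to a fixed route, or return null to reject it.
     * Rejected: unknown token, token presented from a different address,
     * or a request name that is not on the allowlist.
     */
    public Route resolve(String token, InetAddress clientAddr, String requestName) {
        InetAddress bound = sessions.get(token);
        if (bound == null || !bound.equals(clientAddr)) {
            return null;                       // continuity check failed
        }
        return ROUTES.get(requestName);        // null for anything not allowlisted
    }

    /** The pattern Steve is uneasy about, shown only for contrast: caller picks both fields. */
    public static Route naiveResolve(String callerTransid, String callerProgram) {
        return new Route(callerTransid, callerProgram);   // nothing stops TRN1 + a payroll update program
    }

    public static void main(String[] args) throws Exception {
        GatewayBroker broker = new GatewayBroker();
        InetAddress client = InetAddress.getByName("10.0.0.5");   // constructed addresses
        InetAddress other  = InetAddress.getByName("10.0.0.9");

        String token = broker.openSession(client);

        Route ok = broker.resolve(token, client, "ORDER_INQUIRY");
        System.out.println("allowed  -> " + ok.transid + "/" + ok.program);

        System.out.println("unlisted -> " + broker.resolve(token, client, "PAYROLL_UPDATE")); // null
        System.out.println("moved IP -> " + broker.resolve(token, other, "ORDER_INQUIRY"));   // null
        System.out.println("bad tok  -> " + broker.resolve("forged", client, "ORDER_INQUIRY")); // null

        Route naive = naiveResolve("TRN1", "PAYUPD01");
        System.out.println("naive    -> " + naive.transid + "/" + naive.program + " (caller chose both)");
    }
}
```

Running `main` prints one allowed route and three `null` rejections, then the contrasting naive mapping. The allowlist is the point: even a caller that knows a globally authorized transaction code and the name of an update program cannot get the gateway to pair them, because neither field is ever read from the request. This complements rather than replaces CICS-side resource checking of the kind Mark raises in the next reply; the gateway mapping limits what can be asked for, and the CICS external security manager still decides what the signed-on userid may run.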

Mark Granger

Oct 12, 1998
Steve,

>Does anyone else feel uneasy with a user program specifying both the
>transaction code and program id? The situation that worries me is the
>specification of some globally authorized transaction code and say a
>payroll update program.

What about turning the Security option XPCT or XPPT = YES (whichever)
in CICS/ESA so that the program id will be tested by RACF (or whatever
security), then the transaction id should not matter. I haven't had a
chance to try this, it is just a thought.

Mark Granger.
