3270 devices that connect to CICS

Three categories of CICS® devices use the 3270 protocols. These devices are terminals that are dynamically defined, statically defined, or are consoles.

For more information about 3270 terms used in this topic, such as the signOn transaction, defaultUser, and so on, see How it works: 3270 security.

Dynamically defined 3270 terminals

These terminals are defined by CICS as they connect by using a process that is called Terminal Autoinstall. Because they do not usually have a predefined identity, they are assigned defaultUser. Afterward, the user authenticates by using a signOn transaction.

Figure 1. Dynamically defined 3270 connection

Figure 1 shows a terminal that uses LU termAppl connecting to CICS. On receipt of the connection from VTAM®, CICS checks the currently defined terminals for one with a NETNAME value of termAppl. Because one is not found, CICS Terminal Autoinstall is started to dynamically create a terminal definition.

  1. Because the USERID value of the terminal definition is blank, this terminal is assigned the default user of the region, defaultUser.
  2. The Good Morning Transaction, gmTran, is started.
  3. CICS verifies that defaultUser is authorized to run gmTran. This check is made by calling RACF® to verify that defaultUser has READ access to resource gmTran in resource group class GCICSTRN.
Important: If gmTran is a CICS Category 3 transaction (for example, CESL, CESN or CSGM), this check is not undertaken. CICS Transaction CSGM is not a Category 3 transaction for releases earlier than CICS Transaction Server for z/OS®, Version 6 Release 1.

Statically defined 3270 terminals

These terminals are defined to CICS in advance. Each definition must have a specific and unique termAppl specified along with any other attributes required.

CICS preset security terminals use a fixed user ID that is specified in their CICS terminal definition. Generally, these terminals are physical and use a presetID specified in the definition. These terminals are known as having preset security or a preset user ID. Any attempts to use a signOn transaction to change the credentials fail.

Security checks for terminals with preset security are undertaken in two stages.

  1. When the definition is created in CICS, usually during CICS initialization or on a subsequent manual installation through a tool such as CEDA. This is shown in Figure 2.
  2. When the device connects to CICS, as shown in Figure 3.
Figure 2. Statically defined 3270 terminal configuration

As shown in Figure 2, because the terminal definition has a preset user ID, the following checks are undertaken when the terminal definition is installed. These checks verify that presetID is authorized to use the CICS region and the specific terminal.

  1. CICS verifies that presetID is authorized to the CICS region. This check is achieved by calling RACF to verify that presetID has READ access to profile grApplid in class APPL.
    Important: If a profile is not found in the APPL class that matches this value, CICS assumes that this check is not required.
  2. CICS verifies that presetID is authorized to the terminal. This check is achieved by calling RACF to verify that presetID has READ access to resource profile termAppl in class TERMINAL.
    Important: If a profile is not found in the TERMINAL class that matches this value, CICS assumes that this check is not required.
Figure 3. Statically defined 3270 connection

Figure 3 shows what happens when a statically defined 3270 terminal connects to CICS:

  1. The Good Morning Transaction, gmTran specified by the SIT parameter GMTRAN, is started on the terminal.
  2. CICS verifies that presetID is authorized to run gmTran. This check is achieved by calling RACF to verify that presetID has READ access to resource gmTran in resource group class GCICSTRN.
    Important: If gmTran is a CICS Category 3 transaction (for example, CESL, CESN or CSGM), this check is not undertaken. CICS Transaction CSGM is not a Category 3 transaction for releases earlier than CICS Transaction Server for z/OS, Version 6 Release 1.

3270 consoles

3270 consoles are devices that are used by operations staff to manage the system. Unlike 3270 terminals, they do not connect to individual CICS regions but instead display messages from multiple jobs that run on the sysplex. Commands from a console are sent to one or more jobs by using a modify command, and any returned messages are displayed on the screen. Console commands routed to a CICS system take the form of a transaction with optional parameters, for example, CEMT INQUIRE TASK.

A console can be a physical device that is dedicated to the purpose or a virtual one.

When a console user issues a modify command that specifies the running CICS region job name, z/OS passes the console name, associated user ID, and command to the CICS system. CICS checks the installed console definitions for an entry with the same value in the CONSNAME field. If no match is found, CICS installs a console definition that provides console autoinstall in the region.

Figure 4. Physical console connection

Usually, the installed console model has the value *EVERY on the USERID attribute, so the user ID passed by z/OS is used as the USERID of the defined console. Figure 4 shows:

  1. CICS verifies that consUser is authorized to the CICS region. This check is achieved by calling RACF to verify that consUser has READ access to profile grApplid in class APPL.
  2. CICS verifies that consUser is authorized to the console. This check is achieved by calling RACF to verify that consUser has READ access to resource profile consName in class CONSOLE.
  3. CICS verifies that consUser is authorized to run tranA, the transaction that the console command starts. This check is achieved by calling RACF to verify that consUser has READ access to resource tranA in group resource class GCICSTRN.
Important: Because the console is defined USERID=*EVERY, an EXEC CICS INQUIRE command from the terminal shows the last user of the console. The value is updated every time that a command is received from the console.
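
The check sequences described above for autoinstalled terminals, preset-security terminals, and consoles can be modelled to show which checks are skipped rather than enforced. The following Python is an added example, not part of the original page or of CICS. It assumes exact-name profile matching only, and the region APPLID, user IDs, device names, and the transaction GMTR are constructed sample values.

```python
# Added example: simplified model of the checks described on this page.
# Exact-match profiles only (no generic profiles); all data is constructed.
CATEGORY_3 = {"CESL", "CESN", "CSGM"}  # page's examples; CSGM only from 6.1
SKIP_IF_MISSING = {"APPL", "TERMINAL"}  # page: no profile -> check not required

def check(profiles, user, cls, resource):
    """Outcome of one READ-access check for user on (cls, resource)."""
    if cls == "GCICSTRN" and resource in CATEGORY_3:
        return "SKIPPED (Category 3)"
    readers = profiles.get((cls, resource))
    if readers is None:
        # The page states the outcome only for APPL and TERMINAL.
        return "SKIPPED (no profile)" if cls in SKIP_IF_MISSING else "UNDEFINED (no profile)"
    return "PASS" if user in readers else "FAIL"

def trace(profiles, device, applid, default_user, gmtran):
    """Return (class, resource, user, outcome) for each check on one device."""
    kind, name = device["kind"], device["name"]
    if kind == "autoinstall":   # blank USERID -> defaultUser; gmTran check only
        user, steps = default_user, [("GCICSTRN", gmtran)]
    elif kind == "preset":      # two install-time checks, then gmTran on connect
        user = device["userid"]
        steps = [("APPL", applid), ("TERMINAL", name), ("GCICSTRN", gmtran)]
    else:                       # console: user ID passed by z/OS (USERID=*EVERY)
        user = device["userid"]
        steps = [("APPL", applid), ("CONSOLE", name), ("GCICSTRN", device["tran"])]
    return [(c, r, user, check(profiles, user, c, r)) for c, r in steps]

def unenforced(rows):
    """Checks that never consulted an access list."""
    return [(c, r, o) for c, r, _, o in rows if not o.startswith(("PASS", "FAIL"))]

PROFILES = {  # constructed: (class, resource) -> user IDs with READ access
    ("APPL", "GRAPPLID"): {"PRESET1", "OPER1"},
    ("CONSOLE", "CONS01"): {"OPER1"},
    ("GCICSTRN", "GMTR"): {"PRESET1"},
    ("GCICSTRN", "CEMT"): {"OPER1"},
}
DEVICES = [  # constructed
    {"kind": "autoinstall", "name": "TERMA"},
    {"kind": "preset", "name": "TERMB", "userid": "PRESET1"},
    {"kind": "console", "name": "CONS01", "userid": "OPER1", "tran": "CEMT"},
]

if __name__ == "__main__":
    for dev in DEVICES:
        for row in trace(PROFILES, dev, "GRAPPLID", "CICSUSER", "GMTR"):
            print(dev["name"], *row)
```

In the sample data, TERMB has no TERMINAL profile, so unenforced() reports that check as skipped even though the preset user ID passes the other two checks.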