Explicit sign-on

You can explicitly sign on either by using one of the CICS-supplied sign-on transactions CESL or CESN or by using an installation-provided sign-on transaction that uses the EXEC CICS SIGNON command.

OIDCARD users can use CESL or CESN to sign on if the card reader supports the DFHOPID identifier (AID). If it does not, use your own installation-provided sign-on transaction. When you sign on to CICS, the sign-on process involves the following phases:

Scoping

After the sign-on panel is completed and sent, CICS verifies that the user ID you entered does not match a user ID already signed on in the scope of the SNSCOPE definition for the CICS system.

Identification

CICS calls RACF® to confirm that a profile has been defined for your user ID.

Verification

CICS passes information to RACF to verify that the user ID is genuine. For RACF, this information is either a password or an OIDCARD or both. If the password entered is between 9 and 100 characters, RACF verifies it with the password phrase associated with your user ID. If the password is 8 characters or less, RACF verifies it with your standard password. A user ID can have both a standard password and a password phrase. If the password or password phrase has expired, CICS prompts you for a new password or password phrase. When the new password conforms to the RACF password formatting rules for an installation, the new password or password phrase and the date-of-change are recorded in your RACF user profile.

Passwords and password phrases operate independently of each other. You can sign on with a valid password phrase even if your standard password has expired. Similarly, you can sign on with a valid password if your password phrase has expired.

Immediately following the request to RACF for user ID and password verification, CICS clears the internal password field. This minimizes the possibility of the password or password phrase being revealed in any dump of the CICS address space that might be taken.

The CESL and CESN transactions do not warn users when a password or password phrase is about to expire. To display expiry warnings to users, you must replace CESL or CESN with your own transaction that calls a custom sign-on program. This program can use the EXEC CICS VERIFY PASSWORD or EXEC CICS VERIFY PHRASE commands to return expiry information from RACF, before using the EXEC CICS SIGNON command to make a full verification request for the user ID.

Authorization

RACF performs checks on the application name and the port of entry to verify that you are allowed to use the CICS system. In the application name check, RACF determines whether you are authorized to access the application named in the APPLID or GRNAME system initialization parameter. RACF does this by checking the access list of the CICS application profile defined in the RACF APPL resource class. (See Authorizing access to the CICS region for information about how to define profiles in the APPL resource class.)

With the port of entry check, RACF verifies that you are authorized to sign on using that port of entry. The use of defined terminals can be restricted to certain times of the day, and to certain days of the week. See Controlling access to CICS from specific ports of entry.

These checks restrict CICS users to signing on only to those CICS regions for which they are authorized, and only from terminals they are authorized to use.

Explicit sign-on, with the CESL or CESN transaction, or the SIGNON command, is performed at the port of entry.

Table 1. Explicit and implicit signons

Phase	Explicit	Implicit
Scoping	Yes	No
Identification	Yes	Yes
Verification	Yes	No except with ATTACHSEC(IDENTIFY)
Authorization	Yes	Yes

User attributes

CICS obtains CICS user attributes from the CICS and LANGUAGE segments of the RACF database.