User security in link definitions
The level of user security you require for a remote system is specified in the ATTACHSEC attribute of the CONNECTION resource definition.
CICS interprets the parameters of the ATTACHSEC attribute as described here. However, special rules apply for CICS transaction routing using CRTE, as described in Transaction routing security with MRO.
The ATTACHSEC attribute specifies the sign-on requirements for incoming requests. It has no effect on requests that are issued by your system to a remote system; these are dealt with by the remote system.
The following values of the ATTACHSEC attribute are valid with MRO:
- LOCAL
  Specifies that a user identifier is not required from the remote system, and if one is received, it is ignored. Here, CICS makes the user security profile equivalent to the link security profile. You do not need to specify RACF® profiles for the remote users. (LOCAL is the default value.)
  Specify ATTACHSEC(LOCAL) if you think that the link security profile alone provides sufficient security for your system.
- IDENTIFY
  Specifies that a user identifier is expected on every attach request. All remote users of a system must be identified to RACF.
  Specify ATTACHSEC(IDENTIFY) when you know that CICS can trust the remote system to verify its users; for example, when the remote system is another CICS.
  The following rules apply to IDENTIFY:
  - If a password is included in an attach request with a user identifier on a link with ATTACHSEC(IDENTIFY), CICS rejects the attach request and unbinds the session.
  - If a null user identifier or an unknown user identifier is received, CICS rejects the attach request.
  - If no user identifier is received, the attach is rejected unless USEDFLTUSER(YES) is specified on the connection. In this case CICS applies the security capabilities of the default user, as specified in the DFLTUSER system initialization parameter. For more information, see The CICS default user ID.
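The following added example (not part of the original documentation or of CICS) reviews a set of CONNECTION definitions and reports how each one treats incoming attach requests under the rules above. The DEFINE statements, connection and group names are constructed, the one-statement-per-line layout is a simplification, and treating an omitted USEDFLTUSER as NO is an assumption drawn from the "rejected unless USEDFLTUSER(YES) is specified" rule.

```python
import re

# Constructed sample definitions, one statement per line (not from the page).
SAMPLE = """\
DEFINE CONNECTION(CICA) GROUP(MROGRP) ACCESSMETHOD(IRC)
DEFINE CONNECTION(CICB) GROUP(MROGRP) ACCESSMETHOD(IRC) ATTACHSEC(IDENTIFY)
DEFINE CONNECTION(CICC) GROUP(MROGRP) ACCESSMETHOD(IRC) ATTACHSEC(IDENTIFY) USEDFLTUSER(YES)
DEFINE CONNECTION(CICD) GROUP(MROGRP) ACCESSMETHOD(IRC) ATTACHSEC(VERIFY)
"""

KEYWORD = re.compile(r"([A-Z]+)\(([^)]*)\)")  # matches KEYWORD(value) pairs


def parse_connections(text):
    """Return one {keyword: value} dict per DEFINE CONNECTION statement."""
    conns = []
    for line in text.splitlines():
        line = line.strip().upper()
        if not line.startswith("DEFINE CONNECTION("):
            continue  # skip comments, blank lines and other resource types
        conns.append(dict(KEYWORD.findall(line)))
    return conns


def review(conn):
    """Describe how incoming attach requests are treated on one connection."""
    attachsec = conn.get("ATTACHSEC", "LOCAL")  # LOCAL is the default value
    dfltuser = conn.get("USEDFLTUSER", "NO")    # assumption: omitted means NO
    if attachsec == "LOCAL":
        note = "received user IDs ignored; user security equals the link security profile"
    elif attachsec == "IDENTIFY":
        note = "user ID expected on every attach; remote users must be identified to RACF"
        if dfltuser == "YES":
            note += "; attach with no user ID gets the default user (DFLTUSER) capabilities"
        else:
            note += "; attach with no user ID is rejected"
    else:
        note = "value not in the MRO list (LOCAL, IDENTIFY); check the definition"
    return conn["CONNECTION"], attachsec, note


def audit(text):
    """Review every CONNECTION definition found in the text."""
    return [review(c) for c in parse_connections(text)]


if __name__ == "__main__":
    for name, attachsec, note in audit(SAMPLE):
        print(f"{name:<5} ATTACHSEC({attachsec}): {note}")
```

Connections that rely on the default (no ATTACHSEC keyword) are reported as LOCAL, which makes it visible where user security depends on the link security profile alone.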