ICS/VSE 2.3 External Security Interface: Prerequisites and Setup

CONNX for CICS/VSE 2.3 and below verifies CICS userid/password combinations via the program CNXSIGN, which invokes the CICS/VSE 2.3 External Security Program DFHXSP. The default DFHXSP program requires a terminal ID during userid/password verification; first it loads the CICS sign-on table (DFHSNT); next, it optionally invokes external security manager program DFXSE.  Both default programs can be replaced by user-written or third-party vendor-supplied versions, which must conform to standard call/return parameter blocks. For more information on setup of the CICS/VSE 2.3 External Security Interface, refer to the following document:

Title: CICS/VSE V2R3 Customization Guide

Document Number: SC33-0707-02

 

For CICS 2.3 Coexistence Environments, the following steps are necessary to install the External Security Interface:

  1. Rename the original program phases for DFHXSE and DFHXSSCO, and reassemble the versions in library.sublib PRD2.CICSOLDP;

  2. Define program DFHXSSCO to CICS/VSE via the CEDA command: 

CEDA DEF PROG(DFHXSSCO) GROUP(VSESPO) LANG(ASS) RES(YES)
RSL(PUBLIC)

  1. Define a default DFHSNT (CICS Signon Table) entry;

  2. Code EXTSEC=YES in the CICS System Initialization Table (DFHSIT) source and reassemble;

  3. Restart CICS/VSE.

 

Bypassing the CONNX CICS/VSE 2.3 External Security Interface

By default, the CONNX CICS/VSE 2.3 userid/password verification logic invokes the External Interface program DFHXSP. This logic can be bypassed by setting CONNX environment variable CNXNOPREAUTHORIZE to 1:

 

ch050117.gif

ch050118.gif
 

Caution: When CNXNOPREAUTHORIZE is set to 1, userid/password verification is bypassed. This means that the CONNX TCP/IP Listener and Server programs inherit the security attributes of the CICS userid which starts the CONNX TCP/IP Listener transaction (NX00) via the NX01 START command. This setting can be used during initial installation and testing, but it is strongly recommended that userid / password checking be enabled for production installations.  

 

Enabling the CONNX CICS/VSE 2.3 External Security Interface

To enable userid/password verification, delete the CNXNOPREAUTHORIZE environment variable via the NX01 transaction:

ch050119.gif

ch050120.gif