RACF validation in COBOL CICS program

 
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1504
Location: Chennai

Posted: Tue Apr 14, 2009 4:22 pm    Post subject: RACF validation in COBOL CICS program

Hi,

I work in a CICS based application for warehouse management.
The application is used by 300 to 400 individual warehouse users.
But the problem is the users are grouped into smaller groups like managers, workers, drivers etc...

Each of these individual user groups has a common CICS logon ID.

Example: All Managers use DELCMAA to logon to CICS application.
All Drivers use DELCDRI to logon to CICS application.
There is no specific user ID for each individual user.

Let's take this scenario,
Driver 1 signs on with DELCDRI user ID and he is working and using CICS screens.
Driver 2 tries to log in with DELCDRI, but he does not know the password and revokes the User ID.
Meanwhile the Driver 1 is not aware that the user ID is revoked and he initiates a transaction in CICS.
This transaction performs some updates, triggers some more transactions and later at some point fails.

There are 100s of transactions that the driver can initiate. So I am not specifying the details of the programs or code.

We currently do not have a mechanism to validate if an ID is active and eligible to start a transaction.

Could you please advise what could be done in this case
and is there any way that the RACF status of a user ID is checked from a COBOL program and validated.

Could you please help.

Thanks in advance,

dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

Posted: Tue Apr 14, 2009 8:42 pm

Hello,

Suggest you change from the "common" ids to user specific ids.

If management will not insist on unique ids, you may be able to change the number of failed password attempts to whatever is the maximum. Also, it would be good to reset the count each time the cics region is re-cycled.

This would be coordinated with the security people.
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1504
Location: Chennai

Posted: Thu Apr 16, 2009 2:01 pm

Hi,

Thanks for your time in this.
Quote:
Suggest you change from the "common" ids to user specific ids.


The system design is totally reliant on group user IDs and in many cases the IDs are hardcoded, so moving to specific user IDs will be very difficult and a daunting task.

Quote:
you may be able to change the number of failed password attempts to whatever is the maximum.


I will try convincing our management to increase the number of re-tries.

Is there any way to access RACF and have some return code and validate it accordingly.
Since it proves to be a good technical solution without rebuilding the system that already exists.

Thanks in advance,


Thanks again,
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

Posted: Thu Apr 16, 2009 10:19 pm

Hello,

Quote:
Is there any way to access RACF and have some return code and validate it accordingly.

I don't understand the question. . .

Please clarify.

If there is truly to be no security, why is an id ever locked? Just let them flail away until they remember or get lucky or call someone for help. . .
Terry Heinze

JCL Moderator


Joined: 14 Jul 2008
Posts: 1249
Location: Richfield, MN, USA

Posted: Thu Apr 16, 2009 10:23 pm

Quote:
Each of these individual user groups have a common CICS logon ID.

Internal auditors just love this. :)
Bill O'Boyle

CICS Moderator


Joined: 14 Jan 2008
Posts: 2502
Location: Atlanta, Georgia, USA

Posted: Thu Apr 16, 2009 11:35 pm    Post subject: Reply to: RACF validation in COBOL CICS program

Yeah, especially if there's a "SUX" (sorry, Freudian slip), I mean "SOX" compliance issue.

"SUX" is more fitting. Oxley's last name should have been Uxley. :)

Regards,
Raghu navaikulam

Active User


Joined: 27 Sep 2008
Posts: 193
Location: chennai

Posted: Sat Apr 18, 2009 1:31 am    Post subject: Reply to: RACF validation in COBOL CICS program

Hi

Quote:

Driver 2 tries to log in with DELCDRI, but he does not know the password and revokes the User ID.


As per my understanding of your problem, I have some suggestions.
To check the validity of the password for the userid you can use the following statement in your COBOL program.
Code:
EXEC CICS VERIFY PASSWORD(PWDI) USERID(UIDI) RESP(RESPONSE) END-EXEC.


Here PWDI and UIDI are map variables corresponding to password and userid fields.
IF RESPONSE = DFHRESP(NOTAUTH)
You can use a count to inform the user that the user supplied wrong password for the first time and subsequently send a message to the user based on the maximum number of password retries allowed in your system.
Please post whether this is helpful for you as per your requirements.

Regards
Raghu
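
An added example (not part of the post above or of any poster's code): a minimal COBOL CICS program that issues the same VERIFY PASSWORD command with RESP2, which lets the program tell a wrong password (RESP2 2) from a revoked user ID (RESP2 19). The program name VFYDEMO, the WS- fields and the message texts are hypothetical; UIDI and PWDI stand in for the map fields.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. VFYDEMO.
      * Added example. VFYDEMO, the WS- names and the messages are
      * hypothetical; UIDI/PWDI stand in for the map fields.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  UIDI                PIC X(8).
       01  PWDI                PIC X(8).
       01  WS-RESP             PIC S9(8) COMP.
       01  WS-RESP2            PIC S9(8) COMP.
       01  WS-MSG              PIC X(60).
       PROCEDURE DIVISION.
       MAIN-PARA.
      * In a real program UIDI/PWDI are filled by RECEIVE MAP.
           EXEC CICS VERIFY PASSWORD(PWDI) USERID(UIDI)
                RESP(WS-RESP) RESP2(WS-RESP2)
           END-EXEC.
      * Do not keep the password in storage longer than needed.
           MOVE LOW-VALUES TO PWDI.
           EVALUATE WS-RESP
               WHEN DFHRESP(NORMAL)
                   MOVE 'PASSWORD VERIFIED' TO WS-MSG
               WHEN DFHRESP(NOTAUTH)
                   PERFORM NOTAUTH-PARA
               WHEN DFHRESP(USERIDERR)
                   MOVE 'USERID NOT DEFINED' TO WS-MSG
               WHEN OTHER
                   MOVE 'SECURITY CHECK UNAVAILABLE' TO WS-MSG
           END-EVALUATE.
           EXEC CICS SEND TEXT FROM(WS-MSG) LENGTH(60) ERASE
           END-EXEC.
           EXEC CICS RETURN END-EXEC.
       NOTAUTH-PARA.
           EVALUATE WS-RESP2
               WHEN 2
      * Each failure here also counts toward the RACF revoke limit.
                   MOVE 'WRONG PASSWORD' TO WS-MSG
               WHEN 3
                   MOVE 'NEW PASSWORD REQUIRED' TO WS-MSG
               WHEN 19
                   MOVE 'USERID IS REVOKED - CALL SECURITY ADMIN'
                     TO WS-MSG
               WHEN 20
                   MOVE 'GROUP CONNECTION REVOKED' TO WS-MSG
               WHEN OTHER
                   MOVE 'NOT AUTHORIZED' TO WS-MSG
           END-EVALUATE.
```

A failed verify with RESP2 2 also increments the RACF revoke count, so an application-side retry counter does not by itself prevent the revocation described in the original question.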
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

Posted: Sat Apr 18, 2009 2:13 am

Hello,

Quote:
To check the validity of the password for the userid you can use the following statement in your COBOL program.

I suspect that if one cannot log onto CICS, one will never reach any cobol code in that region. . . :?
CICS Guy

Senior Member


Joined: 18 Jul 2007
Posts: 2150
Location: At my coffee table

Posted: Sat Apr 18, 2009 2:17 am

dick scherrer wrote:
I suspect that if one cannot log onto CICS, one will never reach any cobol code in that region. . . :?

Unless that COBOL code is in the signon program.... ;)
enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10274
Location: italy

Posted: Sat Apr 18, 2009 2:35 am    Post subject: Reply to: RACF validation in COBOL CICS program

what difference does it make that the invalid password is discovered by RACF itself rather than by a user program invoking RACF services ???

a decision must be taken anyway on what to do after a certain number of invalid passwords
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1504
Location: Chennai

Posted: Mon Apr 20, 2009 8:02 pm

Hi All,

Thanks for your time in this.

Quote:
a decision must be taken anyway on what to do after a certain number of invalid passwords


This seems to be the logical solution, I will try talking to Info Secs about this. (I can't fix your brakes, so I made the horn louder) :D

I wish there was a modded version of the command

Code:
EXEC CICS VERIFY PASSWORD(PWDI) USERID(UIDI) RESP(RESPONSE) END-EXEC.


something like,
Code:
EXEC CICS VERIFY USERID(UIDI) RESP(RESPONSE) END-EXEC.

So it can be used in program.

Thanks,
kvamsy

New User


Joined: 14 Apr 2009
Posts: 10
Location: chennai

Posted: Tue Apr 21, 2009 12:47 pm    Post subject: Reply to: RACF validation in COBOL CICS program

I don't think the command mentioned exists but what I can suggest is whenever Depot is trying to submit anything or doing crucial we can pop up one more window asking to re-enter the password so that we can reduce this kind of errors some.

What do you feel......
enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10274
Location: italy

Posted: Tue Apr 21, 2009 1:03 pm    Post subject: Reply to: RACF validation in COBOL CICS program

what to do if the user keeps on typing the wrong password ?
asking over and over for a password will not help the user to remember a forgotten one :D

again...
before giving any advice everybody should meditate on the implications of a secure environment
whatever the interface - line, full screen, pop up ( do not exist in 3270 ), ... add anything You want
a choice must be made...

1) revoke the user after a certain number ( just choose some ) of attempts
proper action in any decent environment
one of the many reasons not to have group userid
( auditability is another one )

2) do nothing and let the user keep trying,
but then why ask for the password and spend resources to implement a useless security environment

the final consideration...
security is what the name implies... security
has its costs and what appear at first glance as inconveniences
... somebody must make the choice on having it or not
All times are GMT + 6 Hours

 
