3 Security Configuration of the CICS Runtime
3.1 Authentication Configuration
CICS provides two system transactions for authentication purposes:
- CESN is the sign-on transaction;
- CESF is the sign-off transaction.
ARTTCP implements a similar authentication function by leveraging Tuxedo's security mechanisms. Two Tuxedo system services, CESN and CESF, are provided by CICS Runtime to emulate the CESN and CESF transactions of CICS.
When a terminal connects to ARTTCP, ARTTCP creates a 3270 session and the session joins Tuxedo with the default security profile. The user name defined in the default security profile plays a role similar to that of the CICS default user CICSUSER. The authentication process is then as follows:
- The operator calls the CESN transaction to sign on to Tuxedo CICS Runtime.
- CESN sends a sign-on MAP asking for a username and password.
- The username and password are entered at the terminal.
- ARTTCP re-joins Tuxedo using the username and password entered at the terminal.
- If the authentication:
  - succeeds, a success message is returned to the terminal;
  - fails, an error message is returned to the terminal, and the session keeps the default security profile.
- When the operations are complete, the operator calls the CESF service to sign off from Tuxedo CICS Runtime.
3.2 Tuxedo Security Mechanisms
ARTTCP supports three types of Tuxedo security mechanisms: application password (APP_PW), user-level authentication (USER_AUTH), and access control lists (ACL and MANDATORY_ACL).
The application password security mechanism requires that every client provide an application password as part of joining the Tuxedo ATMI application. The administrator defines a single password for the entire Tuxedo ATMI application and gives it only to authorized users. Because every client presents the same secret, APP_PW identifies no individual user. For more information on how to configure the Tuxedo application password, refer to the Tuxedo documentation.
The user-level authentication security mechanism requires that, in addition to the application password, each client provide a valid username and password to join the Tuxedo ATMI application. The per-user password must match the password associated with that username in a file named tpusr. The client name is not used. The check of the per-user password against the username and password in tpusr is carried out by the Tuxedo authentication service AUTHSVC, which is provided by the Tuxedo authentication server AUTHSVR. For more information on how to configure Tuxedo user-level authentication, refer to the Tuxedo documentation.
When Tuxedo security is enabled, a default security profile, which includes the default USER_AUTH username and password and/or the APP_PW password, is required to allow users to join the Tuxedo domain before calling the CESN service. A security profile generator tool is provided to generate the default security profile. Refer to Security Profile Generator for details.
In the case of APP_PW, the Tuxedo application password must be created in the Tuxedo configuration.
In the case of USER_AUTH, the Tuxedo application password and a Tuxedo username and password must be created in the Tuxedo configuration.
In both cases, the password (and, for USER_AUTH, the username) must be specified in the default security profile file named by the command line option (-p profile-name) of the Tuxedo ARTTCPL server. The password (and username for USER_AUTH) are used as parameters of tpinit() when the ARTTCP server joins Tuxedo. Since the profile file holds a live credential, restrict its file permissions to the account that runs ARTTCPL.
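The following UBBCONFIG fragment is an added example, not configuration taken from this page or shipped with CICS Runtime. It shows where the pieces described above are declared: SECURITY raised from the weaker settings to USER_AUTH, AUTHSVR advertising AUTHSVC and reading the tpusr file, and ARTTCPL pointed at the default security profile with -p. The host name, paths, group names, server IDs and the profile file name are assumptions, and ARTTCPL's other command line options are omitted. tmloadcf prompts for the application password when this file is loaded.

```text
*RESOURCES
IPCKEY          123456
MASTER          SITE1
MODEL           SHM
# SECURITY NONE   - no check at all: anything that can reach the IPC resources joins
# SECURITY APP_PW - one shared secret for every client; identifies nobody
SECURITY        USER_AUTH
# Service that validates the username/password passed to tpinit()
AUTHSVC         AUTHSVC

*MACHINES
DEFAULT:
        TUXDIR="/opt/tuxedo"
        APPDIR="/home/art/app"
        TUXCONFIG="/home/art/app/tuxconfig"
host1   LMID=SITE1

*GROUPS
AUTHGRP  LMID=SITE1  GRPNO=10
TCPGRP   LMID=SITE1  GRPNO=20

*SERVERS
# AUTHSVR advertises AUTHSVC; -f names the per-user password file (tpusr, maintained with tpusradd)
AUTHSVR  SRVGRP=AUTHGRP  SRVID=100  CLOPT="-A -- -f /home/art/app/tpusr"
# ARTTCPL joins Tuxedo with the credentials held in the profile named by -p
ARTTCPL  SRVGRP=TCPGRP   SRVID=200  CLOPT="-A -- -p /home/art/app/default.profile"
```

With SECURITY USER_AUTH, a 3270 session that has not yet run CESN is identified only by the username in default.profile, which is why that username should carry no more authority than CICSUSER would.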
3.3 Integration with the External Security Manager
CICS Runtime offers a security framework that allows a customer to choose integration with an external security manager. The Tuxedo application key (appkey) is used as the credential passed to the external security manager. The appkey is 32 bits long: the Tuxedo user identifier is in the low-order 17 bits and the Tuxedo group identifier is in the next 14 bits (the high-order bit is reserved for administrative keys). For more information, refer to the Tuxedo documentation.
The appkey is passed in AUTH-GROUPID.
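As an added example (not code from this page or from Oracle's CICS Runtime), the following Python packs and unpacks a Tuxedo appkey according to the layout just described, so that an external security manager adapter can recover the Tuxedo user and group identifiers before mapping them to its own principals. The bit layout is the one the text gives; the function names, the sample directory and the handling of administrative keys as a fixed principal are assumptions for this example.

```python
"""Pack and unpack a Tuxedo application key (appkey).

Layout as described in the text: 32 bits, Tuxedo uid in the low-order 17 bits,
Tuxedo gid in the next 14 bits, high-order bit reserved for administrative keys.
Function names, the ESM directory and the sample values are assumptions.
"""

UID_BITS = 17
GID_BITS = 14
UID_MASK = (1 << UID_BITS) - 1            # 0x0001FFFF
GID_MASK = (1 << GID_BITS) - 1            # 0x00003FFF
ADMIN_BIT = 1 << (UID_BITS + GID_BITS)    # 0x80000000
APPKEY_MASK = 0xFFFFFFFF


def make_appkey(uid: int, gid: int, admin: bool = False) -> int:
    """Build an appkey from a uid and gid, refusing values that do not fit their field."""
    if not 0 <= uid <= UID_MASK:
        raise ValueError(f"uid {uid} does not fit in {UID_BITS} bits")
    if not 0 <= gid <= GID_MASK:
        raise ValueError(f"gid {gid} does not fit in {GID_BITS} bits")
    key = uid | (gid << UID_BITS)
    if admin:
        key |= ADMIN_BIT
    return key


def parse_appkey(appkey: int) -> dict:
    """Split an appkey into its fields.

    The key comes from C as a long; a negative value means the admin bit was
    set and the value was sign-extended, so it is first reduced to 32 bits.
    """
    if not -(1 << 31) <= appkey <= APPKEY_MASK:
        raise ValueError(f"{appkey} is not a 32-bit appkey")
    key = appkey & APPKEY_MASK
    return {
        "uid": key & UID_MASK,
        "gid": (key >> UID_BITS) & GID_MASK,
        "admin": bool(key & ADMIN_BIT),
    }


def esm_principal(appkey: int, uid_table: dict) -> str:
    """Map an appkey to an external security manager principal name.

    uid_table is a constructed stand-in for the directory the ESM uses to
    translate a Tuxedo uid into a principal. Administrative keys are never
    looked up in the table, so an admin key cannot alias a listed user.
    """
    fields = parse_appkey(appkey)
    if fields["admin"]:
        return "TUXADMIN"   # assumed name for the administrative principal
    try:
        return uid_table[fields["uid"]]
    except KeyError:
        raise LookupError(f"no ESM principal for Tuxedo uid {fields['uid']}") from None


if __name__ == "__main__":
    table = {5: "PAYROLL1", 42: "AUDIT01"}   # constructed sample directory
    key = make_appkey(uid=5, gid=3)
    print(hex(key), parse_appkey(key), esm_principal(key, table))
```

The range checks matter on the way in as well as the way out: a uid that does not fit in 17 bits would otherwise spill into the gid field and silently change the group the ESM sees.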
An authorization function CheckResourceAuth.gnt is available for customization by the integration team. This function is called by CICS Runtime each time resource authorization must be checked for a given resource.
A default function that always returns an OK status is provided. The integration team can replace it with a project-specific version for a project where CICS resource authorization must be enforced in addition to transaction authorization.
Listing 3‑1 COBOL CICS Resource Authorization Interface
      *> Default CheckResourceAuth: approves every request (returns 0).
       WORKING-STORAGE SECTION.
       01 ret-code usage int.
       LINKAGE SECTION.
       01 AUTH-USERID       PIC X(30).
       01 AUTH-GROUPID      PIC X(256).
       01 AUTH-RSRCE-TYPE   PIC X(256).
       01 AUTH-RSRCE-NAME   PIC X(512).
       01 AUTH-ACCESS-TYPE  PIC X(6).
       PROCEDURE DIVISION USING AUTH-USERID AUTH-GROUPID
                                AUTH-RSRCE-TYPE AUTH-RSRCE-NAME
                                AUTH-ACCESS-TYPE.
      *> Status 0 = approved, -1 = refused (Table 3-2); returned here via RETURN-CODE.
           MOVE 0 TO ret-code
           MOVE ret-code TO RETURN-CODE
           GOBACK.
3.3.1 Accepting
Table 3-1 COBOL CICS Function Names for Resource Authorization
Parameter | Description |
---|---|
AUTH-USERID | Connection name of the user, limited to 8 characters |
AUTH-GROUPID | Reserved for future extension |
AUTH-RSRCE-TYPE | Type of resource being checked (see Codification) |
AUTH-RSRCE-NAME | Name of the resource to check authorization on |
AUTH-ACCESS-TYPE | Type of access requested on the resource ("READ", "ALTER", "UPDATE") |
3.3.2 Returning
Table 3-2 Function Return Status for Resource Authorization
Status Returned | Description |
---|---|
0 | Authorization approved. |
-1 | Authorization refused, or the check failed. |
3.3.3 Codification
Resource types are codified as in a native CICS/RACF environment: XTST for temporary storage resources, XFCT for files.
See the native CICS documentation for more information. The default version of this function provided with CICS Runtime always returns 0.
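The decision logic a project-specific CheckResourceAuth might implement, as an added example: this is not Oracle's CheckResourceAuth.gnt, but a Python model of the check an integration team would put behind the interface of Listing 3-1. It takes the five parameters exactly as COBOL passes them (blank-padded, fixed-width fields), uses the resource type codes and access types of Tables 3-1 and 3-2 and the Codification above, and returns 0 or -1. The policy table, user names and resource names are constructed. Because the text says the appkey is passed in AUTH-GROUPID while Table 3-1 marks that field reserved, the model does not base any decision on it.

```python
"""Model of a project-specific CheckResourceAuth decision.

Added example, not Oracle's CheckResourceAuth.gnt. Parameters arrive as the
fixed-width PIC X fields of Listing 3-1; the return value follows Table 3-2.
Policy rules, user names and resource names are constructed for this example.
"""

# Field widths from the LINKAGE SECTION in Listing 3-1
WIDTHS = {"userid": 30, "groupid": 256, "rsrce_type": 256, "rsrce_name": 512, "access_type": 6}

# Access types from Table 3-1, ordered so a grant at one level implies the lower ones
ACCESS_LEVEL = {"READ": 1, "UPDATE": 2, "ALTER": 3}

# Resource type codes as in native CICS/RACF; the text names XTST and XFCT
KNOWN_TYPES = {"XTST", "XFCT"}

# Constructed policy: (userid, resource type, resource name, highest access allowed)
POLICY = [
    ("PAYROLL1", "XFCT", "PAYMAST", "UPDATE"),
    ("PAYROLL1", "XTST", "PAYQ", "ALTER"),
    ("AUDIT01", "XFCT", "PAYMAST", "READ"),
]


def cobol_field(value: str, width: int) -> str:
    """Emulate a PIC X(n) argument: truncate or blank-pad to exactly n characters."""
    return value[:width].ljust(width)


def default_check_resource_auth(*_args) -> int:
    """Behaviour of the version shipped with CICS Runtime: approves everything."""
    return 0


def check_resource_auth(userid: str, groupid: str, rsrce_type: str,
                        rsrce_name: str, access_type: str) -> int:
    """Return 0 to approve, -1 to refuse. Any unexpected input fails closed."""
    # Strip the COBOL blank padding before comparing
    user = userid.rstrip().upper()
    rtype = rsrce_type.rstrip().upper()
    rname = rsrce_name.rstrip()
    access = access_type.rstrip().upper()
    # AUTH-GROUPID is documented as reserved: it is deliberately not consulted

    # The connection name is limited to 8 characters (Table 3-1); a longer value is
    # refused rather than truncated, so "PAYROLL1X" can never match "PAYROLL1"
    if not user or len(user) > 8:
        return -1
    if rtype not in KNOWN_TYPES or access not in ACCESS_LEVEL:
        return -1

    requested = ACCESS_LEVEL[access]
    for rule_user, rule_type, rule_name, max_access in POLICY:
        if (rule_user, rule_type, rule_name) == (user, rtype, rname):
            return 0 if requested <= ACCESS_LEVEL[max_access] else -1
    return -1   # no matching rule: deny by default


def check(user: str, rtype: str, rname: str, access: str) -> int:
    """Build the fixed-width fields the COBOL exit would receive and run the check."""
    return check_resource_auth(
        cobol_field(user, WIDTHS["userid"]),
        cobol_field("", WIDTHS["groupid"]),
        cobol_field(rtype, WIDTHS["rsrce_type"]),
        cobol_field(rname, WIDTHS["rsrce_name"]),
        cobol_field(access, WIDTHS["access_type"]),
    )


if __name__ == "__main__":
    for args in [("PAYROLL1", "XFCT", "PAYMAST", "READ"),
                 ("PAYROLL1", "XFCT", "PAYMAST", "ALTER"),
                 ("AUDIT01", "XTST", "PAYQ", "READ")]:
        print(args, check(*args))
```

The two design points worth carrying into the COBOL version are that every path that does not positively match a rule returns -1, and that an unknown resource type or access code is a refusal, not an approval, so a new CICS resource class reaching the exit before the policy is extended stays protected.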
3.4 Security Profile Generator
When Tuxedo security is enabled, a default security profile, which includes the APP_PW password and the default USER_AUTH username and password, is required to allow the user to join the Tuxedo domain before calling the CESN service.
A security profile generator tool, genappprofile, is provided to generate the default security profile for TCP.
3.5 ART for CICS 3270 Terminal Default User
If Tuxedo security is enabled, ART for CICS assigns a default user to each 3270 terminal session when the terminal connects. Until you sign on to CICS with CESN, the session can run only CESN, CSGM and CESF.
Note:
To set an empty application password, press Enter when tmloadcf prompts "Enter New Application Password". An empty application password means the APP_PW check contributes no protection.
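The session life cycle described in Authentication Configuration and in this section, as an added example that is not code from this page or from Oracle's ARTTCP: a Python model that captures the security invariant of the flow rather than the Tuxedo calls that implement it. The session starts as the default-profile user and may run only CESN, CSGM and CESF; a successful CESN switches it to the authenticated user, a failed CESN leaves it as the default user, and CESF returns it to the default user. The user table, the password hashing and the transaction names other than CESN, CSGM and CESF are constructed for this example; a real deployment keeps users in tpusr and checks them through AUTHSVC.

```python
"""Model of the ARTTCP 3270 session life cycle.

Added example, not Oracle's ARTTCP. The credential store below is a
constructed stand-in for tpusr/AUTHSVC; everything except the CESN, CSGM and
CESF transaction names is an assumption made for this example.
"""
import hashlib
import hmac

# Transactions a session that has not signed on is allowed to run
PRE_SIGNON_TRANSACTIONS = {"CESN", "CSGM", "CESF"}

DEFAULT_USER = "ARTDFLT"   # constructed name for the default-profile user


def _digest(password: str) -> bytes:
    """Constructed credential-store hashing; not Tuxedo's tpusr format."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed user table: username -> password digest
USERS = {
    "PAYROLL1": _digest("Winter-2024!"),
    "AUDIT01": _digest("Ledger#77"),
}


class TerminalSession:
    def __init__(self, users: dict = USERS, default_user: str = DEFAULT_USER):
        self.users = users
        self.default_user = default_user
        self.current_user = default_user   # the session joins as the default profile

    @property
    def signed_on(self) -> bool:
        return self.current_user != self.default_user

    def run(self, tranid: str, username: str = "", password: str = "") -> str:
        """Dispatch a transaction typed at the terminal and return the message shown."""
        tranid = tranid.strip().upper()
        if not self.signed_on and tranid not in PRE_SIGNON_TRANSACTIONS:
            return f"{tranid} REJECTED: SIGN ON WITH CESN FIRST"
        if tranid == "CESN":
            return self._cesn(username, password)
        if tranid == "CESF":
            self.current_user = self.default_user   # back to the default profile
            return "SIGN OFF COMPLETE"
        if tranid == "CSGM":
            return "WELCOME"
        return f"{tranid} RUN AS {self.current_user}"

    def _cesn(self, username: str, password: str) -> str:
        """Emulate the re-join with the terminal's credentials; failure changes nothing."""
        name = username.strip().upper()
        stored = self.users.get(name)
        # Always compare against a digest so an unknown name costs the same as a wrong password
        candidate = stored if stored is not None else _digest("")
        matched = hmac.compare_digest(candidate, _digest(password))
        if stored is None or not matched:
            return "SIGN ON FAILED"          # current_user stays the default user
        self.current_user = name
        return f"SIGN ON COMPLETE FOR {name}"


if __name__ == "__main__":
    s = TerminalSession()
    for step in [("PAYR",), ("CESN", "PAYROLL1", "wrong"), ("CESN", "PAYROLL1", "Winter-2024!"),
                 ("PAYR",), ("CESF",), ("PAYR",)]:
        print(step[0], "->", s.run(*step))
```

The point the model makes is that identity only ever moves in two places, a successful CESN and CESF, and that every rejected path leaves the session exactly as it was, so a failed or abandoned sign-on can never leave a terminal running as anyone but the default user.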