> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Itschak Mugzach
> 
> Walt, I might have used the wrong wording, but when I said LOGON to CICS
> (or any other VTAM application on a partner site), I meant it. The only
> limit I have when pentesting is for the partner company to agree to the
> signon. I have seen a few sites using no GMTRAN at all, so you sign on to
> CICS with no password and get the default user auth! There are also a few
> other VTAM applications that use an internal userid and password that is
> stored in a file. NDM is a sample for a super user that is described in a
> parameter library.

It is not possible (without some exit programming) to "sign on" to CICS
without tendering both a user ID and a password.  If a CICS region is
started with DFHSIT parameter SEC=NO, then CICS itself rejects _any_
sign-on attempt (i.e., you cannot "sign on" at all); you're "in" (as the
"default CICS user") by virtue of having connected, and can execute any
transaction defined in that region.

At the VTAM level, you cannot prevent connecting to a foreign CICS
except via requiring explicit CDRSC definitions, as others have already
noted.  Otherwise, if "your" VTAM can find the requested CICS, a session
will be established (i.e., you will be "connected").

At the CICS level (i.e., once you are "connected" to CICS), access to
the CICS region itself can be controlled via a RACF APPL profile, but
that authorization is not (cannot be) checked until sign-on is
attempted.  This requires that CICS be started with DFHSIT parameter
SEC=YES, at minimum.

    -jc-
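
An added example, not part of the original message: a small audit of a region's SIT overrides for the SEC setting discussed above. It assumes the overrides arrive as a SYSIN-style deck of KEYWORD=value pairs ending in .END; the decks, APPLIDs and function names are constructed for illustration, and the parsing is simplified.

```python
import re

# Constructed sample override decks (assumption: SYSIN-style KEYWORD=value
# pairs, '*' comment lines, terminated by .END). Not from the original post.
WEAK_DECK = """\
* constructed sample: region with CICS security switched off
APPLID=CICSTST1,
SEC=NO,
GMTRAN=CESN,
.END
"""
HARDENED_DECK = """\
* constructed sample: region with external security active
APPLID=CICSPRD1,SEC=YES,
GMTRAN=CESN,
.END
"""

# A value is either a parenthesised list or a run up to the next comma/blank.
PARAM = re.compile(r"([A-Z0-9]+)=(\([^)]*\)|[^,\s]*)")

def parse_sit_overrides(deck):
    """Return {KEYWORD: value}; the last occurrence in the deck is kept."""
    params = {}
    for line in deck.splitlines():
        text = line.strip().upper()
        if not text or text.startswith("*"):
            continue                      # blank or comment line
        if text.startswith(".END"):
            break                         # nothing after .END is read
        for key, value in PARAM.findall(text):
            params[key] = value
    return params

def audit_sec(deck):
    """Classify the deck by its SEC override, following the reply above."""
    sec = parse_sit_overrides(deck).get("SEC")
    if sec == "NO":
        return ("FAIL", "SEC=NO: no sign-on possible; anyone connected runs "
                        "as the default CICS user, APPL profile never checked")
    if sec == "YES":
        return ("OK", "SEC=YES: RACF APPL profile is checked at sign-on")
    return ("REVIEW", "SEC not set in this deck; check the assembled SIT "
                      "and any other override source")

if __name__ == "__main__":
    for name, deck in (("weak", WEAK_DECK), ("hardened", HARDENED_DECK)):
        print(name, *audit_sec(deck))
```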
