John,

Do you want me to surprise you? As your new president said: "yes, we can". SEC=YES has nothing to do with the signon procedure of CICS and how users get identified. As you know, each terminal runs the DFLTUSER (from SIT) if no user signed on. It is well documented in the manuals. This is where I start when doing a pentest.
Itschak

On Wed, Jan 14, 2009 at 5:57 PM, Chase, John <[email protected]> wrote:

> > -----Original Message-----
> > From: IBM Mainframe Discussion List On Behalf Of Itschak Mugzach
> >
> > Walt, I might have used wrong wording, but when I said LOGON to CICS (or any
> > other VTAM application on the partner site), I meant it. The only limit I
> > have when pentesting is the partner company agreeing to the signon.
> > I have seen a few sites using no GMTRAN at all, so you sign on to CICS with no
> > password and get the default user auth! There are also a few other VTAM
> > applications that use an internal userid and password that is stored in a
> > file. NDM is a sample for a super user that is described in a parameter
> > library.
>
> It is not possible (without some exit programming) to "sign on" to CICS
> without tendering both a user ID and a password. If a CICS region is
> started with DFHSIT parameter SEC=NO, then CICS itself rejects _any_
> sign-on attempt (i.e., you cannot "sign on" at all); you're "in" (as the
> "default CICS user") by virtue of having connected, and can execute any
> transaction defined in that region.
>
> At the VTAM level, you cannot prevent connecting to a foreign CICS
> except via requiring explicit CDRSC definitions, as others have already
> noted. Otherwise, if "your" VTAM can find the requested CICS, a session
> will be established (i.e., you will be "connected").
>
> At the CICS level (i.e., once you are "connected" to CICS), access to
> the CICS region itself can be controlled via a RACF APPL profile, but
> that authorization is not (cannot be) checked until sign-on is
> attempted. This requires that CICS be started with DFHSIT parameter
> SEC=YES, at minimum.
>
> -jc-
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
> ----------------------------------------------------------------------
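The SEC=NO versus SEC=YES point the thread turns on, as an added hardening example that is not from either poster: a DFHSIT override fragment with the weak setting beside the corrected one, followed by the RACF APPL profile John mentions and a restricted default user, since with SEC=YES the DFLTUSER must exist in RACF and is what every connected-but-not-signed-on terminal runs as. The region APPLID CICSPROD, the RACF group CICSUSRS and the default user id CICSDFLT are assumed names; the SIT and RACF keywords themselves are standard.

```text
* --- Weak region (constructed example): external security off ---
* With SEC=NO there is no sign-on at all; every connected terminal
* runs as DFLTUSER and may attach any transaction in the region.
SEC=NO
DFLTUSER=CICSUSER

* --- Hardened region (constructed example) ---
* SEC=YES    : call the external security manager (RACF)
* DFLTUSER   : assumed low-privilege id used until someone signs on
* XTRAN=YES  : check transaction attach against RACF
* XCMD=YES   : check SP commands (CEMT and friends) against RACF
* GMTRAN=CESN: the good-morning transaction is the sign-on transaction,
*              so a terminal is prompted for user id and password
SEC=YES
DFLTUSER=CICSDFLT
XTRAN=YES
XCMD=YES
GMTRAN=CESN

* --- RACF side (constructed example), issued from TSO ---
* Default user exists but cannot log on anywhere and sees only
* resources it is explicitly permitted to (RESTRICTED).
ADDUSER CICSDFLT NAME('CICS DEFAULT USER') NOPASSWORD RESTRICTED

* APPL profile named after the region APPLID: nobody signs on unless
* permitted. As the thread notes, this is checked at sign-on, not at
* VTAM connect, so DFLTUSER's privileges are the real exposure.
RDEFINE APPL CICSPROD UACC(NONE)
PERMIT CICSPROD CLASS(APPL) ID(CICSUSRS) ACCESS(READ)
SETROPTS CLASSACT(APPL) RACLIST(APPL)
SETROPTS RACLIST(APPL) REFRESH
```

When reviewing a region, the two things to read together are the SEC and DFLTUSER lines of the SIT (or the SYSIN overrides) and the RACF access list for the DFLTUSER id: SEC=YES with a default user that holds broad transaction access gives away the same thing SEC=NO does.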

