CICS Transaction Gateway V5 The WebSphere ... - IBM Redbooks

In contrast, Example 6-8 shows the result of an unauthorized user (CICSRS5)
attempting to access the EPIP transaction.
Example 6-8 Security failure with SignonCapable EPI test
C:\itsoctgv5\Java>java itso.cics.epi.SignonCapable tcp:\\volga SC62PJA4 CICSRS5
PASSWORD
Gateway URL: tcp://volga/
Region: SC62PJA4
Userid: CICSRS5
Password: PASSWORD
Unknown EPI error encountered
Error message was :Map is not valid
com.ibm.ctg.epi.EPIMapException: Map is not valid
at itso.cics.epi.EPIMAPMap.(EPIMAPMap.java:42)
at itso.cics.epi.SignonCapable.main(SignonCapable.java:159)
The EPIMapException error in Example 6-8 merely states that the screen received
when running the EPIP transaction was not expected. This is because we used
the EPI Map class to handle the expected output from the EPIP transaction. The
actual cause of the error can be seen by examining the CICS JESMSGLG where
the following security violation was logged.
Example 6-9 JES SYSLOG error for EPIP security violation
ICH408I USER(CICSRS5 ) GROUP(SYS1 ) NAME(CICS RESIDENT ) 552
SCSCPJA4.EPIP CL(TCICSTRN)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Flow a user ID and password with each EPI request
If your CICS application does not need to invoke an EXEC CICS SIGNON, then a
better option is to use signon incapable terminals. With this method the EPI user
is not required to explicitly sign on to CICS. Instead a user ID and password must
be supplied with each EPI request, and these are flowed in the FMH attach
header and verified for each request. A sample code snippet demonstrating this
technique is shown in Figure 6-11 on page 124. The full version of this code is
provided in our sample Java application SignonIncapable.java in the
itso.cics.epi package supplied with this book.
Chapter 6. CICS TG security scenarios 123