Chapter 16 Exercises

Section 16.1 — Security Architecture for CICS

Exercise 16.1: SIT Security Parameter Analysis

You inherit a CICS region with the following SIT parameters:

SEC=YES
XTRAN=YES
XRES=NO
XCMD=NO
XUSER=NO
XFCT=NO
XTST=NO
XDCT=NO
XPPT=NO
XDFTRAN=YES

a) Identify every security gap in this configuration. For each gap, explain what an authorized (but malicious) user could do that the system administrator probably doesn't intend.

b) Write the corrected SIT parameters for a PCI-DSS-compliant production CICS region. Justify each parameter choice.

c) Explain why XDFTRAN=YES is particularly dangerous in combination with the other settings shown. What specific attack scenario does it enable?


Exercise 16.2: Region Topology Security Design

A retail company has the following CICS architecture:

  • TOR-A: Terminal-owning region for store POS terminals (SEC=YES, XTRAN=YES)
  • TOR-B: Terminal-owning region for back-office users (SEC=YES, XTRAN=YES)
  • AOR-1: Application-owning region for sales transactions (SEC=NO)
  • AOR-2: Application-owning region for inventory transactions (SEC=NO)
  • FOR-1: File-owning region for all data files (SEC=NO)

a) Identify every security vulnerability in this topology. Be specific about attack vectors.

b) Redesign the security configuration for each region. Specify all SIT security parameters.

c) A manager argues: "We've been running this way for 10 years with no security incidents." Construct a response that addresses this argument from both a technical and compliance perspective.


Exercise 16.3: Security Domain Architecture

Draw a diagram showing the complete flow when a user enters a transaction at a TOR terminal and the transaction is routed to an AOR that accesses a file in a FOR. Show:

  • Where DFHXS is invoked
  • Where SAF calls are made
  • Where ACEE tokens are created and propagated
  • Where security caching occurs
  • What happens at each point if authorization is denied

Section 16.2 — RACF-CICS Integration

Exercise 16.4: RACF Class Activation

You're setting up CICS security for the first time in a new LPAR. Write the complete set of RACF commands to:

a) Activate all CICS-related RACF classes

b) Enable RACLIST, GENCMD, and GENERIC processing for each class

c) Explain why you need all four (CLASSACT, RACLIST, GENCMD, GENERIC). What happens if you omit each one?


Exercise 16.5: Profile Naming Convention Design

Your organization has the following CICS regions:

  • CICPROD1, CICPROD2 (production AORs)
  • CICPTOR1, CICPTOR2 (production TORs)
  • CICTEST1 (test AOR)
  • CICTTOR1 (test TOR)
  • CICDR001, CICDR002 (DR AORs)

a) Design a RACF profile naming convention that supports:

  • Different security rules per region
  • Generic profiles that apply to all production regions
  • A test environment with relaxed security for inquiry transactions
  • DR regions that mirror production security exactly

b) Write example RACF RDEFINE commands for the transaction TINQ using your naming convention.

c) Explain the profile evaluation order when multiple generic profiles match. How does RACF determine which profile to use?


Exercise 16.6: Security Caching Performance Analysis

A CICS region processes 5,000 transactions per second. Each transaction makes an average of 3 security checks (1 transaction check, 2 file checks). The RACF database is on a storage device with 2ms average response time.

a) Calculate the maximum RACF I/O load (calls per second) if no caching is in place.

b) If RACLIST reduces RACF calls by 95% and CICS security caching reduces the remaining 5% by 80%, calculate the actual RACF I/O load.

c) If each RACF call consumes 0.1ms of CPU, calculate the CPU overhead for security with and without caching.

d) Design a caching strategy: What SECTIMEOUT value balances security responsiveness with performance? Justify your choice.


Section 16.3 — Transaction-Level Security

Exercise 16.7: Transaction Security Profile Design

A bank has the following user roles and transactions:

Transaction  Description       Teller  Supervisor  Loan Officer  Manager  Auditor
TINQ         Account inquiry   Yes     Yes         Yes           Yes      Yes
TDEP         Deposit           Yes     Yes         No            Yes      No
TWTH         Withdrawal        Yes     Yes         No            Yes      No
TXFR         Transfer          Yes     Yes         No            Yes      No
TOVR         Override          No      Yes         No            Yes      No
TADJ         Adjustment        No      Yes         No            Yes      No
TLIN         Loan inquiry      No      No          Yes           Yes      Yes
TLAP         Loan approval     No      No          Yes           Yes      No
TRPT         Reports           No      No          No            Yes      Yes
CEMT         CICS management   No      No          No            No       No

a) Design the RACF group structure (group names and membership rules).

b) Write the complete set of RDEFINE and PERMIT commands for all 10 transactions. The CICS APPLID is CICSPROD.

c) How would you handle the CEMT transaction — who should have access, and at what level? Design CEMT security with command-level granularity.


Exercise 16.8: XDFTRAN Scenarios

For each scenario, determine whether the transaction will be allowed or denied, and explain why:

a) SIT: XTRAN=YES, XDFTRAN=YES. Profile CICSPROD.* exists with UACC(NONE). User JSMITH (in group TELLERS) enters transaction TNEW. No specific profile for TNEW exists. Group TELLERS has no access to CICSPROD.*.

b) Same as (a), but XDFTRAN=NO.

c) SIT: XTRAN=YES, XDFTRAN=YES. Profile CICSPROD.* exists with UACC(READ). User JSMITH enters TNEW.

d) SIT: XTRAN=YES, XDFTRAN=YES. No generic profile exists. User JSMITH enters TNEW.

e) Explain which of these scenarios represents the biggest security risk and why.


Exercise 16.9: MRO Transaction Security

A transaction TPAY is routed from TOR (APPLID=CICPTOR1) to AOR (APPLID=CICPAOR1). The following profiles exist:

RDEFINE TCICSTRN CICPTOR1.TPAY UACC(NONE)
PERMIT CICPTOR1.TPAY CLASS(TCICSTRN) ID(PAYGRP) ACCESS(READ)

RDEFINE TCICSTRN CICPAOR1.TPAY UACC(NONE)
PERMIT CICPAOR1.TPAY CLASS(TCICSTRN) ID(PAYGRP) ACCESS(READ)

a) User JSMITH is in group PAYGRP. Trace the security check at both the TOR and AOR. Will the transaction succeed?

b) User BSMITH is in group TELLERS but not PAYGRP. What happens at each region?

c) Now suppose someone removes the AOR profile (CICPAOR1.TPAY) and the AOR has XDFTRAN=NO. What happens?

d) Design a resilient MRO security configuration that handles profile synchronization between TOR and AOR.


Section 16.4 — Resource-Level Security

Exercise 16.10: File Security Matrix

Design file security profiles for the following scenario:

File      Teller  Supervisor  Loan Officer  Auditor  Batch
CUSTMAST  READ    UPDATE      READ          READ     READ
ACCTFILE  UPDATE  UPDATE      READ          READ     UPDATE
LOANFILE  NONE    READ        UPDATE        READ     READ
TXNHIST   READ    READ        READ          READ     UPDATE
CREDFILE  NONE    NONE        READ          READ     NONE

a) Write all RDEFINE and PERMIT commands. CICS APPLID is CICSPROD.

b) Explain why a teller having UPDATE access to ACCTFILE but no access to LOANFILE is significant for audit purposes.

c) The batch userid needs UPDATE to TXNHIST (to write history records) but should never read from CUSTMAST interactively. How does CICS resource security handle this distinction?


Exercise 16.11: TSQ Security Design

An application uses the following TSQ naming pattern: <USERID>-<TRANID>-<SEQUENCE> (e.g., JSMITH-TINQ-001).

a) Write generic RACF profiles that allow each user to access only their own TSQs.

b) Explain the challenge with this approach. What happens if the TSQ name doesn't follow the convention?

c) Propose an improved TSQ naming and security strategy that's both secure and manageable.


Exercise 16.12: Command Security Granularity

Design command security profiles for these three CICS operational roles:

  • Junior Operator: Can inquire on transactions, programs, and files. Cannot set or modify anything.
  • Senior Operator: Can inquire on everything. Can SET TRANSACTION ENABLED/DISABLED. Can NEWCOPY programs. Cannot CREATE or DISCARD resources.
  • CICS Administrator: Full command authority.

a) Write the RACF profiles for each role.

b) Explain how CMDSEC(YES) on the CEMT transaction interacts with these profiles.

c) Design a test matrix to validate that each role has exactly the intended authority.


Section 16.5 — Surrogate User and Web Service Security

Exercise 16.13: Surrogate User Configuration

A mobile banking app connects to CICS through a CTG using service userid MOBSVCID. The app serves 50,000 end users.

a) Write RACF profiles to allow MOBSVCID to act as a surrogate for any user in the MOBUSER group.

b) Explain the security implications if you accidentally write SURROGAT *.DFHSTART UACC(READ) instead of specific profiles.

c) Design the complete authentication flow from mobile app → API gateway → CTG → CICS TOR → AOR, showing where each security check occurs.


Exercise 16.14: SSL/TLS Configuration

Write the complete configuration to enable HTTPS on a CICS TCP/IP service:

a) Create the RACF keyring and connect certificates (server cert + CA cert)

b) Define the CICS TCPIPSERVICE with SSL enabled and mutual authentication

c) Explain what mutual TLS authentication provides that one-way SSL does not

d) A certificate expires in 30 days. Design a process to replace it without CICS downtime.


Exercise 16.15: Web Service Security Architecture

Design a complete web service security architecture for a health insurance company that needs to:

  • Expose claims status inquiry via REST API
  • Allow providers to submit claims via SOAP web service
  • Ensure HIPAA compliance for all PHI transmitted
  • Support 10,000 concurrent API sessions

a) Design the region topology with security at each layer.

b) Specify all RACF profiles needed (transaction, resource, surrogate, command).

c) Design the certificate management strategy.

d) Explain how you'd handle session management for 10,000 concurrent users.


Section 16.6 — Audit Compliance

Exercise 16.16: PCI-DSS Audit Readiness

You're preparing for a PCI-DSS audit. The auditor will ask for evidence of the following. For each, specify exactly what CICS/RACF artifact provides the evidence:

a) Req 2.1: Vendor-supplied defaults have been changed

b) Req 7.1: Access to system components is limited to individuals whose job requires such access

c) Req 8.5: Group, shared, or generic accounts are not used

d) Req 10.2: Automated audit trails for all system components to reconstruct specific events

e) Req 10.5: Audit trails are secured so they cannot be altered


Exercise 16.17: SMF 110 Analysis

An SMF 110 record contains the following fields (simplified):

Transaction ID: TACCT
Userid: JSMITH
Terminal: T001
Start Time: 14:23:45.123
End Time: 14:23:45.456
Response Time: 0.333 seconds
CPU Time: 0.012 seconds
File Operations: 3 READ, 1 WRITE
Abend Code: (none)

a) What PCI-DSS Requirement 10 fields are present in this record? What fields are missing?

b) How would you supplement this SMF record with application-level journal data to satisfy Requirement 10.3 completely?

c) Design a SIEM correlation rule that would use multiple SMF 110 records to detect a potential data exfiltration attempt.


Exercise 16.18: HIPAA Minimum Necessary Implementation

Pinnacle Health has a CICS claims processing system. The CLAIMS transaction is used by:

  • Claims processors (view billing codes, amounts, procedure codes)
  • Clinical reviewers (view diagnosis codes, treatment notes, physician information)
  • Billing specialists (view billing codes, amounts, patient contact information)
  • Auditors (view all fields, read-only)

a) Design a field-level security approach using RACF groups and EXEC CICS QUERY SECURITY in the COBOL program.

b) Write the COBOL code fragment that checks the user's role and controls which BMS map fields are displayed.

c) Explain why transaction-level security alone is insufficient for HIPAA's minimum necessary rule.


Exercise 16.19: Journal-Based Audit Trail Design

Design a CICS journal-based audit trail that captures:

  • Every customer record access (read and write)
  • Every financial transaction (deposits, withdrawals, transfers)
  • Every override/adjustment action
  • The userid, timestamp, transaction, terminal, action, and before/after images

a) Design the journal record layout (COBOL copybook).

b) Write the EXEC CICS JOURNAL commands for each audit event type.

c) Design the journal archival process to meet PCI-DSS's 1-year retention requirement.

d) How do you ensure the journal itself is tamper-proof?


Exercise 16.20: SOX Separation of Duties

A SOX auditor finds the following:

  • Developer DEVJONES has transaction authority for CEDA in the production CICS region
  • Operator OPSMITH has UPDATE access to the production load library (where CICS programs reside)
  • The same userid (BATCHID1) runs both the transaction posting batch and the reconciliation batch

a) Explain why each of these is a SOX violation.

b) Write the corrective RACF commands for each finding.

c) Design a preventive control that would catch these violations before they occur (i.e., a RACF profile structure that prevents them architecturally rather than relying on manual review).


Section 16.7 — Security Testing and Validation

Exercise 16.21: Security Test Plan

Write a comprehensive security test plan for a CICS region with:

  • 30 transactions
  • 5 user roles (RACF groups)
  • 15 secured files
  • 4 secured TDQs
  • Web service endpoint with surrogate user processing

a) Calculate the total number of positive and negative test cases.

b) Design the test matrix (which userid tests which resource with what expected outcome).

c) Estimate the time to execute manually vs. with automated EXEC CICS QUERY SECURITY testing.


Exercise 16.22: EXEC CICS QUERY SECURITY Program

Write a complete COBOL program that:

a) Reads a test matrix from a TSQ (containing userid, resource type, resource name, expected result)

b) For each entry, issues EXEC CICS QUERY SECURITY and compares the result to the expected outcome

c) Writes the results (pass/fail, details) to a TDQ

d) Handles all error conditions (invalid resource type, TSQ not found, etc.)


Exercise 16.23: Security Monitoring Rules

Design five SIEM correlation rules for CICS security monitoring. For each rule, specify:

a) The trigger condition (which SMF records, what pattern)

b) The severity level (info, warning, critical)

c) The automated response (alert, page, lock account, etc.)

d) The false positive mitigation strategy (how to avoid alert fatigue)


Section 16.8 — HA Banking System Security

Exercise 16.24: HA Banking Security Architecture

For the HA Banking Transaction Processing System:

a) Write the complete SIT security parameters for each of the six regions (TOR-1, TOR-2, AOR-PAY, AOR-ACCT, AOR-LOAN, FOR).

b) Write all RACF group ADDGROUP commands with the OWNER, SUPGROUP, and initial membership.

c) Design the security testing approach for a blue/green deployment: how do you validate security in the new (green) environment before switching traffic?


Exercise 16.25: Disaster Recovery Security

The HA banking system fails over to the DR site.

a) List every security component that must be available at the DR site for the failover to succeed.

b) Design a DR security validation procedure: what checks do you perform after failover to confirm security is intact?

c) How do you handle the scenario where the RACF database at the DR site is 2 hours behind the primary? What security decisions might be incorrect?

d) Write the RACF commands to verify that DR site profiles match production.


Integrative Exercises

Exercise 16.26: Security Architecture Review

You're conducting a security architecture review of a CICS system. The current state:

  • 3 TORs, 5 AORs, 2 FORs
  • SEC=YES on TORs, SEC=NO on AORs and FORs
  • XTRAN=YES on TORs, all other security SIT parameters at NO
  • 200 transactions, 50 RACF groups, 2,000 users
  • No resource-level security
  • No command security
  • No audit trail beyond basic SMF
  • Web services enabled with a single shared service userid and no surrogate processing
  • PCI-DSS audit in 6 months

a) Write a prioritized remediation plan. What do you fix first, second, third?

b) Estimate the RACF profile count needed for full security implementation.

c) Design a phased rollout that doesn't disrupt 2,000 users while closing the security gaps.

d) Write the executive summary for management explaining the risk of the current state and the cost of remediation.


Exercise 16.27: Security Incident Response

At 2:47 AM, the SIEM alerts: userid OPSMITH (a CICS operator) has executed 847 READ operations against the CUSTMAST file in the past 15 minutes. Normal operator activity involves zero file READ operations. OPSMITH's shift ended at 11 PM.

a) What are the possible explanations (malicious and benign)?

b) Write the immediate response procedure (RACF commands, CICS commands, evidence preservation steps).

c) What log data do you need to reconstruct the timeline of events?

d) After investigation, you determine OPSMITH's password was compromised. Write the remediation plan.
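As an added illustration of the kind of correlation rule Exercises 16.17(c), 16.23 and 16.27 ask for (example code, not part of the original exercise set): a sliding-window detector over constructed, simplified SMF 110-style records that flags a userid whose READs against one file exceed its role baseline within 15 minutes, and raises the severity when the activity is off-shift. The one-record-per-line format, the role baselines, the userid-to-role map and the 15:00-23:00 operator shift are all assumptions made for the example.

```python
"""Sliding-window detector for abnormal file READ volume per userid, run over
CONSTRUCTED, simplified SMF 110-style lines (not real SMF records):
    tranid,userid,terminal,start_hhmmss,file,reads,writes"""
from collections import defaultdict, deque

# Assumed baselines: max READs a role should issue against one file per 15-minute
# window (operators normally issue none); assumed user->role map; assumed shift.
ROLE_READ_BASELINE = {"OPERATOR": 0, "TELLER": 500}
USER_ROLE = {"OPSMITH": "OPERATOR", "JSMITH": "TELLER"}
OPERATOR_SHIFT = (15, 23)  # shift runs 15:00-23:00, i.e. ends at 11 PM

def parse_record(line):
    tran, user, term, start, fname, reads, writes = line.strip().split(",")
    h, m, s = (int(x) for x in start.split(":"))
    return {"tran": tran, "user": user, "term": term, "file": fname,
            "secs": h * 3600 + m * 60 + s, "reads": int(reads), "writes": int(writes)}

def off_shift(secs, shift=OPERATOR_SHIFT):
    start, end = shift  # True when the record's start hour is outside the shift
    return not (start <= secs // 3600 < end)

def detect_read_bursts(lines, file_name="CUSTMAST", window_min=15):
    """One alert per userid whose READs against file_name in any window_min-minute
    window exceed the role baseline (worst window reported; unknown users: 0)."""
    by_user = defaultdict(list)
    for rec in map(parse_record, lines):
        if rec["file"] == file_name:
            by_user[rec["user"]].append(rec)
    alerts = []
    for user, recs in by_user.items():
        limit = ROLE_READ_BASELINE.get(USER_ROLE.get(user, ""), 0)
        recs.sort(key=lambda r: r["secs"])
        window, total, worst = deque(), 0, None
        for rec in recs:
            window.append(rec)
            total += rec["reads"]
            while rec["secs"] - window[0]["secs"] > window_min * 60:
                total -= window.popleft()["reads"]  # expire records older than window
            if total > limit and (worst is None or total > worst["reads"]):
                late = off_shift(rec["secs"])
                worst = {"user": user, "file": file_name, "reads": total,
                         "window_end": rec["secs"], "off_shift": late,
                         "severity": "critical" if late else "warning"}
        if worst:
            alerts.append(worst)
    return alerts

# Constructed sample: OPSMITH reads CUSTMAST 847 times between 02:32 and 02:47
# (off-shift); JSMITH's teller inquiries stay within the TELLER baseline.
SAMPLE = [
    "TACCT,OPSMITH,T009,02:32:10,CUSTMAST,300,0",
    "TACCT,OPSMITH,T009,02:39:41,CUSTMAST,300,0",
    "TACCT,OPSMITH,T009,02:47:02,CUSTMAST,247,0",
    "TINQ,JSMITH,T001,14:23:45,CUSTMAST,3,0",
]
```

Running detect_read_bursts(SAMPLE) yields a single critical alert for OPSMITH with 847 READs ending at 02:47:02; the false-positive control here is the per-role baseline, which would be tuned from historical SMF 110 volumes rather than set by hand.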


Exercise 16.28: Cross-Chapter Integration

Connect the security architecture from this chapter to concepts from previous chapters:

a) How does the CICS recovery/restart mechanism (Chapter 14) interact with security? What happens to the security context when a transaction abends and is restarted?

b) How does CICS BMS (Chapter 15) interact with field-level security? Design a pattern where BMS map fields are conditionally displayed based on RACF authorization.

c) How would you secure a CICS DB2 application (from Chapter 1's z/OS overview) where DB2 has its own security model? Design the security architecture for dual CICS/DB2 authorization.