Setup of OTMA Security Level
The OTMA security levels include NONE, CHECK, FULL, and PROFILE. Decide which one best meets your installation requirements.
Alternatively, after IMS startup, you can specify or change the OTMA security level by issuing the /SECURE OTMA command with NONE, CHECK, FULL, or PROFILE.
The OTMASE= startup parameter setting and the /SECURE OTMA command do the same thing. Each establishes the OTMA security level for IMS. The /SECURE OTMA command enables you to override the OTMA security level set by the OTMASE= parameter during IMS initialization. With the /SECURE OTMA command, you can change the OTMA security level without reinitializing IMS.
The following table shows you how to set up each of the OTMA security levels.
Security Level | Startup Parameter | IMS Command |
---|---|---|
NONE | OTMASE=N<br>OTMASE=P and the security flag value N. | /SEC OTMA NONE<br>/SEC OTMA PROFILE (in the profile, the security flag value is N) |
CHECK | OTMASE=C<br>OTMASE=P and the security flag value C. | /SEC OTMA CHECK<br>/SEC OTMA PROFILE (in the profile, the security flag value is C) |
FULL | OTMASE=C<br>OTMASE=P and the security flag value F. | /SEC OTMA FULL<br>/SEC OTMA PROFILE (in the profile, the security flag value is F) |
PROFILE | OTMASE=P | /SEC OTMA PROFILE |
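Because /SECURE OTMA can override the level set at initialization, the level in effect can differ from the OTMASE= value. The following is an added example, not part of the IMS documentation: it replays /SECURE OTMA commands from a command log and reports changes that reduce RACF checking. The log line format, the function name and the sample lines are constructed for illustration, and the example assumes FULL performs more checking than CHECK.

```python
import re

# Ordering assumed by this example: higher means more RACF checking.
# PROFILE has no fixed rank because the security flag (N, C or F) in the
# profile decides the level, so a switch to PROFILE is reported for review.
RANK = {"NONE": 0, "CHECK": 1, "FULL": 2}

# Accepts both spellings used on the page: /SECURE OTMA and /SEC OTMA.
CMD = re.compile(r"/SEC(?:URE)?\s+OTMA\s+(NONE|CHECK|FULL|PROFILE)\b", re.I)

# Constructed sample input. Assumed format: "HH:MM:SS USERID command".
SAMPLE_LOG = [
    "08:00:01 OPER1 /DISPLAY OTMA",
    "09:15:42 OPER2 /SEC OTMA CHECK",
    "09:20:10 OPER2 /SECURE OTMA PROFILE",
    "23:58:03 OPER3 /sec otma none",
]


def audit_otma_changes(startup_level, log_lines):
    """Replay level changes; return (effective_level, findings)."""
    current = startup_level.upper()
    findings = []
    for line in log_lines:
        match = CMD.search(line)
        if not match:
            continue  # not a level change; ignored
        new = match.group(1).upper()
        when, user = line.split()[:2]
        if new == current:
            continue
        if new == "NONE":
            reason = "RACF is not invoked at level NONE"
        elif new == "PROFILE":
            reason = "level now depends on the profile security flag"
        elif RANK.get(current, -1) > RANK[new]:
            reason = "IMS-wide level lowered"
        else:
            reason = None  # same or stronger IMS-wide level
        if reason:
            findings.append((when, user, current, new, reason))
        current = new
    return current, findings


if __name__ == "__main__":
    level, findings = audit_otma_changes("FULL", SAMPLE_LOG)
    for when, user, old, new, reason in findings:
        print(f"{when} {user}: {old} -> {new} ({reason})")
    print("effective level:", level)
```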
OTMASE=N or /SECURE OTMA NONE
If the OTMA security level is NONE, RACF is not invoked by IMS. OTMASE=N and /SECURE OTMA NONE establish an IMS-wide security level, that is, IMS takes the same action for each message received by OTMA.
OTMASE=C or /SECURE OTMA CHECK
If the OTMA security level is CHECK, RACF is invoked by IMS and OTMA. Like the OTMA security level NONE, CHECK (or C) is also an IMS-wide security level, that is, IMS takes the same action for each message received by OTMA.
For the OTMA security level CHECK, IMS invokes RACF for the following tasks:
- Client-bid security checking for client-bid messages.
- User ID validation and ACEE creation for OTMA client applications and inducer IDs.
- IMS command authorization for command messages received via OTMA.
- IMS transaction authorization for transaction input messages received via OTMA.
- Authorization checking for subsequent IMS resources, such as transactions, databases, segments, fields, or other resources, that are requested during source-transaction processing, when the application issues a CHNG call and an AUTH call and performs a deferred conversational program-to-program message switch.