Setup of OTMA Security Level

The OTMA security levels include NONE, CHECK, FULL, and PROFILE. Decide which one best meets your installation requirements.

You establish the OTMA security level for IMS with the IMS startup parameter OTMASE= in the DFSPBxxx member of the IMS procedure library or with the /SECURE OTMA command. By default, the OTMA security level in IMS is FULL (or F). To override the default, specify a different value for OTMASE. The valid values for the OTMASE= parameter are as follows:
  • N (NONE)
  • C (CHECK)
  • F (FULL, the default value)
  • P (PROFILE)

Alternatively, after the IMS startup, you can specify or change the OTMA security level by issuing NONE, CHECK, FULL, or PROFILE on the /SECURE OTMA command.

The OTMASE= startup parameter setting and the /SECURE OTMA command do the same thing. Each establishes the OTMA security level for IMS. The /SECURE OTMA command enables you to override the OTMA security level set by the OTMASE= parameter during IMS initialization. With the /SECURE OTMA command, you can change the OTMA security level without reinitializing IMS.

Although the /SECURE OTMA command overrides the OTMASE= value, the OTMA security level specified with the /SECURE OTMA command is not maintained across an IMS restart. When IMS restarts, the OTMA security level is established by either the value of the OTMASE= keyword or its default, OTMASE=F, which applies under either of these conditions:
  • The OTMASE= keyword is not coded in startup parameters.
  • The OTMASE= keyword is specified in the startup parameters without a value.
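The restart behavior described above can be checked mechanically. The following Python sketch is an added example, not IBM or IMS code: it reads DFSPBxxx member text, works out the level that applies after a restart, and compares it with the level left by /SECURE OTMA commands issued since startup. It assumes that `*` in column 1 marks a comment line and that OTMASE= is coded at most once; the function names and the sample member and command list are constructed for illustration.

```python
import re

LEVELS = {"N": "NONE", "C": "CHECK", "F": "FULL", "P": "PROFILE"}

def restart_level(member_text):
    """OTMA security level that IMS establishes at restart from DFSPBxxx text."""
    # Assumption: a line with '*' in column 1 is a comment.
    live = "\n".join(l for l in member_text.splitlines() if not l.startswith("*"))
    # Assumption: OTMASE= is coded at most once; the first occurrence is used.
    m = re.search(r"\bOTMASE=([A-Za-z]*)", live, re.IGNORECASE)
    value = m.group(1).upper() if m else ""
    if value == "":              # keyword not coded, or coded without a value
        return "FULL"            # default OTMASE=F
    if value not in LEVELS:
        raise ValueError(f"invalid OTMASE value: {value!r}")
    return LEVELS[value]

def runtime_level(restart, commands):
    """Apply /SECURE OTMA (or /SEC OTMA) commands issued since startup, in order."""
    level = restart
    for cmd in commands:
        m = re.fullmatch(r"/SEC(?:URE)?\s+OTMA\s+(NONE|CHECK|FULL|PROFILE)",
                         cmd.strip().upper())
        if m:
            level = m.group(1)
    return level

def audit(member_text, commands):
    """Return (restart level, running level, findings)."""
    restart = restart_level(member_text)
    running = runtime_level(restart, commands)
    findings = []
    if running != restart:
        findings.append(f"running level {running} reverts to {restart} at the next IMS restart")
    for when, level in (("running", running), ("restart", restart)):
        if level == "NONE":
            findings.append(f"{when} level NONE: IMS does not invoke RACF for OTMA messages")
        elif level == "PROFILE":
            findings.append(f"{when} level PROFILE: each message's security flag picks the level")
    return restart, running, findings

# Constructed sample input, not taken from a real system.
SAMPLE_MEMBER = "* constructed DFSPBxxx fragment\nOTMA=Y,OTMASE=,\n"
SAMPLE_COMMANDS = ["/SEC OTMA NONE"]

if __name__ == "__main__":
    restart, running, findings = audit(SAMPLE_MEMBER, SAMPLE_COMMANDS)
    print(f"restart={restart} running={running}")
    for f in findings:
        print("-", f)
```

With the constructed sample, the member codes OTMASE= without a value, so the restart level is FULL while the running level is NONE; both the drift and the weak running level are reported.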

The following table shows you how to set up each of the OTMA security levels.

Startup Parameters and IMS Commands for OTMA Security Levels

| Security Level | Startup Parameter | IMS Command |
|---|---|---|
| NONE | OTMASE=N, or OTMASE=P and the security flag value N | /SEC OTMA NONE, or /SEC OTMA PROFILE (in the profile, the security flag value is N) |
| CHECK | OTMASE=C, or OTMASE=P and the security flag value C | /SEC OTMA CHECK, or /SEC OTMA PROFILE (in the profile, the security flag value is C) |
| FULL | OTMASE=F, or OTMASE=P and the security flag value F | /SEC OTMA FULL, or /SEC OTMA PROFILE (in the profile, the security flag value is F) |
| PROFILE | OTMASE=P | /SEC OTMA PROFILE |

Note: If PROFILE or P is set, the security flag value in each message received through OTMA is checked to determine whether the level NONE, CHECK, or FULL must apply to that message.

OTMASE=N or /SECURE OTMA NONE

If the OTMA security level is NONE, RACF is not invoked by IMS. OTMASE=N and /SECURE OTMA NONE establish an IMS-wide security level; that is, IMS takes the same action for each message received by OTMA.

At the OTMA security level NONE, IMS does not invoke RACF for the following tasks:
  • Client-bid security checking for client-bid messages received.
  • IMS command authorization for command messages received via OTMA.
  • IMS transaction authorization for initial input messages received via OTMA.

OTMASE=C or /SECURE OTMA CHECK

If the OTMA security level is CHECK, RACF is invoked by IMS and OTMA. Like NONE, CHECK (or C) is an IMS-wide security level; that is, IMS takes the same action for each message received by OTMA.

For the OTMA security level CHECK, IMS invokes RACF for the following tasks:

  • Client-bid security checking for client-bid messages.
  • User ID validation and ACEE creation for OTMA client applications and inducer IDs.
  • IMS command authorization for command messages received via OTMA.
  • IMS transaction authorization for transaction input messages received via OTMA.
  • Authorization checking for subsequent IMS resources, such as transactions, databases, segments, fields, or other resources, that are requested during source-transaction processing, when the application issues a CHNG call and an AUTH call and performs a deferred conversational program-to-program message switch.