Академический Документы
Профессиональный Документы
Культура Документы
TXSeries IBM
Concepts and Facilities
Version 3.0
SC09-4455-00
WebSphere Application Server Enterprise Edition
TXSeries IBM
Concepts and Facilities
Version 3.0
SC09-4455-00
Note
Before using this information and the product it supports, be sure to read the general information under
“Notices” on page 199.
Contents v
vi WebSphere: Concepts and Facilities
Figures
1. Integration of WebSphere with other 34. An example Encina queue set 82
products . . . . . . . . . . . 5 35. Relational database services . . . . 83
2. A transaction . . . . . . . . . 10 36. A TXSeries communications network 90
3. Transactions and units of work 11 37. Communication between CICS clients
4. The transaction process for CICS 12 and a CICS region. . . . . . . . 92
5. Distributed transactions . . . . . . 15 38. The CICS Transaction Gateway (from
6. An Example Three-Tiered Distributed standard HTTP browser) . . . . . 96
System . . . . . . . . . . . 17 39. The CICS Transaction Gateway (from
7. Sample Order-Entry Application 18 Java-enabled browser) . . . . . . 97
8. Sample system environment . . . . 19 40. CDS components performing a CDS
9. CICS process flow for the sample lookup . . . . . . . . . . . 100
application . . . . . . . . . . 21 41. Communicating with CICS family
10. General TXSeries architecture 24 TCP/IP support . . . . . . . . 104
11. Client systems and communications 42. Communicating via Encina PPC
gateways . . . . . . . . . . . 26 TCP/IP . . . . . . . . . . . 105
12. Resource managers . . . . . . . 29 43. Using local SNA support to
13. Transaction base services . . . . . 31 communicate across SNA . . . . . 106
14. A DCE cell . . . . . . . . . . 35 44. PPC Gateway connection to an SNA
15. Distributed Computing Environment network . . . . . . . . . . . 107
(DCE) . . . . . . . . . . . . 36 45. Using a PPC Gateway server to
16. A simple distributed configuration communicate across SNA . . . . . 108
using CICS in a non-DCE cell 46. Communications using TCP/IP, a PPC
environment . . . . . . . . . 37 Gateway server, and SNA . . . . . 110
17. A distributed configuration using CICS 47. Communications using a PPC Gateway
in a DCE cell environment . . . . . 38 server and SNA . . . . . . . . 111
18. A simple Encina Monitor configuration 39 48. Security services . . . . . . . . 119
19. The CICS environment . . . . . . 41 49. The general DCE security process 120
20. The Encina Monitor environment 43 50. Authentication of CICS users by a DCE
21. General security concepts . . . . . 48 principal and password . . . . . . 122
22. Machine with a CICS region not 51. Authenticating CICS users by a CICS
running . . . . . . . . . . . 54 userid and password . . . . . . . 126
23. Windows NT machine with a CICS 52. CICS transaction and resource
region running . . . . . . . . . 56 authentication . . . . . . . . . 129
24. Data management services . . . . . 68 53. General 3-tier application
25. General file services . . . . . . . 70 programming . . . . . . . . . 137
26. File organizations . . . . . . . . 71 54. CICS application programming 139
27. General use of queues . . . . . . 73 55. Encina application programming 145
28. An example use of queues . . . . . 74 56. CICS and Encina product architecture 171
29. CICS transient data queues. . . . . 76 57. CICS in a DCE cell environment 173
30. CICS intrapartition transient data 58. CICS in an RPC-only environment 173
queues . . . . . . . . . . . 77 59. A region using an SFS server that is on
31. CICS extrapartition transient data the same machine . . . . . . . . 175
queues . . . . . . . . . . . 78 60. Two regions sharing the same SFS
32. CICS temporary storage queues 79 server . . . . . . . . . . . . 175
33. Encina queues and queue sets 80 61. CICS configuration . . . . . . . 184
Document organization
For more details about TXSeries and WebSphere, see the following Web page:
http://www.software.ibm.com/webservers/
This chapter also briefly discusses some of the other products that are licensed
for use with Enterprise Application Server.
The IBM WebSphere Family was designed to help users realize the promise of
e-business. The WebSphere Family is a set of software products that helps
customers develop and manage high-performance Web sites and integrate
those Web sites with new or existing non-Web business systems. The
WebSphere Family consists of the WebSphere Application Server and other
WebSphere Family software that is tightly integrated with the WebSphere
Application Server and enhances its performance.
These three editions are available on two UNIX® platforms (IBM AIX® and
Sun® Microsystems Solaris™) and Microsoft® Windows NT®. WebSphere
Application Server is also available for the OS/390® and AS/400® platforms;
only one edition of WebSphere Application Server is available on these
platforms.
Enterprise Application Server contains a complete tool set for building Web
applications, for creating distributed, transactional applications that can tie
together disparate non-Web business computing resources, or for integrating
your Web and non-Web systems.
The IBM DB2 Universal Database is designed for businesses that need a
full-powered relational database server that can make use of the power of the
Internet. It combines the customer-proven strengths of IBM’s industry-leading
relational database, DB2, with a robust set of tools for managing
heterogeneous, geographically dispersed databases. It is simple enough for
small Local Area Network (LAN) environments and yet powerful enough for
large-scale distributed customer environments.
DB2 can be used by the EJB administration servers contained in the Advanced
Application Server and must be used by the EJB administration servers
contained in Component Broker. It can also be used to store persistent data
associated with entity beans with Container-Managed Persistence (CMP) in
both EJB implementations.
IBM offers a full range of application development tools for use with
WebSphere. The WebSphere Application Server Enterprise Edition for
Windows NT includes the following VisualAge products:
v IBM VisualAge for Java Enterprise Edition—VisualAge for Java is a
powerful integrated development (IDE) environment that contains many
features for building an e-business solution. This powerful IDE provides
support for developing and testing Java applications and components
written to the Enterprise JavaBeans and JavaBeans Specifications.
v IBM VisualAge C++ Professional Edition—VisualAge C++ provides a rich
environment and toolset for multiplatform object-oriented application
development. The development environment is especially valuable for
high-performance and highly computational applications. Its Open Class
Library provides advanced class libraries and frameworks to build robust
applications on AIX, OS/2, and Windows NT.
Transactions
If a task fails, any uncommitted changes are backed out automatically. This
restores recoverable resources to the consistent state they were in at the
beginning of the interrupted LUW (that is, at the most recent syncpoint or the
start of the task). This reversal process, called dynamic transaction backout,
occurs within the same task to safeguard other tasks from any chance of using
corrupted data.
Each CICS region coordinates all the facilities needed by its application
servers. For example, it coordinates the security of the application servers,
obtains data and storage that they need, and logs their transactions. Among
other advantages, multiple CICS regions can be used to provide a distributed
transaction processing environment for greater throughput and separation of
workload.
Several instances of the same transaction can be running at the same time, as
separate tasks.
The most common way for clients to communicate with servers is by using
RPCs. The RPC mechanism hides the details of network communications from
applications; a program always makes the same type of call (an RPC) to
communicate with other programs, regardless of whether the programs are
running on the same or different machines.
For example, a client can provide a form on which a user (a person working
at a data entry terminal, for instance) can enter orders for a product. The
client sends this order information to the server, which checks the product
database and performs tasks needed for billing and shipping. A single server
is typically used by multiple clients. For example, dozens or hundreds of
clients can interact with a handful of servers that control database access.
To place an order, a user interacts with the order-entry program. This program
calls the main order-entry program to do the main application functions. This
program, in turn, does the following:
v Checks for the item in a local RDBMS.
v Adds a shipping request to a central queue that is not part of the
order-entry application. This queue is processed by a central shipping
program that is also not part of the order-entry application.
These operations are all parts of the same logical unit of work. If any
operation fails (for example, if there is insufficient inventory to fill the order),
any changes are backed out and the client is told that the order cannot be
placed.
Other programs cooperate with the order-entry application but are not part of
that application. For example, the queue is processed by a separate central
shipping program and customer bills are processed by a separate central
billing program.
The sample system environment
To place an order, a user interacts with a client, which requests that a CICS
region do the main application functions. (The CICS region can run on the
same machine or on a different machine.) This CICS region runs the main
In a CICS environment, the order-entry program can run on one of the IBM
CICS Clients provided by TXSeries, and the other programs can run on a
CICS region. The transactions, programs, and other resources used by the
sample application are predefined to the CICS region, as are the identities of
the RDBMS, resource manager, and other network resources.
This section describes the CICS transaction processing flow for the order-entry
application and associated programs described in “The sample application” on
page 18. Figure 9 on page 21 shows the process flow in the sample application.
To place an order, a user interacts with the order-entry graphical user interface
(GUI) on a client machine. This starts the transaction processing flow. The
following numbered steps correspond to the numbers in Figure 9:
1. The GUI program calls the client program with a request to place an
order. The request identifies a transaction to be run and passes
appropriate parameters to qualify the request.
2. The client program calls a CICS region, passing on the request from the
GUI.
3. The CICS region verifies that the user is authorized to make the request
and that the user’s terminal is supported. If not, the user is prevented
from using the transaction processing system.
4. The CICS region assigns a task to process the new instance of the
transaction and schedules the task for processing alongside other current
tasks. The CICS region processes and monitors the order-entry request
throughout the task.
5. The CICS region starts the task, getting storage and other operating
system resources for it. It runs the first program for the transaction, the
main order-entry program. The program runs on an application server
taken from the server’s pool of such processes.
6. The main program checks and decrements the entry in the relational
database. The CICS region and the RDBMS both lock the database entry
to isolate it from update by other transactions. Only this one transaction
can update the account. The CICS region logs the change but does not
commit it until the shipping and billing operations have succeeded.
For more details, see “Part 2. More about TXSeries facilities” on page 51.
What is TXSeries?
IBM CICS Clients: TXSeries includes the following IBM CICS clients:
v CICS Universal Clients (for Windows 95, Windows 98, Windows NT, OS/2,
AIX, and Solaris)
v CICS on Open Systems Clients (for AIX, Solaris, and HP-UX)
CICS Universal Clients communicate with CICS regions on the wide range of
platforms supported by CICS. Communications can be through Transmission
Control Protocol/Internet Protocol (TCP/IP) or Systems Network Architecture
(SNA), available as a range of communications products for the client
workstation platforms or (for TCP/IP) as part of some workstation operating
systems. Clients can also communicate with other systems in an SNA
network—for example, with IBM mainframe-based CICS. To do this, the
clients and servers can use local SNA directly, or indirectly through a
Peer-to-Peer Communications (PPC) Gateway. TXSeries also includes the
Encina PPC Executive component, which provides the APIs for Logical Unit
(LU) 6.2 peer-to-peer communications, and emulation of LU 6.2 over TCP/IP.
CICS on Open Systems Clients use only DCE remote procedure calls (RPCs)
over TCP/IP to communicate with CICS regions.
Additional Products
Resource managers
The Encina Toolkit provides the transaction base services required for
distributed transaction processing systems. The Toolkit services implement a
complete transaction paradigm: nested, distributed, concurrent transactions
with recoverable storage. These transactions can be used to maintain the
consistency of data on a network in the face of communications failures,
system failures, and disk failures.
The transaction base services are grouped into the following two classes:
Toolkit Executive
The Executive provides services that permit a process to initiate,
participate in, and commit distributed transactions. These services
include transactional extensions to DCE remote procedure calls (RPCs)
that ensure transactional integrity over distributed computations
transparently. The Executive also supports nested transactions, a
feature that provides failure containment and simplifies application
development.
Toolkit Server Core
Built upon the Executive, the Server Core provides facilities for
managing recoverable data (data that is accessed and updated
transactionally). These facilities include a locking library to serialize
data access, a recoverable storage system to allow transactions to roll
back after failures, and an X/Open XA interface to permit the use of
XA-compliant resource managers.
Toolkit Executive: The following services, which are part of the Toolkit
Executive, provide support for writing client applications:
Distributed Transaction Service (TRAN)
TRAN coordinates multiple transactions, guarantees that transactions
either commit or abort consistently, supports a nested transaction
model, and manages the delivery of information about transaction
outcome to various participants.
Transactional RPC (TRPC)
TRPC provides the underlying communications mechanisms used by
the entire system, enabling transactions to be distributed to other
programs and nodes.
Thread-to-Tid Mapping Service
The Thread-to-Tid Mapping Service (ThreadTid) maintains the
association between a thread and a transaction identifier (TID),
allowing applications to determine which transaction is associated
with a thread.
Toolkit Server Core: The following services, which are part of the Toolkit
Server Core, provide support for writing server applications:
Lock Service (LOCK)
LOCK permits synchronization of accesses to data. Transactions that
run concurrently act as though each ran to completion before the next
was begun.
Log Service (LOG) and Recovery Service (REC)
LOG and REC help guarantee that changes made to data by a
transaction are permanent if the transaction commits, regardless of
system restarts or media failures, and that changes made to data by
that transaction are undone if the transaction aborts.
Volume Service (VOL)
VOL provides a logical interface to underlying physical storage that
enables volumes and files to span physical device boundaries.
DCE services
Remote Procedure Call: At the core of DCE support is the RPC. RPCs
provide a form of network-transparent communication between processes in a
distributed system. Processes use RPCs to communicate in exactly the same
way regardless of whether they are on the same machine or different
machines in the DCE cell. The DCE security service can be used to
authenticate RPCs. Authenticated RPCs can be checked for tampering and can
be encrypted for privacy. DCE uses multithreading to enable a client to have
multiple concurrent RPC conversations with servers and to enable a server to
handle many concurrent client requests.
Cell Directory Service (CDS): The CDS provides a namespace within which
network resources can be accessed by name only. Applications do not need to
know the addresses of resources. (Typical network resources are servers, users,
files, disks, or print queues.) Further, if a resource is moved, it can still be
located by the same name; application code does not need to be changed.
The CDS Server manages a database, called a clearinghouse, which contains the
names and attributes (including locations) of network resources in the DCE
cell. When a request is made for a network resource, the CDS Server
dynamically locates the resource.
The DCE Directory Service also supports a global name service for identifying
resources outside a cell. For more information, see “Using the CDS to locate
systems outside the DCE cell” on page 101.
DCE cells: A DCE cell is a group of machines, systems, users, and services
that are administered as a DCE unit. This model simplifies the
implementation and administration of security throughout a network. A DCE
cell requires the following DCE core servers:
v One or more CDS servers
v One or more Security servers
v One or more DTS servers
All of the DCE core servers can run on the same machine or on different
machines in the DCE cell. The machines can be any platform that supports
DCE.
The Security Server must run on a secure, highly available computer under
the control of a specially authorized system administrator. The registry
database is only as secure as the security provided by the machine on which
it resides. Access to the CDS is protected by the DCE Security Server so that
only properly authenticated and authorized principals can access the CDS.
The CDS Server and Security Server can be replicated to increase their
availability. Replicating the CDS Server and Security Server provides a master
of each type of server and several read-only replicas. If the database of the
master CDS Server is changed, the databases of the read-only CDS servers are
updated automatically. Likewise, if the database of the master Security Server
is changed, the databases of the read-only Security servers are updated
automatically. Normally, multiple DTS Servers are used to ensure that the
failure of one DTS server does not interfere with the synchronization of clocks
in a DCE cell.
All machines in a DCE cell run the DCE client services, which provide the
following DCE clerks. (A clerk is a DCE program that runs unattended to
provide a standard DCE client service.)
An RPC daemon
Enables DCE RPCs to be used for communications between operating
system services on the machine and DCE servers and services on
other machines. The DCE RPC daemon uses the endpoint map
database to identify servers on its machine.
A CDS clerk
Accepts requests from systems on the machine to store or retrieve
CDS information and sends requests to the CDS Server for processing.
The clerk caches the results of retrieved requests to avoid repeat
requests to the CDS Server.
A Security clerk
Verifies that the Security Server is authentic, manages the machine
principal, and certifies login contexts.
A DTS clerk
Keeps the machine’s local time synchronized with other machines in
the DCE cell by regularly asking one or more DTS Servers for the
correct time. If necessary, the DTS clerk adjusts the local time to the
correct time returned by the DTS Servers.
Example configurations
The following sections illustrate some example configurations for CICS and
Encina.
Figure 16. A simple distributed configuration using CICS in a non-DCE cell environment
Note: The CICS client machine does not have to be part of the DCE cell,
unless it also runs a CICS region that uses the DCE cell services.
The Monitor cell is part of a DCE cell, which contains another machine on
which the DCE CDS and DCE Security Services are installed.
Server location and security services are provided by DCE. The DCE RPCs
used to communicate between the Encina servers and client can be
authenticated by the DCE Security Server.
Each machine on which a CICS region can be started has a CICS permanent
database, which stores configuration details for the CICS regions. This
information includes resource definitions that define the initial characteristics of
the CICS regions and any resources, such as transactions, programs, and files,
that they use. When a CICS region is started, it loads the resource definitions
it needs into its runtime database. While a CICS region is running, it uses its
runtime database to control its processing, to track changes to its resources,
and to add new resources dynamically.
The only DCE service required by CICS is DCE RPCs, which CICS regions use
to communicate with SFS servers, other CICS regions, other servers, and CICS
on Open Systems clients. Outside a DCE cell, the security and name services
are provided by the CICS regions. To take advantage of the centralized DCE
security service and name service, it is recommended that CICS production
environments be run in a DCE cell.
Each Monitor cell has one cell manager, which coordinates the activity of
servers in the cell by communicating with node managers. Each node manager
controls server activity on a managed node.
In addition to cell and node managers, a Monitor cell contains the following:
Monitor clients
A Monitor client is the portion of an Encina application through
which users interact with the Monitor cell. Monitor clients make
requests for services provided by Monitor application servers. Monitor
clients can run on any node, including nodes that are not managed by
the cell manager.
Monitor application servers
A Monitor application server is the server portion of an Encina
application. Monitor application servers provide the services
requested by Monitor clients. A Monitor application server contains
one or more processing agents (PAs), which are multithreaded processes
that can handle either single or multiple client requests for services.
Monitor application servers must run on managed nodes.
Processing agents allow parallel processing without the administrative
overhead of running several identical Monitor application servers. A
A cell manager tracks cell contents and activities by storing and continually
updating information about servers running in the cell. It maintains this
information in its cell repository, which can be administered from any machine
in the Monitor cell.
A Monitor cell is a subset of a DCE cell, which can contain multiple Monitor
cells. Servers and clients in a Monitor cell make use of the DCE RPC, security
service, and name service.
TXSeries facilities
Business applications must not lose or corrupt their data. TXSeries preserves
data integrity by keeping track of updates and ensuring that they are
committed in a consistent way across the entire network.
Applications do not need to know where data is located; they make simple
calls for data, and servers determine where to find the data. This provides
flexibility in the distribution of data.
TXSeries manages data being passed around the business information system,
finding storage for the data while it exists and then relinquishing that storage
for reuse when the data has been processed.
CICS also supports journals, which are special files used to record data needed
to reconstruct events or changes to data; for example, as an audit trail or aid
to transaction recovery. Automatic journaling can be used for files to write
records to a specified journal if a record is read for update, a new record is
added, or an existing record is deleted.
Communications
Users interact with TXSeries through clients, which communicate with servers
(CICS regions and Encina servers) for transaction processing services. The
servers, in turn, can communicate with each other and with resource
managers (such as SFS servers and RDBMSs) and other systems to provide a
full range of services.
Each server can use multiple, parallel communications sessions with other
systems (clients and servers). The server monitors all sessions for activity so
that no user is left waiting for access.
Before a system can communicate, it must identify the remote system and
then make a connection to that system. The remote system must advertise
itself, making available binding information needed to make the connection.
This is provided by a name service, either by the CDS of a DCE cell or, in a
CICS environment, by each CICS region. Communications between systems
can be made secure, again centrally by DCE or by using services provided by
individual CICS regions.
Systems that store data in Extended Binary Coded Decimal Interchange Code
(EBCDIC) can transfer data with other systems that store data in American
Standard Code for Information Interchange (ASCII). For example, data can be
To start using a system, a user provides a user identifier (userid) and password
to prove the user’s identity to the system. This process, which can be
automatic (and hidden from the user), is known as authentication.
CICS also provides its own security services to provide authentication of users
and authorization for their access to transactions and other resources. CICS
internal security services provide a basic alternative to DCE security. These
services can make use of user-written or vendor-supplied external security
managers to enhance or replace the basic CICS internal security.
Application development
A wide range of development tools for both client and server application
segments is available for use with TXSeries, from IBM and other vendors. In
addition, TXSeries supports the development of object-oriented applications
that are based on DCE, CORBA, or a mixture of both.
TXSeries has evolved out of the well-proven CICS and Encina products and
their associated technologies. Application programs can use the standard CICS
and Encina application programming interfaces to run on hardware ranging
from personal computers to mainframes without needing major change. This
means that existing applications and programming skills can be used,
protecting and building on your investment.
Systems management
The services used to run CICS regions are in many cases the same services as
those used to process user transactions.
Note: Although this section describes a CICS region running on Windows NT,
the descriptions of resources and startup and shutdown procedures are
similar for CICS regions running on other platforms. Where
appropriate, NT-specific descriptions are noted.
In this chapter, figures are simplified to show only facilities related to the
CICS region; typically there are other facilities related to other active
applications.
This section contains an overview of what happens during the startup and
shutdown of a CICS region. It is based on a region that is predefined in the
CICS permanent database.
The main process also obtains the operating system memory that it needs.
2. The main process starts the RPC listener and, if the system was predefined
appropriately, one or more Transmission Control Protocol/Internet
Protocol (TCP/IP) listeners, the SNA listener, the named-pipe listener
(used for local 3270 terminals), and the LU0 listener. (The LU0 listener is
supported on Windows NT only.)
3. The main process establishes connections to the relational databases that it
is to use.
4. The main process creates the following management processes:
v The Log Manager, which opens the system log and waits for a request
to write the first checkpoint.
The CICS region is now started and is able to run user transactions. If any
errors occur during startup, the system generates an error message so that
appropriate action can be taken.
Recovery during restart
When a CICS region starts up after a previous shutdown, the CICS region
performs recovery processing to return the region to the same state that it was
in when it was last shut down. The CICS region automatically decides
whether to perform a warm start (following a normal shutdown) or an
emergency restart (following a system failure). You can force a cold start (in
which the system log is reset during initialization), but data integrity
problems can occur—for example, from in-doubt transactions not being
recovered.
During a restart, the system data loaded into operating system memory
during the previous run is used. For example, the resources in the runtime
database are used (and not reloaded from the permanent database).
The processes in the CICS region cooperate with other servers, such as
resource managers and security managers, to provide a complete transaction
processing environment. The region forwards to other servers the work that
they are best able to do, but provides other services to coordinate the function
of the multiple servers. For example, it passes requests to update data to SFS
servers and relational databases, but provides extra data management services
to ensure that updates are synchronized.
Task management
You can control the number of tasks running concurrently in a CICS region by
using transaction classes. You can assign certain types of transactions to a given
transaction class and limit the number of tasks that can run for transactions in
that class.
Performance optimization
User tasks (for example, adding a new employee to a payroll file) are usually
simple and do not take very long. However, the tasks are often interrelated
and share the same programs and data. Furthermore, users want short
response times. CICS regions enable the users’ work to be done most
efficiently by managing the use of operating system processing time,
resources, and access to data. A CICS region continually monitors the work to
be done and the state and performance of the operating system. It forwards
the optimum selection of work to the operating system and ensures that work
throughput is maximized. The workload can be balanced across multiple
regions to further enhance the performance of the entire system. Besides the
automatic monitoring and adjustment of work and resources, CICS regions
collect data about system performance and provide functions and interfaces
for tuning them.
You can distribute transactions across multiple CICS regions to spread the
workload across those regions. You can predefine whether a transaction
request is to be served locally (on the CICS region that received the request),
routed to a specified remote region to be run there, or routed dynamically to
any region that can run the transaction.
Program management
Program management services are used to associate a task with the application
program that is to do its work. Although many tasks can need to use the
same application program, program control loads only one copy of the code
into memory. Each task threads its way through this code independently, so
many users can run tasks concurrently using the same physical copy of an
application program.
If a task involves many interactions with the user (for example, for data to be
input), it is usually implemented as a number of programs that run in
sequence and end before the next program starts. This technique is called
pseudoconversational programming. When each program ends, it displays a
screen for the user to input data. The CICS region remembers which program
to run next to process the input, but releases the memory used by the task
and the program that ended. If that program was not being used by other
tasks, the region also reuses the memory used to hold the program. So, while
the CICS region is waiting for a user to input data, the system resources are
freed to be used by other tasks. However, the user is unaware of the program
ending and can continue to communicate with the system, almost like a
conversation.
System resource management
A CICS region frees application programs from having to negotiate with the
operating system to acquire and release resources. Each task being processed
uses processor cycles, processor memory for the programs doing the work,
and memory for the task and user data. It needs small areas of memory for
scratchpad-type calculations and, sometimes, it needs data-communications
channels, data files, and databases. For all these, the region gets the resources
needed from the operating system. It then allocates the resources to the tasks
that need them. It reacquires the resources when the tasks complete their
processing or specifically release a resource.
Controlling access to and updating data
A CICS region enables many users to share the same data. It controls the
simultaneous access to resource managers, even across multiple machines and
platforms, and preserves the integrity of data updates. For example, it
To enable many users to work at the same time, a CICS region must minimize
the users’ wait time. It uses data communication services to recognize which
user has sent a particular message and to send data to the correct user. The
region also ensures that display data is sent in a way that is compatible with
the user’s device. The CICS region does this by monitoring all communication
sessions with users, managing all the data handling and transmission, and
finding and releasing memory for the data to be worked on.
Terminal management
Recovery management
A CICS region ensures that the business system and its data are always in a
consistent state. In the event of an application or system failure (for example,
if there is a power loss and the computer system shuts down), the region can
automatically restart itself (if needed) and recover any uncompleted work that
was in progress at the time of failure, including any changes to data. If it
cannot commit data changes for a task, a region dynamically backs out the
changes to a point when the system was last in a consistent state.
The data can be provided by one or more resource managers: for example, a
Structured File Server (SFS) server; a Relational Database Manager (RDBM) such
as IBM’s Database 2 (DB2) or Microsoft SQL Server; or a queue manager, such
as the Encina Recoverable Queueing Service (RQS) or MQSeries.
Types of data
Data is a global resource available to one or more servers. Any task can read,
write, or delete data, and can share data with other tasks.
For data access, the most important difference between data stored in a
database and data stored in files or queues is the structure that the RDBM
imposes on the data. This structure dictates the application programming
interface to the data and determines how easy or hard it is to store and
retrieve the data for a particular processing requirement. If the data is
complex, the structure can be the overriding consideration.
Files
A file has one primary index, which defines the physical order of records in the
file. A file can also have any number of secondary indexes that provide
alternative sequences in which the file’s records can be accessed. An index can
be seen as a list of pointers to records in a file, where the primary index lists
the actual order of the records, and each secondary index lists the pointers in
a different order. Application programs can read, update, add, delete, and
browse data in local or remote files.
TXSeries file services (provided by SFS) are like those provided by the Virtual
Storage Access Method (VSAM) data sets. If you are moving to CICS on Open
Systems from an IBM mainframe-based CICS platform, your application
programs can use the same file access commands as used for VSAM data sets.
File organization
Before a file can be used, you must define it. For example, a file definition is
used by CICS to identify the name and location of a file, and to automatically
define the file to the appropriate file manager. The file definition also defines
the file organization (its records and indexes defined in terms of their
constituent fields).
Each field can be fixed or variable length. A record can have only one
variable-length field, which must be the last field in the record.
The three file organizations and their equivalent VSAM terms are as follows:
Records in an entry-sequenced file are stored in the order in which they are
written into the file. New records are always appended to the end of the file.
When records are deleted, the disk space they used is not automatically
reclaimed or reused; it can be reclaimed by reorganizing the file.
Entry-sequenced files are often used when the records are accessed in the
chronological order in which they were written; for example, for log files and
audit trail files. The primary index, which is stored separate from the file, lists
records in the order in which they were added to the file.
Clustered (KSDS)
A clustered file has each of its records identified by a key field in a predefined
position within the record. The keys need not be unique. The records in a file
are sorted automatically according to the value of their keys, to cluster records
with the same and adjacent keys. This reduces the cost of searching for ranges
of records.
A file’s primary index is used to access each record in the file by a unique
primary key. You can also define one or more alternate indexes, which enable
you to access the same set of records in different ways. For example, a
personnel file can have a primary index using the unique employee numbers
and an alternate index using employee names. You can then retrieve a record
by using either the employee number or name.
Adding files to an SFS server
To add files to an SFS server, you can either add each file interactively or use
schema file definitions, as follows:
v The interactive method (cicssdt) prompts you for the required attributes of
the file; for example, the file organization and the names and types of
fields. However, the file definitions are not stored, and so must be entered
again each time you want to add them. For example, if an SFS server is
cold started, all its files are discarded and must be added again.
v A schema file definition is a set of file and index specifications that can be
reused as required to add files to any SFS server.
For the general type of queue, transactions add (enqueue) elements to the tail
of the queue and remove (dequeue) elements from the head of the queue in a
first-in first-out (FIFO) manner. Each element must be read sequentially and
when read is removed from the queue. Queues support multiple simultaneous
requests to enqueue and dequeue elements, growing and shrinking in size
according to the volume of requests. A transaction can requeue elements to
another queue for alternative processing.
You can use some queues differently; for example, as a common scratchpad of
elements to be written, updated, read, and deleted by any transactions. You
can also dequeue elements in a different order from the order in which they
were enqueued.
Before a queue can be used, you must define it. For example, a queue definition
is used by CICS to identify the symbolic name and type of a queue, and to
define the queue to the appropriate queue manager.
CICS queues
Transient data queues provide the general queue functions. Temporary storage
queues are typically used for shared reading, writing, and updating by
multiple transactions; for example, as a scratchpad for shared data.
Application programs can write, read, and delete data in a transient data
queues, but cannot update such data.
Typically, the triggered transaction processes the records on the queue. The
transaction uses a principal facility to determine how it runs, as follows:
v File—the transaction runs as a background task on the same CICS region as
the queue
v Terminal—the transaction writes to a local or remote terminal
v System—the transaction takes part in a Distributed Transaction Processing
(DTP) conversation with a back-end transaction on another CICS region
Once the queue has been emptied, a new ATI cycle begins. That is, a new task
is scheduled for initiation when the specified trigger level is again reached,
whether or not execution of the earlier task has ended.
Extrapartition destinations are queues residing on any file system file (disk,
tape, and so on) that are accessible by programs on any CICS region. Data can
also be routed to output devices, such as printers. Examples of such
extrapartition data are logging data, statistics, and transaction error messages.
In general, extrapartition destinations are used for storing and retrieving data
outside the CICS region and for storing data for input to non-CICS programs.
Indirect destinations
Temporary storage queues are typically used for shared reading, writing, and
updating of data by multiple transactions; for example, as a scratchpad for
shared data.
As shown in Figure 32, temporary storage queues can be used to store data
either in main storage of the operating system, or in auxiliary storage on a
direct-access storage device. Generally, main storage is used if small amounts
of data are needed for short periods of time; auxiliary storage is used if data
is to be kept for long periods of time. Transactions can write, update, read,
and delete data in a temporary storage queue any number of times until the
queue is deleted.
Temporary storage queues are not predefined to a region, but created the first
time you write to a queue by using a new symbolic name. Any transaction
can retrieve temporary data by using the symbolic name assigned to the
queue. Specific elements (logical records) within a queue are referred to by
relative position numbers.
A temporary storage queue having only one record can be treated as a single
unit of data that can be accessed by using its symbolic name, for example, as
a scratchpad for multiple transactions. In general, use temporary storage
queues of more than one record only when direct access or repeated access to
records is necessary; transient data control provides facilities for efficient
handling of sequential files.
A CICS region can automatically delete temporary storage queues that have
not been accessed for a specified number of days. The storage occupied by
these queues is freed and becomes available again.
Encina queues
Element types are independent of queues; a single queue can contain elements
of several different element types. For example, a financial application can
have several element types defined: one each for debit, credit, and cancellation
data. Element type specifications are designed to be compatible with SFS
record specifications.
The selection of queues in a queue set can be based strictly on each queue’s
priority class (called strict prioritization) or on the weights defined by their
service levels (called weighted prioritization).
In a queue set with strict prioritization, dequeueing takes place strictly in the
order of the priority classes. Queues at the highest priority class are
considered for dequeueing first, until empty. Queues at the next highest
priority class are considered next until empty; and so on.
The priority classes and service levels collectively determine the flow of traffic
through a queue set. By altering priority classes and service levels, the
selection behavior can be adjusted in response to demands on the server or to
the requirements of client applications.
Relational databases
DB2 supports XA dynamic registration, which means that the CICS region can
drive a syncpoint in the database when the database is updated for a given
transaction. Dynamic registration can reduce the time it takes to syncpoint
when you are running in an environment with multiple XA databases and file
managers. It is particularly useful if the majority of your transactions do not
need to access a database.
SQL restrictions for non-XA-enabled relational databases
CICS can store files and queues (used by application programs or by the
system) in a DB2 database instead of an SFS server. However, consider the
following when using DB2:
v A CICS region can use only one DB2 database for its files, but can use one
or more SFS servers for user files. (The CICS region can also access remote
files through other CICS regions.)
v Some COBOL External File Handler facilities are not supported; for
example, you cannot mix transactional and nontransactional access to files
within a single application.
v Nonrecoverable files, nonrecoverable auxiliary temporary storage queues,
and transient data queues are supported as recoverable files on DB2. This
means that data is not written to a file or queue until a syncpoint is taken,
but data can be recovered after failures.
v The set of DB2 data types that can be accessed by CICS is limited. For CICS
family portable applications, use DB2 data types that are not associated
with a coded character set.
v DB2 can use either of the following table spaces:
Use DMS Table Space with CICS because, in general, it provides better
performance than SMS Table Space.
Application programs can use SQL access to a DB2 database that is also used
for CICS file and queue management.
Journals
CICS can write data to either its system journal or any of its user journals.
When a journal record is built, the data is moved to the journal buffer area.
All buffer space and other work areas needed for journal operations are
acquired and managed by CICS. An application program does not need to
know anything about the journal; it knows only which journal to use, and
what user data to supply to be written to the journal. Journal records are
written to extrapartition queues in variable-length record format.
Synchronizing journal output
When a task creates a journal record, the task can wait until the output has
been completed. The application program can then be sure that the journal
record is written to the journal’s external storage device before processing
continues; the task is said to be synchronized with the output operation.
The application program can also request asynchronous journal output. This
causes a journal record to be created in an operating system file buffer and,
optionally, initiates the data output operation from the buffer to the external
Files and queues that are accessed directly by a CICS region are defined as
local to that region. If the data is accessed by way of another CICS region, it is
defined as remote. A CICS region sends requests for a remote resource to the
remote region by means of CICS function shipping.
Note: A resource definition is also used on the remote CICS region to identify
the remote resource, and can also specify that it is on another CICS
region. In this way, function shipping requests can be passed from one
CICS region to another several times. The requesting application
remains unaware of any remote routing.
Data integrity is an issue with all shared data. When even one user updates
data, there is a risk to read integrity, in that data can become obsolete while
other users are reading it. Read integrity becomes critical, for example, when
a user is reading the data on a customer’s charge card balance to authorize a
large purchase.
If more than one user can update the files, there is greater risk to data
integrity. If two tasks try to update the same data item, they can interfere with
each other or override the change made by one task with data that does not
To work, locks must be imposed by a program that has control over all the
potential users of the data. Database managers, the access methods, the
transaction processing monitor, and the operating system all use locking to
prevent conflicts among the users they control. For example, among the tasks
in a single region, CICS enforces write integrity and, optionally, partial read
integrity.
In CICS, logical units of work (LUWs) provide the internal data consistency
required when there are processing relationships between two or more items
of data. For example, a single LUW can be used to transfer money between
two bank accounts and to record the transfer. The LUW ensures that the three
operations are all completed together so that both accounts contain consistent
data that also matches the transfer record.
Recovery
Users communicate with servers through clients. Clients are typically products
dedicated to communicating with servers and providing interfaces to users
and their application programs. Clients run on a range of platforms, for
example, laptop computers and Open Systems workstations.
If you have other devices for communicating with users, these are connected
to IBM CICS Clients. For example, an automatic teller machine (ATM) can be
connected to a client to provide its user interface to CICS. Similarly, a printer
attached to a client can be used for output from CICS.
Chapter 6. Communications 91
Figure 37. Communication between CICS clients and a CICS region
CICS Clients and CICS DCE-enabled clients provide the following user
interfaces:
The External Call Interface (ECI)
This enables a non-CICS application program running on the client
machine to call a CICS program synchronously or asynchronously, as
a subroutine. Client-based applications use simple ECI calls to pass
blocks of data to CICS regions, without needing any special
communication code.
The External Presentation Interface (EPI)
This enables an application program running in the client to invoke a
CICS transaction on the server. The transaction is executed as though
it is started from a 3270 terminal. The transaction returns a 3270 data
stream to the client, which can present it in a graphical user interface
(GUI). This enables technologies such as graphical or multimedia
interfaces to be used with traditional 3270 CICS applications without
changing the CICS applications.
3270 terminal and printer emulation
This enables the client workstation to function as a 3270 terminal or
printer. Existing CICS applications can be ported to the TXSeries
environment (for example, from mainframe CICS regions) without
change, as long as users have client machines that run the 3270
emulator. The user of a CICS client can enter cicsterm commands to
IBM CICS Clients can communicate directly with IBM mainframe-based CICS
via APPC, usually through a local area network (LAN) and an SNA gateway.
In an IBM LAN, gateway communication facilities are provided by SNA
running on the gateway machine.
You can also communicate between a CICS client and IBM mainframe-based
CICS through an intermediate CICS region to which the client is connected.
This makes use of CICS intercommunication facilities, described in “CICS
intercommunication facilities” on page 112.
CICS regions support requests from IBM CICS Clients by means of TCP/IP
and SNA listener processes running on the CICS regions. (See Figure 37 on
page 92.) The listener process communicates with a corresponding process on
the client machine and imitates the flows between CICS regions. (For more
information about listeners, see “CICS listeners” on page 112.) When a CICS
Client connects to a CICS region, the server automatically installs a
communications definition that identifies the CICS Client and other
Chapter 6. Communications 93
communication attributes for it. For an EPI or cicsterm request, the server also
installs a terminal definition that it uses to identify the 3270 characteristics of
the CICS Client.
The server can require that the client provide a userid and password for the
connection to be made. If so, the client can get the userid and password from
either of the following:
v Its file of servers that it can connect to. In this file, the client administrator
can define the default userids and passwords to be used for connections to
the servers.
v A user entry, prompted by a pop-up box displayed by the client if there are
no defaults defined for the connection. The values entered are used for the
connection, and stored as the default for connections to the server.
For additional security, a server can require that clients provide a userid and
password on any ECI, EPI, or cicsterm request made for an existing
connection, as follows:
v An ECI application can have a userid and password coded in it. On an ECI
request, the client can automatically pass those values to the server. If the
values are invalid, a security error is returned to the ECI application.
v For EPI and cicsterm requests, there is no facility to automatically provide a
userid and password.
v For EPI and cicsterm requests, and ECI requests without a valid userid and
password, the client displays a pop-up box prompting the user to enter
new values. Those values are sent to the server and stored by the client as
the default for connections to the server.
If a valid userid and password are not provided, the request is refused but the
connection remains in place.
The CICS clients can communicate with CICS regions by using the following
protocols:
v TCP/IP
v APPC
You can provide access to CICS from the Internet by using the CICS
Transaction Gateway. This gateway enables Internet access to existing CICS
2370 applications and allows a Java-enabled Web browser or network
computer to download a Java applet and transparently access CICS data and
applications.
The CICS Transaction Gateway incorporates the CICS Universal Clients and is
available on OS/2, Windows NT, AIX, and Solaris platforms.
Chapter 6. Communications 95
accessed by Web browsers on diverse platforms with no change to either the
browser or the CICS application.
Figure 38. The CICS Transaction Gateway (from standard HTTP browser)
The CICS Transaction Gateway resides on the Web server machine and
dynamically builds Web pages containing the CICS data and transmits them
to the Web browser.
The CICS Transaction Gateway is a Java application that runs on the same
Web server machine as the CICS Client. Access to the Web server and so to
the CICS applications is from any Java-enabled browser such as Netscape
Navigator, or a network computer (NC). A typical configuration using the
CICS Transaction Gateway is shown in Figure 39 on page 97.
CICS DCE-enabled clients (both RPC-only clients and clients that use the full
services of DCE) use DCE remote procedure calls (RPCs) to communicate with
CICS regions and provide the same EPI, ECI, and 3270 interfaces as other IBM
CICS Clients.
When a CICS DCE-enabled client connects to a CICS region, it can pass its
DCE principal to the CICS region. If that principal is not associated with a
user definition for that CICS region, or if a principal is not passed, the user is
signed on to CICS with the region’s default userid. If the principal is
associated with a user definition, the user is signed on with that userid.
If you are using DCE security, CICS DCE-enabled clients are authenticated
when they start up and use authenticated RPCs for communication with CICS
regions.
Chapter 6. Communications 97
Communicating with CICS Telnet clients
A CICS Telnet server enables Telnet clients to connect to CICS regions running
on the same machine as the server. Telnet clients are available on a number of
operating systems, including Windows NT, OS/2, MVS, AIX, and other Open
Systems platforms.
CICS regions use DCE RPCs to communicate with other CICS regions, SFS
servers, PPC Gateway servers, DCE-enabled CICS clients, PPC applications,
and other CICS regions that use DCE RPCs. The Encina Monitor uses DCE
RPCs for all its communications. In a DCE cell, authenticated RPCs can be
used for greater communications security.
For two servers to communicate, each server needs information to locate the
other server. Servers use a name service to provide this information, called
binding information. Binding information consists of the following:
v A protocol sequence, which indicates the network protocol to be used
v A server host, which indicates the machine the server is running on
v The endpoint, which indicates how to contact the server
On each machine in the network, an endpoint map database stores the endpoint
information (the process address for contacting a system) for all systems on
that machine.
If the communicating systems are using the DCE CDS, then all of the binding
information is created and maintained automatically. If you move a system
from one machine to another within that DCE cell, you do not have to change
any of the binding information. In addition, the DCE CDS is required by DCE
security services.
The DCE CDS Server provides a central naming service for a DCE cell,
enabling principals in that cell to be located by simple names regardless of
where they are located. The CDS lookup process used to determine the names
within a DCE cell is shown in Figure 40 on page 100.
Chapter 6. Communications 99
Figure 40. CDS components performing a CDS lookup
If a CDS Server receives a lookup request with a global name for a system in
another (remote) DCE cell, it sends the request to the DCE Global Directory
Agent (GDA). The GDA sends the request to a DCE global name service,
which returns the address (binding information) to the CDS Server in the
remote DCE cell. The local CDS clerk that made the lookup request then
connects to the remote CDS server to obtain the information as if that remote
CDS server was in the local DCE cell. The server in the local DCE cell can
then use DCE RPCs to communicate with the system in the remote DCE cell.
Network protocols
When two systems communicate, they need to agree on the set of rules to use
to interpret the data they exchange. These rules are known as network
protocols, and they are defined in a network architecture. The network protocol
also defines the form of acknowledgment processing that transactions on two
communicating systems use to ensure that their data updates are
synchronized. The form of this acknowledgment depends on the
synchronization levels defined by the IBM Systems Network Architecture (SNA).
In addition, CICS on Open Systems can emulate SNA LU 6.2 across TCP/IP
networks. This allows connectivity across TCP/IP between a local region and
the following:
v Other CICS on Open Systems regions
v CICS for OS/2 and CICS for AIX regions
v IBM CICS Clients
v Encina PPC-based applications
For more information about the effect of network protocols, see the following
sections:
v “SNA synchronization levels”
v “Communicating across TCP/IP connections”
v “Communicating across SNA connections” on page 105
v “Mixing the communications methods” on page 109
CICS and the Encina Monitor support all three synchronization levels defined
by SNA, across both SNA and TCP/IP networks. The SNA synchronization
levels are as follows:
Synchronization level 0 (NONE)
SNA provides no synchronization support. The application must code
its own.
Synchronization level 1 (CONFIRM)
SNA provides the ability to send simple acknowledgment requests.
Synchronization level 2 (SYNCPOINT)
SNA provides the ability for two or more systems to treat the updates
made by an application on these systems as one logical unit of work
(LUW).
Communicating across TCP/IP connections
IBM CICS Clients can also use CICS family TCP/IP to connect to a CICS
region. When the first request is made, a TCP/IP connection is acquired
between the two systems. This connection remains acquired while both
systems are active, and it can carry many concurrent intersystem requests
flowing in either direction.
A CICS region can accept TCP/IP connections on one or more TCP/IP ports
in the local machine and on one or more TCP/IP network adapters. This
flexibility enables your region to connect to a large number of remote regions
and clients.
Note: CICS family TCP/IP support does not provide the same level of
security as PPC TCP/IP. This is discussed in “An introduction to secure
communications” on page 114.
Figure 41 on page 104 illustrates a CICS on Open Systems region using CICS
family TCP/IP to communicate with a CICS for OS/2 system and an IBM
CICS Client.
PPC TCP/IP
CICS can use PPC TCP/IP for all types of intercommunication with CICS
regions. It also allows DTP with Encina applications and communication with
SFS servers and PPC Gateway servers.
The Encina Monitor uses TCP/IP for all communication between Encina
Monitor clients, servers, and resource managers.
Systems communicating with PPC TCP/IP must be in the same DCE cell if
they use the CDS. If the system you wish to communicate with is running on
a machine in a different DCE cell, then you must make use of DCE’s global
naming services. If the system you wish to communicate with is not running
on a machine in a DCE cell, then consider using CICS family TCP/IP support
or SNA support.
When an intersystem request is made, CICS uses the name service to locate
the remote region. Then a TCP/IP connection is set up between the two
Local SNA support provides the fastest SNA connectivity offered by CICS. It
enables CICS applications to communicate with every other member of the
CICS family, and IBM CICS Clients to use SNA to communicate with CICS.
Local SNA support requires SNA to be installed and configured on the same
machine as the CICS region.
As shown in Figure 44, CICS and Encina can communicate with an SNA
network by using a PPC Gateway server. Communication with the PPC
Gateway server uses PPC TCP/IP, and the PPC Gateway server provides
synclevel 2 communication across the SNA network. This allows applications
to ship or accept transactions from other systems that use LU 6.2, such as IBM
mainframe-based CICS, CICS for OS/2, and CICS/400. The PPC Gateway
uses a mechanism (called the PPC Executive) to ensure that transaction
semantics are preserved across distributed processes and can emulate APPC
protocol. If you are using the DCE CDS as a name service, the PPC Gateway
server must be in the same DCE cell as the CICS or Encina servers that use
the gateway. The PPC Gateway server uses SNA to connect to the remote SNA
systems. SNA must be on the same machine as the gateway.
CICS and the Encina Monitor are the only transaction processing monitors
that can do this at synclevel 2, and CICS is the only one to integrate seamlessly
the mainframe-based transaction processing environment with the distributed,
workstation-based environment.
Figure 45 on page 108 illustrates a CICS on Open Systems region using the
PPC Executive to connect to a PPC Gateway server machine, which in turn
connects to a SNA network.
A CICS region can use more than one PPC Gateway server. Using multiple
gateway servers enables you to do the following:
v Spread the network links from a large number of remote machines across
more than one gateway machine, and thus across multiple SNAs
v Introduce redundancy, so that if one PPC Gateway server fails, there is
another available as a backup
You can mix the communication methods used to connect your CICS regions.
For example, a CICS region can communicate with another CICS region over
TCP/IP, while also communicating over SNA using both local SNA support
and a PPC Gateway server. Figure 46 on page 110 shows a CICS on Open
Systems region that is communicating with another CICS on Open Systems
region using TCP/IP. PPC TCP/IP is used because both regions are in the
same DCE cell. The CICS on Open Systems region is also communicating
across an SNA network to another CICS system, some APPC workstations and
a CICS for MVS/ESA system. The communications with the CICS system and
the workstations is using local SNA support. Local SNA support was chosen
because CICS and the APPC workstations do not support synchronization
level 2. The communications with CICS for MVS/ESA is using a PPC
Gateway server because synchronization level 2 support is required. The PPC
Gateway server is running on the same machine as the CICS region and is
using the same SNA.
Communication between a CICS region and IBM CICS Clients uses either the
TCP/IP listener or the local SNA listener, depending on whether the clients
are connected via TCP/IP or SNA.
When two SNA systems first establish contact, they agree on the maximum
synchronization that they will use. The synchronization level for each
individual task is then determined either by the system or by the application
program.
If the remote system and the communication network are able, CICS uses the
following synchronization levels across both SNA and TCP/IP:
v Synchronization level 2 for function shipping, asynchronous processing, and
DPL requests to a remote system
Some of the systems that your CICS region can connect to store data in
different character encodings. For example, data is held in the Extended
Binary-Coded Decimal Interchange Code (EBCDIC) format on a IBM
mainframe-based CICS system, and in the American Standard Code for
Information Interchange (ASCII) format on CICS for OS/2. There are also
differences between CICS on Open Systems data and CICS for OS/2 data,
where the codes used for some characters vary and the method used for
representing numbers is different.
If data is transferred between two systems, it can require conversion from the
format used on the sending system to that used by the receiving system. CICS
converts some data, such as the filenames in function shipping requests,
without user setup. For other data, such as file records, you can define the
types of conversion to be applied to specified fields in data records. Exits and
user-replaceable conversion programs are available.
Note: Microsoft SNA Server does not provide mechanisms needed by CICS
for Windows NT to receive data conversion information from other
The most secure model uses DCE cell security. It is required for use with the
Encina Monitor but is optional for Customer Information Control System
(CICS).
Note: For CICS regions, you can start with the CICS security services, which
can be sufficient for a basic CICS environment. You can then migrate to
a DCE security model at a later date. For comprehensive security, such
as required by production CICS regions, the security services of DCE
are recommended.
More detail about the security services used by TXSeries is shown in Figure 48
on page 119. The authentication and authorization services shown are
described in this chapter. Other communication security services, such as
flowed userids and encrypted bind flows are described in “Ensuring secure
communications” on page 132.
Within a DCE cell, the DCE Security Server provides a centralized security
service, based on its database of security information about network resources.
A CICS region that does not participate in a DCE cell has its own database of
users and processes logon requests by itself. (See “The TXSeries security
model using CICS” on page 126.) Users and systems that do not participate in
a cell but access the cell are treated as unauthenticated principals, for which
you assign special security privileges.
To take part in a DCE cell, a principal (user or system) proves its identity by
authenticating to DCE. A user typically logs into DCE and specifies a
principal and password. A system authenticates automatically when it starts
up by getting its private key (encrypted password) from its DCE keytab file,
which is located on the machine on which it runs. In both cases the DCE clerk
on the principal’s machine sends the principal’s identifier and password to the
DCE Security Server to be checked by its authentication service.
The DCE Security Server authenticates the principal and gives it an encrypted
time-stamped ticket that is passed to any process that the principal starts.
Tickets are used to indicate that the principal has been authenticated and
enable the principal to communicate in a secure way with the DCE Security
Server and with other principals in the DCE cell.
When a principal requests access to a resource, the privilege service of the DCE
Security Server adds the principal’s authorization credentials to the ticket that
the principal passes to the resource manager. The resource manager
communicates with the DCE Security Server to decrypt the ticket and verify
that the principal is authorized to access the resource. The DCE Security
Server compares authorization credentials with the access control list (ACL) for
the resource. The ACL, stored in the DCE security database, identifies the
principals that are authorized to access the resource, and the type of access
that they can use. For example, the ACL for a Structured File Server (SFS) file
indicates whether a principal can read, write, create, or delete records.
The DCE process for authenticating users of a CICS region is based on the
authentication outlined in “The general DCE security process” on page 120.
The extra steps, shown in Figure 50 on page 122, are as follows:
Each CICS region has a special userid called the default userid. This userid is
for users who access the CICS region but do not have a userid predefined in
that region’s runtime database. To maintain the security of the CICS region,
predefine the default userid with limited access to public resources only.
Systems outside a DCE cell can communicate with servers within it. (See
“Using the CDS to locate systems outside the DCE cell” on page 101.)
Preventing unauthorized access from those systems depends on whether or
not they are running in another DCE cell. If the remote system is running in
another DCE cell, you can configure both DCE cells for secure
communication. To do this, you create a principal representing the remote cell
in both DCE cells. Both principals share the same private key. The two
security databases (one in each DCE cell) are known as mutual authentication
surrogates, and the two DCE cells that maintain those surrogates are known as
trust peers. It is through those surrogates that the DCE Security Servers in each
DCE cell can convey to each other the information about their respective
principals. This enables a principal in one DCE cell to acquire a ticket to a
principal in the other cell.
If the remote system is not part of any DCE cell, then special precautions need
to be taken to validate and secure communication from that system. For
example, communication from a CICS region outside a DCE cell can be
treated as secure (if it is across a trusted connection) or as insecure. For
insecure communication, the receiving CICS region can assign a userid with
limited authorization specifically for that connection.
This section outlines the DCE security information used to provide security in
a CICS environment. For more information, see the following sections:
v “Using CICS user definitions with DCE security”
v “DCE groups used by CICS”
v “Principals for CICS regions” on page 125
v “ACLs for SFS files” on page 125
v “DCE ACLs used in CICS” on page 125
Each CICS region has a table of predefined user definitions that are loaded into
its runtime database when the region starts up. These user definitions define
the userids, CICS passwords, and DCE principals for people who can access
the CICS region.
With DCE security, the user definitions determine the DCE principal to be
authenticated for a user. When you define a CICS userid, it automatically
creates the associated DCE principal.
Users who have been authenticated by DCE are signed in to a CICS region
with either their predefined CICS userid, or a special default userid for the
CICS region. This userid is then used to control access to CICS transactions
and resources, as described in “CICS authorization security” on page 128.
When the DCE Security server is configured for CICS, it defines the following
DCE Security groups for that DCE cell:
v cics_admin. Contains principals, such as the DCE principal cell_admin, for
user accounts that are permitted to administer CICS regions and the servers
that it uses. For example, to administer an SFS server, you must be
authenticated as a member of the cics_admin group.
v cics_regions. Contains principals for CICS regions.
v cics_user. Contains principals for users.
v cics_sfs. Contains principals for SFS servers.
v cics_ppcgwy. Contains principals for Peer-to-Peer Communications (PPC)
Gateway servers.
The DCE Security Server uses the principals for CICS regions, SFS servers,
and PPC Gateway servers to authenticate those servers.
Each CICS region establishes a DCE principal in the DCE security database
with a name derived from the region name and the prefix cics/. This principal
is known as the region principal. For example, the principal for region SALES
can be cics/SALES. The account for that region principal is made a member of
the DCE groups cics_users and cics_regions. The password for the account is
randomly generated and stored in encrypted form in the keytab file when the
region is started and is regenerated periodically as required. Only the CICS
region and a properly authorized CICS systems administrator can access the
keytab file to obtain the password of the region principal.
To provide security for SFS files, the SFS server can be configured to permit
access by authenticated RPCs only. When such an SFS server is started in a
CICS environment, ACLs for the SFS files are set so that only CICS region
principals are permitted access. This means that CICS users cannot access the
files directly. They must use CICS because only a CICS region can access the
files.
If the SFS server is run unauthenticated, ACLs are set to permit access to the
server by any principal and unauthenticated user. SFS files then permit access
by any principal.
CICS uses the following types of DCE ACLs to define the privileges of the
DCE groups used by CICS:
v Parent container objects. These ACLs control access to the types of servers
and services used by CICS.
v Server container objects. These ACLs control access to individual CICS
regions, SFS servers, and PPC Gateway servers in the DCE cell.
v Leaf (file) objects in SFS container objects. These ACLs control access to
individual files and queues in an SFS.
The ACLs for parent container objects are created automatically when DCE is
configured for CICS. When a CICS region, SFS server, or PPC Gateway server
is created, its ACL is created automatically.
In the CICS security model, each CICS region authenticates users and
incoming communication and authorizes access to the resources of that
system. The security service provided by a CICS region can be enhanced or
replaced by using an external security manager (ESM) called from CICS.
For incoming work requests, a CICS region can check userids and passwords
to provide basic authentication of users. This sign-on process, shown in
Figure 51, can be enhanced by using an ESM called from the CICS region. The
server logs all unsuccessful sign-on attempts.
Note: A CICS region does not have to authenticate users. It can rely on
authorization checking and secure communications, or run without
security (for example, in a standalone development CICS region).
You can use an ESM instead of, or with, CICS internal security to authenticate
CICS users and authorize access to CICS transactions and other resources. The
ESM is a user-supplied program that allows you to define your system’s own
security mechanism for preventing unauthorized access to resources from
application programs and the unauthorized initiation of CICS transactions.
(CICS provides a sample ESM module to demonstrate the interface that you
need to conform to if you choose to write your own ESM.) You must identify
the ESM to the CICS region at startup; you possibly need to identify the CICS
region to the ESM.
CICS passes information about the user, transaction, and resource to the ESM.
The ESM uses this, and possibly other information such as DCE ACL entries,
to determine whether authorization is allowed. The CICS region must then be
informed, through the interface, of the ESM’s authorization decision.
If you change the ESM during the life of a region, you must perform a warm
start to make the ESM valid for all application servers. Otherwise, the
changed ESM applies only to tasks running under application servers started
after the ESM was changed, which can lead to inconsistencies in security
within the region.
It is best to design your ESM so that it stores its data separately from the
program itself. You can then access security data at all times, without needing
to restart CICS.
In a DCE cell, RPCs can be used to restrict access to resource managers from
only properly authenticated servers. To restrict access for specific users, you
can use CICS authorization security or an ACL manager for DCE ACLs.
Both techniques are based on the use of security keys. Each transaction and
other resource in the CICS region has a predefined key. Several resources can
have the same key, forming a group of resources with the same
authorizations. Resources can also be defined as public (if available to all
users) and private (if available to only specially trusted transactions). Each
user has a predefined set of keys that must match the keys of transactions and
other resources that the user needs. Keys used to authenticate user
transactions are called transaction level security (TSL) keys, and keys used for
other resources are called resource level security (RSL) keys.
Consider the example shown in Figure 52 where a user attempts to run two
transactions and use them to access two files. The following actions take
place:
v The user is predefined to run transactions with TSL keys 1, 2, 4, and 7, and
to use those transactions to access resources with RSL keys 1, 5, 8, and 11.
v A request for TRN1 (predefined with TSL key 7) succeeds, because the user
has a matching TSL key. However, a request for TRN2 (predefined with TSL
key 6) fails, because the user does not have that TSL key.
v The user runs TRN1, which tries to read several files. The request for FILE1
(predefined with RSL key 1) succeeds, because the user has a matching RSL
key. The request for FILE2 (predefined with RSL key 3) fails, because the
user does not have that RSL key.
v Any attempt to access an unauthorized transaction or resource returns an
error to the application program and adds an entry in the system log.
CICS internal security cannot use DCE ACLs and authenticated RPCs to
restrict access to specific users. Instead, it uses RSL and TSL keys to determine
which users can run which transactions and access which resources. You can,
however, write an ESM that uses ACLs to authorize specific users to run
transactions and access resources. For example, an ESM can enable you to
restrict some users of a CICS region to read-only access for a file while other
users of that CICS region have write access for that file.
When a CICS Client connects to a CICS region, the region can require that the
client provide a default userid and password to be used for all requests from
the client. The client can automatically provide the default userid and
password (by using a file); otherwise, the client user is prompted to enter
appropriate values. The server then uses its standard user authentication to
determine the identity and authorization of the userid. (See “The TXSeries
security models” on page 117.)
If this userid has insufficient authority to process a request, the client can
automatically send a new userid and password for External Call Interface
(ECI) requests or, for External Presentation Interface (EPI) and 3270 terminal
emulation requests, prompt the client user to enter a new userid and
password. For 3270 terminal emulation requests, you can also specify that the
first transaction used (on the server) is the CICS sign-on transaction, CESN.
This forces the user to enter a valid userid and password.
For more information, see “Connecting and authenticating IBM CICS Clients”
on page 93.
Notes:
1. You can restrict the ability of client users to connect to servers by
protecting the command used to connect clients.
2. You can use normal workstation security facilities to restrict use of a client
workstation.
3. If a client uses the CICS Transaction Gateway, you can also use Web
security to secure user access to CICS from web browsers.
Web security services
You can make your own network secure by using authentication and
authorization. If your network is connected to the Internet, you can create a
security barrier, called a firewall, between your network and the Internet, and
you can make your communications across the Internet more secure. A
firewall forms a barrier between a secure, internal, private network and
The security from a web browser to the CICS Transaction Gateway (via the
web server) is provided by the following Internet communication standards:
v Secured Hypertext Transport Protocol (S-HTTP)
v Secured Sockets Layer (SSL)
These ensure that information is encrypted and arrives safely at its intended
destination. In addition, the CICS Transaction Gateway offers the following:
v Authentication, via built-in support for userids and passwords that are
authenticated by CICS applications servers. The gateway also provides an
External Security Interface (ESI) that enables customer applications to verify
userids and passwords and to change expired passwords.
v Authorization, which is provided as a standard function of each CICS
server, enabling customers to control what transactions a given end user
can run and what data that user can access.
Any Telnet client that knows the port that a CICS Telnet server is listening on
can use that server to access CICS. Therefore, to create a secure CICS Telnet
environment, the following actions are recommended:
v Require Telnet clients to sign on to CICS by ensuring that the Telnet Server
always invokes the CESN transaction as the first transaction. (You do this
by starting the Telnet Server with a special option.) If CESN fails, the user
is signed on as the default userid. Therefore, define the default userid with
restricted access.
v Restrict execution access to the Telnet server program to a small and
controlled set of operating system userids. You can do this by altering the
permissions on the program executable.
v If you are using DCE security, set up the Telnet server program to run with
the DCE principal that you have defined for the region’s default userid.
This means that Telnet client users are given the same access as you have
set up for unauthenticated users. Alternatively, you can create a principal
In a DCE cell, both CICS and Encina can use authenticated RPCs to protect
communication between systems. The authentication checks are made by the
DCE Security Service.
A CICS Client or CICS region can send a userid (and optionally a password)
on a CICS intersystem request. The receiving CICS region can then use that
flowed userid or a userid that is defined locally to control access to its
resources.
The SNA LU 6.2 architecture has optional support for flowing userids and
passwords between SNA connected systems. This is called conversation-level
security (or sometimes attach security or conversation security). As this security is
optional, each system needs a definition of the level of security it is able (or
wishes) to accept from a particular remote system. You can set up a different
conversation security acceptance level on each end of a connection between two
systems. The possible levels of security acceptance are as follows:
Conversation-level security not supported or required
Userids and passwords cannot be sent to this system. Sending them is
considered an SNA protocol violation.
Conversation-level security supported
Userids can be sent to this system but must be accompanied by a
valid password. This level is used to receive userids from a system
that does not have its own security manager and so cannot verify its
own users (as with CICS for OS/2).
Already verified supported
Userids can be sent to this system without a password because the
remote system is trusted to have verified the userid against a
password before the intersystem request was sent. CICS for
MVS/ESA, CICS/ESA, CICS/MVS, CICS/VSE, and CICS on Open
Systems always send verified userids. A SNA-connected system that
wishes to receive userids from those CICS regions must accept
already-verified userids.
Persistent verification supported
The verification for a userid and password pair persists over a
number of intersystem requests. Both the userid and password are
sent on the first request. Then, if they are valid, only the userid is
required on subsequent requests. The userid can be sent without a
password for a user-defined period of time, or until the initiating
system sends a sign-off request.
Note: Microsoft SNA Server does not allow CICS regions to flow
already-verified userids with intersystem communication outbound
requests.
Authorizing access to resources
Presentation logic
Presentation logic is used for communications between the end user
and the transaction processing system. Presentation logic in an
CICS provides the following two APIs that enable non-CICS applications on a
client machine to use the facilities of connected CICS regions. These APIs,
common to all IBM CICS Clients, are as follows:
v “The External Call Interface” on page 140
v “The External Presentation Interface” on page 141
IBM CICS Clients also provide you with access to CICS regions from the
Internet.
With the ECI, you can write applications that do the following:
v Call a CICS program in a CICS region from a non-CICS program
v Connect to several servers at the same time
v Have several outstanding program calls at the same time
v Access CICS programs, files, transient data queues, temporary storage, and
transactions
v Exchange data between the client and the server
Synchronous calls made by an ECI application return control when the called
server program completes; the information returned is immediately available.
Asynchronous calls return control without waiting for the called server
program to complete, and the ECI application is notified when the
information becomes available.
With the ECI, you can also retrieve information about available servers to
which the calls are directed.
With the EPI, you can write applications that do the following:
v Allow a non-CICS application program to be viewed as a 3270 terminal by
a CICS region to which it is connected
v Connect to several servers at the same time
v Have several outstanding program calls at the same time
v Schedule transactions that send output to client applications
When a transaction is initiated, 3270 data streams and events are passed
between the CICS region and the EPI-connected application. The application
can present the contents of the terminal I/O to its user in any appropriate
The EPI consists of functions, data structures, and events. The EPI functions
define application programming calls, such as installing new terminals to be
controlled by a process, sending data from a terminal, and terminating the
process. The EPI data structures define EPI data, such as reason codes, details
of events, terminal details, and sense codes. The EPI events are used to
respond to events, for example, when a transaction sends data and expects a
reply.
ECI and EPI application programs that run on CICS clients can be written in
COBOL, C, or C++. Programs that do not make operating-system-specific calls
are portable between the CICS client products. Client application programs
can use both the ECI and the EPI. To use the ECI and EPI, programs must be
linked to the appropriate ECI and EPI libraries.
For more information about client programming, see the CICS Family:
Client/Server Programming book.
Reference information about the CICS commands available (on all CICS
platforms) is in the CICS Application Programming Reference. For information
about preparing applications developed on other platforms to run with CICS
on Open Systems, see the CICS Application Programming Guide.
The CICS Internet Inter-ORB Protocol (IIOP) Object Request Broker (ORB)
enables CICS applications to communicate with applications that use the IIOP
protocol that was defined as part of the Common Object Request Broker
Architecture (CORBA). CORBA clients can use communicate with CICS
applications, and CICS applications can send requests to CORBA servers.
Interface Definition
Each interface is made up of one or more related functions. Servers can offer
one or more interfaces to clients. The clients then invoke the functions in that
interface by using RPCs.
Transactional Interfaces
The Encina Toolkit provides several interfaces for managing transactions. Each
of these interfaces includes methods for starting and ending (committing or
aborting) transactions, retrieving information about transactions, and
performing other transactional work. The interfaces are as follows:
v Tran-C
v TX (the X/Open standard transactional interface)
v The Distributed Transaction Service (TRAN)
v Tran-C++
v The Object Management Group Object Transaction Service (OMG OTS)
RQS applications queue and dequeue elements to queues that are maintained
by an RQS server. Applications queue elements to specific queues.
Applications can dequeue from specific queues or from a queue set (a group
of queues that implements prioritized dequeueing). Applications can also
access elements by element IDs, by key, or by using cursors to scan elements
in a queue.
Applications can access SFS files sequentially and randomly. For random
access, an index is used to locate a single record that matches an index key
value. Sequential access involves using key values to select multiple records
and then sequentially stepping through those records (either forward or
backward).
One of the most important aspects of COM is that a COM component can be
used to create an application in any language. Once instantiated in a client, a
COM object acts as a proxy for the client, marshaling and unmarshaling data
to contact a server and returning data and status information back to the
client.
From an Encina point of view, COM enables you to develop clients that use
Encina COM components to contact Encina servers, manage transactions, and
manage DCE login contexts simply by instantiating Encina COM objects and
calling standard members functions on those objects. The Encina COM
components transparently handle many of the tasks normally required of an
Encina client.
Because Encina COM-based clients use DCE, the machine on which such a
client is developed or run must be configured as a DCE client.
The Encina COM component completely wraps the Encina interface and stub
functionality. To the client programmer using an Encina COM component,
nearly all of the underlying client/server interactions are transparent.
Of the components that make up Encina++, some can be used only with
Encina++/DCE or only with Encina++/CORBA, while some can be used by
either or both.
The Encina++ programming interfaces that are supported only for DCE
(including mixed applications) provide object-oriented access to two types of
Encina servers offering specialized services:
v The Recoverable Queueing Service C++ interface (RQS++) defines C++
classes and functions for enqueueing and dequeueing data transactionally
at an RQS server.
v The Structured File Server C++ interface (SFS++) defines C++ classes and
functions for manipulating data stored in record-oriented files at an SFS
server while maintaining transactional integrity.
The Encina Data Definition Language (DDL) compiler is used to generate the
classes used by RQS++ and SFS++ applications.
Encina++ provides two programming interfaces that are supported only for
CORBA (including mixed applications): one defines a locking mechanism for
CORBA-based servers, and the other enables you to develop Java
transactional clients that can communicate with Encina++ servers.
Encina tools available only on Windows platforms
For more information on developing applications that use the Encina COM
API, see “Encina COM API” on page 148.
Application programs running under CICS or Encina can access data held in
relational databases. To access such data, the application programs issue SQL
calls to the database. An application program must be precompiled with the
appropriate Relational Database Management System (RDBMS) precompiler,
linked to appropriate RDBMS libraries, and generally needs some way of
defining which database the program’s SQL calls are to be used on.
Both CICS and Encina use the underlying Transaction Manager Service
(TM-XA) to map transaction events to XA calls. TM-XA translates all
information about transaction context and scope into appropriate XA calls that
it sends to the XA resource manager (database). It uses the XA protocol to
communicate transaction prepare, commit, and abort states to resource
managers involved in those transactions.
You can develop presentation interfaces that make use of client ECI and EPI
interfaces and the local 3270 terminal interface. With ECI calls, the
presentation interface on the client makes no use of CICS presentation
functions and communicates directly with a user application program on the
CICS region. With client EPI calls and calls to local 3270 terminals, the
presentation interface makes use of CICS 3270 terminal support on the CICS
You use the CICS BMS processor to translate BMS source files, which contain
the definitions of map sets, into a symbolic map and a physical map. The
symbolic map is a programming source language data structure (a C or C++
structure) used by the compiler to resolve source language references to fields
in the map. The physical map contains the information necessary to display
the map on a physical terminal and instructions for embedding control
characters within a data stream to achieve this display. You can create
different national language versions of the same physical map, and leave it to
the CICS region to determine automatically the appropriate map to display
for the language defined for a client user.
Application programs that include CICS API commands are processed by the
command language translator that translates the CICS API commands into
statements in the language used. This translator accepts as input a source
program written in COBOL, C, C++, or PL/1 where CICS API commands are
coded, and produces as output an equivalent source program where each
command is translated into statements in the language of the source program.
You can then compile and link-edit your programs by using the COBOL, C,
C++, or PL/1 compilers.
You can also use the CICS-provided CECS transaction to interactively check
the syntax of commands used in your application programs.
The tasks involved are described in other TXSeries books, primarily Planning
and Installation Guide, CICS Administration Guide, and Encina Administration
Guide Volume 1: Basic Administration.
The administrative tool used to configure and manage CICS depends on the
operating system you are using. For example, you can use the IBM TXSeries
Administration Tool for CICS on Windows NT or the System Management
Interface Tool (SMIT) for CICS on AIX. The tools simplify and automate the
administrative procedures. The IBM TXSeries Administration Tool is described
in “The IBM TXSeries Administration Tool (Windows NT only)” on page 158.
You can also use other tools, such as CICS commands and transactions.
The CICS administration tools are designed to manage the CICS environment
on one machine. To use them, you log into the machine as a systems
administrator, then invoke the tool that you want to use. To manage the CICS
environment on several machines, you can use standard techniques to log into
each machine remotely and use the tools on those machines. For example, you
can use one machine as a single point of control (SPOC), with sessions set up
to run tools on other machines. You can control access to the administration
tools by controlling access to the SPOC machine. You can use CICS-supplied
Configuration
Configuration is the stage during which you specify or modify the settings that
define the properties of the CICS environment. You can use the administrative
tools to create CICS regions and SFS servers, and to set up the related settings
in DCE and your operating system.
Configuring CICS
To define the properties of a CICS region to be started, you first create the
CICS region. This adds a region definition to the CICS permanent database on
the machine. In a DCE cell, the administrative tool automatically creates the
DCE principal and account, the access control lists (ACLs), and the keytab file
for the CICS region (using DCE facilities).
As part of configuration, you also create a resource definition for each resource
used by a CICS region, or by user applications that run on the CICS region. A
resource definition describes the properties of the resource and how it is to be
treated by CICS. For example, you create a transaction definition for each
transaction that can be processed by a CICS region.
Configuring DCE
CICS can use a number of DCE services, from DCE remote procedure calls
(RPCs) for communications to the core services of a DCE cell. Configuring
DCE client services for CICS is described in the Planning and Installation Guide
and the CICS Administration Guide. The DCE tools provided with TXSeries (or
DCE) are described in “DCE administration tools” on page 169.
For file management, CICS can use either an SFS server or an IBM DB2
database. The region can be configured to access the file manager either
locally or remotely.
Before your application programs can use data in DB2, you must configure
DB2 for use with CICS.
Starting and stopping servers
You can use your administrative tool to start and stop CICS regions and SFS
servers.
Monitoring systems
While your CICS regions are running, you can monitor their operation and
change runtime settings of the regions and the resources that they use. You
can also use monitoring facilities to resolve any problems that occur.
Besides the routine monitoring of CICS, you can analyze the performance of
CICS in more detail. To do this, you can use CICS tools to create and view the
following information:
Generally, when managing the CICS environment, you use the IBM TXSeries
Administration Tool. If you need to do more specialized tasks you can use
other tools; for example, the CICS SFS Diagnostic Tool and the DCE Director.
The IBM TXSeries Administration Tool uses a number of CICS commands and
offline utilities that can also be entered directly from the command line. The
CICS commands
For a detailed description of the CICS commands, see the CICS Administration
Reference.
The CICS Control Program, cicscp: The main CICS command is the CICS
control program, cicscp. This provides a standard command interface for
configuring, starting, and stopping the components that make up a CICS
environment. This command is designed for users new to the CICS
environment, and makes it easy to configure, start, and stop the environment.
The CICS SFS Diagnostic Tool, cicssdt: This tool provides a powerful,
interactive interface to SFS. You can use it to manage user files on SFS servers.
For example, you can create new files, list all files on the SFS server, read and
write file records, and transfer and convert a Virtual Storage Access Method
(VSAM) file to SFS.
The CICS SFS Import Tool, cicssfsimport: This tool adds files to SFS based
on predefined schema file definitions.
The CICS DB2 Diagnostic Tool, cicsddt: This tool is used to manage user
files on DB2 databases. For example, you can create new files, list all files on
the database, and transfer and convert a VSAM file to DB2.
You can use several CICS transactions to operate running CICS regions,
including the following:
CEMT
This command is used to dynamically manage a running CICS region
and its resources.
CECI This command is used to run CICS commands.
CEDF
This command is used to debug CICS application programming
interface (API) program statements.
Enconsole can also administer servers that do not use the Encina API. These
generic servers are built with shell programs or the C programming language.
Generic servers do not rely on Encina or DCE capabilities. You can build your
own communications systems, ordering and purchasing systems, financial
systems, and other transaction processing systems that interact with the
Encina Monitor and with other Encina applications.
The Enconsole interface displays three windows into the Encina cell: one that
shows all servers, one that shows all nodes, and one that shows all system
messages. You can use this cohesive view of the Encina cell to monitor the
system and to troubleshoot problems from any network location.
The Enconsole interface includes menus, with which you direct Enconsole to
perform operations; forms, with which you specify the information necessary
for Enconsole to perform operations; and display screens, which provide status
information about servers and the operations being performed on them. Most
aspects of the interface are similar to other graphic interfaces.
Online help is available for Enconsole display screens, forms, and fields. The
help displays information about how to use the online help, how to do
administrative tasks using Enconsole, and about the components of the
current window, for example, the screens, forms, fields, menu options, and
common buttons.
Enconsole provides access to the DCE settings for each Monitor application
server. The settings for principals and keytab files control user access to
critical information and resources, and provide protection from misuse, theft,
and tampering. Additionally, Enconsole uses the DCE Cell Directory Service
(CDS) to manage information about the resources necessary for open,
distributed client/server applications.
Enconsole provides access to the Encina settings for each Monitor application
server. The Encina settings ensure availability and recovery for each server.
The Encina Toolkit components provide fatal and warning messages through
Enconsole. This communication helps you reduce downtime by making it
easier to recognize and respond to errors.
Enconsole provides ways to start and stop Monitor application servers, and
other servers that they use, individually from any network location. You can
also monitor the startup and shutdown messages for all servers.
Enconsole also provides ways to automate server administration. You can use
Enconsole to create a server set that starts or stops a collection of servers, or
you can create schedules–procedural plans that specify times at which to start
or stop servers.
Enconsole also provides ways to correct transaction failures. You can abort
unresolved transactions, and you can release all locks held by a prepared
transaction and force the transaction to abort, commit, or finish.
Many initial tasks required for defining servers (such as creating, allocating,
and mirroring volumes) are performed when you complete the fields on
The tkadmin commands are always available whether or not you choose to
use Enconsole. The two interfaces are compatible; tkadmin commands (as
well as other Encina command suites) can be used to administer a server
started with Enconsole.
The following CICS and Encina resources can be monitored and managed by
GEM:
v CICS regions
v Encina cell managers (ecm)
v Encina node managers (enm)
v Recoverable Queueing Service (RQS) servers
v Peer-to-Peer Communications (PPC) Gateway servers
v Structured File Server (SFS) servers
v Monitor Application servers (MAS)
v Generic servers (GS)
Using the GEM console
The GEM console provides administrators with a way to plan, build, verify,
and control business systems. A business system is a group of network
resources that work together to perform a specific business function. An
Encina Monitor cell or a CICS system can constitute a complete business
system or be part of a larger one.
Control views
Administrative tasks that can be performed in GEM are a small subset of the
overall functionality available through the standard CICS and Encina
administrative interfaces. GEM is not a replacement for the standard CICS and
Encina administrative interfaces. For example, you cannot use GEM to install,
fully configure, or fine tune Encina Monitor cell or CICS system resources.
CDS administration
The DTS clients and servers do not have a configuration file or database, but
are controlled by parameters specified for the commands used to manage
them.
Both CICS and the Encina Monitor are based on standard DCE services that
provide secure, authenticated, client/server interoperability across diverse
platforms. At the heart of DCE is the Remote Procedure Call (RPC), used by
both CICS and the Encina Monitor to open connections, to organize data into
a stream suitable for transmission, and to transmit the data.
For a CICS system you can choose between two types of DCE configurations:
v DCE cell, as shown in Figure 57 on page 173.
The CICS region participates in a DCE cell. A DCE cell is a group of
machines (hosts) or a single machine administered as a unit. Each cell
provides the services needed for a distributed computing environment and
groups the users, systems, and resources that share those services.
The DCE server software—the Cell Directory Service (CDS), Security
Service, and Distributed Time Service (DTS)—is installed on one or more
hosts within the DCE cell. (A host running DCE server software can also
contain a CICS region.)
The DCE client software—the RPC daemon, CDS, Security Service, and DTS
clients (also known as clerks)—is installed on each host within the cell.
You can create a new DCE cell or you can add CICS to an existing DCE
cell.
v RPC only, as shown in Figure 58 on page 173.
The CICS region is not part of a DCE cell but uses only the RPC daemon.
In this case, CICS rather than DCE provides a means of locating server host
names and of performing endpoint mapping. The security facilities of CICS,
the operating system, or an external security manager are used rather than
those of DCE.
Note: For CICS regions, you can start with the CICS security services, which
can be all you need for a basic CICS environment. You can migrate to a
DCE security model later. For comprehensive security, such as required
by production CICS regions, the security services of DCE are strongly
recommended.
CICS queue and file management includes managing data files, auxiliary
temporary storage queues, intrapartition transient data queues, and locally
queued automatic transaction initiation (ATI) requests. In CICS, you can use
one of the following to manage this data:
v A local Encina Structured File Server (SFS) server, that is, one on the same
host as the CICS region.
v A remote SFS server, that is, one shared with another CICS region. The
remote SFS server and CICS must be installed and set up on the same
machine before you set up the local CICS region.
v A DB2 database, which must be installed and set up before you set up the
CICS region.
The Encina Monitor can use the Encina SFS for file management, the
Recoverable Queueing Service (RQS) for queue management, or another
resource manager. The Encina SFS server can be local or remote.
Using an SFS Server to manage CICS queues and data files
Figure 59. A region using an SFS server that is on the same machine
Also with this option, you can use the Encina Fast Local Transport
(FLT) mechanism that significantly improves performance. See the
CICS Administration Guide for more information.
Option 2. Remote SFS server on a machine with CICS
With this option, a region on one machine shares an SFS server with a
region on another machine. See Figure 60.
Both the region and the SFS server must be defined with protection levels
set to none. RPCs cannot be authenticated.
Using DB2 to manage CICS queues and data files
This section compares using DB2 to using SFS for managing CICS files and
queues. It contains some special topics to consider when deciding between the
two.
While DB2 provides a rich set of services, there are limitations and restrictions
when compared to the services provided by SFS. The limitations are as
follows:
The region’s use of a single DB2 database for the data files
A region can only use one DB2 database for data files. This is the
database specified with the Region Definitions (RD) DefaultFileServer
attribute. The File Definitions (FD) FileServer attribute is ignored.
COBOL External File Handler restrictions
Due to limitations imposed by holding files in a relational database,
some facilities of the COBOL External File Handler are not supported.
The following restrictions apply:
v Mixing of transactional access and nontransactional access to files
within a single application is not permitted.
v When access to a file is nontransactional, only single record locking
is enabled.
v The facility to add indexes dynamically to a file at runtime is not
supported.
Additional considerations
When using DB2 to manage queues and files, consider the following points:
v DB2 must be integrated with CICS through the XA interface or the
CICS-DB2 single-phase commit optimization. Implications of this choice are
described in the CICS Administration Guide.
v The queues and files cannot be stored in host database management
systems such as DB2 for MVS.
v Where only one DB2 database is defined to the region, CICS establishes
implicit connections to it and all file control, queue, and SQL operations are
directed to that database. SQL-based transactions that access DB2 databases
other than those supported in the file system must be coded to ensure that
the connection to the file system database is maintained across CICS file
control, queue, and transaction control commands. For example, it can be
necessary to code an explicit EXEC SQL CONNECT prior to some CICS file
control, queue, and transaction control commands.
v DB2 tables must not be redefined while the corresponding file is opened to
CICS. Use CEMT SET FILE to close and disable the file before redefining
the underlying table. See the CICS Administration Guide .
v File locking and concurrency on DB2 differs from file locking and
concurrency in SFS. See the CICS Application Programming Guide.
v Because the DB2 fixed record size limit is 4005 bytes, records larger than
this are treated as if they were variable-length records.
v A CICS application cannot have more than 25 concurrent browse and
read-for-update operations open against a DB2 database at any given time.
Applications must be designed so that this limit is not exceeded.
v Unlike SFS, DB2 does not allow alternate record specification when creating
a secondary index. This does not functionally affect CICS applications, but
should be considered when creating DB2 resources for CICS.
v DB2 tables and their associated indexes that map to CICS files should be
owned by the DB2 user cics.
You can access data in a DB2 database from CICS application programs by
using embedded SQL statements. The CICS Administration Guide describes
how to configure CICS and the database for this type of access.
If the application data is on a different DB2 database from the CICS queue
and file management data, then the region and the database should be
configured for CICS queue and file management before following the
procedures described in the CICS Administration Guide. Certain programming
restrictions apply if you use a separate database for native SQL. See the CICS
Application Programming Guide for details.
To add support for a database that is already used by another CICS region, do
the following:
v Follow the procedures that describe how to configure the region and DB2
for queue and file management.
v If you require access to data in the same database from application
programs written in Micro Focus COBOL, then set up the COBOL runtime
environment as described in the CICS Administration Guide.
When two systems communicate, they need to agree on the set of rules they
will use to interpret the data that is sent between them. These rules are
known as network protocols and they are defined in a network architecture. CICS
intercommunication is based on the IBM Systems Network Architecture (SNA)
LU 6.2 protocol. This protocol, which is often referred to as advanced
program-to-program communications (APPC), was developed to accommodate
the needs of two systems that wish to share data and applications. Therefore,
it is ideally suited to the CICS intercommunication environment.
A CICS on Open Systems region can communicate across TCP/IP with other
CICS on Open Systems regions, with CICS for OS/2 regions, or with any
application using Encina because it emulates the APPC protocol.
There are many ways to distribute the clients and servers in your distributed
system. The final decision depends on how the system will be used (now and
in the future) and involves many trade-offs. The following sections discuss
possible ways to distribute the resources in Customer Information Control
System (CICS) and Encina systems, and describe performance options to
consider when designing a system.
Distributing CICS
CICS clients can communicate with CICS regions by using either TCP/IP or
Systems Network Architecture (SNA). Both of these can be used for clients on
the same machine as a CICS region, as well as for clients on remote machines.
For more information, refer to the CICS Intercommunication Guide.
If you use a remote SFS server (one already set up for use by CICS) or a DB2
database for file management, these must be in the same TCP/IP network.
In a DCE cell, the CICS region must be in the same cell as any SFS server that
is used.
Distributing Encina
The machines making up a Monitor cell must all be contained within a single
DCE cell. More than one Monitor cell can exist in a single DCE cell, although
each managed node can be part of only one Monitor cell.
In addition to cell and node managers, a Monitor cell contains the following:
v Monitor clients, through which a user interacts with the Monitor, making
requests for services exported by application servers. Clients can run on any
node.
v Monitor applications servers, which export services requested by client
applications. Monitor application servers contain one or more processing
agents (PAs). Processing agents are instances of server code that can handle
either single or multiple client requests for services. Monitor application
servers must run on managed nodes.
v Resource managers.
Figure 62 on page 186 shows an example Monitor cell. This Monitor cell
contains several nodes—Windows NT machines and UNIX workstations.
Nodes A, B, C, and E are managed nodes; each runs a node manager, and
Node C also runs a cell manager process. Node D is not managed by the cell
manager; this node runs a Monitor client. Monitor clients contact the cell
manager to request services from available application servers or from
resource managers.
Terminal users request services from CICS regions as clients. A terminal user
can be:
v A Telnet client with 3270 emulation capability
v A CICS on Open Systems client
v A CICS Universal Client
Telnet clients with 3270 emulation capabilities can connect to a CICS region
through the cicsteld Telnet server. This is described in the CICS Administration
Guide.
The CICS on Open Systems clients can connect to a CICS region by using, for
example, the cicsterm command. These connections use DCE RPCs. Any CICS
on Open Systems client can connect to any CICS on Open Systems region.
The CICS Universal Clients provide their own LU6.2 emulation to connect to
any CICS on Open Systems region over TCP/IP and SNA.
The EPI and the ECI are described in CICS Family: Client/Server Programming
and in the CICS Administration Guide.
CICS uses the Encina PPC Gateway server for intercommunication across an
SNA network and the Encina SFS for CICS queue and file management. When
requesting a service from one of these servers, the region is acting as a client.
This relationship is shown in Figure 64 on page 189.
For more information about using a PPC Gateway server, see the CICS
Intercommunication Guide.
CICS uses the DCE DCE Security Service to authenticate users and the DCE
Cell Directory Service (CDS) to help clients find servers. The components
within the CICS environment that use these services are:
v CICS on Open Systems clients
v CICS on Open Systems regions
v Encina SFS servers
v Encina PPC Gateway servers
Although the CICS client and region software initially request the services,
these requests are made through the DCE CDS clerk and DCE Security clerk
processes. The relationship between DCE servers and CICS regions is shown
in Figure 65 on page 190.
Note: You will also see other DCE processes running on your system, such as
the DCE CDS Advertiser server and the DCE RPC daemon. CICS
administration does not normally require involvement in these
processes. If you require more information about them, see the DCE
documentation.
A simple configuration
Figure 68 shows a variation of a simple configuration that does not use the
DCE Security Service or the CDS. Notice that there are no DCE servers in this
configuration. However, the DCE RPC daemon is still required for data
transmission between clients and servers.
Figure 68. A simple configuration without DCE Security Service and CDS
When you distribute your CICS system across a number of processors, you
need to ensure that the distribution does not adversely affect performance.
What goes where and how it performs depends on many factors: the design
of your data, the number of users, how much the users depend on the system,
your budget, and projected growth requirements.
Consider the following questions when deciding how to design your data:
v What files are needed?
v Is each file entry sequenced, relative-record, or key sequenced?
v What indexes are needed on each file?
v Approximately how many records are in each file?
v Approximately how many bytes are in each file?
v How many reads and writes per second will there be on each file?
v How many transactions per second will update each file (how many
syncpoints will there be when the file is updated)?
Notes:
1. Unique indexes are generally handled more efficiently than indexes that
allow duplicates. Each active index represents an overhead when inserting
records into the file.
2. The smaller the record, the larger the number of records that fit into a
given amount of physical memory and the faster the records are retrieved.
The benefits of a faster record retrieval normally outweigh the increased
cost of formatting more records for display.
3. Consider using binary integer fields rather than packed decimal or
character fields for storing sequence numbers. Use variable-length records
where appropriate.
The many ways of accessing CICS are listed below. Each requires a certain
amount of processing power in a certain place.
v Running cicsterm as an operating system process on a server machine or on
a desktop machine. The cicsterm process, when running on the CICS
region, uses up to 40 percent of the machine’s processing. Running cicsterm
on the CICS region machine greatly undermines performance and is
advisable only for an entry-level system. For short transactions, as much as
40 percent of the path length can be in cicsterm, so the first priority in
scaling up from a single machine configuration is to move the cicsterm
processes off the region machine.
v Running a 3270-capable Telnet client program or a concentrator box such as
a 3174, and running cicsteld as an operating system process.
v Running an application that uses the EPI as well as other UNIX facilities
(typically X Windows or drivers for special hardware).
Set up a virtual network where each machine runs only one of the following:
v A region
v An SFS server managing one file
For simplicity, this section assumes that all machines have the same size
processor.
If you think that the CICS region machine represents a bottleneck, you can
add additional CICS regions on additional machines at this stage. Bear in
mind the following:
v CICS regions do not share queues with each other. This can place
restrictions on the way applications use queues.
v Users have to be told which CICS regions to select.
Identify how much of the processor is used for each machine on the virtual
network. An SFS file that needs to be accessed often uses more of a processor
than an SFS file that is accessed only occasionally. Examine your data design
and try to estimate the potential number of accesses for each file.
Identify the operational effort needed in the virtual network. This does not
affect the performance, but it can affect your decision about whether to select
either a small number of large processors, or a large number of small
processors.
For example, placing all of the SFS files on one machine simplifies backup,
but is not necessarily the most efficient use of the machine’s processor. You
can perform backup tasks remotely, that is, across the network, rather than by
using tape drives on the machine itself. Consider the need for these tasks
when you design your system.
Map the virtual network to the real network, or to a proposed real network. It
is possible to configure the virtual network as a real network, using a large
number of processors and an appropriate LAN. This delivers maximum
performance, but can be costly in terms of initial expense and operational
effort.
Taken to the extreme, you would end up with all processes on one processor.
If this configuration meets your performance requirements, this is what you
should do; but it is important to explore the options for expansion as your
needs grow.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give
you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
The following paragraph does not apply to the United Kingdom or any
other country where such provisions are inconsistent with local law:
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those
Web sites. The materials at those Web sites are not part of the materials for
this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the
purpose of enabling: (i) the exchange of information between independently
created programs and other programs (including this one) and (ii) the mutual
use of the information which has been exchanged, should contact:
For Component Broker:
IBM Corporation
Department LZKS
11400 Burnet Road
Austin, TX 78758
U.S.A.
For TXSeries:
IBM Corporation
ATTN: Software Licensing
11 Stanwix Street
Pittsburgh, PA 15222
U.S.A.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM International
Program License Agreement or any equivalent agreement between us.
All statements regarding IBM’s future direction or intent are subject to change
or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples may
include the names of individuals, companies, brands, and products. All of
these names are fictitious and any similarity to the names and addresses used
by an actual business enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
AFS IMS
AIX MQSeries
AS/400 MVS/ESA
CICS OS/2
CICS OS/2 OS/390
CICS/400 OS/400
CICS/6000 PowerPC
CICS/ESA RISC System/6000
CICS/MVS RS/6000
CICS/VSE S/390
CICSPlex Transarc
DB2 TXSeries
DCE Encina Lightweight Client VSE/ESA
DFS VTAM
Encina VisualAge
IBM WebSphere
Microsoft, Windows, Windows NT, and the Windows 95 logo are trademarks
of Microsoft Corporation in the United States and/or other countries.
Oracle and Oracle8 are registered trademarks of the Oracle Corporation in the
United States and/or other countries.
Notices 201
UNIX is a registered trademark of The Open Group in the United States
and/or other countries licensed exclusively through X/Open Company
Limited.
OSF and Open Software Foundation are registered trademarks of the Open
Software Foundation, Inc.
Sun, SunLink, Solaris, SunOS, Java, all Java-based trademarks and logos, NFS,
and Sun Microsystems are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States and/or other countries.
Each of the copyright holders listed above has agreed that no person shall be
deemed to have infringed the copyright in the included material of any such
copyright holder by reason of having used the specification set forth herein or
having conformed any computer software to the specification.
Notices 203
204 WebSphere: Concepts and Facilities
Index
application development 137 attach security (SNA) 134
Numerics (continued) authenticated RPC 123
3270 terminal emulation 92
overview 49 authenticating IBM CICS Clients 93
A presentation services 137
relational databases 151
authentication
using a CICS userid and
ACID properties 10
tools 153 password 126
atomicity 10
tools for program using a DCE principal and
consistency 10
development 151 password 120
durability 10
application development tools authentication (DCE)
isolation 10
CICS application development in RPC 123
ACLs
environment 151 authorization
for SFS files 125
CICS application program by CICS 128
adding files to SFS 72
debugging 152 of user access to resources 128
Advanced Application Server 3
CICS application program automatic transaction initiation
advanced program-to-program
translation 152 (ATI) 77
communications (APPC)
CICS presentation interface
DTP applications 113
development 151 B
advertisement protocol (CDS) 100 backout 114
other tools 153
already verified 134 base services 32
application program
alternate indexes of files 72 Basic Mapping Support (BMS)
calling 152
API application development
transactions 152
Toolkit Executive 32 tool 152
Application Server Manager 57
Toolkit Server Core 32 physical map 152
application servers 11
application development 137 symbolic map 152
architecture
associating a program with a bind-time security
CICS Transaction Gateway 27
transaction 152 description of 114
client systems 25
business logic 138 binding
CICS application development communications servers 25
COM 149
environment 151 databases 30
binding information 98
DE-Light Gateway 27
CICS application program
debugging 152
Distributed Computing C
Environment (DCE) 33 C
CICS application program
recoverable queueing service BMS source files 152
translation 152
CICS presentation interface (RQS) 30 translation of source 152
development 151 relational databases 30 CDS, using to locate a server 99
resource managers 29 CDS administration 168
CICS region application
structured file server (SFS) 29 CDS clerk 36, 100
programming 143
Toolkit Executive 32 CDS Server 33
CICS servers 139
Toolkit Server Core 32 CECI, CICS transaction 160
data services 138
designing TP applications 137 transaction base services 31 CEDF
detail 137 transaction processing application development
Encina application monitor 24 tool 152
TXSeries 23 CEDF, CICS transaction 160
programming 144
external call interface (ECI) 140, ASCII to EBCDIC data Cell Directory Services (CDS)
142 conversion 115 Server 33
external presentation interface associating a program with a CEMT, CICS transaction 160
(EPI) 141, 142 transaction 152 checkout, program 152
IBM CICS Clients 139 asynchronous processing CICS
Internet applications for (CICS) 113 application development
CICS 142 atomicity 10 environment 151
Index 207
intercommunication network
F choosing 181
M
facilities provided by TXSeries 23 managing a CICS environment 155
intercommunication security
application development, managing an Encina
authenticating a remote
overview 49 environment 161
system 132
communications, overview 46 MIDL
internal data consistency, compiler 148
data management, overview 45
preserving 87 Monitor 149
security, overview 48
Internet Monitor Cell Manager 184
systems management,
overview 49 developing applications for Monitor Node Manager 184
transaction processing, CICS 142 monitoring a CICS
overview 44 Internet access to CICS 95 environment 157
field name restrictions developing applications 142 MQSeries 6, 28
Internet gateway 27
DB2 179
Internet Inter-ORB Protocol N
file management 174 name lookup (CDS) 100
file organization 70 (IIOP) 144
Internet security services 130 name service options 98
clustered (KSDS) 72 named pipe listener 112
entry-sequenced (ESDS) 71 Interval Control Manager 57
relative (RRDS) 72 intrapartition destinations O
files 69 (queues) 76 Object Management Group
adding to SFS 72 isolation 10 (OMG) 144
alternate indexes 72 Object Request Broker (ORB) 144
indexes 72
J OCCS 150
organization 70 Java gateway 27 online transaction processing
primary indexes 72 Java OTS client 150 ACID properties 10
function shipping (CICS) 112 journal records 85 atomicity 10
journals 85 consistency 10
G CICS records 85 durability 10
gateways synchronizing output 85 isolation 10
DE-Light 27 transactions 9
Internet 27
K what is a region? 53
Java 27 key-sequenced data set (KSDS) 72 Application Server
keytab file Manager 57
Gateways
contains region principal 125 CICS permanent resource
Internet 95
definitions 54
Java 95
L dynamic link libraries 54
I life cycle of a region 59 emergency restart 60
life cycle of a transaction, basic event log 55
IBM CICS Clients
overview 12 Interval Control Manager 57
developing ECI and EPI
link security life cycle of a region 59
programs 142
description of 114 listeners 57
external call interface (ECI) 140
listeners 57 log manager 57
external presentation interface
listeners (CICS) 112 operating system memory 58
(EPI) 141
recovery during restart 60
Internet applications for local 3270 terminal (CICS) 98
Recovery Manager 57
CICS 142 local SNA
runtime resource
programming 139 security considerations 133
definitions 56
IBM HTTP Server 28 local SNA listener 112
system log 58
IBM Tivoli management servers 7 local SNA support 102 when a region is stopped 54
IBM TXSeries Administration local SNA support (CICS) 106 when the region is
Tool 158 synchronization levels 107 running 55
IDL (DCE) lock service 32 Windows NT services 55, 56
compiler 148 log service 32 operating system memory 58
indexes of files 72 logical unit of work (LUW) 114 process data segment 58
indirect destinations (queues) 78 LU 6.2 181 processor text segment 58
indoubt condition 115 LUTYPE6.2 101, 105 shared text segment 58
Index 209
security 117 (continued) synchronization levels 102 systems management 155
intercommunication 114 (continued) (continued)
Internet security services 130 local SNA (CICS) 107 tools for a CICS
link security (CICS PPC Gateway server 109 environment 158
communications) 135 PPC TCP/IP support for 105 trace in a CICS environment 158
overview 48 two-phase commit 115 transactions for CICS 160
security models 117 synchronization point 11 transactions for CICS, CECI 160
SNA flowed userids 134 synchronizing journal output 85 transactions for CICS, CEDF 160
Telnet clients 131 transactions for CICS,
user security (CICS system log 58 CEMT 160
communications) 135 System Managed (SMS) Table Systems Network Architecture
Web security services 130 Space 85 (SNA)
XA-enabled databases and System Network Architecture communicating across 105
CICS 132 (SNA) 181 local SNA support (CICS) 106
security administration (DCE) 168 system shared segment 58 PPC Gateway server 107
security clerk 36 systems management 155 synchronization levels 102
SFS
queue and file control 174 CDS administration 168 T
SFS++ 150 commands for CICS 159 table space
SFS (structured file server) 29 commands for CICS, Database Managed Space
sfsimport, the CICS SFS Import cicscheckup 160 (DMS) 85
Tool 160 commands for CICS, cicscp 159 System Managed (SMS) 85
shared text segment 58 commands for CICS, cicsddt 160 task shared segment 58
sharing and distributing data 86 commands for CICS, tasks 62
SNA cicssfsimport 160 TCP/IP 102
BIND request 114 commands for CICS, RDO 160 CICS family TCP/IP 102
conversation-level security 134 configuring a CICS use of 101
password verification 134 environment 156 TCP/IP listener 112
synchronization level 114 DCE tools 169
Telnet clients (CICS) 98
use of 101 DCEsetup 169
security considerations 131
SNA (System Network DTS administration 168
temporary storage queues 78
Architecture) 181 dumps in a CICS
Thread-to-Tid Mapping Service 32
solicitation protocol (CDS) 100 environment 158
Encina command-line ThreadTid 32
source code translation 152 Tivoli management servers 7
SQL restrictions for non-XA-enabled interfaces 163
Enconsole 162 TM/XA interface 33
databases 84
IBM TXSeries Administration Toolkit Executive 31
SQL servers 82
Tool for CICS 158 Toolkit Server Core 31
Standard Application Server 3
managing a CICS tools for program development 151
starting servers in a CICS
environment 155 CICS application development
environment 157
managing an Encina environment 151
startup CICS application program
environment 161
recovery and restart 65 managing DCE 168 debugging 152
statistics in a CICS messages in a CICS CICS application program
environment 158 environment 157 translation 152
stopping servers in a CICS monitoring a CICS CICS presentation interface
environment 157 environment 157 development 151
strict prioritization of queue sets 81 overview 49 other tools 153
structured file server (SFS) 29 security administration 168 tools for systems management
sync point 114 starting servers in a CICS CICS commands 159
synchronization level 114 environment 157 CICS commands,
synchronization levels 102 statistics in a CICS cicscheckup 160
CICS family TCP/IP support environment 158 CICS commands, cicscp 159
for 104 stopping servers in a CICS CICS commands, cicsddt 160
CICS use of 114 environment 157 CICS commands,
indoubt resolution (CICS) 115 systems management 155 cicssfsmimport 160
Index 211
212 WebSphere: Concepts and Facilities
© Copyright IBM Corp. 1999 213
IBMR
SC09-4455-00
Spine information: