Intercommunication security

You can connect a number of CICS® regions together by using intercommunication; for example, intersystem communication over SNA (ISC over SNA), which uses an SNA access method, such as ACF/VTAM, to provide the required communication protocols. The basic security principles apply to interconnected systems, but the resource definition is more complex and there are additional security requirements.

APPC (LU6.2) session security
One of the ISC over SNA protocols that CICS uses is for advanced program-to-program communication (APPC), which is the CICS implementation of the LU6.2 part of the SNA architecture. CICS treats APPC sessions, connections, and partners as resources, all of which have security requirements. CICS provides the following security mechanisms for the APPC environment:
  • Bind-time (or session) security prevents an unauthorized remote system from connecting to CICS.
  • Link security defines the complete set of CICS transactions and resources that the remote system is permitted to access across the connection.
  • User security checks that a user is authorized both to attach a CICS transaction and to access all the resources and SPI commands that the transaction is programmed to use.

See Implementing LU6.2 security for more information.

Multiregion operation (MRO)
Another means of using intercommunication is multiregion operation (MRO). This is available for links between CICS regions in a single sysplex, independent of the systems network architecture (SNA) access method. See Implementing MRO security for information about MRO security.

IP interconnectivity (IPIC) security
The security mechanisms for IPIC connections are similar to those provided for APPC (LU6.2) connections, although they are implemented differently:
  • Bind-time security prevents an unauthorized remote system from connecting to CICS. On IPCONNs, bind security is enforced by the exchange of Secure Sockets Layer (SSL) client certificates.
  • Link security defines the complete set of CICS transactions and resources that the remote system is permitted to access across the IPCONN.
  • User security checks that a user is authorized both to attach a CICS transaction and to access all the resources and SPI commands that the transaction is programmed to use. User security is a subset of link security: that is, a user cannot access a resource, even if it is included in the set defined as accessible by the user's own user ID, if it is not also included in the set of resources accessible by the link user ID.

For information about IPIC connections, see Communication between systems.