IPIC link security
Link security restricts the resources a user can access, depending on the remote system from which they are accessed. The practical effect of link security is to prevent a remote user from attaching a transaction or accessing a resource for which the link user ID has no authority.
When link security is in use, all requests are given an authority defined by the link user ID. For IPCONNs, all requests for a connection have the same link user ID.
Specifying IPIC link security
The LINKAUTH attribute of the IPCONN resource specifies how the link user ID is established:
- CERTUSER: TCP/IP communication with the partner system must be configured for SSL, and a certificate must be received from the partner system during the SSL handshake. The IPCONN resource must refer to a TCPIPSERVICE resource that is defined with SSL(CLIENTAUTH). The received certificate must be defined to the external security manager so that it is associated with a user ID; that user ID is used to establish link security.
- SECUSER: The user ID specified in the SECURITYNAME attribute is used to establish link security.
The default value is LINKAUTH(SECUSER).
In a CICS system with security initialized (SEC=YES), the link user ID is used to establish the authority of the remote system. The link user ID must be a valid RACF® user ID on this region. Access to protected resources on this region is based on the RACF user profile and its group membership.
How the task user ID associated with the user request is determined
The user request runs under the task user ID shown in Table 1, depending on the setting of the link user ID and the USERAUTH option. In some cases, a secondary user ID is also associated with the task; security checks are run against the secondary user ID as well.
- link_user is either the SECURITYNAME if LINKAUTH(SECUSER) is used, or the user ID associated with the certificate if LINKAUTH(CERTUSER) is used.
- remote_user is the user ID from the remote system in the message. For connections between CICS regions, this is the user ID of the remote CICS task.
Table 1. Task user ID and secondary user ID by link user ID and USERAUTH

Link user ID | USERAUTH | Task user ID | Second user ID
---|---|---|---
link_user | LOCAL | link_user | 
link_user | IDENTIFY/VERIFY | remote_user | link_user
link_user | DEFAULTUSER | Default user (1) | link_user
link_user = region user ID | LOCAL | Default user (1) | 
link_user = region user ID | IDENTIFY/VERIFY | remote_user | 
link_user = region user ID | DEFAULTUSER | Default user (1) | 

(1) Use the default user only if the user task requires no authority.
If a failure occurs in establishing link security, the link is given the security of the local region's default user. This can happen, for example, when the link user ID has been revoked.
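The rules above can be expressed as a small model, which is added here as an illustration and is not IBM code: it derives the link user ID from LINKAUTH (falling back to the default user when link security cannot be established, for example because the ID is revoked), applies Table 1 to obtain the task user ID and secondary user ID, and then applies the rule that a request must be authorised for every user ID associated with the task. The user IDs, the region user ID, the revoked-ID set and the permission table are constructed sample data, not values from any real region.

```python
"""Model of the IPIC link-security rules on this page (added example, not IBM code).
All user IDs, the permission table and the revoked-ID set are constructed samples."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_USER = "CICSUSER"    # constructed: the region's default user
REGION_USER = "CICSREGN"     # constructed: the region user ID
REVOKED_USERS = {"OLDLINK"}  # constructed: a link user ID that has been revoked

# Constructed permission table: user ID -> transactions that user may attach.
PERMISSIONS = {
    "LINKUSR": {"PAYR", "INQ1"},
    "ALICE": {"PAYR", "INQ1", "ADMN"},
    "CICSREGN": {"PAYR", "INQ1", "ADMN"},
    "CICSUSER": set(),   # the default user holds no authority (footnote 1)
}


@dataclass(frozen=True)
class TaskIdentity:
    task_user: str
    second_user: Optional[str]


def resolve_link_user(linkauth: str, securityname: Optional[str] = None,
                      cert_user: Optional[str] = None) -> str:
    """Link user ID per LINKAUTH: SECURITYNAME for SECUSER, or the user ID the
    external security manager associates with the received certificate for
    CERTUSER.  If no usable ID results (or the ID is revoked), link security
    cannot be established and the link gets the default user's security."""
    if linkauth == "SECUSER":
        candidate = securityname
    elif linkauth == "CERTUSER":
        candidate = cert_user
    else:
        raise ValueError(f"unknown LINKAUTH value {linkauth!r}")
    if candidate is None or candidate in REVOKED_USERS:
        return DEFAULT_USER
    return candidate


def resolve_task_identity(link_user: str, userauth: str,
                          remote_user: Optional[str] = None) -> TaskIdentity:
    """Apply Table 1: the outcome depends on USERAUTH and on whether the link
    user ID is the region user ID (in which case no secondary ID is attached)."""
    link_is_region = link_user == REGION_USER
    second = None if link_is_region else link_user
    if userauth == "LOCAL":
        return TaskIdentity(DEFAULT_USER if link_is_region else link_user, None)
    if userauth in ("IDENTIFY", "VERIFY"):
        if remote_user is None:
            raise ValueError(f"USERAUTH({userauth}) needs a remote user ID")
        return TaskIdentity(remote_user, second)
    if userauth == "DEFAULTUSER":
        return TaskIdentity(DEFAULT_USER, second)
    raise ValueError(f"unknown USERAUTH value {userauth!r}")


def may_attach(identity: TaskIdentity, transaction: str) -> bool:
    """Security checks run against the task user ID and, when present, the
    secondary user ID: the request passes only if every ID is authorised."""
    users = [identity.task_user]
    if identity.second_user is not None:
        users.append(identity.second_user)
    return all(transaction in PERMISSIONS.get(u, set()) for u in users)


if __name__ == "__main__":
    link = resolve_link_user("SECUSER", securityname="LINKUSR")
    ident = resolve_task_identity(link, "VERIFY", remote_user="ALICE")
    # ALICE may run ADMN on her own, but the link user LINKUSR may not,
    # so link security blocks the request over this connection.
    print(ident, may_attach(ident, "ADMN"), may_attach(ident, "PAYR"))
```

The example shows the practical effect the page describes: the secondary user ID means the link's authority is intersected with the remote user's authority, so a remote user cannot attach over the link anything the link user ID itself is not authorised for. Setting the link user ID to the region user ID removes that secondary check, which is why that configuration deserves careful review.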