IPIC link security

Link security restricts the resources a user can access, depending on the remote system from which they are accessed. The practical effect of link security is to prevent a remote user from attaching a transaction or accessing a resource for which the link user ID has no authority.

When link security is in use, all requests are given an authority defined by the link user ID. For IPCONNs, all requests for a connection have the same link user ID.

Specifying IPIC link security

To specify the link user ID of an IPCONN, use the LINKAUTH option to specify how the user ID for link security is established in a CICS® system with security initialized (SEC=YES). You can specify the following:

CERTUSER

TCP/IP communication with the partner system must be configured for SSL and a certificate must be received from the partner system during SSL handshake.

The IPCONN resource must refer to a TCPIPSERVICE resource that is defined with SSL(CLIENTAUTH).

The received certificate must be defined to the external security manager so that it is associated with a user ID, which is used to establish link security.

SECUSER

Specifies that the user ID specified in the SECURITYNAME attribute is used to establish link security.

The default value is LINKAUTH(SECUSER)

In a CICS system with security initialized (SEC=YES), the link user ID is used to establish the authority of the remote system. The link user ID must be a valid RACF® user ID on this region. Access to protected resources on this region is based on the RACF user profile and its group membership.

How the task user ID associated with the user request is determined

The user request will run under the task user ID that is shown in Table 1, depending on the setting of the link user ID and the USERAUTH option. In some cases, there is a secondary user ID associate with the task. Security checks are also run against the secondary user ID.

In Table 1:

link_user is either the SECURITYNAME if LINKAUTH(SECUSER) is used, or the user ID associated with the certificate if LINKAUTH(CERTUSER) is used.
remote_user is the user ID from the remote system in the message. For connections between CICS regions, this is the user ID of the remote CICS task.

Table 1. The task user ID associated with the user request
Link user ID	USERAUTH	Task user ID	Second user ID
`link_user`	LOCAL	`link_user`
`link_user`	IDENTIFY/VERIFY	`remote_user`	`link_user`
`link_user`	DEFAULTUSER	Default user ¹	`link_user`
`link_user` = region user ID	LOCAL	Default user ¹
`link_user` = region user ID	IDENTIFY/VERIFY	`remote_user`
`link_user` = region user ID	DEFAULTUSER	Default user ¹

Note:

Use the default user only if the user task requires no authority.

If a failure occurs in establishing link security, the link is given the security of the local region's default user. This can happen, for example, when the link user ID has been revoked.