This post explores some of the key improvements made by the foundation team in the CICS TS V5.3 Open Beta.
The foundation team, as the name suggests, are the foundation of CICS development, responsible for and making changes to the heart of CICS. We have made many improvements in CICS TS V5.3, satisfying 60 customer requirements with more to come. Improvements have been made to monitoring, statistics, API, messaging, dump and trace, as well as to the internal workings of CICS. Here is a short overview of some of the key changes.
Increased security capabilities delivered by the foundation team include ways to avoid transmitting passwords over the network. One method is to request a PassTicket from an external security manager (ESM) such as RACF®, with the new EXEC CICS REQUEST PASSTICKET command. A PassTicket is a secure representation of a password that a program can use to sign on to an application. Using a PassTicket in place of a password means that applications don't have to store passwords, nor ask users to re-enter them, in order to sign on to the target system. Another way to avoid transmitting passwords over the network that provides stronger encryption algorithms than PassTickets is to use the new ability to sign on from 3270 with a Kerberos token rather than a password. The new EXEC CICS SIGNON TOKEN command enables applications to validate a Kerberos token, as determined by an ESM, and to associate the user ID associated with the token with the current terminal.
We have also made it easier to achieve audit compliance, removing HTTP TRACE support and making the HTTP Header Server and User-Agent fields customizable. You can now specify the minimum level of Transport Level Security (TLS) that you want connections to use with the new MINTLSLEVEL option, and have removed support for SSL version 3.0. We have also delivered support for the Enhanced Password Algorithm to enable stronger encryption of passwords, and now allow authentication requests to run on open TCBs so that this function doesn't cause a bottleneck on the system.
We have made several improvements in the area of cloud enablement. You can you can now scope threshold policies to a particular transaction ID, whether deployed within CICS cloud applications or in standalone CICS bundles, as you can now define a TRANSACTION resource as an application entry point. New commands added this release that can be controlled by threshold policies are:
- Shared TSQs
- WebSphere MQ MQI commands
- DLI commands (EXEC DLI or CALLDLI)
- Named counter commands
- Total EXEC CICS commands (API or SPI)
We have made the handling of DB2® data in a cloud environment easier and more flexible by allowing CICS to issue the EXEC SQL SET CURRENT PACKAGESET command on behalf of your application, enabling you to specify different DB2 collections across different environments. This is done through use of the new PACKAGESET resource. The availability status of an CICS cloud application is now restored if you start or restart a CICS region in the platform after the time when you make the application available; no need to take any additional action to make the application available for use.
New PHASEIN support for bundles enables the registration of a new version of an OSGi bundle with the OSGi framework, to replace any version currently registered. The new version of any OSGi services that are implemented by the new version of an OSGi bundle will then be used by any new invocation of a Java program defined to use this OSGi service. Existing requests will continue to use the old version until the request completes.
Many changes have been made to the internals of CICS to improve performance. We have improved efficiency especially for trace, monitoring, and MRO connections with high session counts. This is accomplished by exploiting new hardware instructions in the IBM System z9® such as store clock fast, cache alignment of some key CICS control blocks, the use of prefetch and reduced lock contention within monitoring algorithms. Over thirty more commands have been made threadsafe.
We have also introduced performance tuning for HTTP connections to protect CICS regions from unconstrained resource demand. If the region becomes overloaded CICS temporarily stops listening for new HTTP connection requests. If overloading continues, CICS closes existing HTTP persistent connections and marks all new HTTP connections as non-persistent. These actions prevent oversupply of new HTTP work from being received and queued within CICS, allowing feedback to TCP/IP port sharing and Sysplex Distributor, promoting a balanced sharing of workload with other regions that are sharing the same IP endpoint and allowing the CICS region to recover more quickly.
In the CICS TS V5.3 Open Beta we have extended the existing "storm drain" avoidance support to connections from CICS to IMS™, WebSphere® MQ and VSAM RLS. The “storm drain effect” is when workload manager is deluded into routing more work to a CICS region whose connection to a resource manager is not active. When an application running on that region receives a return code indicating the connection is not active and issues an error message and returns normally, the workload manager sees good response times are being achieved by this CICS region for work involving the resource manager, and therefore routes more work down the “storm drain”.
Enhancements made to CICS Explorer for the CICS TS V5.3 Open Beta include the ability to automatically connect to a default connection at startup and improved customization options for table views to make it easier to see the data you are interested in, which can be saved for future use. CICS Explorer is newly available for the OS X Yosemite (10.10) operating system and now provides the ability to connect to a CICS TS for z/VSE® 2.1 system to browse and process supported resources.