IPIC link security
Link security establishes the user ID, if any, that is associated with requests that are passed across the connection from the local CICS® region to the remote CICS region. This user ID is known as the link user ID. The remote CICS region verifies that the link user ID has the authority to initiate requests in the remote CICS region and that it has access to the resources used by the initiated tasks.
Purpose of link security
Link security has two purposes. First, it identifies where a request came from, which can be useful both in problem diagnosis and in audit. Second, it allows the remote CICS region to authorize requests based on whether the local CICS region is trusted.
Determining link security
Link security is configured with the LINKAUTH and SECURITYNAME attributes on the IPCONN resource definition of the receiving system. It acts as an extra security check for all intercommunication requests from the connected system. The practical effect of link security is to prevent remote users from attaching a transaction or accessing a resource for which the link user ID has no authority, regardless of the authority of the user ID that is flowed.
Additionally, if you use TLS client authentication, link security can set the task user ID based on the user ID that is associated with the client's TLS certificate. This is configured by using the attributes USERAUTH(LOCAL) and LINKAUTH(CERTUSER).
For more information about the types of user ID used in CICS, see How it works: Identification in CICS.
The link user ID is determined according to the following table. In the table, the local CICS region is cicsA, the remote CICS region is cicsB, and the default user ID of cicsB is defaultUseridB.
| cicsA region user ID | cicsB region user ID | IPCONN LINKAUTH attribute | IPCONN SECURITYNAME attribute | Link user ID |
|---|---|---|---|---|
| regionUseridA | regionUseridB | CERTUSER | | certUseridA |
| regionUseridA | regionUseridB | SECUSER | regionUseridB | No link user ID |
| regionUseridA | regionUseridB | SECUSER | functionalUseridB | functionalUseridB |
| regionUseridA | regionUseridB | SECUSER | defaultUseridB | defaultUseridB |
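As an added example (not taken from the IBM documentation), the two ways of setting the link user ID shown in the table, written as DFHCSDUP DEFINE IPCONN statements for the receiving region cicsB. The IPCONN and group names, the host, port and TCPIPSERVICE name, and the functional user ID FUNCUSRA are assumed values.

```text
* Added example: receiving-side IPCONN definitions in cicsB for the
* connection from cicsA. IPCONN(CICSA), GROUP(IPICSEC)/GROUP(IPICCERT),
* HOST(cicsa.example.com), PORT(1490), TCPIPSERVICE(IPICSSL) and the
* user ID FUNCUSRA are assumed placeholder values.

* Option 1 (table row 3): a fixed link user ID taken from SECURITYNAME.
* Every request from cicsA is checked against the authority of FUNCUSRA
* in addition to the authority of the user ID that is flowed.
* Do not set SECURITYNAME to cicsB's own region user ID: per table row 2
* that yields no link user ID, so no link security check is applied.
  DEFINE IPCONN(CICSA) GROUP(IPICSEC)
         APPLID(CICSA) HOST(cicsa.example.com) PORT(1490)
         TCPIPSERVICE(IPICSSL)
         LINKAUTH(SECUSER) SECURITYNAME(FUNCUSRA)

* Option 2 (table row 1): link user ID derived from the TLS client
* certificate that cicsA presents. The TCPIPSERVICE IPICSSL must be
* defined with SSL(CLIENTAUTH) so that the client certificate is
* requested and mapped to a user ID.
  DEFINE IPCONN(CICSA) GROUP(IPICCERT)
         APPLID(CICSA) HOST(cicsa.example.com) PORT(1490)
         TCPIPSERVICE(IPICSSL)
         LINKAUTH(CERTUSER)
         USERAUTH(LOCAL)
```

Only one of the two definitions is installed for a given connection; the group names differ so both can be held in the CSD.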