Changes to security

This section summarizes the changes that relate to security across supported CICS® releases. Use this information to plan the impact of upgrading from one release to another.

If you are upgrading from an end-of-service release, you can find information about the changes that are relevant to those releases in Summary of changes from end-of-service releases.

For information about changes to RACF® classes, see Changes to RACF classes.

Changes to security across supported CICS TS releases are classified according to the security principles described in What does security mean in CICS? Liberty-related security changes are marked with a Liberty tag.

Identification

Table 1. Identification changes by release of CICS TS
Releases: 5.6, 6.1, 6.2, CICS TS 6.3
KERBEROSUSER system initialization parameter

Authentication

Table 2. Authentication changes by release of CICS TS
Releases: 5.6, 6.1, 6.2, CICS TS 6.3
SIGNON
  • CHANGED: New options CHANGETIME, DAYSLEFT, EXPIRYTIME, INVALIDCOUNT, and LASTUSETIME reveal more information about the sign-on user ID and password.
VERIFY TOKEN
  • CHANGED: VERIFY TOKEN is enhanced to support JSON Web Tokens (JWTs) provided by RACF.
CICS Explorer® support for MFA
  • CHANGED: ON by default.
Terminal sign-on security control
  • CHANGED: Option DISCONNECT on the GMTRAN system initialization parameter also applies to CESF.
ASSIGN
  • CHANGED: New option GMEXITOPT shows the GMTRAN terminal session behavior option on a PF3 or PF15.
Certificate expiry warning
  • NEW: The CERTEXPIRYWARN SIT parameter allows CICS to warn about expiring certificates received from the partner system over TLS connections.
  • NEW: Message DFHSO1100I provides diagnostic information about the expiring certificate.
  • NEW: The socket domain trace point (SO 0863) returns diagnostic information about the expiring certificate.
Liberty Java EE 8 Security-1.0 API with JSR 375
  • NEW
MFA terminal signon has been improved for users with expired credentials.
  • NEW with APAR PH63625
  • NEW with APAR PH63625
  • NEW

Authorization

Table 3. Authorization changes by release of CICS TS
Releases: 5.6, 6.1, 6.2, CICS TS 6.3
Security for CICS-supplied transactions
  • REMOVED: The authorization check for Category 1 transactions is removed. Category 1 transactions no longer need to be defined to RACF.
  • CHANGED: To conform with a zero trust strategy, all CICS transactions, excluding CJXA and CICSPlex® SM transactions (CO**), are defined with CMDSEC(YES) and RESSEC(YES) to perform command and resource security checking. For a list of affected CICS transactions, see CICS transactions subject to security checking.
Security for user-defined transactions
  • CHANGED: To conform with a zero trust strategy, the default values of the CMDSEC and RESSEC attributes are changed to YES for all newly defined TRANSACTION resources.
CICS security discovery
  • NEW
Security definition capture (SDC) and security definition validation (SDV)
  • NEW
Security for job submission from SPOOL or TDQ commands
  • CHANGED: CICS surrogate user checking is made if system initialization parameter XUSER=YES is in effect. The default job user ID for a JOB card that is submitted without a USER parameter by using SPOOL commands to the internal reader is governed by the INTRDRJOBUSER system initialization parameter instead of a feature toggle, which is now obsolete. With the default value of INTRDRJOBUSER, the task user ID is assumed, whereas in 5.5 through 6.1 the CICS region user ID is assumed.
INTRDRJOBUSER system initialization parameter
  • NEW
INQUIRE TERMINAL behavior
  • CHANGED: Command security checking is not performed if the task or program that issues the command was started or attached to the same terminal that is being inquired or modified by the command, with a few exceptions.
INQUIRE NETNAME behavior
  • CHANGED: Command security checking is not performed if the task or program that issues the command was started or attached to the same terminal that is being inquired or modified by the command, with a few exceptions.
SET TERMINAL behavior
  • CHANGED: Command security checking is not performed if the task or program that issues the command was started or attached to the same terminal that is being inquired or modified by the command, with a few exceptions.
Security request recording
  • NEW
Surrogate security
  • NEW: Tasks that are started at a terminal by using the START command are now subject to surrogate security checks. If the user who issued the START (surrogateUserID) is different from the user ID signed on to the target terminal at the time the started task executes (executionUserID), a surrogate check is made against executionUserID.DFHTRMID. If surrogate security is active in CICS (XUSER=YES), ensure that the appropriate profiles exist in the RACF SURROGAT class so that any required terminal START commands succeed. See Surrogate security.
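The terminal START surrogate check described above can be modelled to see exactly which SURROGAT profile must exist before a START issued by one user can run under the user signed on to the target terminal. The following is an added example, not CICS or RACF code and not part of the original page: the in-memory profile store, the SurrogatProfile class and the function names are constructed for illustration, while the executionUserID.DFHTRMID profile name and the XUSER=YES condition are taken from the description above. The RDEFINE, PERMIT and SETROPTS commands are standard RACF syntax.

```python
"""Model of the CICS terminal START surrogate check (added example, not CICS code).

The profile store and helper names below are constructed for illustration; in a
real region CICS issues the RACF authorization request and RACF consults the
SURROGAT class. The profile name executionUserID.DFHTRMID and the XUSER=YES
condition come from the CICS description of the check.
"""
from dataclasses import dataclass, field


@dataclass
class SurrogatProfile:
    """A discrete SURROGAT-class profile and the user IDs with READ access to it."""
    name: str                          # for example "TERMUSR1.DFHTRMID"
    readers: set = field(default_factory=set)


def surrogate_check_needed(surrogate_userid: str, execution_userid: str, xuser: str) -> bool:
    """True when CICS makes a SURROGAT check for a START issued at a terminal.

    No check is made when XUSER=NO. With XUSER=YES a check is made only when
    the user who issued the START differs from the user signed on to the
    target terminal when the started task runs.
    """
    if xuser.upper() != "YES":
        return False
    return surrogate_userid.upper() != execution_userid.upper()


def terminal_start_allowed(surrogate_userid: str, execution_userid: str,
                           xuser: str, profiles: dict) -> bool:
    """Decide whether the started task may run under execution_userid.

    The profile consulted is executionUserID.DFHTRMID and the issuing user needs
    READ access to it. A missing profile is treated as a failed check, which is
    why the profiles must be defined before relying on terminal START with
    XUSER=YES.
    """
    if not surrogate_check_needed(surrogate_userid, execution_userid, xuser):
        return True
    profile = profiles.get(f"{execution_userid.upper()}.DFHTRMID")
    if profile is None:
        return False
    return surrogate_userid.upper() in {u.upper() for u in profile.readers}


def racf_commands(surrogate_userid: str, execution_userid: str) -> list:
    """RACF commands that define the profile this check relies on.

    The REFRESH applies when the SURROGAT class is RACLISTed, as is usual.
    """
    profile = f"{execution_userid.upper()}.DFHTRMID"
    return [
        f"RDEFINE SURROGAT {profile} UACC(NONE)",
        f"PERMIT {profile} CLASS(SURROGAT) ID({surrogate_userid.upper()}) ACCESS(READ)",
        "SETROPTS RACLIST(SURROGAT) REFRESH",
    ]


if __name__ == "__main__":
    # Constructed sample: OPERUSR issues START against a terminal where TERMUSR1
    # is signed on; only TERMUSR1.DFHTRMID has been defined.
    store = {"TERMUSR1.DFHTRMID": SurrogatProfile("TERMUSR1.DFHTRMID", {"OPERUSR"})}
    print(terminal_start_allowed("OPERUSR", "TERMUSR1", "YES", store))  # permitted
    print(terminal_start_allowed("OPERUSR", "TERMUSR2", "YES", store))  # no profile
    print(terminal_start_allowed("OTHER", "TERMUSR1", "YES", store))    # not on access list
    for cmd in racf_commands("OPERUSR", "TERMUSR2"):
        print(cmd)
```

The same START that succeeds with XUSER=NO fails with XUSER=YES until the executionUserID.DFHTRMID profile exists and grants READ to the issuing user, so the profile list generated by racf_commands is the minimum to add when enabling surrogate security in a region that uses terminal START commands.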

Integrity

Table 4. Integrity changes by release of CICS TS
Releases: 5.6, 6.1, 6.2, CICS TS 6.3
Support for HTTP strict transport security (HSTS)
  • NEW with APAR PH55369
  • NEW with APAR PH55370
  • NEW
Instruction execution protection
  • NEW

Confidentiality

Table 5. Confidentiality changes by release of CICS TS
Releases: 5.6, 6.1, 6.2, CICS TS 6.3
Enabling TLS 1.3 in CICS
  • NEW: Requires minimum z/OS® 2.4.
MAXTLSLEVEL system initialization parameter
  • NEW
  • REMOVED OPTION: TLS11
MINTLSLEVEL system initialization parameter
  • NEW OPTION: TLS13
  • REMOVED OPTIONS: TLS10, TLS10ONLY
  • STABILIZED OPTION: TLS11
  • REMOVED OPTION: TLS11
KEYRING system initialization parameter
  • CHANGED with APAR PH49253: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID.
  • CHANGED with APAR PH49261: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID.
  • CHANGED: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID.
CONFDATA system initialization parameter
  • CHANGED: The default is changed from SHOW to HIDE. The HIDE option replaces HIDETC.
SNI support in CICS TS communications with an HTTP server over TLS connections
  • NEW
Default cipher suite specification file
  • NEW with APAR PH38091: Feature toggle com.ibm.cics.web.defaultcipherfile is available and applies to outbound HTTP requests using EXEC CICS WEB OPEN or EXEC CICS INVOKE SERVICE commands that do not specify CIPHERS or URIMAP.
  • NEW: Feature toggle com.ibm.cics.web.defaultcipherfile allows you to use ciphers from the default cipher suite specification file (defaultciphers.xml). It applies to outbound HTTP requests using EXEC CICS WEB OPEN or EXEC CICS INVOKE SERVICE commands that do not specify CIPHERS or URIMAP.
  • CHANGED with APAR PH60212: com.ibm.cics.web.defaultcipherfile is extended to apply to URIMAP resources with no ciphers specified.
  • CHANGED: com.ibm.cics.web.defaultcipherfile is extended to apply to URIMAP resources with no ciphers specified. Cipher suites that use NULL, Triple DES (3DES) and RC4 encryption are removed from the sample default cipher suite specification file (defaultciphers.xml). See Changes to samples.
  • CHANGED: Feature toggle com.ibm.cics.web.defaultcipherfile is removed. Use of the default cipher suite specification file (defaultciphers.xml) is always enabled.

TLS diagnostics
  • CHANGED: TLS 1.1 usage fields are removed from TCP/IP global statistics.
Key sizes for TLS handshakes
  • NEW with APAR PH50175: Feature toggle com.ibm.cics.tls.minimumkeystrength allows you to set a minimum key size for ECC, RSA, DSA, and Diffie-Hellman keys during TLS handshakes.
  • NEW with APAR PH51719: Feature toggle com.ibm.cics.tls.minimumkeystrength allows you to set a minimum key size for ECC, RSA, DSA, and Diffie-Hellman keys during TLS handshakes.
  • NEW: Feature toggle com.ibm.cics.tls.minimumkeystrength allows you to set a minimum key size for ECC, RSA, DSA, and Diffie-Hellman keys during TLS handshakes. CICS uses a minimum key size of 256 for ECC keys and 2048 for RSA, DSA and Diffie-Hellman keys during TLS handshakes. See Increase minimum key size for TLS connections.
 
SSL cache
  • CHANGED: Sysplex caching for TLS 1.3 is supported. See SSLCACHE system initialization parameter.
Message DFHIS2041 indicates an attempt to acquire the named IPCONN failed because of unsecured TCPIP connections with a partner system that is located outside the sysplex
  • NEW
Initialization parameters for WUI or SMSS
  • CHANGED: For a CICSPlex SM WUI server (CPSMCONN=WUI), TCPIPSSL is mandatory if security is active.
  • CHANGED: For a CICS System Management Single Server (SMSS) defined with CPSMCONN=SMSSJ, CMCISSL is mandatory if security is active.
WS-Security requirements
  • CHANGED: WS-Security now requires IBM® XML Toolkit for z/OS v1.11.
  • REMOVED OPTION: CICS TS 6.3 does not support signing and encrypting SOAP messages using the WS-Security protocols. The ability to secure SOAP messages using Transport Layer Security (TLS) is unaffected by this change. This partial withdrawal of WS-Security support has also removed the dependencies on the XML Toolkit for z/OS.
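The minimum key sizes in the Key sizes for TLS handshakes entry above (256 for ECC; 2048 for RSA, DSA and Diffie-Hellman) are enforced by CICS inside the TLS handshake. As an added example, not CICS code and not part of the original page, the block below shows where such a number comes from: it derives a peer key's type and size from a DER-encoded SubjectPublicKeyInfo and applies the same minimum table. The ASN.1 helpers, the synthetic sample keys and all function names are assumptions of this example; only RSA and named-curve EC keys are parsed (the DSA and Diffie-Hellman minimums are kept in the table for reference), and it goes beyond the page by also recognising the P-384 and P-521 curves.

```python
"""Derive public-key size from a DER SubjectPublicKeyInfo and apply the CICS
TLS minimums (added example, not CICS code). Helpers, sample keys and names are
constructed for this example; the minimum sizes are the ones CICS documents.
"""

MIN_KEY_BITS = {"ECC": 256, "RSA": 2048, "DSA": 2048, "DH": 2048}

# OID contents (without tag and length) that the parser recognises.
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")      # 1.2.840.10045.2.1
NAMED_CURVE_BITS = {
    bytes.fromhex("2a8648ce3d030107"): 256,   # prime256v1 / P-256
    bytes.fromhex("2b81040022"): 384,          # secp384r1 / P-384
    bytes.fromhex("2b81040023"): 521,          # secp521r1 / P-521
}


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    """Positive DER INTEGER; a leading 0x00 keeps the top bit from reading as a sign."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der(0x02, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element) for a DER element."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def make_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Constructed RSA SubjectPublicKeyInfo; the modulus is synthetic, not a real key."""
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION) + b"\x05\x00")
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))


def make_ec_spki(curve_oid: bytes, point: bytes) -> bytes:
    """Constructed EC SubjectPublicKeyInfo with a named curve; the point is synthetic."""
    alg = _der(0x30, _der(0x06, ID_EC_PUBLIC_KEY) + _der(0x06, curve_oid))
    return _der(0x30, alg + _der(0x03, b"\x00" + point))


def public_key_strength(spki: bytes):
    """Return (key_type, bits) for an RSA or named-curve EC SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = _read_tlv(body, 0)            # AlgorithmIdentifier
    _, oid, oid_end = _read_tlv(alg, 0)
    _, bit_string, _ = _read_tlv(body, pos)     # subjectPublicKey BIT STRING
    key_bytes = bit_string[1:]                  # drop the unused-bits octet
    if oid == RSA_ENCRYPTION:
        _, rsa_pub, _ = _read_tlv(key_bytes, 0)  # RSAPublicKey SEQUENCE
        _, modulus, _ = _read_tlv(rsa_pub, 0)    # first INTEGER is the modulus
        return "RSA", int.from_bytes(modulus, "big").bit_length()
    if oid == ID_EC_PUBLIC_KEY:
        _, curve, _ = _read_tlv(alg, oid_end)    # namedCurve OID in the parameters
        if curve not in NAMED_CURVE_BITS:
            raise ValueError("unsupported or explicit EC parameters")
        return "ECC", NAMED_CURVE_BITS[curve]
    raise ValueError("unsupported key algorithm")


def meets_minimum(key_type: str, bits: int) -> bool:
    return bits >= MIN_KEY_BITS[key_type]


def check_spki(spki: bytes) -> bool:
    """Accept the peer key only if it meets the minimum for its type."""
    key_type, bits = public_key_strength(spki)
    return meets_minimum(key_type, bits)


if __name__ == "__main__":
    strong = make_rsa_spki((1 << 2047) | 1)      # 2048-bit synthetic modulus
    weak = make_rsa_spki((1 << 1023) | 1)        # 1024-bit synthetic modulus
    p256 = make_ec_spki(bytes.fromhex("2a8648ce3d030107"), b"\x04" + bytes(64))
    for label, spki in (("rsa-2048", strong), ("rsa-1024", weak), ("p256", p256)):
        print(label, public_key_strength(spki), "accepted" if check_spki(spki) else "rejected")
```

A 1024-bit RSA peer certificate that worked against a region on an earlier release is therefore rejected at handshake time once the fixed minimums apply, which is the case to look for when a TLS connection starts failing after an upgrade.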

Auditing

Table 6. Auditing changes by release of CICS TS
Releases: 5.6, 6.1, 6.2, CICS TS 6.3
IBM Health Checker for z/OS support
  • CHANGED: New health checks that define best practices for CICS security:
    • CICS_CAT3_CONFIGURATION
    • CICS_REGION_CONFIGURATION
    • CICS_RESOURCE_CONFIGURATION
    • CICS_RESOURCE_SECURITY
    • CICS_USS_CONFIGURATION
  • CHANGED: New health check: CICS_STABILIZED_FUNCTIONS
Classifying CICS regions with region tagging
  • NEW: Allows you to suppress IBM Health Checker for z/OS messages by excluding certain CICS health checks.
Compliance data collection with SMF 1154 subtype 80 records
  • NEW: CICS regions can generate an SMF 1154 subtype 80 record in response to ENF86 triggered by the z/OSMF Compliance REST API.
Security domain statistics
  • NEW: Monitoring capability introduced for the security domain.
  • CHANGED: When logging is disabled for QUERY SECURITY, CICS security domain statistics are still written to the XSG_AUTHOR_FAIL_NL_NA and XSG_AUTHOR_FAIL_NL_NF fields, with DFHSTUP names Failed authorizations NOLOG NOTAUTH and Failed authorizations NOLOG NOTFND respectively.
CICS monitoring
  • CHANGED: When logging is disabled for QUERY SECURITY, CICS monitoring data is still written to the XSNLNACT and XSNLNFCT fields.

 

Performance

Table 7. Performance enhancements by release of CICS TS
Releases: 5.6, 6.1, 6.2, CICS TS 6.3
New DPLONLY option on XPPT allows you to secure remote programs at a lower cost
  • NEW
CICSPlex SM capability of processing type 71 ENF events for a CICSplex
  • NEW

Deprecated and removed

Table 8. Deprecated and removed security-related functions by release of CICS TS
Releases: 5.6, 6.1, 6.2, CICS TS 6.3
ENCRYPTION system initialization parameter
  • REMOVED
Numeric CIPHERS
  • DEPRECATED
EXCI SURROGCHK option
  • REMOVED: Surrogate checking is always done. Specifying SURROGCHK=YES in the EXCI options table, DFHXCOPT, is accepted for compatibility.
Removal of XSNEX global user exit
  • REMOVED
Removal of SAML using the CICS STS
  • REMOVED
Removal of signing and encrypting SOAP messages for the WS-Security feature
  • REMOVED