What's new in CICS TS 6.1?

All the enhancements at a glance

Some enhancements are shown under more than one category; the information is the same in all cases.

Service indicates that the capability is available through APAR after the General Availability of CICS TS 6.1.

For installation

ServerPac installation using z/OSMF

You can now receive CICS as a ServerPac in z/OSMF Software Management portable software instance format. This enables you to deploy the installation using z/OSMF Software Management and ServerPac Workflows instead of the ServerPac ISPF dialog.

Learn more about ServerPac Installation using z/OSMF.

For developer experience

@CICSProgram annotation now available for use with OSGi JVM servers

First introduced for the Link-to-Liberty capability, this annotation offers a more convenient and less error-prone alternative to the CICS-MainClass approach for designating Java methods as the target of CICS PROGRAM LINKs.

Learn more about preparing an OSGi application to be called by a CICS program using @CICSProgram.

Easier system management, efficient application development, and advanced client authentication available in single CICS regions with CMCI JVM server

The CICS Management Client Interface (CMCI) is a set of APIs that enable management of your CICS regions using tools such as CICS Explorer. When served from a JVM server, the CMCI provides additional capabilities such as multi-factor authentication (MFA), the GraphQL API, and the CICS bundle deployment API.

The CMCI JVM server is now able to be configured in a single CICS region outside of a CICSPlex® SM environment to create an SMSS, enabling the following features:

• Enhanced security offered by multi-factor authentication (MFA), even in SMSS environments. Users can now sign on to a SMSS with MFA credentials in CICS Explorer for Aqua 3.2 (Fix Pack 5.5.20) or later.
• Easier system management with the CMCI GraphQL API, which supports queries about multiple CICS resources and inter-resource relationships in a single request. CICS Explorer as of Fix Pack 5.5.20 also uses the GraphQL API to provide the aggregation function when connected to SMSS regions at CICS TS 5.6 with APAR PH35122, or a later release.
• Efficient application development with the How it works: CICS bundle deployment APICICS bundle deployment API, which allows Java developers to use the CICS-provided Gradle or Maven plug-ins to deploy bundles into single CICS development environment. This way, developers can see their application changes reflected in a running CICS region within seconds, and integrate the CICS bundle build and deployment into a toolchain to increase productivity, whilst the system programmer retains control.

Learn more about setting up CMCI in a single CICS region.

STACKTRACE action for PERFORM JVMSERVER

JVM server administration is enhanced with the addition of a new action for the PERFORM JVMSERVER command. JVM STACKTRACE offers facilities to take a stacktrace of CICS task that is running in a JVM server.

Learn more about administering JVM servers with the CICS SPI.

Alternative Liberty install

If you choose, you can now specify a different value for WLP_INSTALL_DIR in your JVM profile to use an alternative version of Liberty - one that is not supplied with CICS.

Learn more about configuring a Liberty JVM server.

Infusing AI into CICS applications

Applications that run in CICS TS can make more timely and better decisions, and achieve improved business outcomes, by capitalizing on AI within their transactions.

IBM® zSystems™ and the IBM Integrated Accelerator for AI incorporated in IBM z16® can optimize the processing of machine learning and deep learning algorithms. In particular, the centralized on-chip AI accelerator on IBM z16 leverages AI at speed and scale, and is designed to provide high performance and consistent low latency inferencing for processing transactional workloads, such as those run on CICS TS.

Enterprises using any in-service release of CICS TS can exploit those capabilities by choosing suitable AI models. When using deep learning AI models, enterprises can leverage the IBM Integrated Accelerator for AI by using existing options for invoking AI models in their applications.

Learn more about infusing AI into CICS applications.

Updates to the JVM profiles

The supplied sample profiles for a CMCI JVM server are updated as follows:

• The sample for a CMCI JVM server in a WUI region is changed to add -Dcom.ibm.ws.zos.core.angelRequiredServices=SAFCRED,PRODMGR,ZOSAIO.
• A new sample profile for a CMCI JVM server in a single CICS region has the angelRequiredServices property set as follows: -Dcom.ibm.ws.zos.core.angelRequiredServices=SAFCRED,PRODMGR,ZOSAIO.

Learn more about connecting a Liberty JVM server to the angel process.

Improved handling of unexpected errors in JVM servers

This function improves the handling of errors that cause the Java™ (JVM) or Language Environment® Enclave, managed by a JVM server resource, to stop unexpected. When a POSIX signal or abend is received into the runtime of the JVM server, it is restarted.

Learn more about CICS task and thread management.

Support for Node.js 18

Developers can use Node.js 18 to build microservices and web applications using the latest JavaScript features and frameworks, with optimized access to CICS TS programs with the ibm-cics-api API. This support requires IBM Open Enterprise SDK for Node.js.

Learn more about developing Node.js applications.

Liberty JVM server bundle processing improvements

This function improves the processing of bundle parts that are installed into Liberty JVM servers. CICS avoids invalidating the Liberty workarea cache by preserving the contents of installedApps.xml when enabling a Liberty JVM server. The location of installedApps.xml and the installedApps directory is changed to the Liberty configuration directory (${liberty.config.dir}).

Support for Java 11

This release adds support for Java 11 using IBM Semeru Runtime® Certified Edition for z/OS. A minimum version of 11.0.15.0 is required. The CICS documentation will be updated to describe considerations for using Java 11.

Java 8 continues to be supported.

Support for Java 17

Service Available with APAR PH55279.

CICS supports Java 17 using IBM Semeru Runtime Certified Edition for z/OS. A minimum version of 17.0.7.0 is required.

Java 17 is not supported for use with SAML JVM servers at all CICS releases.

To enable Db2® type 2 connectivity when you are running Java 17, add LIBPATH_SUFFIX=/usr/lpp/db2v13/jdbc/lib to the JVM profile.

Java 8, Java 11 and Java 17 continue to be supported.

Learn more about CICS and Java.

Support for Java 21

Service Available with APAR PH64035.

CICS supports Java 21 using IBM Semeru Runtime Certified Edition for z/OS. A minimum version of 21.0.4.0 is required.

Calling CICS services on virtual threads is not supported.

Java 21 is not supported for use with SAML JVM servers at all CICS releases.

To enable Db2 type 2 connectivity when you are running Java 21, add LIBPATH_SUFFIX=/usr/lpp/db2v13/jdbc/lib to the JVM profile.

Java 8, Java 11 and Java 17 continue to be supported.

Learn more about CICS and Java.

Support for Java 25

Service Available with APAR PH69930.

CICS supports Java 25 using IBM Semeru Runtime Certified Edition for z/OS. A minimum version of 25.0.1.0 is required.

Calling CICS services on virtual threads is not supported.

Java 25 is not supported for use with SAML JVM servers at all CICS releases.

To enable Db2 type 2 connectivity when you are running Java 25, add LIBPATH_SUFFIX=/usr/lpp/db2v13/jdbc/lib to the JVM profile.

Java 8, Java 11, Java 17 and Java 25 continue to be supported.

Learn more about CICS and Java.

Support for Liberty collectives

In a system that hosts multiple Liberty servers, including Liberty JVM servers, it can be useful to manage and monitor these servers, and their applications, from a centralized administrative control point.

Learn more about collectives with Liberty JVM servers.

Support for Jakarta Enterprise Edition 10

Service Available with APAR PH60795.

The CICS Liberty JVM server now supports Jakarta Enterprise Edition (EE) 10.

Learn more about Liberty features supported for Jakarta EE 10.

Support for Spring Boot 3

Service Available with APAR PH60795.

Developers can use the latest features in Spring Boot 3 to build modern and lightweight applications with optimized access to CICS services and data.

Learn more about Spring Boot applications.

Support for MicroProfile 6.0 and MicroProfile 6.1

Developers can use the latest features in MicroProfile 6.0 and MicroProfile 6.1 to build resilient, secure and easy to monitor microservices.

Learn more about Developing microservices with MicroProfile .

For system management

Ansible® IBM z/OS CICS collection to automate CICS resource and region actions

Red Hat® Ansible is a popular open-source tool to automate configuration management and deployments on IBM z/OS and many other platforms with a consistent approach, architecture, and set of skills. It supports automation tasks through Ansible playbooks, which you can run from command line interfaces (CLI), browser dashboards, within editors, or DevOps pipelines.

The IBM z/OS CICS collection collection uses the CMCI REST API to automate tasks in either a CICSPlex System Manager environment or a single CICS region that is not part of a CICSPlex SM. The automation tasks can define, install, and perform actions on CICS definitions and resources such as creating a PROGRAM definition, installing and updating it, and then deleting the definition.

To use this collection, a CICS management client interface (CMCI) (CMCI) connection is required in the CICSPlex SM or the single CICS region.

The IBM z/OS CICS collection collection is developed as an open-source project at IBM z/OS CICS collection GitHub and is available on Ansible Galaxy and Ansible Automation Hub.

Infusing AI into CICS applications

Applications that run in CICS TS can make more timely and better decisions, and achieve improved business outcomes, by capitalizing on AI within their transactions.

IBM zSystems and the IBM Integrated Accelerator for AI incorporated in IBM z16 can optimize the processing of machine learning and deep learning algorithms. In particular, the centralized on-chip AI accelerator on IBM z16 leverages AI at speed and scale, and is designed to provide high performance and consistent low latency inferencing for processing transactional workloads, such as those run on CICS TS.

Enterprises using any in-service release of CICS TS can exploit those capabilities by choosing suitable AI models. When using deep learning AI models, enterprises can leverage the IBM Integrated Accelerator for AI by using existing options for invoking AI models in their applications.

Learn more about infusing AI into CICS applications.

Support for force purge of transaction CDBT

If a CDBT task is waiting on the DBCTL resource DLSUSPND, you can now issue a request to force purge CDBT.

Learn more about DBCTL error scenarios.

New SPI command to overwrite the user correlator data

A new SPI command SET ASSOCIATION USERCORRDATA provides a way to overwrite the user correlator data of the originating task.

A global user exit program that runs in the originating task can now overwrite the USERCORRDATA field with user-defined user correlator data (for example, from HTTP headers or IBM MQ messages). The global user exit program must issue INQ ASSOCIATION USERCORRDATA to retrieve any existing user correlator data. Then, the program must issue SET ASSOCIATION USERCORRDATA to overwrite the USERCORRDATA field after consideration of any existing data that might have been set by a previous global user exit program.

Learn more about SET ASSOCIATION USERCORRDATA.

Enhancements to CICS policies

• Ability to specify Transaction ID and User ID conditions for policy task rules.

  When you define a policy task rule, you can now limit this rule to be triggered when status changes are made in relation to a specific transaction or a range of transactions, a specific user ID or a range of user IDs, or both. To specify this limit, you can set Transaction ID and User ID filters in the Condition section in the Rules tab of the Policy definition editor.

  This capability is also available on CICS TS 5.4, 5.5, and 5.6 with APAR PH26145.

• New option ALL added to the following types of policy task rules:
  • File requests
  • Storage allocation
  • Storage requests
  • TD queue requests
  • TS queue requests

  This enhancement allows you to apply a threshold to the total cumulative count.

• New task rule type: Container storage.

  Use this rule type to define a threshold for the amount of container storage allocated to a user task, and take an automatic action when the threshold is exceeded. This rule does not apply to EXCI containers or BTS containers.

  This capability is also available on CICS TS 5.6 with APAR PH29187.

Learn more about Policy task rules.

• New system rule type: Transaction dump threshold.

  Use this rule type to set a maximum threshold for the total number of transaction dumps in a CICS region and take an automatic action when the threshold is exceeded.

  With this system rule, you can monitor transaction dumps and prevent excessive dumping in a CICS region.

  This capability is also available on CICS TS 5.6 with APAR PH34348.

• New system rule type: Compound condition.

  Use this rule type when you want to define a system rule that specifies two or more conditions. CICS takes the defined action when all the specified conditions are met. Note that only selected condition types can be specified for compound condition system rules.

Learn more about Policy system rules.

• Enhanced support for policy statistics.

  The sample statistics program DFH0STAT can now produce Policy reports. The Policy report shows information and statistics about installed policy rules in the region. In support for this enhancement, the EXTRACT STATISTICS system programming command supports a new RESTYPE option POLICY and a new SUBRESTYPE option POLICYRULE, which can be used to obtain statistics about a policy rule that is contained in a POLICY resource.

  In addition, two new system programming commands INQUIRE POLICY and INQUIRE POLICYRULE have been introduced to support inquiries on information about installed POLICY resources and the policy rules contained within.

  Learn more about Policy report.

• Enhanced data capture for policy events emitted for transaction abend system rules.

  When a transaction abend system rule is triggered, the name of the program to which the unhandled transaction abend occurred is now captured and contained in container DFHEP.DATA.00005. However, the program name data is not captured for the other system rules, so DFHEP.DATA.00005 remains 8 blanks for them.

  Learn more about data captured for a policy event.

• Service New option to set the WLMHEALTH time interval is supported by the Set z/OS WLM health open status system rule action.

  Available with APAR PH58295

  You can now change the region's WLMHEALTH time interval as part of the system rule action. This enhancement makes it easier for you to manage the z/OS WLM health of a CICS region by using a variety of policy system rules.

• Service

  Available with APAR PH62711

  CICS policies that have an action to issue a message to the CSSL destination now also send the message to the system console.

  This enables system automation products that monitor the CICS system console to take further action when these messages are issued.

  This capability is also available in CICS TS 5.6 with APAR PH62710.

Learn more about Policy actions.

Override resource definitions

You can provide a consistent approach to the creation of certain resources by applying environment-specific overrides through a resource overrides file. You can override the resource definition for any supported resource type that can be defined by using resource definition online (RDO). You specify the required overrides in a resource overrides file that is loaded during CICS startup. The overrides are applied when CICS resources are installed.

This support is intended for infrequent system-wide changes to tailor the resources for a specific CICS environment.

If this support is in use and the resource overrides file includes override rules for specified resource types, resource overrides are applied to the relevant resources when they are installed. Therefore, you must consider the effects of resource overrides when you install resources.

This capability is also available on CICS TS 5.6 with APAR PH30590.

Learn more about resource definition overrides.

Monitoring auxiliary temporary storage usage

You are now alerted when auxiliary temporary storage data set usage is approaching a high percentage of its capacity so that you have time to free up storage before the auxiliary temporary storage becomes full.

CICS issues message DFHTS1316 when 75% or more of the maximum auxiliary temporary storage is in use, and message DFHTS1317 when storage usage falls below 70% of the maximum auxiliary temporary storage.

New statistics are available in Temporary storage: Global statistics to provide information about the current and peak percentage of auxiliary temporary storage being used.

This capability is partially available on CICS TS 5.6 with APAR PH28145.

Learn more about Auxiliary temporary storage: monitoring and tuning.

Enhanced adapter tracking for CICS Db2 applications

The CICS Db2 attachment facility is enhanced to pass adapter data to Db2. If a CICS task that is accessing Db2 has adapter data in the CICS origin data, the adapter ID is passed as appl-longname and the adapter data is passed as an accounting-string. Db2 writes the data in its SMF accounting records and the data is also available online through the Db2 special registers CURRENT CLIENT_APPLNAME and CURRENT CLIENT_ACCTNG. This capability requires Db2 12 with APAR PH31447 or higher.

Service With APAR PH52668, you can disable the passing of adapter origin data to Db2 by specifying the feature togglecom.ibm.cics.db2.origindata=false

This capability is also available on CICS TS 5.4 through 5.6 with APARs PH30252 and PH49408.

Learn more about Transaction tracking.

Inquire on 64-bit storage that belongs to a task

A new SPI command, INQUIRE STORAGE64, and a new DFHSMMCX XPI call, INQUIRE_TASK_STORAGE64, can be used to retrieve information about 64-bit task storage.

Support for daisy-chaining of non-terminal-related START requests

Routing programs can now indicate daisy-chaining support of non-terminal-related START requests. If you are using a user-written distributed routing program to daisy chain non-terminal START requests over APPC connections, you must change the program to put the value Y into the DYRDCYN field (which replaces the DYRFILL1 field) in the DFHDYPDS copybook.

Learn more about .

Easier system management, efficient application development, and advanced client authentication available in single CICS regions with CMCI JVM server

The CICS Management Client Interface (CMCI) is a set of APIs that enable management of your CICS regions using tools such as CICS Explorer. When served from a JVM server, the CMCI provides additional capabilities such as multi-factor authentication (MFA), the GraphQL API, and the CICS bundle deployment API.

The CMCI JVM server is now able to be configured in a single CICS region outside of a CICSPlex SM environment to create an SMSS, enabling the following features:

• Enhanced security offered by multi-factor authentication (MFA), even in SMSS environments. Users can now sign on to a SMSS with MFA credentials in CICS Explorer for Aqua 3.2 (Fix Pack 5.5.20) or later.
• Easier system management with the CMCI GraphQL API, which supports queries about multiple CICS resources and inter-resource relationships in a single request. CICS Explorer as of Fix Pack 5.5.20 also uses the GraphQL API to provide the aggregation function when connected to SMSS regions at CICS TS 5.6 with APAR PH35122, or a later release.
• Efficient application development with the How it works: CICS bundle deployment APICICS bundle deployment API, which allows Java developers to use the CICS-provided Gradle or Maven plug-ins to deploy bundles into single CICS development environment. This way, developers can see their application changes reflected in a running CICS region within seconds, and integrate the CICS bundle build and deployment into a toolchain to increase productivity, whilst the system programmer retains control.

Learn more about setting up CMCI in a single CICS region.

Classify CICS regions by using region tagging

CICS regions can now be tagged or classified according to the key attributes of APPLID, region user ID, or job name. These tags can use exact or combine with specific wildcard characters, which you can use with any existing naming conventions. These tags can be viewed by using the INQUIRE TAG system command. They are also recorded in the SMF 1154 record.

In addition to classifying regions, the CICS region tag facility can be used to control the running of selected health checks. Region health check status is available through the INQUIRE SYSTEM or CEMT INQUIRE SYSTEM commands.

Learn more about classifying CICS regions with region tagging.

Messages reporting changes to APPC and IRC log names

DFHRS2112 messages are issued when log name mismatches are detected for connections by using the APPC and IRC protocols. The message explanation provides advice about how to resynchronize any outstanding units of work but it can be difficult to work out what caused the mismatch and how to prevent a recurrence. To help you diagnose log name mismatches, the following three messages that report changes to log names are introduced:

• DFHRM0240 reports the local log name that is set during CICS initialization and sent to a remote system when CICS establishes an APPC or IRC connection.
• DFHRM0241 reports a log name that has been set for an APPC or IRC connection.
• DFHRM0242 reports a log name that has been deleted for an APPC or IRC connection.

This capability is also available on CICS TS 5.3, 5.4, 5.5, and 5.6 with APAR PH03691.

Learn more about the exchange lognames process.

Automatic recovery of failed user journals

When a log stream failure occurs, in addition to issuing message DFHLG0772 and taking a system dump, CICS now attaches CLGR at the time DFHLG0772 is issued. The new transaction CLGR attempts to recover and reset the failed user journal automatically for up to 60 minutes. This gives you an opportunity to fix the log stream problem, then allowing CICS to automatically recover journals for you. However, this feature comes with a cost in potential more system dumps being taken following a failed user journal, but you can control the number of system dumps taken.

Learn more about some conditions that cause CICS log manager error messages.

Prepare for a future release of CICS TS

Service Available with APAR PH66142 (supercedes PH54840).

The DFHCSVC and DFHIRP modules for future CICS TS releases have been shipped as modules DFHNCSVC and DFHNIRP on current releases ahead of the general availability of the newest CICS TS release. If you wish to install the future release modules DFHCSVC and DFHIRP to fit in with your scheduled z/OS IPLs, follow the instruction in Installing newest release CICS Type 3 SVC and DFHIRP modules supplied through maintenance.

Enabling multiple client URIMAPs that point to the same endpoint

Multiple client URIMAPs that point to the same host, port and path can now be installed and enabled in a CICS region. This enhancement removes the limitation in earlier CICS releases that only one client URIMAP for an endpoint can be enabled in a CICS region. As best practice, always use a URIMAP by name.

This capability is also available on CICS TS 5.4, 5.5, and 5.6 with APAR PH44683.

Learn more about creating a URIMAP resource for CICS as a HTTP client.

Running the Link3270 bridge with a custom transaction ID

The Link3270 bridge runs under CSMI by default. If you want to use a transaction ID other than CSMI for the Link3270 bridge, specify an INITPARM system initialization parameter for program DFHL3270.

Learn more about configuring the Link3270 bridge.

Automating the process of defining CICS application resources with CICS Transaction Server resource builder

CICS Transaction Server resource builder is a DevOps utility, complementary to the CSD update batch utility program DFHCSDUP, that provides a way to automate the creation and maintenance of CICS application resource definitions by using a configuration-as-code approach.

With CICS TS resource builder, system programmers can create resource models in YAML that describe which resources and attributes developers are allowed to specify and how to specify them (for example, by enforcing naming conventions on particular attributes). System programmers provide application developers with these resource standards by generating a resource definition schema from the resource models, which is used by developers in their IDEs to create valid application resource definitions in YAML. CICS resource builder builds the application resource definitions that are defined in YAML into a DFHCSDUP commands file to be consumed by the DFHCSDUP utility program, which runs to update the CICS system definitions data set (CSD) for a CICS region.

CICS TS resource builder makes it easier for system programmers to enforce best practices and organization standards. Application developers can also enjoy a guided and controlled experience for creating and modifying CICS resource definitions in which they can have the confidence to be standards-compliant and pre-approved.

Learn more at Automating the process of defining CICS application resources with CICS Transaction Server resource builder and the CICS TS resource builder product documentation.

CICS TS resource builder is provided as a container image

Service Available with CICS TS resource builder 1.0.4.

CICS TS resource builder 1.0.4 is available as a container image for Linux®® AMD64 and z/OS® s390x.

Learn more about CICS TS resource builder.

JVM server thread logging

Service Available with APAR PH57953.

The JVMLOG will report any non-daemon threads which are still running during shutdown.

Learn more about troubleshooting Java applications.

For security

TLS enhancements

• CICS supports TLS 1.3 for improved TCP/IP security.

  TLS 1.3 does not support sysplex caching by specifying the SYSPLEX option on the SSLCACHE SIT parameter.

  To assist with migration to TLS 1.3, CICS provides the new MAXTLSLEVEL system initialization parameter that specifies the maximum TLS protocol for secure TCP/IP connections.

  Learn more about Enabling TLS 1.3 in CICS.

• Changing TLS protocol levels or ciphers is simplified with new statistics and monitoring data

  Improvements to CICS statistics and monitoring allow you to collect detailed data about which ciphers and TLS protocols are in use before changing the ciphers or TLS protocol levels. TLS protocols include both CICS-configured TLS and AT-TLS.

  New cipher resource statistics and the enhanced TCP/IP global statistics reveal what TLS protocol levels and ciphers are being used in your system.

  Improved monitoring information allows you to identify individual tasks that use specific TLS protocol levels or ciphers, and what system they are connected to:

  • New monitoring fields called SOTLSLVL and SOFLAG are available in performance class data. For more information, see Performance data in group DFHSOCK.
  • New monitoring fields called MNR_URIMAP_TLSLVL and MNR_URIMAP_FLAG are available in transaction resource class data. For more information, see Transaction resource class data: Listing of data fields.

  Learn more about Changing TLS protocol level or ciphers safely.

• Default cipher suite specification file for outbound web requests.

  A new feature toggle, com.ibm.cics.web.defaultcipherfile, enables CICS to use a set of ciphers from the default cipher suite specification file defaultciphers.xml instead of the default list of two-digit ciphers (3538392F3233). This allows a greater set of ciphers to be used for outbound requests without having to create a URIMAP for each potential endpoint. If the feature toggle is enabled but a problem exists with the defaultciphers.xml file, message DFHWB0112 is issued and CICS reverts to using the default list of two-digit ciphers. This capability is also available in CICS TS 5.6 with APAR PH38091.

  With APAR PH60212, the com.ibm.cics.web.defaultcipherfile feature toggle is extended to apply to URIMAP resources with no ciphers specified. Message DFHWB1561 is issued to indicate that a URIMAP defined with CIPHERS() is being installed and list the ciphers that CICS uses instead.

  Learn more about feature toggles.

• Service Key rings can be shared between regions in an easier way.

  APAR PH49261 required

  With the support of more acceptable formats of key ring names on the KEYRING system initialization parameter, you can now use key rings that are not owned by the current region user ID. To share a key ring owned by one region user ID with another region, grant that other region authority to use the key ring.

  This capability is also available on CICS TS 5.5 and 5.6 with APAR PH49253.

• Service Minimum key size can be set during TLS handshakes for increased key strength.

  APAR PH51719 required

  With the new feature toggle com.ibm.cics.tls.minimumkeystrength, you can set a minimum key size for ECC, RSA, DSA, and Diffie-Hellman keys during TLS handshakes to increase the key strength.

  This feature is also available in CICS TS 5.4, 5.5, and 5.6 with APAR PH50175.

  Learn more about feature toggles.

• Service HTTP strict transport security (HSTS) is supported.

  APAR PH55370 required

  HTTP strict transport security (HSTS) helps servers prevent man-in-the-middle attacks by instructing compliant user agents to only interact with the server through secure connections (HTTPS).

  You can now configure a CICS server to use HSTS with a set of com.ibm.cics.web.hsts feature toggles.

  This feature is also available in CICS TS 5.5 and 5.6 with APAR PH55369.

  Learn more about support for HSTS.

New parameter GMEXITOPT on ASSIGN

New parameter GMEXITOPT is added to the ASSIGN command to show the GMTRAN terminal session behavior option on a PF3 or PF15.

Learn more about ASSIGN.

Instruction Execution Protection (IEP) for dynamic storage areas (DSAs)

Instruction Execution Protection allows storage to be allocated in a non-executable state. This helps to protect systems from malicious attacks or from errors, such as stack overflow.

If the hardware and the version of z/OS that CICS runs on support Instruction Execution Protection (IEP), CICS can use IEP to protect certain dynamic storage areas (DSAs) from instruction execution. IEP is supported on z/OS 2.4 and later. z/OS 2.4 and z/OS 2.5 require APAR PH39134. By default, DSA protection is off; activate it with a feature toggle com.ibm.cics.sm.iep=true.

It is still possible to request storage that is not protected from instruction execution, for example, for GLUE and TRUE work areas or for dynamic storage for assembler programs. To enable this, there are four new DSAs: PCDSA, PUDSA, EPCDSA, and EPUDSA. These four DSAs, along with the existing RDSA and ERDSA, are never protected from instruction execution. Depending on the attributes of the program, CICS loads the program into one of the four new DSAs or into the RDSA or ERDSA. When IEP is enabled, all other DSAs are protected from instruction execution.

In a related change, the ETDSA is removed and any storage that was allocated from this DSA is now allocated from the ECDSA.

Although the allocation of storage used by individual tasks running in the CICS region is not increased by IEP, the distribution of that storage within the DSAs is changed and you should expect an increase in DSA storage requirements.

Learn more about Instruction execution protection.

Enhanced support for IBM Health Checker for z/OS

CICS TS now supports several health checks that define best practices for CICS TS security. If a CICS region becomes non-compliant with these security best practices, warning or exception messages are issued so that you can take corrective actions.

Learn more about Auditing CICS configuration with IBM Health Checker for z/OS.

Simplifying Category 1 transaction security

Previously, when starting a CICS TS Category 1 transaction, a call to RACF® validated that the configuration was correct. RACF is no longer checked when starting a CICS Category 1 transaction. This change improves security as only CICS determines that a Category 1 transaction can run. This change also simplifies configuration and upgrades because there is no need to define the Category 1 transactions to RACF, which might create misconfiguration. You will need to define the CICS region user ID to RACF to confirm the ID that is used for running CICS Category 1 transactions. Surrogacy definition is still required as documented in Surrogate security.

Learn more about Transactions in CICS.

Improved security diagnosis with security request recording (SRR)

Security request recording (SRR) collects trace data about security settings in CICS regions by recording security checks conducted by one or more requests. You can use it to diagnose complex security problems.

You can use CICS Explorer or the SPI command (SET SECRECORDING) to enable SRR.

A batch utility and sample JCL are provided to output the logged data to a summary report and a .csv file for diagnosis.

Learn more about diagnosing access issues with SRR.

New message DFHXS1117 reveals more information about security violations

A new message DFHXS1117 is introduced to provide additional diagnostic information, where available, for security violations. The data includes the association data, including origin information related to a security violation.

Learn more about DFHXS1117.

Compliance data collection with SMF 1154 subtype 80 records

To assist evidence providers in collecting evidence for auditors, CICS is able to collect compliance data as part of z/OS compliance evidence collection.

CICS regions can generate an SMF 1154 subtype 80 record in response to ENF86 triggered by the z/OSMF Compliance REST API. This provides much of the data usually requested by an auditor. The data is securely written to SMF. This compliance data can be formatted using a CICS sample, or can be consumed by the IBM Z® Security and Compliance Center.

Learn more about Compliance data collection.

New options on CHANGE PASSWORD and CHANGE PHRASE reveal more sign-on information

Service APAR PH59547 required

New options CHANGETIME, DAYSLEFT, EXPIRYTIME, INVALIDCOUNT, and LASTUSETIME are added to CHANGE PASSWORD and CHANGE PHRASE commands. These options reveal more sign-on information, for example, the last time the password or password phrase was changed, the last time the user ID was accessed, when the password or password phrase will expire, and the number of times when an invalid password or password phrase was entered.

This capability is also available in CICS TS 5.5 and 5.6 with APAR PH59546.

Multi-factor Authentication (MFA) terminal signon improvement for users with expired credentials

Service Available with APAR PH63625.

You can now activate the IDTDATA class in RACF to logon and change expired credentials.

Learn more about How it works: Multi-factor authentication (MFA).

For performance

Support for association data of DPL requests by EXCI clients

You can now identify the job names of DPL requests by EXCI clients from their performance records. If a task was initiated by an EXCI client, in the performance record of the DPL request, field 374 (PHAPPLID) contains the EXCI job name, field 378 (PHCOUNT) contains a value of 1, and field 376 (PHTRANNO) has a value of 0.

As the performance record of a DPL request can provide association data for DPL requests by EXCI clients as well as for CICS-to-CICS DPL requests, you can distinguish whether PHAPPLID contains a CICS applid or an EXCI job name as follows:

• If PHCOUNT is 1, PHTRANNO is 0, and PHAPPLID is not blank, the PHAPPLID value is the EXCI job name.
• If PHTRANNO is not 0, the record is of a CICS-to-CICS DPL request, and the PHAPPLID value is a CICS applid.

Learn more about Performance data in group DFHCICS.

Enhanced capability for monitoring shared pool TS queue usage

This enhancement makes it easier for you to monitor capacity usage change for shared pool TS queues. When the percentage of entries or elements in use in a pool structure reaches a specified threshold, DFHXQ0422 or DFHXQ0423 is issued. When the percentage of entries or elements in use drops below a threshold, DFHXQ0420 or DFHXQ0421 is issued.

This capability is also available on CICS TS 5.6 with APAR PH28145.

Learn more about Operator messages reporting on pool structure usage.

For resilience

Enhanced outbound web support: WEB OPEN URIMAP command can use cached IP address and HTTP information

The EXEC CICS WEB OPEN URIMAP command is enhanced to use the cached IP address that is held in the URIMAP after the initial connection was established. It uses this address for subsequent outbound web requests that use the same URIMAP, thus eliminating unnecessary DNS lookups. If a connection that uses the cached IP address fails, WEB OPEN performs a DNS lookup and updates the URIMAP with the IP address upon a successful connection. If you want to reset or remove the cached IP address that is held in the URIMAP, disable and then re-enable the URIMAP to force CICS to perform a DNS lookup. If you have multiple URIMAPs that reference the same HOST, then only one of the URIMAPs needs to be disabled and re-enabled to reset the cached IP address for all of them. The EXEC CICS INVOKE SERVICE command also benefits from the IP address caching if a URIMAP is used.

If you also specify the HTTPVNUM and HTTPRNUM options with WEB OPEN URIMAP, or if you issue WEB SEND with the ACTION(EXPECT) or CHUNKING option, CICS obtains the HTTP version information when it opens the connection. It caches the host HTTP information for subsequent outbound requests that use the same URIMAP, thus reducing HTTP OPTIONS requests.

Learn more about WEB OPEN.

Cap on concurrent TLS handshakes

CICS limits the number of concurrent TLS handshakes to 90% of the MAXSSLTCBS value specified at startup. If the maximum limit is reached, a task that is requesting a TLS handshake is suspended with a resource name of S8TLSHS of resource type DSWC.

To help you monitor concurrent TLS handshakes in a CICS region, new statistics are introduced in TCP/IP Global statistics. These statistics provide information about the maximum, current, and peak numbers of TLS handshakes that are running in parallel or that are waiting.

This enhancement helps avoid issues such as high CPU, MAXTASK, or lack of S8 TCBs when many TLS handshakes are performed concurrently. It also allows in-flight web alias or pipeline tasks to obtain an available S8 TCB to send a reply back to the client in the same situation.

Learn more about Socket waits.

START CHANNEL supports NOCHECK and PROTECT options

This enhancement makes it easier to migrate from passing data by interval control (START FROM) to passing data by using a channel (START CHANNEL). When you use a channel to pass data for a START request, you can now use the NOCHECK option to indicate that the request must be shipped to a remote system and no response is expected by the starting task, thus improving CICS performance. With the PROTECT option, you can make the START request effectively recoverable by instructing the starting task to take a syncpoint before committing the START request.

Learn more about START CHANNEL.

Extended short on storage (SOS) notification

CICS has long provided monitoring and short on storage (SOS) support for CICS-managed storage in dynamic storage areas (DSAs), which includes the capability of the CICS storage manager domain to notify other CICS domains so that they can take action upon an SOS event in CICS DSAs. In CICS TS 5.6, the CICS storage manager domain was enhanced to monitor the use of user region (24-bit) and extended user region (31-bit) MVS storage not managed by CICS, but this enhancement did not support SOS notification to other domains. In CICS TS CICS TS 6.1, the SOS notification is enhanced to provide the same notification support for MVS storage SOS events as for CICS DSA SOS events.

The DFHUS domain is notified of z/OS MVS SOS conditions so that any eligible user ID and its associated attributes are freed, including RACF control blocks. The freeing of these control blocks is normally subject to USRDELAY processing, but in the event of an SOS condition in 31-bit MVS storage, these control blocks are now freed immediately by the US and XS domains.

The Region status domain is notified of z/OS SOS conditions so that CICSPlex SM factors z/OS SOS conditions into its routing algorithm, in the same way as it does for CICS-managed storage SOS conditions.

Support for passing XID to Db2

Service APAR PH47996 required

A new DB2ENTRY attribute SHARELOCKS is provided to enable CICS to pass an XID to Db2 and instruct Db2 to share locks between threads that pass the same XID. Using the same XID, other threads that originate from other CICS regions or from other transaction managers such as IMS TM can access Db2 in the same global unit of work (UOW). The XID token is not used for recovery between CICS and Db2. The passing of an XID involves a partial signon to Db2 for each UOW. This action closes cursors, so held cursors across syncpoints are not supported when the passing of an XID is enabled. Applications will have to reposition cursors after a syncpoint. Passing an XID avoids having to deal with UOW affinities.

This capability is also available on CICS TS 5.5 and 5.6 with APAR PH39766, but is facilitated by feature toggle com.ibm.cics.db2.sharelocks={true|false}.

Learn more about DB2ENTRY thread operation attributes.

Enhanced shared data tables

The capacity of shared data tables is increased. Shared data tables no longer use the two control data spaces named DFHDT001 (which was used for table entry descriptors and backout elements) and DFHDT002 (which was used for index nodes), and instead are now using 64-bit storage to hold this control information. The use of 64-bit storage to hold the entry descriptors, backout elements, and index nodes removes the constraint on the number of records that can be stored. The records continue to be stored in 31-bit data spaces. Now, two more data spaces are available to hold the records.

Previously, the number of records that could be stored was governed by the size of the key of the records. For example, previously a 45-byte key would mean a limit of 36 million records per file owning region (FOR), and this limit on index information was reached long before all the data space storage available to hold the records was consumed.

Previously, up to 98 data spaces could be used per FOR to hold the records. Now that is increased to 100 data spaces.

You can use the new system initialization parameter SDTMEMLIMIT to set the maximum amount of storage above the bar that is available for shared data tables to use for control information. You can use SPI commands INQUIRE SYSTEM SDTMEMLIMIT and SET SYSTEM SDTMEMLIMIT and their CEMT equivalents to inquire or increase the SDTMEMLIMIT value.

Learn more about Storage use for shared data tables.

Enhanced CICS event processing support

Application events now support the PUT64 CONTAINER capture point. You can capture and emit events when your application program issues an EXEC CICS PUT64 CONTAINER command or when it invokes one of the two put methods or the putString method in the JCICS com.ibm.cics.server.Container class.

Learn more about Application events.

Changes to CICSPlex SM sysplex optimized workload routing behavior

The default behavior of CICSPlex SM workload management routing algorithms has been updated to increase the likelihood that work is routed to healthy, local target regions. This change applies only to the QUEUE and GOAL algorithms, not to the link neutral variants (LNQUEUE and LNGOAL).

Where a routing region might be subject to surges of extremely high frequency, short duration transactions, workload batching might occur. A new feature toggle, com.ibm.cics.cpsm.wlm.surgeresist={true|false}, has been introduced to mitigate these surges by reducing the likelihood that recently selected target regions are reselected. Enabling this feature toggle increases the average routing cost per transaction, but restores the routing behavior of CICSPlex SM at CICS TS 5.6 before APAR PH30768 is applied.

Learn more about feature toggles.

WRITE OPERATOR enhanced to support writing messages to a specific console

The WRITE OPERATOR API command supports a new option CONSNAME, which you can use to specify a specific console to receive messages. This option enables messages to be sent to a specific console.

Learn more about WRITE OPERATOR.

Improved temporary storage expiry processing

The processing of expired temporary storage queues has been improved as follows:

• Firstly, the processing of main and auxiliary tsqueues is separated from the processing of shared tsqueues so that they use separate calculated intervals.
• Secondly, for shared tsqueues, an internal queue is used to hold when the last scan was performed. The internal queue is used to prevent a CICS region from scanning shared TS queues if another CICS region has performed such a scan within the previous minute. This means that even if multiple CICS regions are using a shared TS pool, each with TS models installed that specify short expiry intervals, the shared queues are never scanned more frequently than once per minute.
• Thirdly, the CICS-MQ interface has been improved to only employ a DFHCKBR tsmodel with a nonzero expiry interval when the MQ bridge has been started; otherwise, it has a zero expiry interval. This avoids unwanted tsqueue scans.

This capability is also available on CICS TS 5.6 with APAR PH40863 and PH40409.

Improved processing of WS-AT requests

A new transaction CPIW is introduced to handle WS-AT protocol messages. The DFHRSURI URIMAP is changed to specify TRANSCTION(CPIW) by default. CPIW tasks should not be put into a TCLASS. This allows WS-AT protocol messages to always be handled even if the limit of concurrent application requests has been reached.

If you are using a customized version of DFHRSURI that no longer specifies TRANSACTION(CPIH), no action is needed, and you can continue to use your customized DFHRSURI unchanged.

However, if the CSD is being shared with a back level region, see Changes to resource definitions to determine if any action is necessary.

Learn more about List of CICS transactions.

Automatic redirecting of HTTP response for INVOKE SERVICE command

Service APAR PH63742 required.

The INVOKE SERVICE command has been updated to allow for redirects of the HTTP response to the information contained in the location header.

This capability is also available on CICS TS 5.6 with APAR PH61670.

Learn more about INVOKE SERVICE.

For documentation and other information

Learn more about What documentation is available?.