Changes to security
This section summarizes the changes that relate to security across supported CICS® releases. Use this information to plan the impact of upgrading from one release to another.
If you are upgrading from an end-of-service release, you can find information about the changes that are relevant to those releases in Summary of changes from end-of-service releases.
For information about changes to RACF classes, see Changes to RACF classes.
Identification
Change | 5.4 | 5.5 | 5.6 | 6.1 |
---|---|---|---|---|
MQMONITOR MONUSERID | NEW | | | |
KERBEROSUSER system initialization parameter | NEW with APAR PI85443 | NEW | | |
Authentication
Change | 5.4 | 5.5 | 5.6 | 6.1 |
---|---|---|---|---|
XPTKT system initialization parameter | CHANGED: The default is changed from NO to YES. | | | |
GROUPID on VERIFY PASSWORD and VERIFY PHRASE to support password or passphrase verification against a supplied group ID | NEW | | | |
Kerberos mutual authentication | NEW | | | |
VERIFY TOKEN support for JWT | NEW | | | |
CICS Explorer support for MFA | NEW with APAR PI87691 | NEW | CHANGED: ON by default | |
New DISCONNECT option on GMTRAN for terminal sign-on security control | NEW: Terminal sign-on security control introduced for CESN and CESL | CHANGED: | | |
New parameter GMEXITOPT on ASSIGN | NEW | | | |
Liberty oauth-2.0 | NEW with APAR PI91554 | NEW | | |
Liberty JWT and OpenID Connect | NEW with APAR PI91554 | NEW | | |
Liberty: wait for angel at JVM server startup | NEW with APAR PI92676 | NEW | | |
Liberty: multiple Liberty servers per CICS region using an angel | NEW with APAR PI98174 | NEW | | |
Liberty Java™ EE 8 Security-1.0 API with JSR 375 | NEW with APAR PH15017 | NEW | | |
Authorization
Change | 5.4 | 5.5 | 5.6 | 6.1 |
---|---|---|---|---|
Security for job submission from SPOOL or TDQ commands | NEW | | | |
QUERY SECURITY USERID | NEW | | | |
Check on region access to Category 1 transactions at start-up | NEW | REMOVED | | |
Simplifying Category 1 transaction security | NEW | | | |
Improved security diagnosis capability for authorization failures | NEW | | | |
Controlling the API and SPI used by developers | NEW | | | |
Control of HPO SIT override | NEW | | | |
Integrity
Change | 5.4 | 5.5 | 5.6 | 6.1 |
---|---|---|---|---|
CICS BMS 3270 intrusion detection service | CHANGED: Support for IBM® z/OS® Communications Server IDS | | | |
Instruction Execution Protection (IEP) for dynamic storage areas (DSAs) | NEW | | | |
Confidentiality
Change | 5.4 | 5.5 | 5.6 | 6.1 |
---|---|---|---|---|
Support for upgrading to TLS 1.3 | NEW | | | |
MAXTLSLEVEL system initialization parameter | NEW | | | |
MINTLSLEVEL system initialization parameter | CHANGED: The default is changed from TLS10 to TLS12. | NEW OPTION: / REMOVED OPTIONS: / STABILIZED OPTION: | | |
KEYRING system initialization parameter | CHANGED with APAR PH49253: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID. | CHANGED with APAR PH49253: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID. | CHANGED with APAR PH49261: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID. | |
CONFDATA system initialization parameter | CHANGED: The default is changed from SHOW to HIDE. The HIDE option replaces HIDETC. | | | |
SNI support in CICS TS communications with an HTTP server over TLS connections | NEW with APAR PH20063 | NEW with APAR PH20063 | NEW | |
Default cipher file for outbound web requests | NEW with APAR PH45703 | NEW with APAR PH38091 | NEW | |
Simplifying changing TLS protocol levels or ciphers | NEW | | | |
Improved diagnostics for TLS security | NEW | | | |
Minimum key size allowed during TLS handshakes | NEW with APAR PH50175 | NEW with APAR PH50175 | NEW with APAR PH50175 | NEW with APAR PH51719 |
Auditing
Change | 5.4 | 5.5 | 5.6 | 6.1 |
---|---|---|---|---|
IBM Health Checker for z/OS support | NEW | CHANGED: Enhanced support for seven health checker rules that define the best practices for CICS security. | | |
Classifying CICS regions with region tagging | NEW | | | |
Compliance data collection with SMF 1154 subtype 80 records | NEW: CICS regions can generate an SMF 1154 subtype 80 record in response to ENF86 triggered by the z/OSMF Compliance REST API. | | | |
Security domain statistics | NEW: Monitoring capability introduced for the security domain | | | |
Performance
Change | 5.4 | 5.5 | 5.6 | 6.1 |
---|---|---|---|---|
Preset user ID on a terminal can share an ACEE | NEW | | | |
Performance improvement to QUERY SECURITY | NEW | | | |
Deprecated and removed
Change | 5.4 | 5.5 | 5.6 | 6.1 |
---|---|---|---|---|
ENCRYPTION system initialization parameter | REMOVED | | | |
Numeric CIPHERS | DEPRECATED | | | |
EXCI SURROGCHK option | REMOVED with APAR PH09898: Surrogate checking is always done. Specifying SURROGCHK=YES in the EXCI options table, DFHXCOPT, is accepted for compatibility. | REMOVED with APAR PH09898: Surrogate checking is always done. Specifying SURROGCHK=YES in the EXCI options table, DFHXCOPT, is accepted for compatibility. | REMOVED: Surrogate checking is always done. Specifying SURROGCHK=YES in the EXCI options table, DFHXCOPT, is accepted for compatibility. | |
SECVFYFREQ system initialization parameter | REMOVED | | | |
Removal of XSNEX global user exit | REMOVED | | | |