Changes to security

This section summarizes the changes that relate to security across supported CICS® releases. Use this information to plan the impact of upgrading from one release to another.

If you are upgrading from an end-of-service release, you can find information about the changes that are relevant to those releases in Summary of changes from end-of-service releases.

For information about changes to RACF classes, see Changes to RACF classes.

Changes to security across supported CICS TS releases are classified into the following security principles as described in What does security mean in CICS?. Liberty-related security changes are marked with a Liberty tag. An empty cell means that the item did not change in that release.

Identification

Table 1. Identification changes by release of CICS TS
| Change | 5.4 | 5.5 | 5.6 | 6.1 |
|---|---|---|---|---|
| MQMONITOR MONUSERID | NEW | | | |
| KERBEROSUSER system initialization parameter | NEW with APAR: PI85443 | NEW | | |

Authentication

Table 2. Authentication changes by release of CICS TS
| Change | 5.4 | 5.5 | 5.6 | 6.1 |
|---|---|---|---|---|
| XPTKT system initialization parameter | CHANGED: The default is changed from NO to YES. | | | |
| GROUPID on VERIFY PASSWORD and VERIFY PHRASE to support password or passphrase verification against supplied group ID | | NEW | | |
| Kerberos mutual authentication | NEW | | | |
| VERIFY TOKEN support for JWT | | | NEW | |
| CICS Explorer support for MFA | NEW with APAR: PI87691 | NEW | CHANGED: ON by default | |
| New DISCONNECT option on GMTRANT for terminal sign-on security control | | NEW: Terminal sign-on security control introduced for CESN and CESL | CHANGED: Support extended to CESF | |
| New parameter GMEXITOPT on ASSIGN | | | | NEW |
| Liberty: oauth-2.0 | NEW with APAR: PI91554 | NEW | | |
| Liberty: JWT and OpenID Connect | NEW with APAR: PI91554 | NEW | | |
| Liberty: Wait for angel at JVM server startup | NEW with APAR: PI92676 | NEW | | |
| Liberty: Multiple Liberty servers per CICS region using an angel | NEW with APAR: PI98174 | NEW | | |
| Liberty: Java™ EE 8 Security-1.0 API with JSR 375 | | NEW with APAR: PH15017 | NEW | |

Authorization

Table 3. Authorization changes by release of CICS TS
| Change | 5.4 | 5.5 | 5.6 | 6.1 |
|---|---|---|---|---|
| Security for job submission from SPOOL or TDQ commands | | NEW: Security for job submission from SPOOL or TDQ commands | | |
| QUERY SECURITY USERID | | NEW | | |
| Check on region access to Category 1 transaction on start-up | | NEW | | REMOVED |
| Simplifying Category 1 transaction security | | | | NEW |
| Improved security diagnosis capability for authorization failures | | | | NEW |
| Controlling the API and SPI used by developers | | NEW | | |
| Control of HPO SIT override | | NEW | | |

Integrity

Table 4. Integrity changes by release of CICS TS
| Change | 5.4 | 5.5 | 5.6 | 6.1 |
|---|---|---|---|---|
| CICS BMS 3270 intrusion detection service | CHANGED: Support for IBM® z/OS® Communications Server IDS | | | |
| Instruction Execution Protection (IEP) for dynamic storage areas (DSAs) | | | | NEW |

Confidentiality

Table 5. Confidentiality changes by release of CICS TS
| Change | 5.4 | 5.5 | 5.6 | 6.1 |
|---|---|---|---|---|
| Providing support to update to TLS 1.3 | | | | NEW. Requires minimum z/OS 2.4. |
| MAXTLSLEVEL system initialization parameter | | | | NEW |
| MINTLSLEVEL system initialization parameter | | CHANGED: The default is changed from TLS10 to TLS12. | | NEW OPTION: TLS13. REMOVED OPTIONS: TLS10, TLS10ONLY. STABILIZED OPTION: TLS 1.1. |
| KEYRING system initialization parameter | | CHANGED with APAR PH49253: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID. | CHANGED with APAR PH49253: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID. | CHANGED with APAR PH49261: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID. |
| CONFDATA system initialization parameter | | | CHANGED: The default is changed from SHOW to HIDE. The HIDE option replaces HIDETC. | |
| SNI support in CICS TS communications with an HTTP server over TLS connections | NEW with APAR: PH20063 | NEW with APAR: PH20063 | NEW | |
| Default cipher file for outbound web requests | | NEW with APAR: PH45703 | NEW with APAR: PH38091 | NEW |
| Simplifying changing TLS protocol levels or ciphers | | | | NEW |
| Improved diagnostics for TLS security | | | | NEW |
| Sets the minimum key size allowed during TLS handshakes | NEW with APAR: PH50175 | NEW with APAR: PH50175 | NEW with APAR: PH50175 | NEW with APAR: PH51719 |

Auditing

Table 6. Auditing changes by release of CICS TS
| Change | 5.4 | 5.5 | 5.6 | 6.1 |
|---|---|---|---|---|
| IBM Health Checker for z/OS support | NEW: Support for IBM Health Checker for z/OS | | | CHANGED: Enhanced support for seven health checker rules that define the best practices for CICS security. |
| Classifying CICS regions with region tagging | | | | NEW |
| Compliance data collection with SMF 1154 subtype 80 records | | | | NEW: CICS regions can generate an SMF 1154 subtype 80 record in response to ENF86 triggered by the z/OSMF Compliance REST API. |
| Security domain statistics | | | NEW: Monitoring capability introduced for the security domain | |

Performance

Table 7. Performance enhancements by release of CICS TS
| Change | 5.4 | 5.5 | 5.6 | 6.1 |
|---|---|---|---|---|
| Preset user ID on a terminal can share ACEE | NEW | | | |
| Performance improvement to QUERY SECURITY | | NEW | | |

Deprecated and removed

Table 8. Deprecated and removed security-related functions by release of CICS TS
| Change | 5.4 | 5.5 | 5.6 | 6.1 |
|---|---|---|---|---|
| ENCRYPTION system initialization parameter | | | | REMOVED |
| Numeric CIPHERS | | | | DEPRECATED |
| EXCI SURROGCHK option | REMOVED with APAR: PH09898. Surrogate checking is always done. Specifying SURROGCHK=YES in the EXCI options table, DFHXCOPT, is accepted for compatibility. | REMOVED with APAR: PH09898. Surrogate checking is always done. Specifying SURROGCHK=YES in the EXCI options table, DFHXCOPT, is accepted for compatibility. | REMOVED. Surrogate checking is always done. Specifying SURROGCHK=YES in the EXCI options table, DFHXCOPT, is accepted for compatibility. | |
| SECVFYFREQ system initialization parameter | REMOVED | | | |
| Removal of XSNEX global user exit | | | | REMOVED |