IPIC bind-time security
A security check can be applied when a request to establish a connection is received from, or sent to, a remote system. This is called bind-time security. Its purpose is to prevent an unauthorized system from connecting to CICS.
When CICS uses IPIC to communicate with another CICS region, each CICS system must have an IPCONN resource and a TCPIPSERVICE resource defined.
Each CICS system uses the IPCONN to transmit data to the partner system's TCPIPSERVICE, which acts as a receiver. The CICS region that starts the communication is the client; the remote system is the server.
- The SEC system initialization parameter must be YES on both regions.
- The IPCONN definitions on both the local and remote regions must specify:
  - SSL(YES).
  - CIPHERS(value). The CIPHERS attribute can be specified in either of two ways:
    - A string of up to 56 hexadecimal digits that is interpreted as a list of up to 28 2-digit cipher suite codes.
    - The name of the SSL cipher suite specification file, which is a z/OS® UNIX file in the /security/ciphers subdirectory of the directory that is specified by the USSCONFIG system initialization parameter. For more information, see Cipher suites and cipher suite specification files.

    When you use CEDA to define the resource, CICS automatically initializes the attribute with a default list of acceptable codes, depending on the level of encryption that is specified by the ENCRYPTION system initialization parameter.
  - Optionally, CERTIFICATE(X.509_certificate_label). The named certificate is used as the client certificate during the SSL handshake when the IPCONN is acquired. If CERTIFICATE is not specified, the default certificate defined in the key ring for the CICS region user ID is used.

  The IPCONN defines the outbound side of the connection: these settings tell CICS to initiate an SSL handshake. During the handshake, CICS asks the partner region for the certificate specified on the partner's TCPIPSERVICE. If the remote region's TCPIPSERVICE specifies SSL(CLIENTAUTH), the remote system also requests the certificate of the originating system as part of the handshake.
- The TCPIPSERVICE resource definitions on both the local and remote regions must specify:
  - PROTOCOL(IPIC).
  - SSL(CLIENTAUTH) or SSL(YES).
  - CIPHERS(value).
  - Optionally, CERTIFICATE(X.509_certificate_label). The named certificate is used as the server certificate. If CERTIFICATE is not specified, the default certificate defined in the key ring for the CICS region user ID is used.

  The TCPIPSERVICE definitions define the inbound side of the connection: with SSL(CLIENTAUTH), these settings tell CICS that it must receive a valid SSL client certificate before allowing the client to acquire the IPCONN. They also specify that CICS sends the certificate named on the TCPIPSERVICE (or the default certificate when none is named) to the client as its server certificate.
If the TCPIPSERVICE is specified with SSL(YES), the server does not ask for, nor receive, a client certificate during the handshake.
If the TCPIPSERVICEs in both CICS regions are specified with SSL(YES), both CICS regions are authenticated.
If the TCPIPSERVICEs in both CICS regions are specified with SSL(CLIENTAUTH), both CICS regions are authenticated twice.
When the TCPIPSERVICE is specified with SSL(NO) on both regions, bind-time security is not possible.
If the remote client is trusted by the CICS server, bind-time security is not required. However, any user ID and password passed for transaction attach must still be valid in the server region's external security manager.
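The following is an added example, not taken from the CICS documentation, showing the IPCONN and TCPIPSERVICE definitions for one side of a mutually authenticated IPIC connection as DFHCSDUP input (lines beginning with an asterisk are comments). The region names CICSA and CICSB, the group name IPICSEC, the host name, the port number, the certificate labels and the CIPHERS value are all assumed values chosen for illustration; the cipher codes 35 and 2F are the TLS cipher suite identifiers for RSA with AES-256-CBC-SHA and AES-128-CBC-SHA, and which codes a region accepts depends on its ENCRYPTION setting.

```text
* Added example; names and values are constructed for illustration.
* Prerequisite on both regions (SIT, not CSD): SEC=YES.
* Region CICSA: the outbound (client) side. Acquiring this IPCONN
* starts the SSL handshake with the partner region CICSB.
DEFINE IPCONN(CICSB) GROUP(IPICSEC)
       APPLID(CICSB)
       HOST(cicsb.example.com) PORT(1490)
       TCPIPSERVICE(IPICA)
       SSL(YES)
       CIPHERS(352F)
       CERTIFICATE(CICSACLIENT)
* Region CICSA: the inbound (server) side. SSL(CLIENTAUTH) makes CICSA
* demand a valid client certificate from CICSB before CICSB can acquire
* its IPCONN to CICSA; CICSA presents CICSASERVER as its server certificate.
DEFINE TCPIPSERVICE(IPICA) GROUP(IPICSEC)
       PORTNUMBER(1490) PROTOCOL(IPIC) TRANSACTION(CISS)
       SSL(CLIENTAUTH)
       CIPHERS(352F)
       CERTIFICATE(CICSASERVER)
* Region CICSB holds the mirror-image pair: an IPCONN named CICSA with
* SSL(YES) and its own client certificate, and a PROTOCOL(IPIC)
* TCPIPSERVICE with SSL(CLIENTAUTH) and its own server certificate.
* Weak alternative (no bind-time security): SSL(NO) on the TCPIPSERVICE
* in both regions. No certificates are exchanged, so neither region can
* verify which system it is connected to.
```

Setting SSL(YES) instead of SSL(CLIENTAUTH) on the TCPIPSERVICE in this example would still let CICSB authenticate CICSA through the server certificate, but CICSA would no longer request or check CICSB's certificate at bind time.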