CICS system and resource security for CICS web support
When CICS® is an HTTP server, the CICS system must be protected from access by unauthorized users. If a system is not properly protected, users might be able to access confidential data or obstruct the system to cause denial of service to other users.
To police access to CICS web support in general, you request identification from each user that makes an HTTP client request and then authenticate the identity stated by the user. You use the TCPIPSERVICE definitions for inbound ports to specify these requirements. Refer to CICS as an HTTP server: authentication and identification.
All the user IDs used by web clients must have a user profile in RACF® or your equivalent external security manager. Refer to RACF Profiles.
CICS web support can deliver an HTTP response in three ways, and the security checks that apply differ between them:
- Application-generated responses
- Static responses, using a URIMAP definition that provides a CICS document template as the response
- Static responses, using a URIMAP definition that provides a z/OS® UNIX System Services file as the response
For application-generated responses, CICS system defaults specify that no resource security checking is carried out, but transaction security checking is carried out (specifically, transaction-attach security for the alias transaction). Assuming that transaction security is active in your CICS region, you must therefore take some actions relating specifically to security for application-generated responses, even if you do not plan to use web client authenticated user IDs for security checking.
For static responses, transaction-attach security does not apply to web client user IDs. However, CICS system defaults specify that resource-level security checking is carried out if a user ID is available for web clients. If you are obtaining authenticated user IDs from web clients, you must therefore either set up resource permissions for these user IDs or take action to disable resource-level security checking.
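The following batch input is an added example, not part of the IBM documentation, showing the two controls this section turns on: a TCPIPSERVICE that requires HTTP basic authentication over TLS (shown beside the unauthenticated definition it replaces), and a RACF transaction profile that grants authenticated web user IDs the alias transaction under which application-generated responses run. The job card, data set names, the CSD group WEBGRP, the RACF group WEBUSERS, the certificate label and the port numbers are assumptions; CWXN and CWBA are the CICS-supplied web attach and default alias transactions.

```jcl
//DEFWEB   JOB (ACCT),'CWS SECURITY',CLASS=A,MSGCLASS=X
//*
//* Step 1: define the inbound port with DFHCSDUP (offline CSD update).
//* Data set names are placeholders; substitute your SDFHLOAD and CSD.
//*
//CSDUP    EXEC PGM=DFHCSDUP
//STEPLIB  DD DSN=CICSTS.SDFHLOAD,DISP=SHR
//DFHCSD   DD DSN=CICSTS.DFHCSD,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
* Weak: anonymous HTTP. No client user ID is identified, so every
* request runs under the CICS default user ID and resource checks
* cannot distinguish callers. Left CLOSED and kept only for comparison.
 DEFINE TCPIPSERVICE(HTTPOPEN) GROUP(WEBGRP)
        PORTNUMBER(8080) PROTOCOL(HTTP) TRANSACTION(CWXN)
        URM(DFHWBAAX) AUTHENTICATE(NO) SSL(NO) STATUS(CLOSED)
* Hardened: basic authentication carried over TLS, so the user ID and
* password are verified by the external security manager before CWXN
* attaches the alias transaction. CERTIFICATE is the server
* certificate label in the region's key ring (placeholder).
 DEFINE TCPIPSERVICE(HTTPAUTH) GROUP(WEBGRP)
        PORTNUMBER(8443) PROTOCOL(HTTP) TRANSACTION(CWXN)
        URM(DFHWBAAX) AUTHENTICATE(BASIC) SSL(YES)
        CERTIFICATE(CICSWEBCERT) STATUS(OPEN)
/*
//*
//* Step 2: transaction-attach security for application-generated
//* responses. Authenticated web user IDs need READ access to the
//* alias transaction (CWBA, the CICS-supplied default) in the
//* TCICSTRN class; everyone else is denied by UACC(NONE).
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE TCICSTRN CWBA UACC(NONE)
  PERMIT CWBA CLASS(TCICSTRN) ID(WEBUSERS) ACCESS(READ)
  SETROPTS RACLIST(TCICSTRN) REFRESH
/*
```

Static responses are not covered by the CWBA profile: with a user ID available, CICS checks the web user ID's access to the document template or z/OS UNIX file instead, so those permissions (or the decision to disable resource-level checking) still have to be set separately.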
You must also take the following general measures:
- Implement measures to protect inbound ports against unauthorized or malicious access.
- Protect CICS system components from modification by unauthorized users, and ensure that authorized users have the correct access to them.