User registries

User registries, also known as security registries, store user account information, such as user ID and password, that can be accessed during authentication and authorization. CICS® Transaction Server for z/OS® supports different user registries.

SAF registry
RACF® is a SAF registry and the primary z/OS user registry. RACF is an external security manager (ESM), and it provides more functions than a user registry alone. For more information, see How it works: Securing CICS with RACF. An ESM is accessed through the SAF interface. In documentation about CICS Liberty support, you might see the term SAF registry; it means RACF or an alternative ESM.
On z/OS, access to the SAF registry is considered an authorized service. To access such authorized services, the caller needs to use one of the following methods:
  1. An SVC routine to call an authorized service.
  2. A program call (PC) instruction to another address space, which is itself authorized.
When the CICS security domain makes calls to SAF, it can use its own SVC routine, DFHCSVC, which is loaded from the authorized LPA, to make authorized calls to SAF (option 1). However, this option is not available to Liberty JVM servers because the CICS SVC is a private interface. Instead, option 2 is the model that Liberty uses on z/OS. The angel process is a long-running started task that is required for a Liberty JVM server in CICS TS to use SAF-authorized services. The angel process is configured to run authorized, and Liberty servers connect to it to call authorized services. Access to its services is controlled by the SAFCRED resource profiles. When a Liberty JVM server runs in a CICS region, use of these profiles is the only way for it to authenticate users with the SAF registry.

Liberty also offers the ability to fail over to unauthorized UNIX System Services to authenticate requests when the angel process is unavailable. However, this option is not supported when you run a Liberty JVM server in CICS.

Lightweight Directory Access Protocol (LDAP) registry

LDAP is an open industry standard application protocol for accessing distributed directory information services. It is widely used in enterprises to authenticate users and retrieve user groups. CICS TS can use LDAP to retrieve a Certificate Revocation List (CRL) or to create basic authentication credentials for web requests through the LDAP XPI functions and the XWBAUTH global user exit. Liberty JVM servers that run in CICS TS can also connect to an LDAP registry to perform authentication and authorization.

Basic registry
If you use CICS TS with Liberty, an additional option is available with the basic registry. The basic registry provides a simple, text-based registry in the server.xml file. Access to server.xml is not controlled by RACF.
Recommendation: It is not advisable to use this registry type for any purpose other than testing, because this registry is neither integrated with CICS Liberty security nor synchronized with RACF.
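The following server.xml fragment is an added illustration, not configuration from this page or from IBM's product documentation. It contrasts the production choice (the SAF registry, reached through the angel process) with the test-only basic registry described above. The element and attribute names are Liberty's standard ones; the profile prefix, realm, user name and encoded password are placeholders that you would replace with values defined by your security administrator.

```xml
<server description="Registry choice for a Liberty JVM server in CICS TS (added example)">
    <featureManager>
        <!-- cicsts:security-1.0 integrates Liberty security with CICS and the SAF registry.
             For the test-only basic registry you would instead enable appSecurity-2.0,
             because the basic registry is not integrated with CICS Liberty security. -->
        <feature>cicsts:security-1.0</feature>
    </featureManager>

    <!-- Production: authenticate against the SAF registry (RACF or another ESM).
         Requires the angel process to be running and the Liberty server's identity to be
         permitted to the angel's resource profiles. profilePrefix is a placeholder; it must
         match the prefix used in the SAFCRED-related profiles your security administrator defined. -->
    <safRegistry id="saf" />
    <safCredentials profilePrefix="YOURPREFIX" />

    <!-- Test only (kept commented out here): a basic registry stores credentials in this file,
         so access to them is governed by file-system permissions on server.xml, not by RACF,
         and nothing keeps them in step with RACF. The password value below is a placeholder
         in the {xor} form produced by the Liberty securityUtility encode command.
    <basicRegistry id="basic" realm="TestRealm">
        <user name="testuser" password="{xor}ENCODED_PLACEHOLDER" />
    </basicRegistry>
    -->
</server>
```

Keeping exactly one registry active at a time is the point of the layout: a server that carries both a safRegistry and a basicRegistry without federation is misconfigured, and a basicRegistry left enabled in a CICS region means user IDs and passwords that RACF never sees and never audits.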