Configuring security for an IPIC connection

IPIC connections can enforce bind security to prevent an unauthorized client system from connecting to CICS®, link security to restrict the resources that can be accessed over a connection to a CICS system, and user security to restrict the CICS resources that can be accessed by a user. If the CICS system supports password phrases, a password phrase can be used for user security.

Bind security

Bind security can be applied to check that the remote system is authorized to connect to CICS. Bind security is implemented by configuring the connection to use TLS client authentication.

Link security

Link security restricts the resources that users can access. The practical effect of link security is to prevent a remote user from attaching a transaction or accessing a resource for which the link user ID has no authority.

You can specify the link user ID for IPIC connections to be either a specific SAF user ID or, if the TCPIPSERVICE is configured to require TLS client authentication, the SAF user ID associated with the client certificate. Specify the link user with the SECURITYNAME attribute, or a TLS certificate, in the IPCONN definition in CICS. You can use a TLS certificate only if you have a client-authenticated TLS connection. The client's certificate is mapped by RACF® to a specific user ID, which is defined as the link user. With this method, you can specify different link users depending on which certificate is presented. For more information, see Configuring an IPIC connection in CICS.

User security

In addition to the security restrictions set by link security, you can further restrict each remote user's access to the transactions and resources in your system. In z/OS® Connect, user security works in one of two ways: user credentials are predefined on a specific IPIC connection definition, or the authenticated user identity associated with each individual request is passed automatically to CICS.

To predefine user security on an IPIC connection, the CICS IPCONN definition must be configured with USERAUTH=VERIFY, which requires that a user ID and password are sent to CICS on each request. The security credentials are configured on the zosconnect_cicsIpicConnection element in the server.xml file. For more information, see Configuring basic authentication on an IPIC connection.

To enable authenticated user identities that are associated with individual requests to be sent to CICS, the IPCONN definition in CICS must be configured with USERAUTH=IDENTIFY. If the z/OS Connect Server is not in the same sysplex as the CICS region, you must use an IPIC TLS connection that is configured with client authentication. For more information, see Configuring TLS on an IPIC connection.

The user identity can be any of the following.
  • An authenticated distributed identity that is defined in an LDAP registry and mapped to a SAF user ID in the SAF registry that is used by CICS. For more information, see Configuring distributed identity propagation.
  • An authenticated SAF user ID that has originated from any security mechanism supported by Liberty. For example:
    • An X.509 client certificate that is mapped to a SAF user ID. For more information, see API provider authorization.
    • Another security credential such as a JWT token mapped to a SAF user ID.
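The following DFHCSDUP-style definitions are an added example (not from this document or the z/OS Connect product documentation) showing how the bind, link and user security layers described above map to CICS resource attributes for the two USERAUTH variants. Resource names, the APPLID, the port number and the certificate label are placeholders; install only one of the two IPCONN definitions, since both name the same partner APPLID.

```text
* Constructed example: DFHCSDUP input with placeholder names.
*
* 1) TCPIPSERVICE that accepts the inbound IPIC connection from z/OS Connect.
*    SSL(CLIENTAUTH) is what implements bind security: the client must present
*    a certificate that RACF can map to a user ID before the bind is accepted.
DEFINE TCPIPSERVICE(ZCIPIC) GROUP(ZCGRP)
       PROTOCOL(IPIC) PORTNUMBER(1491)
       SSL(CLIENTAUTH) CERTIFICATE(CICSSERVERCERT)
*
* 2a) IPCONN for predefined credentials (USERAUTH=VERIFY).
*     The user ID and password held on zosconnect_cicsIpicConnection in
*     server.xml are sent with every request. Link security comes from the
*     fixed SECURITYNAME user ID, so every request is bounded by ZCLINK's
*     authority before the request user ID is checked.
DEFINE IPCONN(ZCVERIFY) GROUP(ZCGRP)
       APPLID(ZCONSVR1) TCPIPSERVICE(ZCIPIC)
       LINKAUTH(SECUSER) SECURITYNAME(ZCLINK)
       USERAUTH(VERIFY)
*
* 2b) IPCONN for identity propagation (USERAUTH=IDENTIFY).
*     No password accompanies the request, so the connection itself must be
*     trusted: z/OS Connect is either in the same sysplex or, as here, bound
*     over client-authenticated TLS. LINKAUTH(CERTUSER) makes the link user
*     the SAF user ID that RACF maps from the client certificate, so a
*     different certificate yields a different link user.
DEFINE IPCONN(ZCIDENT) GROUP(ZCGRP)
       APPLID(ZCONSVR1) TCPIPSERVICE(ZCIPIC)
       LINKAUTH(CERTUSER)
       USERAUTH(IDENTIFY)
```

With either definition, a request is rejected if the link user lacks authority to the transaction or resource, regardless of the request user's own permissions.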

For more information on IPIC security, see IPIC connection security in the CICS Transaction Server for z/OS documentation.