Security considerations
CICS® Transaction Gateway can perform authentication and authorization checks at different points during the processing of requests.
Authentication verifies that the user is who they say they are. Depending on topology, authentication can be based on the user ID passed with the ECI request, an SSL client certificate, or a distributed identity (identity propagation).
Authorization verifies that a user is allowed to access a particular resource for a given intent, for example to execute a method in a bean or to update a CICS resource.
Security options available
- User authentication by CICS Transaction Gateway. The user ID can be passed to CICS without a password.
- Identity propagation. This is a unified security solution that enables additional user auditing and authorization by passing a distributed identity to CICS instead of a user ID and password. Available only when using IPIC.
- SSL client authentication. A trust relationship is established between IBM® WebSphere® Application Server and the Gateway daemon so that the application server can be trusted to pass the user ID on an ECI request to CICS.
- Component-managed sign-on. With this option, security credentials are propagated to CICS by the application.
- Container-managed sign-on. With this option, security credentials are propagated to CICS by a Web or EJB container.
- Link user ID authorization checking. This provides an additional check on whether the link user ID is authorized to access the CICS resource.
- MRO bind security. This prevents unauthorized attached MRO regions from starting transactions in a CICS server, and determines whether or not a particular CICS Transaction Gateway can connect (bind) to a particular CICS server. Available only when using EXCI.
- Link security. This ensures that the link user ID used for authorization checks in CICS is the user ID associated with the started task of the Gateway daemon.
- Surrogate security. This authorizes the user ID associated with the CICS Transaction Gateway started task to switch the security context of an EXCI request to the user ID that was passed to CICS. Available only when using EXCI.
- RACF® keyring support. With this option SSL key stores are stored in RACF.
- IBM z Systems® hardware cryptographic support. SSL handshakes can be offloaded to hardware to reduce the CPU load due to handshakes and encryption.
- SSL cipher suite selection. This allows only certain algorithms and strengths of ciphers to be used for SSL connections.