EXCI connection security
EXCI connections enforce link, bind and user security. Link security restricts the resources that can be accessed over a connection to a CICS® server, bind security prevents an unauthorized client system from connecting to CICS, and user security restricts the CICS resources that can be accessed by a user.
By default, the link user ID that CICS uses for these security checks is the user ID under which the Gateway daemon runs; to override this, specify a USERID parameter in the SESSIONS definition.
The client application is treated in the same way as a CICS server for MRO logon and connect (bind-time) security checking; when the client connects, the CICS interregion communication program (IRP) performs logon and bind-time security checks against the user ID under which the client is running.
A number of settings and security checks ensure validation of user IDs, passwords, and password phrases.
- The user ID and password or password phrase coded on the ECI request object can be validated in the CICS Transaction Gateway through IBM® RACF® for every EXCI call. This is controlled through the setting of the AUTH_USERID_PASSWORD environment variable. For more information, see Environment variables reference in CICS Transaction Gateway: IBM z/OS Administration.
- The ECI user ID can then be subjected to an optional surrogate security check, if the flowed user ID is different from the user ID in the EXCI address space. This option is specified using the SURROGCHK parameter in the EXCI options module DFHXCOPT; for more information, see the CICS Transaction Server documentation. Note that any password supplied on an ECI request is not flowed on to CICS from CICS Transaction Gateway.
- The flowed user ID is subject to CICS authorization checks. For more details, see the CICS Transaction Server for IBM z/OS® RACF Security Guide.
A user ID can also be obtained from a mapping of an SSL client certificate. For more information, see User authentication using SSL client certificates.