IPIC connection security

IPIC connections enforce link security to restrict the resources that can be accessed over a connection to a CICS® server, bind security to prevent an unauthorized client system from connecting to CICS, and user security to restrict the CICS resources that can be accessed by a user. If the CICS server supports password phrases, a password phrase can be used for user security.

Link security

There are two ways that you can specify the link user for IPIC connections. You can use the SECURITYNAME attribute, or an SSL certificate in the IPCONN definition in CICS. You can use an SSL certificate if you have a client authenticated SSL connection. The client's certificate is mapped by RACF® to a specific user ID, which is defined as the link user. This means that you can specify different link users, depending on which certificate you are using.

To specify a link user, set LINKAUTH in the IPCONN definition in CICS to one of the following settings:
  1. SECUSER to use the user ID that is specified in the SECURITYNAME attribute to establish link security.
  2. CERTUSER to use an SSL client certificate mapped to a user ID to establish link security.

    The IPCONN resource must refer to a TCPIPSERVICE definition that is configured for SSL and client authentication. The certificate must be mapped in RACF to your chosen user ID. For more information on certificate mapping, see the CICS Transaction Server documentation.

Bind security

For IPIC connections bind security is implemented using a client authenticated SSL connection. In this configuration the Java client application or CICS Transaction Gateway need to be authenticated by the CICS server before they are able to successfully connect. This prevents an unauthorized system from connecting.

User security

IPIC connections enforce user security to restrict the CICS resources that can be accessed by a user. The level of user security checking is specified by setting the USERAUTH attribute in the IPCONN definition in CICS. The USERAUTH setting in the IPCONN definition is comparable to the ATTACHSEC setting on other connection definitions.
  • If USERAUTH=IDENTIFY is specified, a user ID that is already verified must be supplied. If the CICS TG and CICS server are not in the same sysplex, an SSL connection is required.
  • If USERAUTH=VERIFY is specified, a user ID and password or password phrase must be supplied. If password phrases are used the CICS server must support password phrases.

If you are using the ECI base classes, set the user ID and password or password phrase (if required) on the ECIRequest.

To set custom properties for the ECI resource adapter set the following properties:
  1. Set the flowed user ID in the UserName property.
  2. Set the password or password phrase (if required) in the Password property.
To override ECIConnectionSpec settings:
  1. Create an ECIConnectionSpec object with the required user ID and password.
  2. Use this object for requests on the selected connection and in the getConnection() method of your ECI ConnectionFactory.

Identity propagation can be used as an alternative to specifying a user ID, for more information, see Identity propagation.

A user ID can also be obtained from a mapping of an SSL client certificate.