Upgrading security

This topic summarizes the actions that relate to security when you migrate from one release of CICS® to another. Any actions that are shown as optional are strongly advised because they are security enhancements. This information applies to all currently supported CICS TS releases, regardless of your current release and the target release.

All information refers to RACF®. If you use a different external security manager, refer to the documentation of that product. It is assumed that you have the system initialization parameter SEC set to YES.

If you are upgrading from an end-of-service release, you might need to take additional actions that are relevant to your current, end-of-service release, along with the actions summarized in the upgrade instructions for each CICS configuration aspect. You can find additional upgrade actions for migrating from end-of-service releases in Upgrading from end-of-service releases.

Upgrade actions

Your current version | Action                                                                  | Mandatory or optional?
---------------------|-------------------------------------------------------------------------|-----------------------------------------------------------------------
All versions         | Review requirements to enable TLS 1.3                                   | Mandatory if you plan to enable TLS 1.3
All versions         | Review the impact of extensions to command and resource security checks | Mandatory
All versions         | Define new Category 2 transactions to RACF                              | Mandatory
All versions         | Migrate from APPC PEM                                                   | Mandatory if you want to support authentication with password phrases
5.4, 5.5             | Review external security settings for CMCI                              | Mandatory if you use the CMCI

All versions Review requirements to enable TLS 1.3

CICS introduces support for TLS 1.3 including the parameter MAXTLSLEVEL, removes the parameter ENCRYPTION, and requires ciphers to use the XML definition formats. You must review the steps that are needed to complete migration to the TLS 1.3 feature.

All versions Review the impact of extensions to command and resource security checks

Command security applies if the XCMD system initialization parameter is specified (that is, not set to NO) for the CICS region. Resource security applies if any of the Xnnn SIT parameters is specified for the CICS region. Releases of CICS extend the resource types, their resource identifiers, and associated commands that are subject to command security checking and resource security checking. Check the resources and commands that are changed.

All versions Define new Category 2 transactions to RACF

Category 2 transactions are initiated by CICS users or are associated with CICS users. You must define these transactions to RACF, and authorize users or groups of users to use them. Sample CLIST DFH$CAT2 is provided to assist with this. For a list of CICS transactions that are Category 1, see All supplied transactions and associated security categories.
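The following batch job is an added illustration of the RACF definitions this step calls for; it is not the DFH$CAT2 sample CLIST. It assumes XTRAN=YES with the default transaction classes TCICSTRN (member) and GCICSTRN (grouping), uses CEMT and CEDA as example Category 2 transaction names, and the group names CICSADM and CICSOPS are constructed for the example.

```jcl
//CAT2DEF  JOB (ACCT),'CICS CAT2 TRANS',CLASS=A,MSGCLASS=X
//* Run RACF commands in TSO batch to protect Category 2 transactions
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* Discrete profiles for the new transactions: no universal access, */
 /* log every failed attempt so unauthorized use shows up in SMF     */
 RDEFINE TCICSTRN (CEMT CEDA) UACC(NONE) OWNER(CICSADM) -
         AUDIT(FAILURES(READ))
 /* Grant the operations group READ, which is what a transaction     */
 /* attach check requires; no one else gets access                    */
 PERMIT CEMT CLASS(TCICSTRN) ID(CICSOPS) ACCESS(READ)
 PERMIT CEDA CLASS(TCICSTRN) ID(CICSOPS) ACCESS(READ)
 /* Alternative for many transactions: one grouping profile          */
 /* in GCICSTRN with the transactions as members                      */
 RDEFINE GCICSTRN CICSOPER UACC(NONE) OWNER(CICSADM) -
         ADDMEM(CEMT CEDA)
 PERMIT CICSOPER CLASS(GCICSTRN) ID(CICSOPS) ACCESS(READ)
 /* The in-storage profiles are not used until refreshed             */
 SETROPTS RACLIST(TCICSTRN) REFRESH
 /* Verify: list the profile with its access list and audit setting  */
 RLIST TCICSTRN CEMT AUTHUSER
/*
```

After the refresh, confirm from a CICS user ID outside CICSOPS that the transaction attach fails with a security violation, and that the violation appears in the RACF SMF records.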

All versions Migrate from APPC PEM

Support for CICS Advanced Program-to-Program Communications (APPC) Password Expiration Management (PEM) is stabilized. The APPC PEM server does not support password phrases. To support authentication with password phrases when using CICS Transaction Gateway, you must migrate from APPC to IP interconnectivity (IPIC) and change your application code to use a current External Security Interface (ESI) API such as CICS_VerifyPassword and CICS_ChangePassword as described in the CICS Transaction Gateway for Multiplatforms product documentation. Information about APPC PEM can be found in previous versions of CICS TS documentation, for example APPC password expiration management.


5.4 and 5.5 Review external security settings for CMCI

The GraphQL API, CICS bundle deployment API, and use of MFA in the CICS Explorer® require the CMCI JVM server. In 5.6 regions, this is enabled by default in regions that use the CMCI. In 5.5 regions, this is off by default. In 5.4 regions, this is enabled by APAR PI87691. If you installed and implemented the change in APAR PI87691, no action is required for 5.4.

If you disable the CMCI JVM server by using the feature toggle, no further action is required, but the GraphQL API, CICS bundle deployment API, and use of MFA in the CICS Explorer will not be available.

If you use the CMCI JVM server, you must define additional security profiles to maintain operation of the CMCI API. You can use the sample CLIST EYU$CMCI in SEYUSAMP, which includes sample RACF profiles. For more information, see Step 11 in Configuring a WUI region to use the CMCI JVM server.

Additionally, if you want to set up the CICS bundle deployment API, which allows Java™ developers to deploy CICS bundles by using the Gradle or Maven plug-in, you need to define additional security settings. You can use the sample CLIST EYU$BUND to define the required RACF profiles. For more information, see Step 3 in Configuring the CMCI JVM server for the CICS bundle deployment API.