CICS transactions subject to security checking

Applies to CICS TS 6.2 and later.

To conform with a zero trust strategy and with compliance regulations such as PCI-DSS, as of CICS® TS 6.2 all CICS transactions, excluding CJXA and the CICSPlex® SM transactions (CO**), are defined with CMDSEC(YES) and RESSEC(YES). This change might affect your existing security definitions.

The following table lists CICS Category 1 transactions that require extra security to be configured.

Table 1. CICS Category 1 transactions requiring extra security
Transaction  Recommended security configuration
CPLT         Security for PLT programs. See PLTPIUSR.
CWXN         Security for static responses. See Resource-level security for static responses using document templates.

The following table lists CICS Category 2 transactions that require extra security to be configured in addition to transaction security.

Table 2. CICS Category 2 transactions requiring extra security in addition to transaction security
Transaction  Recommended security configuration
CEBR         Users need access to any TS queue that they browse.
CEDA         Users need surrogate authority to install definitions that contain user IDs.
CESD         See Security for CICS shutdown.
CJSA         Configure security for Java applications. Learn more: Security for Java applications.
CKAM         Users need to define transaction security by specifying the transaction attribute for the MQMONITOR resource. See Defining and installing MQMONITOR resources.
             The specified transaction can be the default CKTI, user MQ adapter transaction, or CKBR. See Setting up an MQMONITOR resource for the CICS-MQ bridge.
             Learn more: Security for the CICS-MQ bridge, Security for the CICS-MQ adapter.
CKBC         Users need to define security on transactions specified in the request message body. See DPL message structure for the CICS-MQ bridge.
CKBP         Users need to define security on transactions specified in the request message body. See DPL message structure for the CICS-MQ bridge.
CKBR         Users need permission to run transaction CKBC or CKBP. Learn more: Security for the CICS-MQ bridge.
CKCN         Users need permission to run transaction CKRT.
CKDP         Users need permission to run transaction CKRT.
CKQC         Users need permission to run transactions CKCN, CKDL, CKRS, CKSD, and CKSQ.
             Users might need permission to run transaction CKAM when starting or stopping the MQ connection. See Starting a CICS-MQ connection and Stopping a CICS-MQ connection.
             Learn more: Security for the CICS-MQ adapter.
CKRS         Users need permission to run transaction CKRT.
CKRT         Users need permission to run transactions CKBM and CKDB.
CKSD         Users need permission to run transaction CKRT.
CKSQ         Users need permission to run transactions CKTI and CKRT.
CKTI         Users need to define transaction security by specifying the transaction attribute for the MQMONITOR resource. See Defining and installing MQMONITOR resources.
CLER         Users need READ and UPDATE access to the temporary storage queues (TS QUEUEs) whose names begin with TR1.
CPIH         Configure security for web services. Learn more: Security for SOAP web services.
CPIL         Users need to configure permission of transactions driven by CPIL.
             Note: CPIL drives CPIQ by default, but you can specify a different transaction or user in the URIMAP resource definition. URIMAP routing determines which user ID and transaction will be used. For more information, see URIMAP resources and Routing provider mode CICS Web Services.
CPIQ         Configure security for web services. Learn more: Security for SOAP web services.
CPMI         Configure security for the intercommunication method in use. See Implementing LU6.2 security.
CRPA         See CRPC.
CRPC         Users need to configure security for commands issued by this transaction, such as SYSTEM for the INQUIRE SYSTEM command, and any other related resources, including any programs that are called (see the DFHRPC row in Table 1 in CICS-supplied groups not in DFHLIST).
CRPM         See CRPC.
CSHR         Configure security for the intercommunication method in use. See Intercommunication security, Security for MRO, Security for IPIC (IP interconnectivity), and Implementing LU6.1 security.
CSMI         Configure security for the intercommunication method in use. See Intercommunication security, Security for MRO, Security for IPIC (IP interconnectivity), Implementing LU6.2 security, and Implementing LU6.1 security.
CSM1         Configure security for the intercommunication method in use. See Intercommunication security, Security for MRO, Security for IPIC (IP interconnectivity), Implementing LU6.2 security, and Implementing LU6.1 security.
CSM2         Configure security for the intercommunication method in use. See Intercommunication security, Security for MRO, Security for IPIC (IP interconnectivity), Implementing LU6.2 security, and Implementing LU6.1 security.
CSM3         Configure security for the intercommunication method in use. See Intercommunication security, Security for MRO, Security for IPIC (IP interconnectivity), Implementing LU6.2 security, and Implementing LU6.1 security.
CSM5         Configure security for the intercommunication method in use. See Intercommunication security, Security for MRO, Security for IPIC (IP interconnectivity), Implementing LU6.2 security, and Implementing LU6.1 security.
CWBA         See Resource and transaction security for application-generated responses.
CVMI         Configure security for the intercommunication method in use. See Implementing LU6.2 security.

The remaining changed CICS Category 2 transactions require transaction security only; no additional security definitions are needed to run them:
  • CADP
  • CDBC
  • CDBF
  • CDBI
  • CDBM
  • CDBQ
  • CDBT
  • CDFS
  • CECS
  • CEDB
  • CEDC
  • CEOT
  • CETR
  • CIDP
  • CKBM
  • CKDL
  • CLDM
  • CMSG
  • CPIA
  • CPIW
  • CRTE
  • CRTX
  • CSFE
  • CWTO
  • CXSD
  • DSNC

Obsolete or stabilized transactions also have command security and resource security enabled. Use them at your own risk. For a complete list of CICS transactions, see List of CICS transactions.
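A compliance check for the 6.2 policy stated at the top of this page, combined with Table 2, as an added example that is not part of IBM's documentation or of CICS itself: it parses an extract written in CEDA/DFHCSDUP DEFINE TRANSACTION syntax, flags any non-exempt transaction that is not CMDSEC(YES) RESSEC(YES), and marks the Table 2 transactions for which transaction security alone is not enough. The sample definitions, group names and program names are constructed, and treating an omitted attribute as NO is an assumption.

```python
import re

# Constructed sample in CEDA/DFHCSDUP "DEFINE TRANSACTION" syntax: group and program
# names are made up, and PAY1 stands in for a user transaction.
SAMPLE_EXTRACT = """\
DEFINE TRANSACTION(CEBR) GROUP(GRP1) PROGRAM(PGM0001)
       CMDSEC(YES) RESSEC(YES)
DEFINE TRANSACTION(CJXA) GROUP(GRP1) PROGRAM(PGM0002)
       CMDSEC(NO) RESSEC(NO)
DEFINE TRANSACTION(COIE) GROUP(GRP2) PROGRAM(PGM0003)
       CMDSEC(NO) RESSEC(NO)
DEFINE TRANSACTION(CKQC) GROUP(GRP3) PROGRAM(PGM0004)
       CMDSEC(YES) RESSEC(NO)
DEFINE TRANSACTION(PAY1) GROUP(APPL) PROGRAM(PGM0005)
       RESSEC(YES)
"""

DEFINE_RE = re.compile(r"DEFINE\s+TRANSACTION\(([^)]{1,4})\)(.*?)(?=DEFINE\s+TRANSACTION\(|\Z)",
                       re.S | re.I)
ATTR_RE = re.compile(r"(\w+)\(([^)]*)\)")
EXEMPT_IDS, EXEMPT_PREFIXES = {"CJXA"}, ("CO",)   # exemptions named on the page
# Table 2: Category 2 transactions for which transaction security alone is not enough.
NEEDS_EXTRA = {"CEBR", "CEDA", "CESD", "CJSA", "CKAM", "CKBC", "CKBP", "CKBR", "CKCN", "CKDP",
               "CKQC", "CKRS", "CKRT", "CKSD", "CKSQ", "CKTI", "CLER", "CPIH", "CPIL", "CPIQ",
               "CPMI", "CRPA", "CRPC", "CRPM", "CSHR", "CSMI", "CSM1", "CSM2", "CSM3", "CSM5",
               "CWBA", "CVMI"}
EXTRA_MSG = "needs extra security configuration beyond transaction security (Table 2)"

def parse_transactions(text):
    """Map each defined transaction ID to its {ATTRIBUTE: VALUE} pairs, upper-cased."""
    return {m.group(1).upper(): {k.upper(): v.upper() for k, v in ATTR_RE.findall(m.group(2))}
            for m in DEFINE_RE.finditer(text)}

def is_exempt(tranid):
    return tranid in EXEMPT_IDS or tranid.startswith(EXEMPT_PREFIXES)

def audit(text):
    """Return (tranid, finding) pairs: definitions that miss CMDSEC(YES) RESSEC(YES),
    plus transactions that Table 2 says need security beyond the transaction itself."""
    findings = []
    for tranid, attrs in parse_transactions(text).items():
        if is_exempt(tranid):
            continue
        # Assumption: an attribute omitted from the definition takes the CEDA default, NO.
        cmdsec, ressec = attrs.get("CMDSEC", "NO"), attrs.get("RESSEC", "NO")
        if cmdsec != "YES" or ressec != "YES":
            findings.append((tranid, f"CMDSEC({cmdsec}) RESSEC({ressec})"))
        if tranid in NEEDS_EXTRA:
            findings.append((tranid, EXTRA_MSG))
    return findings
```

Run `audit(SAMPLE_EXTRACT)` against a real extract of your CSD to list the definitions that still need attention after migrating to 6.2.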