Security for ISC TCP/IP connections

ISC TCP/IP connections with CICS® can be secured by authentication of the user ID (derived from the user name or the subpool name), transaction authorization, the Signon exit routine, a security product such as RACF®, and message encryption.

When a parallel session is initiated, IMS authenticates the user ID that is associated with the initiation request. IMS derives the user ID from the value of the USER keyword on the /OPNDST command or, for statically defined terminals, from the value of the NAME parameter on the SUBPOOL macro. Passwords are not used, so the asserted identity is only as trustworthy as the connection that carries it; on networks that are not themselves trusted, protect it with AT-TLS client authentication as described below.

For each transaction sent on the connection, IMS checks the authority of the user ID to schedule the transaction.

For statically defined ISC TCP/IP terminals, IMS authenticates the user ID during session initiation; it checks the transaction authority of that user ID only if the AUTOSIGN option is enabled.

For IMS, message encryption on ISC TCP/IP connections can be provided by the Application Transparent Transport Layer Security (AT-TLS) feature of the z/OS® TCP/IP stack. AT-TLS encrypts and decrypts messages independently of IMS Connect: the messages that IMS Connect itself sends and receives are unencrypted, and encryption is applied only between the TCP/IP stack and the network. Because IMS Connect uses separate send and receive sockets for a parallel session, one inbound and one outbound, your AT-TLS administrator must configure AT-TLS policy to cover both sockets.

You can also use AT-TLS to perform client authentication on ISC TCP/IP connection requests that are received by IMS. CICS must be configured to present a client certificate when it initiates an ISC TCP/IP connection. If a certificate is not provided with a connection request, AT-TLS issues a message and rejects the connection request, and IMS Connect issues error message HWSV5000E.

The configuration of AT-TLS encryption and client authentication support in IMS must be coordinated with the configuration of SSL support in CICS. In CICS, SSL support is enabled for ISC TCP/IP connections by implementing IPIC bind time security in the IPCONN and TCPIPSERVICE resource definitions.
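The following AT-TLS policy fragment is an added example, not taken from the IMS or CICS documentation, that shows how the two requirements above fit together on the IMS side: one TTLSRule for the socket CICS opens to the IMS Connect port (inbound, with client certificate authentication) and a second TTLSRule for the socket IMS Connect opens back to the CICS TCPIPSERVICE port (outbound, IMS Connect acting as the TLS client). The IMS Connect job name HWS1, the ports 9999 (IMS Connect) and 9998 (CICS), and the keyring name IMSConnectRing are assumptions chosen for the example; substitute the values from your own IMS Connect and CICS definitions.

```text
# Added example AT-TLS policy for ISC TCP/IP between IMS Connect and CICS.
# Assumed values: IMS Connect job HWS1 listens on 9999, CICS TCPIPSERVICE on 9998,
# both IMS Connect sockets use the RACF keyring IMSConnectRing.

# Socket 1: CICS connects to IMS Connect. IMS Connect is the TLS server and
# requires a client certificate; a request without one is rejected by AT-TLS
# (IMS Connect then reports HWSV5000E).
TTLSRule                       IMSConnectISCInbound
{
  Jobname                      HWS1
  LocalPortRange               9999
  Direction                    Inbound
  TTLSGroupActionRef           grpIMSConnect
  TTLSEnvironmentActionRef     envISCServerClientAuth
}

# Socket 2: IMS Connect connects to CICS. IMS Connect is the TLS client here,
# so the same policy must also match the outbound connection.
TTLSRule                       IMSConnectISCOutbound
{
  Jobname                      HWS1
  RemotePortRange              9998
  Direction                    Outbound
  TTLSGroupActionRef           grpIMSConnect
  TTLSEnvironmentActionRef     envISCClient
}

TTLSGroupAction                grpIMSConnect
{
  TTLSEnabled                  On
}

TTLSEnvironmentAction          envISCServerClientAuth
{
  HandshakeRole                ServerWithClientAuth
  TTLSKeyringParms
  {
    Keyring                    IMSConnectRing
  }
  TTLSEnvironmentAdvancedParms
  {
    # Required: the handshake fails if CICS presents no certificate.
    # SAFCheck would additionally require the certificate to map to a SAF user ID.
    ClientAuthType             Required
    TLSv1.2                    On
  }
}

TTLSEnvironmentAction          envISCClient
{
  HandshakeRole                Client
  TTLSKeyringParms
  {
    Keyring                    IMSConnectRing
  }
  TTLSEnvironmentAdvancedParms
  {
    TLSv1.2                    On
  }
}
```

Two points to check against the CICS side: the certificate that CICS presents on the inbound socket must chain to a certificate authority that is connected to IMSConnectRing, and if the CICS TCPIPSERVICE for the outbound socket is defined to require client authentication, IMSConnectRing must also hold a certificate that IMS Connect can present. Without the second TTLSRule the outbound half of the parallel session would run in the clear while the inbound half is encrypted.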

Restriction: ISC TCP/IP connections with CICS do not support the IMS /SIGN command.

For more information about AT-TLS, see the z/OS Communications Server: IP Configuration Guide.