Configuring security for CICS connections
CICS® can enforce bind security to prevent an unauthorized client system from connecting, link security to restrict the resources that can be accessed over a connection, and user security to restrict the resources that can be accessed by a user.
Connections between IBM® z/OS® Connect and CICS use the IPIC protocol. For more information, see IP interconnectivity (IPIC) overview. Connections can also use TLS.
AT-TLS can be used only in cases where CICS does not require client certificate authentication.
Bind security
Bind security can be applied to check that IBM z/OS Connect is authorized to connect to CICS. Bind security is implemented by configuring the connection to use TLS client authentication.
Link security
Link security restricts the resources that users can access. The practical effect of link security is to prevent a remote user from attaching a transaction or accessing a resource for which the link user ID has no authority.
The link user ID for an IPIC connection can be configured to be one of the following:
- A SAF user ID specified in the IPCONN definition that is authorized to establish IPIC connections. In the IPCONN definition, set the link user with the SECURITYNAME attribute and set LINKAUTH to SECUSER.
- A TLS client certificate that has been mapped to a SAF user ID that is authorized to establish IPIC connections. The TCPIPSERVICE must be configured to require TLS client authentication. In the IPCONN definition, set LINKAUTH to CERTUSER. The client's certificate is mapped by RACF® to a specific user ID, which is defined as the link user. With this method, you can specify different link users depending on which certificate you are using.
User security
- A user ID and password can be specified on an IPIC connection definition. This requires the CICS IPCONN definition to have USERAUTH=VERIFY set. The user ID and password are specified in the zosconnect_cicsIpicConnection element in the configuration file. For more information, see Configuring basic authentication on an IPIC connection.
- The authenticated user identity associated with individual API requests can be automatically passed to CICS as an asserted identity. This requires the CICS IPCONN definition to have USERAUTH=IDENTIFY set. If using asserted identities and the IBM z/OS Connect server is not in the same sysplex as the CICS region, you must use an IPIC TLS connection that is configured with client authentication. For more information, see Configuring TLS on an IPIC connection.
- An authenticated distributed identity that is defined in an LDAP registry and mapped to a SAF user ID in the SAF registry that is used by CICS. For more information, see Configuring distributed identity propagation.
- An authenticated SAF user ID that has originated from any security mechanism supported by Liberty. For example:
  - An X.509 client certificate that is mapped to a SAF user ID. For more information, see API provider authorization.
  - Another security credential, such as a JWT, mapped to a SAF user ID.
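The bind, link and user security rules above interact: LINKAUTH(CERTUSER) needs a TCPIPSERVICE that requires client authentication, asserted identities across sysplexes need TLS with client authentication, and AT-TLS is ruled out as soon as CICS requires a client certificate. The following added example (not IBM code, and not part of this page) encodes those rules as a small configuration check that can be run before a connection is defined. The IPCONN attributes LINKAUTH, SECURITYNAME and USERAUTH are the ones named in the text; the TCPIPSERVICE SSL values NO, YES, CLIENTAUTH and ATTLSAWARE are CICS values; the z/OS Connect side is modelled as plain flags (an assumption of this example, not the real server.xml attribute names).

```python
"""Linter for the IPIC security layers described in the text.

Added example, not IBM code. It turns the bind, link and user security rules
into checks on a planned IPIC connection and reports every rule that is not
satisfied. The z/OS Connect side is modelled as plain flags (assumption); the
CICS side uses the IPCONN / TCPIPSERVICE attribute names from the text.
"""
from dataclasses import dataclass
from typing import List

VALID_LINKAUTH = {"SECUSER", "CERTUSER"}
VALID_USERAUTH = {"LOCAL", "IDENTIFY", "VERIFY", "DEFAULTUSER"}
VALID_SSL = {"NO", "YES", "CLIENTAUTH", "ATTLSAWARE"}


@dataclass
class IpicSecurityConfig:
    # CICS side: IPCONN and TCPIPSERVICE attributes
    linkauth: str = "SECUSER"
    securityname: str = ""            # link user ID, used with LINKAUTH(SECUSER)
    userauth: str = "LOCAL"
    tcpipservice_ssl: str = "NO"
    # z/OS Connect side (flags; assumption, not real server.xml attributes)
    client_cert_auth: bool = False    # server presents a TLS client certificate
    tls_via_attls: bool = False       # TLS supplied by an AT-TLS policy
    basic_auth_credentials: bool = False  # user ID and password on the connection
    assert_identity: bool = False     # pass each API caller's identity to CICS
    same_sysplex: bool = True         # z/OS Connect and CICS in the same sysplex


def check_ipic_security(cfg: IpicSecurityConfig) -> List[str]:
    """Return the list of findings; an empty list means every rule holds."""
    findings: List[str] = []
    linkauth = cfg.linkauth.upper()
    userauth = cfg.userauth.upper()
    ssl = cfg.tcpipservice_ssl.upper()

    if linkauth not in VALID_LINKAUTH:
        findings.append(f"LINKAUTH({cfg.linkauth}) is not SECUSER or CERTUSER")
    if userauth not in VALID_USERAUTH:
        findings.append(f"USERAUTH({cfg.userauth}) is not a known value")
    if ssl not in VALID_SSL:
        findings.append(f"TCPIPSERVICE SSL({cfg.tcpipservice_ssl}) is not a known value")

    # CICS demands a client certificate when the TCPIPSERVICE has SSL(CLIENTAUTH)
    cics_requires_client_cert = ssl == "CLIENTAUTH"

    # AT-TLS may be used only when CICS does not require client certificate authentication
    if cfg.tls_via_attls and cics_requires_client_cert:
        findings.append("AT-TLS cannot be used: TCPIPSERVICE SSL(CLIENTAUTH) requires "
                        "client certificate authentication")

    # Bind security: TLS client authentication is what proves z/OS Connect may connect
    if not cfg.client_cert_auth:
        findings.append("bind security not enforced: connection does not use "
                        "TLS client authentication")
    elif ssl == "NO":
        findings.append("client certificate configured but TCPIPSERVICE SSL(NO) has no TLS")

    # Link security: SECUSER needs a SECURITYNAME, CERTUSER needs client authentication
    if linkauth == "SECUSER" and not cfg.securityname:
        findings.append("LINKAUTH(SECUSER) needs a link user ID in SECURITYNAME")
    if linkauth == "CERTUSER":
        if not cics_requires_client_cert:
            findings.append("LINKAUTH(CERTUSER) requires TCPIPSERVICE SSL(CLIENTAUTH)")
        if not cfg.client_cert_auth:
            findings.append("LINKAUTH(CERTUSER) needs z/OS Connect to present a client certificate")

    # User security: USERAUTH must match how credentials reach CICS
    if cfg.basic_auth_credentials and userauth != "VERIFY":
        findings.append("user ID and password on the connection require USERAUTH(VERIFY)")
    if cfg.assert_identity:
        if userauth != "IDENTIFY":
            findings.append("asserted identities require USERAUTH(IDENTIFY)")
        if not cfg.same_sysplex and not (cics_requires_client_cert and cfg.client_cert_auth):
            findings.append("asserted identities across sysplexes require an IPIC TLS "
                            "connection with client authentication")
    return findings


if __name__ == "__main__":
    # Constructed scenarios; the link user ID ZCONUSR is a placeholder
    scenarios = {
        "cross-sysplex asserted identity, TLS with client auth": IpicSecurityConfig(
            securityname="ZCONUSR", userauth="IDENTIFY", tcpipservice_ssl="CLIENTAUTH",
            client_cert_auth=True, assert_identity=True, same_sysplex=False),
        "AT-TLS against SSL(CLIENTAUTH)": IpicSecurityConfig(
            securityname="ZCONUSR", tcpipservice_ssl="CLIENTAUTH",
            client_cert_auth=True, tls_via_attls=True),
    }
    for name, cfg in scenarios.items():
        print(name, "->", check_ipic_security(cfg) or "OK")
```

The check is deliberately conservative: a missing TLS client certificate is reported as a finding even when the page treats bind security as optional, because with IPIC that certificate is the only control that stops an unauthorized system from connecting.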
For more information on IPIC security, see the CICS Transaction Server documentation.