Configuring security for CICS connections

CICS® can enforce bind security to prevent an unauthorized client system from connecting, link security to restrict the resources that can be accessed over a connection, and user security to restrict the resources that can be accessed by a user.

Connections between IBM® z/OS® Connect and CICS use the IPIC protocol. For more information, see IP interconnectivity (IPIC) overview. Connections can also use TLS.

For a z/OS Connect server on z/OS, AT-TLS can be used only in cases where CICS does not require client certificate authentication.

Bind security

Bind security can be applied to check that IBM z/OS Connect is authorized to connect to CICS. Bind security is implemented by configuring the connection to use TLS client authentication.

Link security

Link security restricts the resources that users can access. The practical effect of link security is to prevent a remote user from attaching a transaction or accessing a resource for which the link user ID has no authority.

The link user ID for an IPIC connection can be configured to be one of the following:

  • A SAF user ID specified in the IPCONN definition that is authorized to establish IPIC connections. In the IPCONN definition, set the link user with the SECURITYNAME attribute and set LINKAUTH to Secuser.
  • A TLS client certificate that has been mapped to a SAF user ID that is authorized to establish IPIC connections. The TCPIPSERVICE must be configured to require TLS client authentication. In the IPCONN definition, set LINKAUTH to Certuser. The client's certificate is mapped by RACF® to a specific user ID, which is defined as the link user. With this method, you can specify different link users depending on which certificate you are using.

For more information, see Configuring TLS on an IPIC connection.

User security

In addition to the security restrictions set by link security, you can further restrict each remote user's access to the transactions and resources in your system. In IBM z/OS Connect, user credentials can be specified by one of the following methods:

  • A user ID and password can be specified on an IPIC connection definition. This requires the CICS IPCONN definition to have USERAUTH=VERIFY set.
  • The authenticated user identity associated with individual API requests can be automatically passed to CICS, as an asserted identity. This requires the CICS IPCONN definition to have USERAUTH=IDENTIFY set.

The security credentials are configured on the zosconnect_cicsIpicConnection element in the configuration file. For more information, see Configuring basic authentication on an IPIC connection.

If using asserted identities and the IBM z/OS Connect server is not in the same sysplex as the CICS region, you must use an IPIC TLS connection that is configured with client authentication. For more information, see Configuring TLS on an IPIC connection.

The asserted user identity can be any of the following:
  • An authenticated distributed identity that is defined in an LDAP registry and mapped to a SAF user ID in the SAF registry that is used by CICS. For more information, see Configuring distributed identity propagation.
  • An authenticated SAF user ID that has originated from any security mechanism supported by Liberty. For example:
    • An X.509 client certificate that is mapped to a SAF user ID. For more information, see API provider authorization.
    • Another security credential, such as a JWT, mapped to a SAF user ID.
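The rules in the Link security and User security sections above combine into a handful of consistency checks that are easy to get wrong when the CICS and z/OS Connect sides are configured by different teams. The following script is an added example, not part of this page or of the z/OS Connect product: it models constructed TCPIPSERVICE and IPCONN definitions as attribute dictionaries, parses a constructed server.xml fragment, and reports any pairing that violates a rule stated above (SECUSER without SECURITYNAME, CERTUSER without client authentication on the TCPIPSERVICE, AT-TLS where CICS requires a client certificate, VERIFY without credentials, IDENTIFY across sysplexes without TLS client authentication). The element name zosconnect_cicsIpicConnection and the IPCONN/TCPIPSERVICE attribute names are from the page or CICS; the attribute names on the z/OS Connect element (id, host, port, userId, password), the host names and the resource names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment. The element name is from the page; the
# attribute names (id, host, port, userId, password) are assumptions.
SERVER_XML = """
<server>
  <zosconnect_cicsIpicConnection id="cicsVerify" host="cics.example.invalid"
      port="1491" userId="ZCUSER" password="{aes}placeholder"/>
  <zosconnect_cicsIpicConnection id="cicsIdentify" host="cics.example.invalid"
      port="1492"/>
</server>
"""

# Constructed CICS definitions, modelled as attribute dictionaries.
# TCPIPSERVICE SSL(CLIENTAUTH) is the setting that requires a client certificate.
TCPIPSERVICES = {
    "IPICNOCA": {"SSL": "YES"},         # TLS, no client certificate required
    "IPICCA":   {"SSL": "CLIENTAUTH"},  # TLS, client certificate required
}
IPCONNS = {
    "ZCVERIFY": {"TCPIPSERVICE": "IPICNOCA", "LINKAUTH": "SECUSER",
                 "SECURITYNAME": "ZCLINK", "USERAUTH": "VERIFY"},
    "ZCIDENT":  {"TCPIPSERVICE": "IPICCA", "LINKAUTH": "CERTUSER",
                 "USERAUTH": "IDENTIFY"},
}


def load_connections(xml_text):
    """Return {id: attributes} for every zosconnect_cicsIpicConnection element."""
    root = ET.fromstring(xml_text)
    return {e.get("id"): dict(e.attrib)
            for e in root.iter("zosconnect_cicsIpicConnection")}


def check_connection(ipconn, tcpipservice, zc_conn, same_sysplex, uses_at_tls):
    """Return a list of findings; an empty list means the settings are
    consistent with the link-security and user-security rules on this page."""
    findings = []
    client_auth = tcpipservice.get("SSL", "NO").upper() == "CLIENTAUTH"
    linkauth = ipconn.get("LINKAUTH", "").upper()
    userauth = ipconn.get("USERAUTH", "LOCAL").upper()

    # Link security: the link user ID must come from somewhere.
    if linkauth == "SECUSER" and not ipconn.get("SECURITYNAME"):
        findings.append("LINKAUTH(SECUSER) needs SECURITYNAME set to the link user ID")
    if linkauth == "CERTUSER" and not client_auth:
        findings.append("LINKAUTH(CERTUSER) needs the TCPIPSERVICE to use SSL(CLIENTAUTH)")

    # AT-TLS is only an option when CICS does not demand a client certificate.
    if uses_at_tls and client_auth:
        findings.append("AT-TLS cannot be used when CICS requires client certificate authentication")

    # User security: VERIFY needs credentials, IDENTIFY needs a trusted path.
    if userauth == "VERIFY" and not (zc_conn.get("userId") and zc_conn.get("password")):
        findings.append("USERAUTH(VERIFY) needs a user ID and password on the z/OS Connect connection")
    if userauth == "IDENTIFY" and not same_sysplex and not client_auth:
        findings.append("USERAUTH(IDENTIFY) across sysplexes needs TLS with client authentication")
    return findings


def audit(ipconn_name, zc_id, same_sysplex=True, uses_at_tls=False):
    """Look up one IPCONN / z/OS Connect pairing from the constructed data and check it."""
    ipconn = IPCONNS[ipconn_name]
    tcp = TCPIPSERVICES[ipconn["TCPIPSERVICE"]]
    zc_conn = load_connections(SERVER_XML)[zc_id]
    return check_connection(ipconn, tcp, zc_conn, same_sysplex, uses_at_tls)


if __name__ == "__main__":
    for args in (("ZCVERIFY", "cicsVerify"),
                 ("ZCIDENT", "cicsIdentify", False),
                 ("ZCIDENT", "cicsIdentify", False, True)):
        print(args, audit(*args) or ["OK"])
```

Run as-is, the first two pairings pass and the third reports that AT-TLS cannot be combined with the SSL(CLIENTAUTH) TCPIPSERVICE. The check is deliberately on the pairing rather than on either side alone, because every rule on this page couples a CICS attribute with a z/OS Connect setting or deployment fact (same sysplex, AT-TLS in use).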

For more information on IPIC security, see the CICS Transaction Server documentation.