Configuring security for an IPIC connection
IPIC connections can enforce bind security to prevent an unauthorized client system from connecting to CICS®, link security to restrict the resources that can be accessed over a connection to a CICS system, and user security to restrict the CICS resources that can be accessed by a user.
Bind security can be applied to check that the remote system is authorized to connect to CICS. Bind security is implemented by configuring the connection to use TLS client authentication.
Link security restricts the resources that users can access over a particular connection, regardless of who the individual user is. The practical effect of link security is to prevent a remote user from attaching a transaction or accessing a resource for which the link user ID has no authority. The link user ID can be defined in one of two ways:
- A SAF user ID specified in the IPCONN definition that is authorized to establish IPIC connections. In the IPCONN definition, set the link user with the SECURITYNAME attribute and set
- A TLS client certificate that has been mapped to a SAF user ID that is authorized to establish IPIC connections. The TCPIPSERVICE must be configured to require TLS client authentication. In the IPCONN definition, set Certuser. The client's certificate is mapped by RACF® to a specific user ID, which is defined as the link user. With this method, you can specify different link users depending on which certificate you are using.
In addition to the restrictions set by link security, you can further restrict each remote user's access to the transactions and resources in your system. In IBM® z/OS® Connect, user credentials can either be predefined on specific IPIC connection definitions, or the authenticated user identities associated with individual requests are automatically passed to CICS.
To predefine user security on an IPIC connection, the CICS IPCONN definition must be configured with USERAUTH=VERIFY, which requires that a user ID and password are sent to CICS on each request. The security credentials are configured on the element in the server.xml file. For more information, see Configuring IPIC connection level user security.
To enable the authenticated user identities that are associated with individual requests to be sent to CICS, the IPCONN definition in CICS must be configured with USERAUTH=IDENTIFY. If the IBM z/OS Connect server is not in the same sysplex as the CICS region, you must use an IPIC TLS connection that is configured with client authentication, so that CICS can trust the identity asserted without a password. For more information, see Configuring TLS on an IPIC connection. The authenticated user identity can be one of the following:
- An authenticated distributed identity that is defined in an LDAP registry and mapped to a SAF user ID in the SAF registry that is used by CICS. For more information, see Configuring distributed identity propagation.
- An authenticated SAF user ID that has originated from any security mechanism supported by Liberty. For example:
  - An X.509 client certificate that is mapped to a SAF user ID. For more information, see API provider authorization.
  - Another security credential, such as a JWT, mapped to a SAF user ID.
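As an added illustration (not taken from this page or from IBM's documentation), the following DFHCSDUP-style definitions show the two link-security methods described above side by side, together with the listener that enforces TLS client authentication. The resource names (IPICSVC, ZOSC01, ZOSC02, ZOSCGRP, ZOSCLINK, CICSSRV), the APPLIDs and the port number are constructed placeholders, and the two IPCONN definitions are alternatives for illustration, not a pair to install together.

```text
* Constructed example: listener for IPIC requests from z/OS Connect.
* SSL(CLIENTAUTH) makes TLS client authentication mandatory, which
* is what bind security and LINKAUTH(CERTUSER) depend on.
DEFINE TCPIPSERVICE(IPICSVC) GROUP(ZOSCGRP)
       PORTNUMBER(1491) PROTOCOL(IPIC) TRANSACTION(CISS)
       SSL(CLIENTAUTH) CERTIFICATE(CICSSRV) STATUS(OPEN)
*
* Method 1: link user taken from a SAF user ID on the definition.
* Everything arriving over this connection is bounded by what
* ZOSCLINK may do; USERAUTH(VERIFY) additionally requires a user ID
* and password on each request for user security.
DEFINE IPCONN(ZOSC01) GROUP(ZOSCGRP)
       APPLID(ZOSCSRVA) TCPIPSERVICE(IPICSVC)
       LINKAUTH(SECUSER) SECURITYNAME(ZOSCLINK)
       USERAUTH(VERIFY)
*
* Method 2: link user derived from the client certificate that RACF
* has mapped to a user ID, so different certificates can yield
* different link users. USERAUTH(IDENTIFY) accepts an already
* authenticated identity without a password, which is why the
* TCPIPSERVICE above must enforce client authentication when the
* server is outside the CICS sysplex.
DEFINE IPCONN(ZOSC02) GROUP(ZOSCGRP)
       APPLID(ZOSCSRVB) TCPIPSERVICE(IPICSVC)
       LINKAUTH(CERTUSER)
       USERAUTH(IDENTIFY)
```

When reviewing an existing region, the check is the same in reverse: any IPCONN with USERAUTH(IDENTIFY) or LINKAUTH(CERTUSER) should point at a TCPIPSERVICE whose SSL attribute is CLIENTAUTH.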
For more information on IPIC security, see the CICS Transaction Server documentation.