API provider security for service providers

Learn how to configure security between your IBM® z/OS® Connect server and the System of Record (SoR), for example, CICS®, IMS, IBM Db2®.

Before you study this topic, you should be familiar with the information in Overview of IBM z/OS Connect security.

To secure the connection between the IBM z/OS Connect server and the SoR, you must configure security in both the IBM z/OS Connect server and the SoR. The security options and the configuration required are different for each service provider.

Security connection between z/OS Connect and the System of Record. Both must be configured.

CICS service provider

  • Connections can use TLS. However, AT-TLS can be used only in cases where CICS does not require client certificate authentication.
  • Bind, link and user security can be used to secure your IPIC connection with CICS.
  • ID propagation is supported.

For further information, see Configuring security for an IPIC connection.

IMS service provider

  • Secure connections between the IMS service provider and IMS Connect must use AT-TLS.
  • User authentication is supported.
  • ID propagation is supported.

For further information, see Security configuration for the IMS service provider.

IMS database service provider

  • Secure connections between the IMS database service provider and IMS Connect must use AT-TLS.
  • User authentication is supported via basic authentication and with RACF PassTickets.
  • SAF distributed ID propagation is supported.

For further information, see IMS database service security process flow.

IBM MQ service provider

  • Client mode connections to a queue manager support TLS, including mutual authentication.
  • User ID, or user ID and password authentication is supported for both client and bindings mode connections to a queue manager.
  • ID propagation is supported for both client and bindings mode connections to a queue manager.

For further information, see Security requirements for the IBM MQ service provider.

REST client service provider

  • You can configure HTTPS on a REST client connection to secure your connection.
  • Basic authentication for a REST client connection is supported.
  • TLS client authentication for a REST client connection is supported.
  • SAF ID propagation is supported through the use of PassTicket support when invoking Db2 RESTful services.

For further information, see Configuring security for a REST client connection.

WOLA service provider

  • You can use a user ID and password for authentication.
  • If using WOLA with CICS, you can control whether the program link invocation transaction (BBO#) runs under the user ID of the link server transaction (BBO$) or the propagated user ID from the IBM z/OS Connect server.

For further information, see Connection factory properties for optimized local adapters on Liberty and Liberty server transactions for CICS: BBOC, BBO$, and BBO#.

Other service providers

For other IBM z/OS Connect service providers, for example, those from third-party vendors, see the appropriate documentation for information on the security configurations supported.