Configuring security for an IPIC connection

IPIC connections can enforce bind security to prevent an unauthorized client system from connecting to CICS®, link security to restrict the resources that can be accessed over a connection to a CICS system, and user security to restrict the CICS resources that can be accessed by a user.

Bind security

Bind security can be applied to check that the remote system is authorized to connect to CICS. Bind security is implemented by configuring the connection to use TLS client authentication.

Link security

Link security restricts the resources that users can access. The practical effect of link security is to prevent a remote user from attaching a transaction or accessing a resource for which the link user ID has no authority.

The link user ID for an IPIC connection can be configured to be one of the following:
  • A SAF user ID specified in the IPCONN definition that is authorized to establish IPIC connections. In the IPCONN definition, set the link user with the SECURITYNAME attribute and set LINKAUTH to Secuser.
  • A TLS client certificate that has been mapped to a SAF user ID that is authorized to establish IPIC connections. The TCPIPSERVICE must be configured to require TLS client authentication. In the IPCONN definition, set LINKAUTH to Certuser. The client's certificate is mapped by RACF® to a specific user ID, which is defined as the link user. With this method, you can specify different link users depending on which certificate you are using.
For more information see Configuring an IPIC connection in CICS.

User security

In addition to the security restrictions set by link security, you can further restrict each remote user's access to the transactions and resources in your system. In IBM® z/OS® Connect, user credentials can either be predefined on specific IPIC connection definitions, or authenticated user identities associated with individual requests are automatically passed to CICS.

To predefine user security on an IPIC connection, the CICS IPCONN definition must be configured with USERAUTH=VERIFY, requiring that a user ID and password is sent to CICS on each request. The security credentials are configured on the zosconnect_cicsIpicConnection element in the server.xml file. For more information, see Configuring IPIC connection level user security.

To enable authenticated user identities that are associated with individual requests to be sent to CICS, the IPCONN definition in CICS must be configured with USERAUTH=IDENTIFY. If the IBM z/OS Connect server is not in the same sysplex as the CICS region, you must use an IPIC TLS connection that is configured with client authentication. For more information, see Configuring TLS on an IPIC connection.

The user identity can be any of the following:
  • An authenticated distributed identity that is defined in an LDAP registry and mapped to a SAF user ID in the SAF registry that is used by CICS. For more information, see Configuring distributed identity propagation.
  • An authenticated SAF user ID that has originated from any security mechanism supported by Liberty. For example:
    • An X.509 client certificate that is mapped to a SAF user ID. For more information, see API provider authorization.
    • Another security credential such as a JWT token mapped to a SAF user ID.

For more information on IPIC security, see the CICS Transaction Server documentation.