What's new?
While IBM values the use of inclusive language, terms that are outside of IBM’s direct influence are sometimes required for the sake of maintaining user understanding. As other industry leaders join IBM in embracing the use of inclusive language, IBM will continue to update the documentation to reflect those changes.
You might also like to refer to the CICS Transaction Server for z/OS V5.5 announcement letter. New features in CICS Explorer® are described in CICS Explorer product documentation.
The following features and enhancements are delivered as part of CICS Transaction Server for z/OS, Version 5 Release 5 , and cover the following areas:
The features in the following tables are not exclusive to each of the job roles shown; several are of interest across roles.
Language support features:
System management features:
Security features:
Performance features:
| For application developers | For system programmers |
|---|---|
| Performance improvement for channels and containers | Access to coupling facility data tables is now threadsafe |
| Performance improvement to QUERY SECURITY | CICS-MQ alert monitor CKAM enhanced to react to MXT conditions |
| Web client use of 64-bit (above-the-bar) buffers | Service CICS capability of exploiting IBM® z/OS Workload Interaction Correlator |
| Service Support for passing XID to Db2 | Service CICS-MQ trigger monitor and CICS-MQ bridge improvements |
Continuous delivery APAR updates:
New parameter GROUPID in VERIFY PASSWORD and VERIFY PHRASE to support password or passphrase verification against supplied group ID
With the new parameter GROUPID in VERIFY PASSWORD and VERIFY PHRASE, CICS can perform password or password phrase verification against the group ID in addition to a user ID and password, or password phrase that are recorded in the external security manager.
Learn more about VERIFY PASSWORD...
QUERY SECURITY extended to support an application to query the security authorization of a different user ID
The QUERY SECURITY command has a new option USERID in which an application that is running under one user ID can specify another user ID to query whether the supplied user ID has access to specified resources.
CICS runs a surrogate user check with an external security manager such as RACF® to verify whether a query on a different user ID is authorized.
New parameter LOCALCCSID on ASSIGN
New parameter LOCALCCSID is added to the ASSIGN command to support inquiry on the code page that is being used by the CICS region.
CICS-MQ alert monitor CKAM enhanced to react to MXT conditions
If CICS encounters an MXT condition, CKAM calculates the maximum number of MQGET calls that an MQMONITOR can issue per second when this condition exists; effectively imposing a restriction on the number of tasks being started by MQMONITOR resources while CICS is at MXT.
Inquiring enablement and configuration settings of toggle-enabled features through SPI, XPI, and CICSPlex SM
- A new SPI command INQUIRE FEATUREKEY
INQUIRE FEATUREKEY also supports browsing through the feature toggles.
- A new XPI function, called DFHPAIQX INQUIRE_FEATUREKEY
- CICSPlex SM queries on feature toggles, supported by the new FEATURE resource table
Feature toggles are used to enable and set configuration options for toggle-enabled features. The new SPI command and XPI function and the enhancement to CICSPlex SM make it easier for you to inquire enablement and configuration settings for toggle-enabled features for your CICS region.
Monitoring outbound web requests
You can now monitor in real time the URIMAPs and WEBSERVICEs that are opened or invoked by CICS as a web client. CICS monitoring is enhanced with new monitoring records URIMAP and WEBSERVICE in the resource monitoring class. Multiple URIMAP or WEBSERVICE records can be monitored for one task.
A URIMAP record monitors the completion of WEB OPEN URIMAP, WEB RECEIVE, WEB SEND, and WEB CONVERSE requests that are issued by the user task for a URIMAP.
A WEBSERVICE record monitors the completion of INVOKE SERVICE requests that are issued by the user task for a WEBSERVICE, and tracks the name of the PIPELINE resource definition that was used.
This enhancement makes it easier to identify the URIMAPs or WEBSERVICEs associated with prolonged socket wait time and diagnose troublesome destinations.
Check on the region user ID's authority to access all category 1 transactions at startup
At startup, CICS now checks whether the region user ID is authorized to access all category 1 transactions. If any unauthorized category 1 transactions are found, CICS issues message DFHXS1113 for each unauthorized transaction and fails to initialize.
Node.js application support
Node.js is a server-side runtime for applications that are written in JavaScript. It is lightweight, efficient, and best suited for I/O-intensive applications. It can use the underlying asynchronous I/O support in z/OS and provides a module-driven, highly scalable approach to application design and development that encourages agile practices.
CICS now supports running Node.js applications inside the CICS address space. You can write Node.js applications as you would for any other platform. You can run them in CICS to take advantage of proximity to CICS data and operational integration with existing tools and procedures. CICS provides a locally optimized API for Node.js applications to call CICS services, taking advantage of CICS JSON web services support to handle transformation between application data and JSON.
Service With APAR PH18618, CICS supports running Node.js applications using IBM SDK for Node.js - z/OS Version 12. IBM SDK for Node.js - z/OS Version 8 is still supported.
Changes in CICS handling of USS processes associated with X8, X9, L8, and L9 TCBs
CICS now manages the release of USS processes from X8, X9, L8, and L9 TCBs when the TCB is released from the CICS task and returned to the relevant CICS dispatcher pool of open TCBs.
Enhanced replication logging for VSAM files
A new system transaction, called CFCT, and its associated program, DFHFCLJ1, are supplied to provide tie-up records for VSAM files (including non-recoverable VSAM files) to a replication log at specified intervals. You enable this capability by setting the INITPARM system initialization parameter.
This capability is also available on CICS TS 5.3 and 5.4 with APAR PI97207.
External CICS interface (EXCI) clients can query and browse containers on a channel
The external CICS interface (EXCI) provides four new commands: QUERY CHANNEL, STARTBROWSE CONTAINER, GETNEXT CONTAINER, and ENDBROWSE CONTAINER. EXCI clients can use these commands to query the number of containers on a channel and to browse containers on a channel.
New options on GMTRAN for terminal sign-on security control
If you use the CICS-supplied sign-on transaction CESL or CESN to log on, new options, EXIT or DISCONNECT, on the GMTRAN system initialization parameter allow you to control what happens if the user fails to complete the sign-on.
If the DISCONNECT option is in effect, when PF3 or PF15 is used, the sign-on transaction terminates and the terminal session is disconnected. EXIT is the default. If the EXIT option is in effect, when PF3 or PF15 is used, the sign-on transaction terminates but the terminal session remains connected, and all subsequent transactions use the CICS default user ID.
Specifying CESN or CESL with the DISCONNECT option on the GMTRAN system initialization parameter allows terminal users either to enter with a valid sign-on credential or disconnect the terminal session. This increases your control over terminal session security.
The new option takes effect only on CESL or CESN.
Enhanced data management from pseudo conversations
A new option on the system initialization parameter GNTRAN allows you to control the handling of the pseudo-conversation at a terminal that is the subject of a timeout. The new KEEP | DISCARD option instructs CICS whether to attempt to keep a pseudo-conversation in use at a terminal that is the subject of a timeout sign-off, or to discard it.
Default minimum TLS level changed to 1.2
CICS TS uses the MINTLSLEVEL system initialization parameter to specify the minimum TLS protocol for secure TCP/IP connections. The default value for MINTLSLEVEL is changed to TLS12.
Enhanced management of requests that are canceled by another task
The CICS command DELAY is enhanced so that you can distinguish between a delay that completes successfully and a delay that completes as a consequence of a cancel request. If a DELAY command is canceled by command CANCEL REQID from another task, the DELAY command completes with RESP(NORMAL) and a RESP2 value of 23.
New count of DFHEP.DATA and DFHEP.CHAR containers for CFE and CCE format CICS events
A new count of the number of capture data items, EPFE-ITEMCOUNT, is added to the CICS event processing contextual header (EPFE). This header is included in both CICS Flattened Events (CFE) and CICS Container-based Events (CCE). CCE events include this new count in a context container, called DFHEP.CCECONTEXT, and the count equals the number of DFHEP.DATA and DFHEP.CHAR containers that are passed to tasks started by the transaction start EP adapter.
Web client use of 64-bit (above-the-bar) buffers
The Web domain (WB) now uses internal 64-bit (above the bar) buffer storage when it sends and receives HTTP outbound messages. This change relieves constraint on 31-bit virtual storage and enables more 31-bit application use in a CICS region.
Learn more about WEB SEND (Client)...
Learn more about WEB RECEIVE (Client)...
Statistics for CICS policy rules
Statistics are now available for CICS policy rules. CICS collects resource statistics for each rule that is defined in a policy, and supplies a summary report.
You can retrieve policy rule statistics by using the EXEC CICS PERFORM STATISTICS RECORD POLICY system command.
Changes to the translation of Cobol programs by CICS translator
The CICS translator no longer inserts the COBOL LIB parameter into the CBL card when it compiles COBOL programs. This change does not affect the integrated translator.
The CICS translator has been changed to match the behavior of the integrated translator by generating fields defined as PIC S9(4) COMP-5 rather than PIC S9(4) COMP to avoid truncation problems when using TRUNC(OPT). This allows exploitation of COBOL 5 and COBOL 6 performance improvements when using TRUNC(OPT).
FREEMAIN and FREEMAIN64 enhanced to reject an attempt to release CICS-maintained storage
The CICS commands FREEMAIN and FREEMAIN64 are enhanced to reject an attempt to release CICS-maintained storage (for example, storage returned by a GET CONTAINER SET command) with RESP(INVREQ) and a RESP2 value of 3.
Restriction on the use of CICS-supplied MQ trigger monitor program DFHMQTSK
The CICS-supplied MQ trigger monitor program DFHMQTSK is reserved for use with the CICS-MQ trigger monitor and task initiator transaction CKTI. Any attempt to invoke DFHMQTSK as a user transaction will cause the user transaction to abend with abend code AMQO.
If you want to use a user transaction as your MQ queue monitor, the user transaction should invoke a user-written MQ monitor or MQ message consumer program.
Controlling the use of CICS API and SPI commands
You can now define a restricted commands parmlib member DFHAPIR, to impose rules on the use of specific CICS API and SPI commands.
The CICS translator has been enhanced to process the restricted commands parmlib member. During translation, the CICS translator checks a source file against the specified restricted commands or keywords, and will generate warning or error messages in the case of violation.
The check is performed only when a program is being translated, and does not affect translated programs.
You can use this capability to prevent the use of specific commands and keywords in application programs.
This capability applies only to CICS API and SPI commands. It does not apply to EXEC CICS GDS, EXEC DLI, EXEC CICS FEPI, and EXEC CPSM commands. It does not apply to programs that are interpreted, such as REXX execs.
CMCI GraphQL API supports queries about CICS resources and inter-resource relationships
The CMCI GraphQL API is an HTTP based API for system management clients. With this API, it is easier to query multiple types of CICS resources across CICSplexes in a single request, with relationship between them explicitly shown.
- BAS resources and resource groups
- BAS resource descriptions
- System definitions and system group definitions
- Workload definitions and groups
- Workload specifications
The CMCI GraphQL API also provides support for the Map view and aggregation functions in CICS Explorer.
Enhancements in CICS Explorer
- Map view
- Shows related resources in a CICSplex, making it easier to understand the relationships between such resources. The view supports BAS resources and definitional workload management (WLM) resources and can be opened from many views or editors that are related to those resources.
- Aggregation in resource views
- Merges resource records together to display a summarized view for one or more attributes, making it easier to identify similarities and differences in a set of CICS resources.
Changes to the CMCI to support security enhancements
Security and data protection regulations, for example Payment Card Industry (PCI) Data Security Standard (DSS) 3.2 and the European Union's General Data Protection Regulation (GDPR), require higher levels of user authentication for some or all users. To enhance security capabilities of the CICS management client interface (CMCI), the CMCI JVM server, a Liberty server, is introduced to handle client authentication when CICS Explorer and other HTTP clients attempt to log in. The user credentials can be a user ID and password, a PassTicket, an MFA token or a certificate.
In addition, the CMCI JVM server also provides support for GraphQL API for system management, which allows execution of expressive queries with inherent relationships and reduced latency.
The CMCI JVM server is an optional but highly recommended component of the CMCI.
Ability to control the levels of CICS Explorer that may connect to CICS
If you opt to use the CMCI JVM server in your CMCI configuration, you can control what levels of CICS Explorer may connect to CICS by defining a client allowlist file to the CMCI JVM server.
New system initialization parameter KERBEROSUSER specifies a user ID to be associated with the Kerberos service principal
You can use the new KERBEROSUSER system initialization parameter to specify a user ID other than the CICS region user ID, to be associated with the Kerberos service principal for the CICS region. This user ID must not be a protected user ID because protected user IDs should not be used for Kerberos authentication and Kerberos authentication failures can result in user revocation.
Typically, the CICS region user ID is a protected user ID, so it is recommended to specify a non-protected user ID on KERBEROSUSER for the Kerberos service principal.
KERBEROSUSER is an optional system initialization parameter in CICS TS 5.5. Specify this parameter if you want the region to support the Kerberos service. If it is not specified, the Kerberos service is disabled.
This capability is also available on CICS TS 5.2, 5.3, and 5.4 by service. Note that in 5.2 through 5.4, the default is the region user ID.
Support for static data capture items and event names for policy events
If you use CICS Explorer Version 5.4.0.6 or later and you use the policy definition editor to work with policy rules, you can now define items of static data to be emitted with policy events and specify a user-defined name for the event.
This capability is also available on CICS TS 5.1, 5.2, 5.3, and 5.4 with APAR PI88500.
CICS assistants support mapping levels 4.2 and 4.3
The CICS web services assistants, XML assistants, and JSON assistants now support mapping levels 4.2 and 4.3.
- Support for mapping level 4.2
- Mapping level 4.2 is primarily for use with DFHJS2LS. This mapping level implements support for
Additional Properties in JSON, and introduces the following three parameters to
DFHJS2LS: ADDITIONAL-PROPERTIES-DEFAULT,
ADDITIONAL-PROPERTIES-MAX, and ADDITIONAL-PROPERTIES-SIZE.
This capability is also available on CICS TS 5.4 with APAR PI86039.
- Support for mapping level 4.3
- Mapping level 4.3 implements support for multidimensional arrays in JSON.
This capability is also available on CICS TS 5.4 with APAR PI88519.
New parameters TNADDR, TNIPFAMILY, and TNPORT in CICS SPI and API commands for inquiry on IP addresses of TN3270 clients
New parameters TNADDR, TNIPFAMILY, and TNPORT are added to SPI commands INQUIRE TERMINAL and INQUIRE NETNAME and to API command ASSIGN to support inquiry on IP addresses of TN3270 clients.
This enhancement makes it easier to retrieve the IP address of the TN3270 client that initiated a task.
VSAM dynamic buffer addition disabled for CICS LSR pools
From z/OS V2.2, VSAM provides a dynamic buffer addition capability that allows for the addition of extra buffers for an LSR pool if no buffer is available for a given VSAM request. For CICS, it is preferable to retry the request rather than allow uncontrolled expansion of an LSR pool, so dynamic buffer addition is not enabled for CICS LSR pools.
This change also applies to CICS TS 5.1 through 5.4 with APAR PI92486.
Management of Db2 threads used by CICS tasks subject to purge or forcepurge requests
The SET TASK command has been enhanced such that CICS processing of task purge or forcepurge requests will attempt to cancel active Db2 threads used by CICS tasks that are being purged or forcepurged.
If CICS detects that the task being purged or forcepurged has a thread active in Db2, it will issue a Db2 cancel thread command to cancel the request in Db2 before initiating the purging of the CICS task. This enhancement ensures that the purge does not cause problems for Db2 and that the Db2 updates are safely backed out.
To cancel the Db2 thread in Db2 used by the task being purged or forcepurged, CICS uses a Db2 IFI command to issue the cancel thread command. This IFI request uses a command thread defined as part of the DB2CONN. The ID passed to Db2 needs to have the relevant authority to issue cancel thread requests; therefore, you should review the COMAUTHTYPE or COMAUTHID settings of the DB2CONN. Processing of the purge or forcepurge request continues, even if the cancel thread request is unsuccessful.
This change also applies to CICS TS 5.1 through 5.4 with APAR PI98569.
Multiple Liberty JVM servers can run in one region without using JVM server option
WLP_ZOS_PLATFORM
The JVM server option WLP_ZOS_PLATFORM={TRUE|FALSE} is no longer needed to allow
more than one Liberty JVM server to be started in the same region. Multiple Liberty JVM servers can
connect to a single angel process within individual regions.
This change also applies to CICS TS 5.4 with APAR PI98174.
Enhanced use of the regions z/OS WLM health value in CICSPlex SM workload routing decisions
The z/OS WLM health value of a region is now a more effective factor in CICSPlex SM workload routing decisions. When determining the target region to route workload to, CICSPlex SM workload management assigns additional weights in the routing algorithm based on the actual health value of each region. The higher the health value, the lower the weight assigned, which makes a region with a greater health value more favorable as a target. In addition, a region with a health value of zero is now deemed as ineligible to receive work.
With this enhancement to CICSPlex SM workload routing, you can have better control of flow of work into regions that are in warm-up or cool-down.
This capability is also available on CICS TS 5.4 with APAR PI90147.
New policy system rule types
CICS policies now support several new system rule types:
- AID threshold
- Use this rule to monitor the number of Automatic initiate descriptors (AIDs) in a CICS system and define the action to be taken when the current number exceeds a threshold.
- Bundle available status
- Use this rule to monitor the change in available status of bundles that declare application
entry points and define the action to be taken when the status changes from or to a specific
state.
This rule is not applicable to any bundles that do not declare application entry points.
This capability is also available on CICS TS 5.4 with APAR PI92806.
- Bundle enable status
- Use this rule to monitor the change in enable status of bundles and define the action to be
taken when the status changes from or to a specific state, or when the status changes from a
specific state to another specific state.
This capability is also available on CICS TS 5.4 with APAR PI92806.
- IPIC connection status
- Use this rule to monitor the change in status of IPIC connections and define the action to be
taken when the status changes from or to a specific state.
This capability is also available on CICS TS 5.4 with APAR PI92806.
- MRO connection status
- Use this rule to monitor the change in status of MRO connections and define the action to be
taken when the status changes from or to a specific state.
This capability is also available on CICS TS 5.4 with APAR PI92806.
- Program enable status
- Use this rule to monitor the change in enable status of CICS programs and define the action to be taken when the status changes from or to a specific
state.
This capability is also available on CICS TS 5.4 with APAR PI92806.
- DBCTL connection status
- Use this rule to monitor and react to the change in status of a connection between CICS and DBCTL.
- IBM MQ connection status
- Use this rule to monitor and react to the change in status of a connection between CICS and IBM MQ.
- Pipeline enable status
- Use this rule to monitor and react to the change in the enable status of a CICS PIPELINE resource.
Service Ability to specify Transaction ID and User ID conditions for policy task rules
Available with APAR PH26145. When defining a policy task rule, you can now limit this rule to be triggered when status changes are made in relation to a specific transaction or a range of transactions, in relation to a specific user ID or a range of user IDs, or in relation to a combination of both, by setting Transaction ID and User ID filters in the Condition section in the Rules tab of the Policy definition editor.
New options and fields show the date and time of the last CICS system startup
You can now find out the date and time when a CICS region last undertook a cold, emergency, initial, or warm startup by using the INQUIRE SYSTEM SPI command, the CEMT INQUIRE SYSTEM command, or the Regions view in CICS Explorer. The INQUIRE SYSTEM and CEMT INQUIRE SYSTEM commands provide four new options to inquire on the system startup date and time: LASTCOLDTIME, LASTEMERTIME, LASTINITTIME, and LASTWARMTIME. Corresponding new fields are available in the CICSPlex SM CICSRGN resource table and the Regions view in CICS Explorer. This enhancement removes the need to search through the job logs to obtain this information.
For CEMT INQUIRE SYSTEM, the display now shows status fields in a single column split across multiple screens.
Learn more about INQUIRE
SYSTEM...
Access to coupling facility data tables is now threadsafe
Access to coupling facility data tables (CFDTs) is now threadsafe, so CFDTs can be accessed by applications that are running on open TCBs without incurring a TCB switch. Syncpoint processing of CFDTs can also run on an open TCB. However, note that the open and loading of a CFDT still occurs on a QR TCB.
Improved security for JCL job submissions to the JES internal reader
For JCL jobs that are submitted to the JES internal reader by using a SPOOLWRITE or a WRITEQ TD command, CICS now performs surrogate user checking to verify if the user is authorized to submit a job with the user ID specified on the job card.
- Surrogate user checking for spool commands
com.ibm.cics.spool.surrogate.check
When the JOB card written to the JES internal reader by using a SPOOLWRITE
command doesn’t contain a USER parameter, by default the job user ID will be
the CICS region user ID. The default can be changed to the
user ID under which the task is running by setting the feature toggle value
com.ibm.cics.spool.defaultjobuser=task.
When the JOB card written to the JES internal reader by using a WRITEQ TD command doesn’t contain a USER parameter, the job user ID is taken from the JOBUSERID option on the TDQ definition. If this option is not defined, the job user ID will be the CICS region user ID. Because security is provided by TDQ resource security and by the install surrogate check, no surrogate user checking will be performed against the job user ID in this case.
If you want specific applications to always submit JCL under the CICS region user ID, you should code either
USER=region_userid or USER=&SYSUID on the
JOB card written to the JES internal reader.
These enhancements make job submissions from CICS to the JES internal reader more secure.
Enhanced management of automatic initiator descriptors in the AID chain for the local system
CICS TS provides enhanced management capabilities for monitoring and controlling automatic initiator descriptors (AIDs) in the AID chain for the local system. You can now use these capabilities to prevent the occurrence of inordinately high number of AIDs chained from the local system's TCSE, and minimize chances of high CPU usage that might arise under such circumstances and subsequent degradation in task response times.
- Monitoring AIDs
-
- Inquiring the current number of AIDs
- You have two options to find out the current number of AIDs that are in the AID chain for the
local system:
- Option 1: Use SPI command INQUIRE CONNECTION or
INQUIRE SYSTEM.
For both commands, a new option, AIDCOUNT, is introduced, which returns the current number of AIDs chained from the local system. In addition, for INQUIRE CONNECTION, CONNECTION(data-value) now accepts the name of the local system.
- Option 2: Use the ISC/IRC system entry
statistics.
The ISC/IRC system entry statistics have been enhanced such that automatic initiate descriptors statistics now report on the local system. You can view the local system entry through CEMT, the SPI, CICSPlex SM, and CICS Explorer.
- Option 1: Use SPI command INQUIRE CONNECTION or
INQUIRE SYSTEM.
- Inquiring the peak number of AIDs
- New field Peak aids in chain (A14EAHWM) is introduced in the ISC/IRC system entry statistics to report on the peak number of automatic initiate descriptors that were present in the AID chain at any one time.
- Controlling and limiting AIDs
-
- Purging AIDs
- You can now issue SET CONNECTION to purge all AIDs for the local system. SET CONNECTION has been enhanced such that CONNECTION(data-value) now accepts the name of the local system.
- Defining an AID threshold
- You can now define an AID threshold system rule to monitor the number of AIDs in a CICS system and specify the action to be taken when the current number exceeds a threshold. For example, you can define a system rule to reject EXEC CICS START requests that would cause the number of AIDs to exceed the specified threshold, effectively putting a cap on the number of AIDs that can exist in the system.
Enhancement to the local system entry in the terminal control table of the region
The connection for the local system entry in the terminal control table of the region is now visible through the CEMT transaction, the CICS SPI, CICS Explorer, and the CICSPlex SM Web User Interface. This enhancement is introduced in support for CANCEL or FORCECANCEL operations of AIDs that are associated with the local system entry and are waiting to be shipped to a terminal owning region.
Extended support for PATH aliases for VSAM data sets
For the CICS VSAM data sets, a VSAM path can be used as a means of providing an alias dsname for the base dsname. This support is now extended for ESDS data sets DFHINTRA and DFHTEMP, in addition to KSDS data sets DFHCSD, DFHGCD, and DFHLCD.
Changes to support for PLTs (Program List Tables)
As in previous releases of CICS, PLTs should be coded using DFHPLT macro calls. However, with CICS TS 5.5, after PLTs are coded, it is not required to assemble the tables before use. CICS is no longer able to process assembled PLTs. Attempts to assemble a PLT will cause the DFHPLT macro to issue return code 8 with a message stating that the assembly is not required, and the assembly will not be performed.
As a result of this change, you must ensure that the source code of any required PLTs are
available to CICS at run time, and this includes any copy
members referenced by the source. To achieve this, you can either place the source in a parmlib
member that is part of the IPL parmlib concatenation, or add a DD card that specifies the PLT source
location into the CICS JCL. The DD statement should be of the
form: //DFHTABLE DD DSN=pds name,DISP=SHR
Ensure CICS has READ access to data sets in PARMLIB or DFHTABLE concatenations.
The PLTPI and PLTSD system initialization parameters have been enhanced to allow specification of the full name of the PLT held in the IPL parmlib or DFHTABLE concatenation. Likewise, the CEMT and SPI PERFORM SHUTDOWN commands have been enhanced to allow specification of the full name of the PLT in the new PLTNAME option.
Performance improvement to QUERY SECURITY
The QUERY SECURITY command has been enhanced such that the number of TCB switches has been reduced if more than one access level is specified on the command. This enhancement improves the performance of the API command.
Changes to EXEC CICS START
If the transaction to be started is defined as dynamic, the distributed router will be invoked only if a valid distributed routing program name is specified. If omitted, the DSRTPGM system initialization parameter assumes a value of NONE by default, and the distributed router is not invoked; while in previous releases the START command invoked the IBM-supplied routing program DFHDSRP.
If the transaction is defined with DYNAMIC(YES), then it is eligible for dynamic routing. Before CICS TS 5.5, ROUTABLE(YES) also needed to be specified, and this restriction has now been removed.
Distributed routing program no longer invoked for BTS transactions defined as DYNAMIC(NO)
For BTS transactions, if the transaction to be invoked is defined as DYNAMIC(NO), the distributed routing program is no longer invoked.
Ability to specify HPO in PARM parameter on
EXEC PGM=DFHSIP statement and in SYSIN data set
You can now specify the HPO system initialization parameter in the
PARM parameter on an EXEC PGM=DFHSIP statement or in the SYSIN
data set. This enhancement makes HPO overrides possible, giving you more
flexibility in setting HPO.
In support for this enhancement, a new security profile DFHSIT.HPO is introduced to allow HPO overrides. The CICS region user ID that is associated with the HPO override must be defined to an external security manager such as RACF to authorize the use of the HPO facility.
Performance improvement for channels and containers
As a result of a performance improvement for channels and containers in this release, the order in which containers are returned when browsing a channel might change. As in previous releases, the order in which containers are returned is undefined. Therefore, it is important that applications should not rely on the order of returned containers.
If you have existing applications that are written to rely on the order of returned containers, see Upgrading applications for advice.
JVM profile enhancements
A new JVM profile directive INCLUDE is provided to enable additional configuration to be loaded from another file. The file can contain configuration information that is common to several JVM profiles, for example security, logging, timeout settings, or database driver configuration and shared debug controls. Unique configuration is held in the JVM profile, and all common configuration is held in an INCLUDE file.Use %INCLUDE=<file_path> to include a file in your profile. The file can contain common system-wide configuration that can be maintained separate to the profile. This enables configuration that is common to several profiles to be shared, giving more control and providing easier maintenance for profiles.
A new append syntax uses a + character at the start of a variable to append the value that is specified to the existing value of that variable by using a comma separator.
Enhancements to environment variables
A set of CICS provided environment variables are now available for Node.js application developers to optionally reference in application code. A Node.js application can find out information about the CICS bundle and environment by using these environment variables.
Environment variables are accessed in the Node.js application by using the process.env global variable, for example:
console.log("Node.js application " + process.env.CICS_NODEJSAPP +
" is running in CICS region " + process.env.CICS_APPLID);JVM server logging enhancements
Information messages are now reported in the dfhjvmlog file to make it easier to diagnose errors. The type of messages that are held in the log file can be configured by using the LOG_LEVEL parameter in the JVM profile. Valid values are INFO, WARNING, ERROR, or NONE. For example, a value of NONE suppresses all output and the file is empty and a value of WARNING gives log entries of warning level and above. The default value is INFO.
A PRINT_PROFILE option is introduced and can be set to TRUE or FALSE. If the value is set to TRUE, or if SJ level 3 trace or higher is switched on, then the canonicalised profile is written to SYSPRINT.
Liberty enhancements
- Support for multiple Liberty servers
- Multiple CICS Liberty JVM servers can run in the same CICS region and connect to a Liberty angel process, for security and other services. Applications can be isolated from each other, as each Liberty process has its own configuration and lifecycle. Applications can be hosted in more than one Liberty server in the same CICS region, for improved redundancy and development scenarios.
- CICS bundle status reflects Liberty application status
- Java™ EE applications that are installed by using CICS bundle parts, remain in the ENABLING state until they are successfully installed in Liberty, or the application fails to install, or the application install is timed-out. In the failure and time-out situations the CICS bundle is placed in the DISABLED state, making it easier diagnose application configuration issues.
- Option to wait for Liberty angel process to be ready
- A JVM server option is provided to ensure that a Liberty JVM server does connect to a Liberty angel process before reaching the ENABLED state.
- LIBERTY_INCLUDE_XML option
- A new JVM profile option
LIBERTY_INCLUDE_XMLis provided to enable Liberty to load shared configuration, making it easier to administer, clone, and control OSGi and Liberty JVM servers. Use the + character before a variable to append the value specified to the existing value of that variable using a comma separator. For example, if
exists, then using a JVM profile option ofLIBERTY_INCLUDE_XML=path/file1
is equivalent to+LIBERTY_INCLUDE_XML=path/file2LIBERTY_INCLUDE_XML=/path/file1,/path/file2 - LIBERTY_PRODUCT_EXTENSIONS option
- A new JVM profile option
LIBERTY_PRODUCT_EXTENSIONSis provided to allow installation of a users own product extension into a Liberty server. - Service Support for administering Liberty using Admin Center
- Available with APAR PH08321. The adminCenter-1.0 feature enables the Liberty Administrative Center, a web-based graphical interface for deploying, monitoring, and managing Liberty servers.
JWT and OpenID Connect (OIDC) support in Liberty JVM server
JSON Web Token (JWT) support and OpenID Connect scenarios are now fully supported in CICS Liberty. You can generate and consume JWT by using all of the built-in Liberty capabilities, as well as using JWT as part of a larger enterprise authorisation mechanism, for example, OpenID Connect.
Link to Liberty DPL subset relaxation
The DPL subset and SyncOnReturn restriction for Link To Liberty applications is removed. FULLAPI capabilities are available when linking to Liberty applications.
Service REXX for CICS internal tracing, online help, and product documentation improvements
Available with APARS OA56111, OA56806 and OA56807. Support for REXX for CICS internal tracing and a new online help utility are now provided. To use the help utility, you must load the relevant data sets, as described in Create the help files. The REXX for CICS Transaction Server product documentation is provided in this Knowledge Centre, and in the online help.
Learn more about Developing REXX applications...
Learn more about REXX/CICS
Reference ...
Service New replication log record
Available with APAR PH09381. Replication logging in support of GDPS® Continuous Availability is enhanced to log a REDO record when an application issues an UNLOCK command following a read-update command, or a series of write-massinsert commands. It allows replication products to cater more efficiently for non-RLS applications, which, in the absence of browse for update support, issue read-update requests against all records in a file, but update very few and unlock most records.
Service Build support for other toolchains
Available through continuous delivery. Build toolchains such as Gradle and Maven are extremely popular for developing, building, and testing applications. To provide an enhanced experience for Java developers who are using such tools, CICS now offers JCICS and related artifacts through Maven Central.
With this enhancement, you can manage Java dependencies more easily, develop the applications in an integrated development environment (IDE) of your choice, and integrate the application build smoothly with popular automation tools such as Jenkins and Travis CI during development.
Service New feature toggle to help you with RLS migration
Available with APAR PH07596. A new feature toggle com.ibm.cics.rls.delete.ridfld
has been introduced to help you with RLS migration. When this feature is enabled, you can issue a
DELETE command with the RIDFLD option for a single record
without causing AFCG abends.
Service Support for Java EE 8 Full Platform
Available with APAR PH15017. By using the embedded version of IBM WebSphere® Liberty (Liberty), CICS TS V5.5 supports applications that are written to the Java Enterprise Edition (EE) 8 Full Platform specification in integrated mode. Java EE 8 includes many new and enhanced APIs, such as JSON processing, RESTful web services, authentication by using custom identity stores, and JavaMail™.
Java EE 8 also provides new versions of features for JavaBean validation, servlet, JavaServer Faces and Contexts and Dependency Injection (CDI).
Java applications that are hosted in CICS TS are integrated with a CICS task by default and can use the JCICS API to call other CICS programs and services. This provides a powerful mechanism to modernize CICS applications by using the latest Java EE 8 features and capabilities.
Service Support for Jakarta EE 8 Platform
Available with APAR PH19704.The CICS Liberty JVM server supports now supports the Jakarta Enterprise Edition (EE) 8. The Jakarta EE 8 full platform technologies and specifications are an evolution of Java EE 8, allowing developers and applications to easily transition from Java EE to Jakarta EE. The promise of Jakarta EE is a community-driven open source model, enjoying more frequent releases than Java EE, and evolving more quickly to address the needs of modern applications.
Support for Spring Boot
The CICS Liberty JVM server supports Spring Boot applications using the Spring application programming model. Spring was originally designed to simplify Java Enterprise Edition (EE), using plain old Java objects (POJOs) and dependency injection. It has since grown to extend and encompass many aspects of Java EE development.
Spring Boot builds on Spring by adding components to avoid complex configuration, reduce development time, and offer a simpler startup experience. Support is added for the Liberty features springBoot-1.5 and springBoot-2.0, allowing Spring Boot JARs to be deployed directly to a Liberty JVM server. Spring Boot applications can run on CICS without modification. It also is possible to configure Spring Boot applications for integration with CICS transactions and security, and to call the CICS API using JCICS when built as a web application archive (WAR). A Spring Boot application can be deployed and managed using CICS bundles in the same way as can other CICS Liberty applications.
A Spring Boot application can use the annotation @CICSProgram to define a method as the target of a CICS program. This can be linked from COBOL or other non-Java CICS programs using the channel and container interface.
The LINK capability is available in CICS TS 5.5 for Spring Boot applications packaged as WAR or JAR files. It is not available in CICS TS 5.4 or 5.3
Service Support for EXEC CICS LINK to a Spring Boot application running in a Liberty JVM server
Available with APAR PH14856. You can add the @CICSProgram annotation to a method
on a Spring bean. When the application is started in Liberty, a CICS program definition is
dynamically created. Then, the Spring Boot application can be invoked by any CICS program through an
EXEC CICS LINK call.
Service Improvement to CICS exception handling when a JVM server encounters a TCB failure
Available with APAR PH12280. CICS exception handling when a JVM server encounters a TCB failure has been changed to the following process to ensure that the JVM server is recycled.
- CICS disables the JVMSERVER resource with the PHASEOUT option to allow existing work in the JVM to complete where possible and prevent new work from using the JVM.
- If the PHASEOUT operation fails to disable the JVMSERVER within the interval specified by the PURGE_ESCALATION_TIMEOUT JVM server option, CICS escalates to the next disable action PURGE until the JVMSERVER is disabled.
- If the PURGE operation fails to disable the JVMSERVER within the interval, CICS escalates to the next disable action FORCEPURGE.
- If the FORCEPURGE operation fails to disable the JVMSERVER within the interval, CICS escalates to KILL.
- After the JVMSERVER is successfully disabled, message DFHSJ1008 is issued.
- CICS attempts to re-enable the resource to create a new JVM.
You can control the interval between the disable actions that CICS performs by setting the PURGE_ESCALATION_TIMEOUT JVM server option.
Service SNI now supported in CICS TS communications with an HTTP server over TLS connections
Available with APAR PH20063. CICS TS now supports the use of the Server Name Indication (SNI) extension as defined in Internet Engineering Task Force RFC 6066. With this enhancement, CICS TS, when acting as an HTTP client, can use a TLS connection to a virtual host where the server supports multiple virtual hosts using a single IP address.
No configuration change is required in CICS TS. CICS TS supports SNI if it is supported by the HTTP server.
Service CICS capability of exploiting IBM z/OS Workload Interaction Correlator
Available with APAR PH16392.
IBM z/OS Workload Interaction Correlator (Correlator) is a priced feature that provides infrastructure for z/OS software to generate synchronized, standardized, concise, content-rich data with common context for automated analysis by an analytics engine such as the IBM z/OS Workload Interaction Navigator. You can use Correlator to generate standardized SMF records for CICS, making it easier to identify and correlate workload across your mainframe environment.
CICS uses the WIC IFAWIC service to register CICS regions for collecting data about transaction activities, and provides a WIC exit routine that SMF calls for WIC processing. The WIC exit routine aggregates and summarizes transaction activities from all registered CICS regions and records exceptional CICS regions into SMF type 98 subtype 1024 records.
Service Available with APAR PH30291, CICS-supplied Assembler copybook DFHWICCD is updated to enable IBM z/OS Workload Interaction Navigator with PTF UJ04388 to analyze multiple SMF files collected from multiple systems respectively and display the correlated anomalies across multiple systems for a single interval in one screen.
Service CICS-MQ trigger monitor and CICS-MQ bridge improvements
Available with APAR PH22136.
The CICS-MQ trigger monitor transaction CKTI now handles abends produced when starting user transactions. If an abend occurs when the CKTI transaction attempts to start the user transaction, rather than terminating, CKTI will now send the trigger message to the dead-letter queue, and trigger monitor processing continues.
Additionally, both the CICS-MQ trigger monitor transaction CKTI and the CICS-MQ bridge monitor transaction CKBR now handle temporary errors that occur when issuing MQOPEN and MQGET requests. Rather than terminating, CKTI and CKBR will retry every minute for up to an hour. If the error is not resolved after an hour, the monitor transactions will then terminate. This caters for errors caused by the loss of a coupling facility when the monitor transactions are processing shared queues. The IBM MQ queue manager can recover from a coupling facility failure, and when the connection is restored, bridge and trigger monitor processing will resume.
Service Support for passing XID to Db2
Available with APAR PH39766, a new feature toggle,
com.ibm.cics.db2.sharelocks={true|false}, is provided to enable CICS to pass an XID to Db2 and instruct Db2 to share locks between threads
that pass the same XID. Using the same XID, other threads that originate from other CICS regions or from other transaction managers such as IMS TM
can access Db2 in the same global
unit of work (UOW). The XID token is not used for recovery between CICS and Db2. Passing an XID
avoids having to deal with UOW affinities.
For CICS to pass an XID to Db2, CICS first queries MVS RRS to determine if there is a global UOW with a matching LU6.2 UOWID. The query for a global UOW involves issuing an ATRQUERY request with a sysplex scope for systems within the same RRS logging group. This will have a performance impact in terms of CPU consumption. You should ensure READ access for the CICS user ID to the MVSADMIN.RRS.COMMANDS.gname.sysname resource or the MVSADMIN.RRS.COMMANDS resource in the FACILITY class. You should also ensure that auditing of successful access to RRS system management functions is not enabled; otherwise, an excessive number of SMF 80 records will be produced. For more information, see ATRQUERY — Obtain RRS Information in z/OS MVS Programming: Resource Recovery.
If the global UOW was initiated from outside CICS and is coordinated by MVS RRS, CICS will obtain the XID associated with the RRS Unit of Recovery and pass it to Db2.
If RRS is not involved in the UOW, CICS will generate an XID based on the data from the LU6.2 UOWID that is associated with the UOW. All CICS regions participating in the same UOW will generate the same XID from the same LU6.2 UOWID.
The passing of an XID involves a partial signon to Db2 for each UOW. The number of partial signons will increase if partial signons for each UOW were not previously necessary. If a partial signon for each UOW is already required as in the case of using ACCOUNTREC(UOW), the number of partial signons does not increase. A signon at the start of each UOW closes any cursors, so held cursors across syncpoints are not supported when the passing of an XID is enabled. Applications will have to reposition cursors after a syncpoint.
Service Improved usage of BAS data space storage for large CICSplex environments
Available with APAR PH19761. The CICSPlex SM BAS component is now able to use all available BAS data space storage by spreading
large resource deployment lists for BAS across multiple data spaces instead of being constrained to
a single data space. This feature is controlled by the feature toggle
com.ibm.cics.cpsm.bas.largecicsplex.
This feature is disabled by default, but you can opt into this feature by setting the feature
toggle com.ibm.cics.cpsm.bas.largecicsplex=true.
Service Enhanced adapter tracking for CICS Db2 applications
Available with APAR PH30252. The CICS Db2 attachment facility is enhanced to pass adapter data to Db2. If a CICS task that is accessing Db2 has adapter data in the CICS origin data, the adapter ID is passed as appl-longname and the adapter data is passed as an accounting-string. Db2 writes the data in its SMF accounting records and the data is also available online through the Db2 special registers CURRENT CLIENT_APPLNAME and CURRENT CLIENT_ACCTNG. This capability also requires Db2 12 with APAR PH31447 or higher.
com.ibm.cics.db2.origindata=falseService Changes to CICSPlex SM sysplex optimized workload routing behavior
With APAR PH30768, the default behavior of CICSPlex SM workload management routing algorithms has been updated to increase the likelihood that work is routed to healthy, local target regions. This change applies only to the QUEUE and GOAL algorithms, not to the link neutral variants (LNQUEUE and LNGOAL).
Where a routing region might be subject to surges of extremely high frequency, short duration
transactions, workload batching might occur. A new feature toggle,
com.ibm.cics.cpsm.wlm.surgeresist={true|false}, has been introduced to
mitigate these surges by reducing the likelihood that recently selected target regions are
reselected. Enabling this feature toggle increases the average routing cost per transaction, but
restores the routing behavior of CICSPlex SM before APAR PH30768 is applied.
Service Messages reporting changes to APPC and IRC log names
Available with APAR PH03691.
- DFHRM0240 reports the local log name that is set during CICS initialization and sent to a remote system when CICS establishes an APPC or IRC connection.
- DFHRM0241 reports a log name that has been set for an APPC or IRC connection.
- DFHRM0242 reports a log name that has been deleted for an APPC or IRC connection.
Service Enabling multiple client URIMAPs that point to the same endpoint
Available with APAR PH44683, multiple client URIMAPs that point to the same host, port and path can be installed and enabled in a CICS region. This enhancement removes the limitation that only one client URIMAP for an endpoint could be enabled in a CICS region. As best practice, always use a URIMAP by name.
Service Prepare for a future release of CICS TS
Available with APAR PH54814 (supercedes APAR PH39798).
The DFHCSVC and DFHIRP modules for future CICS TS releases have been shipped as modules DFHNCSVC and DFHNIRP on current releases ahead of the general availability of the newest CICS TS release. If you wish to install the future release modules DFHCSVC and DFHIRP to fit in with your scheduled z/OS IPLs, follow the instruction here.
Service Default cipher file for outbound web requests
With APAR PH45703, a new feature toggle,
com.ibm.cics.web.defaultcipherfile={true|false}, is provided to enable CICS to use a default set of ciphers from a cipher file called
defaultciphers.xml, instead of the current default list of 2-digit ciphers
(3538392F3233). This allows a greater set of ciphers to be used for outbound requests without having
to create a URIMAP for each potential endpoint.
The use of a default cipher file applies to outbound HTTPS requests that are made using EXEC CICS WEB OPEN or EXEC CICS INVOKE SERVICE commands, where those commands do not already specify a set of ciphers to use through the CIPHERS or URIMAP parameter.
To use this capability, the feature toggle must be set to true and the defaultciphers.xml file must exist in the USSCONFIG/security/ciphers directory. A sample defaultciphers.xml file is supplied in the USSHOME/security/ciphers directory. Copy this file to the USSCONFIG/security/ciphers directory and customize it for your security requirements.
If the feature toggle is enabled but there is a problem with the defaultciphers.xml file, message DFHWB0112 is issued and CICS reverts to using the default list of 2-digit ciphers.
Service Support for Java 11
APAR PH47221 adds support for Java 11 using IBM Semeru Runtime Certified Edition for z/OS. A minimum version of 11.0.17.0 is required. The CICS documentation will be updated to describe considerations for using Java 11.
Java 11 is not supported for use with:
- Axis2 JVM servers at CICS Transaction Server for z/OS, Version 5 Release 5 .
- SAML JVM servers at all CICS releases.
Java 8 continues to be supported.
Service Support for Java 17
APAR PH55278 adds support for Java 17 IBM Semeru Runtime Certified Edition for z/OS. A minimum version of 17.0.7.0 is required.
Java 17 is not supported for use with:
- Axis2 JVM servers at CICS Transaction Server for z/OS, Version 5 Release 5 .
- SAML JVM servers at all CICS releases.
To enable Db2 type 2
connectivity when you are running Java 17, add
LIBPATH_SUFFIX=/usr/lpp/db2v12/jdbc/lib to the JVM profile.
Java 8 and Java 11 continue to be supported.
Service Key rings can be shared between regions in an easier way
Available with APAR PH49253, with the support of more acceptable formats of key ring names on the KEYRING system initialization parameter, you can now use key rings that are not owned by the current region user ID. To share a key ring owned by one region user ID with another region, you need to grant that other region authority to use the key ring.
Service Minimum key size can be set during TLS handshakes for increased key strength
APAR PH50175 required.
With the new feature toggle com.ibm.cics.tls.minimumkeystrength you can set a
minimum key size for ECC, RSA, DSA, and Diffie-Hellman keys during TLS handshakes to increase your
key strength.
This feature is also available in CICS TS 5.4 with APAR PH50175.
Service HTTP strict transport security (HSTS) is supported
Available with APAR PH55369, HTTP strict transport security (HSTS) helps servers prevent man-in-the-middle attacks by instructing compliant user agents to only interact with the server through secure connections (HTTPS).
You can now configure a CICS server to use HSTS with a set of
com.ibm.cics.web.hsts feature toggles.
CICS documentation and other information
- CICS online documentation and IBM Documentation Offline are now automatically translated in various languages other than English: Brazilian Portuguese, French, German, Italian, Japanese, Korean, Simplified Chinese, and Spanish. PDF documentation is not currently translated.