Configuring permissions for z/OS Connect Services and APIs

The CICS® security model requires some additional configuration steps when you set up permissions for Services and APIs with z/OS® Connect for CICS 1.0 and z/OS Connect Enterprise Edition.

About this task

When z/OS Connect is used to inject work into CICS, the following two identities are associated with the work at different stages of the processing:
  • An initial, temporary identity is allocated during the process of attaching the work.
  • An authenticated identity is then used to run the remainder of the work.

You can configure these identities in several ways, depending on your preferences and system environment.

Procedure

  1. Optional: Create an alternative initial user ID for z/OS Connect.

    By default, the initial identity is the default CICS user ID, but you might choose to assign a different user ID to avoid giving the default CICS user ID permission to run transaction CPIH, or its equivalent.

    1. Authorize the alternative initial user ID to run transaction CPIH and any other transactions that are initiated through z/OS Connect.

      The initial user ID requires permission to run the target transaction for the Service or API.

  2. Assign a default initial user ID. You can choose either or both of the following methods:
    • Set a user ID override value in the JVM profile for the JVMSERVER resource that hosts z/OS Connect.

      The following is an example override, where ZOSCUSER is the default initial user ID: -Dcom.ibm.cics.jvmserver.http.userid=ZOSCUSER

      Note: If you set a default initial user ID in the JVM profile, you do not need to provide a USERID value for each URIMAP. However, if you provide both a USERID for a URIMAP and an override value in the JVM profile, the USERID specified for a given URIMAP takes precedence.
    • Set the USERID field for a given URIMAP resource that targets z/OS Connect.

      When an HTTP request is received by z/OS Connect, CICS matches it against the URIMAP resources that are installed. If the URIMAP that is found specifies the USERID attribute, that user ID is used as the initial user ID, instead of the default initial user ID for the JVM server.

      Here is an example configuration for a URIMAP resource named ZOSCDEFT, where JVMSERVER is the USAGE value, a generic value is set for the PATH attribute, CPIH is the target transaction, and ZOSCUSER is the default initial user ID:
      NAME: ZOSCDEFT
      USAGE: JVMSERVER
      SCHEME: HTTP
      PORT: NO
      HOST: *
      PATH: /zosConnect/*
      TRANSACTION: CPIH
      USERID: ZOSCUSER
    Note: URIMAP resources that are installed by using the PIPELINE SCAN mechanism are unlikely to be configured with a default user ID. In this scenario, you might consider specifying a user ID override value on the JVMSERVER.
    Note: It is possible to store an initial user ID in a WSBind file: the user of DFHLS2JS or DFHJS2LS might provide a value for the USERID input parameter. If the USERID parameter is used, any URIMAPs that are produced during a PIPELINE SCAN include the requested initial user ID.
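
The following is an added illustrative model (not CICS or z/OS Connect code) of the precedence rules in steps 1 and 2: a request resolves to the matching URIMAP's USERID, otherwise to the JVM profile override, otherwise to the default CICS user ID. It assumes that an exact PATH match wins over a generic one and that the longest generic PATH wins among generic matches; the sample URIMAP definitions, the profile text and the CICSUSER default are constructed for the example.

```python
# Added model of initial user ID resolution (not CICS code). Precedence:
# URIMAP USERID > JVM profile override > default CICS user ID.
# Exact-before-generic and longest-generic-match selection are assumptions.
DEFAULT_CICS_USERID = "CICSUSER"   # constructed placeholder for the region default

def jvm_profile_override(profile_text):
    # Return the -Dcom.ibm.cics.jvmserver.http.userid value from the JVM profile, if set.
    key = "-Dcom.ibm.cics.jvmserver.http.userid="
    for line in profile_text.splitlines():
        line = line.strip()
        if line.startswith(key):
            return line[len(key):].strip() or None
    return None

def path_matches(pattern, path):
    # A generic PATH ends in '*' and matches any suffix; otherwise require equality.
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern

def select_urimap(urimaps, path):
    # Pick the matching URIMAP: exact PATH first, then the longest generic prefix.
    candidates = [u for u in urimaps if path_matches(u["PATH"], path)]
    if not candidates:
        return None
    exact = [u for u in candidates if not u["PATH"].endswith("*")]
    if exact:
        return exact[0]
    return max(candidates, key=lambda u: len(u["PATH"]))

def resolve_initial_userid(urimaps, profile_text, path):
    # Return (user ID, where it came from) so an audit can flag default-ID fallbacks.
    u = select_urimap(urimaps, path)
    if u is not None and u.get("USERID"):
        return u["USERID"], "URIMAP " + u["NAME"]
    override = jvm_profile_override(profile_text)
    if override:
        return override, "JVM profile override"
    return DEFAULT_CICS_USERID, "default CICS user ID"

def paths_falling_back_to_default(urimaps, profile_text, paths):
    # Audit helper: list request paths that would attach under the default CICS user ID.
    return [p for p in paths
            if resolve_initial_userid(urimaps, profile_text, p)[1] == "default CICS user ID"]

# Constructed sample data: ZOSCDEFT mirrors the example above; SCANMAP1 stands in for a
# URIMAP produced by PIPELINE SCAN without a USERID value.
SAMPLE_URIMAPS = [
    {"NAME": "ZOSCDEFT", "PATH": "/zosConnect/*", "TRANSACTION": "CPIH", "USERID": "ZOSCUSER"},
    {"NAME": "SCANMAP1", "PATH": "/zosConnect/services/payroll", "TRANSACTION": "CPIH", "USERID": None},
]
SAMPLE_PROFILE_WITHOUT_OVERRIDE = "-Xmx256M\n"
SAMPLE_PROFILE_WITH_OVERRIDE = "-Xmx256M\n-Dcom.ibm.cics.jvmserver.http.userid=ZOSCUSER\n"
```

Running paths_falling_back_to_default against the URIMAPs of a region shows which URIs would attach CPIH under the default CICS user ID and therefore need either a USERID on the URIMAP or the JVM profile override.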

Results

You have now configured your environment so that CICS recognizes the URIs for your Services and APIs, and associates an initial user ID for use when the target transaction is attached.