Configuring IPIC connections for identity propagation
You define an IPCONN resource in a receiving CICS® region to enable processing of incoming distributed identity information and you define an IPCONN resource in a sending region to specify whether a distributed identity is transmitted outside a sysplex.
Before you begin
About this task
If CICS receives an ICRX in a message that is sent over an IPIC connection, USERAUTH(IDENTIFY) must be defined for the IPCONN resource in the receiving CICS region to allow processing of the ICRX. If USERAUTH(IDENTIFY) is defined, CICS attempts to map the ICRX to an external security manager (ESM) user ID, for example, a RACF user ID. If the mapping is successful, the ESM user ID is used as the security context for the task that is attached to process the incoming message. If the ICRX cannot be mapped to an ESM user ID, because it is not defined to the external security manager, the message is processed as if it did not contain an ICRX. Local and remote START commands over an IPIC connection do not support identity propagation.
Procedure
- Specify USERAUTH(IDENTIFY) in the IPCONN resource definition
of the receiving CICS system. The IDENTIFY attribute specifies that incoming requests must include a user identifier, which can be provided in the form of an ICRX, but that client authentication is being managed by the security manager that is sending the request. If you are using CICS Transaction Gateway, you must specify USERAUTH(IDENTIFY) to allow CICS Transaction Gateway to pass the distributed identity to CICS. For more information about identity propagation with CICS Transaction Gateway, see the CICS Transaction Gateway information center.
- Specify IDPROP(REQUIRED) in the IPCONN resource definition
of the sending CICS system. The REQUIRED attribute specifies that a distributed identity is required for requests that use this connection, instead of a user ID. The attribute has no meaning if the connection is contained in a single sysplex or if either or both regions cannot support identity propagation. If the connection is between systems in the same sysplex, the connection operates as if IDPROP(OPTIONAL) is specified and ignores any other setting. The receiving CICS system must have USERAUTH(IDENTIFY) specified in the IPCONN resource to be able to process the distributed identity information.