Security for z/OS Connect

z/OS® Connect is a WebSphere® Liberty application, and has the same configuration and considerations as other WebSphere Liberty applications. z/OS Connect for CICS 1.0 and z/OS Connect Enterprise Edition have some additional security requirements.

z/OS Connect for CICS 1.0 and z/OS Connect Enterprise Edition have a RESTful management interface to allow dynamic service discovery. This interface is hosted at the same host name and port number as the individual JSON Services. The use of Transport Layer Security (TLS) to protect this interface, and the individual JSON Services, is encouraged.

By default, all client connections to z/OS Connect for CICS 1.0 and z/OS Connect Enterprise Edition must use the HTTPS protocol. The default behavior is to require a TLS connection to CICS® in which the client presents a certificate. If this default is retained, each client certificate must be associated with a SAF user ID, and the application runs under that certificate-derived identity.

Both z/OS Connect for CICS 1.0 and z/OS Connect Enterprise Edition can be configured to support the HTTP basic authentication protocol. This protocol allows a client to connect by using TLS in combination with a SAF user ID and password. To enable support for HTTP basic authentication, add the following line to the Liberty server configuration file (server.xml): <webAppSecurity allowFailOverToBasicAuth="true"/>

For more information, see Configuring security for z/OS Connect in WebSphere Application Server for z/OS product documentation.

To configure security for z/OS Connect for CICS 1.0 and z/OS Connect Enterprise Edition, you must be a member of the zos.connect.access.roles.zosConnectAccess role. This role is mapped to an EJBROLE resource profile in RACF®, and the profile's access list contains the permitted users and groups. You must have SAF enabled to use EJBROLES: add the <safAuthorization id="saf"/> element to your server.xml configuration file. For more information on EJBROLES, see the topic on JEE application role security.
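The following server.xml fragment is an added example, not configuration from the IBM documentation, that brings together the settings described above: HTTPS only, TLS client certificate authentication against a SAF key ring, the SAF user registry, SAF (EJBROLE) authorization, and the optional fall-back to HTTP basic authentication. The key ring name ZOSCRING, the port 9443, the feature list (zosConnect-1.0 as used with z/OS Connect 1.0 in Liberty; z/OS Connect Enterprise Edition uses its own feature name) and the profilePrefix BBGZDFLT (the Liberty default) are assumptions for this example.

```xml
<server description="z/OS Connect security example (added example, not IBM-supplied configuration)">
    <featureManager>
        <feature>zosConnect-1.0</feature>
        <feature>zosSecurity-1.0</feature>
        <feature>ssl-1.0</feature>
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- HTTPS only: httpPort="-1" disables the plain HTTP listener, so the
         management interface and the JSON services are reachable only over TLS -->
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="-1" httpsPort="9443"/>

    <!-- Server certificate and trusted CA certificates come from a SAF key ring
         (ring name ZOSCRING is assumed). RACF key rings take no real password,
         so the conventional value "password" is used. -->
    <keyStore id="racfKeyStore" location="safkeyring:///ZOSCRING" password="password"
              type="JCERACFKS" fileBased="false" readOnly="true"/>

    <!-- clientAuthentication="true" keeps the default behaviour described above:
         the client must present a certificate, which is then mapped to a SAF user ID -->
    <ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore" trustStoreRef="racfKeyStore"
         clientAuthentication="true" sslProtocol="TLSv1.2"/>
    <sslDefault sslRef="defaultSSLConfig"/>

    <!-- SAF user registry: both certificate-derived identities and basic-auth
         user ID/password pairs are resolved and verified by SAF -->
    <safRegistry id="saf"/>

    <!-- SAF authorization: roles such as zos.connect.access.roles.zosConnectAccess
         are checked against EJBROLE profiles named <profilePrefix>.<role> -->
    <safAuthorization id="saf"/>
    <safCredentials profilePrefix="BBGZDFLT" unauthenticatedUser="WSGUEST"/>

    <!-- Optional: allow HTTP basic authentication (SAF user ID and password over TLS)
         when the client does not present a certificate. Omit this element to keep
         client certificates as the only accepted credential. -->
    <webAppSecurity allowFailOverToBasicAuth="true"/>
</server>
```

With this configuration, a request that carries neither a trusted client certificate nor valid basic authentication credentials is rejected at the HTTPS endpoint, and an authenticated caller still cannot reach the management interface unless their SAF user ID (or a group they belong to) has READ access to the EJBROLE profile for the zosConnectAccess role.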

The WebSphere Liberty profile documentation in IBM® Knowledge Center describes Configuring authorization for applications on the Liberty profile (in the WebSphere Application Server for z/OS product documentation). If transaction security is enabled in CICS, see Transaction security for more information.

Authentication for services and APIs

The CICS security model requires some special actions in the way that you configure permissions for services and APIs with z/OS Connect for CICS 1.0 and z/OS Connect Enterprise Edition.

When z/OS Connect is used to inject work into CICS, two different identities are associated with the work at different parts of the processing. An initial, temporary identity is allocated during the process of attaching the work, and an authenticated identity is used to run the remainder of the work. The initial identity requires permission to run the target transaction in CICS (typically, CPIH). This transaction can be configured using a URIMAP resource.

The initial identity could be the default CICS user (typically, CICSUSER), but it is recommended that you assign a different default userid by using a URIMAP resource. This avoids the need for the default CICS user to have permission to run CPIH (or its equivalent), which could have wider security implications. This userid must be set on every URIMAP that is used with z/OS Connect. As a consequence, the PIPELINE SCAN mechanism, which dynamically installs URIMAP resources without this setting, is unsuitable for use with z/OS Connect.

For example:
  • Create a userid called ZOSCUSER as the alternative default userid for z/OS Connect.
  • Grant ZOSCUSER permission to run CPIH and any other transactions that are initiated through z/OS Connect.
  • Use this userid in the USERID field of the URIMAP resources for z/OS Connect.
In this example, the ZOSCUSER identity is assigned to the initial phase of the z/OS Connect processing for a given request. ZOSCUSER has authority to start the CPIH transaction (or its equivalent), which performs the remainder of the processing. z/OS Connect authenticates the user-supplied security credentials, and, at that time, the userid that is associated with the CICS task changes.
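The RACF and CICS definitions below are an added example that carries the ZOSCUSER steps above through to concrete commands; they are not part of the IBM documentation. The /* ... */ lines are explanatory comments, not command input. The group names CICSGRP and ZOSCADMN, the user ID APPUSR01, the certificate data set name, the URIMAP and CSD group names, and the <...> placeholders are assumptions; the transaction security class (TCICSTRN) and any SECPRFX prefix depend on the CICS region's SIT parameters, and BBGZDFLT is the default Liberty safCredentials profilePrefix.

```text
/* 1. Protected user ID (no password, no OID card) used only as the initial identity   */
/*    for z/OS Connect requests; it can never be used to log on interactively.         */
ADDUSER ZOSCUSER NAME('ZOS CONNECT INITIAL ID') DFLTGRP(CICSGRP) NOPASSWORD NOOIDCARD

/* 2. Permit that user ID to attach CPIH (repeat for any other transaction that          */
/*    z/OS Connect starts), then refresh the in-storage profiles.                        */
PERMIT CPIH CLASS(TCICSTRN) ID(ZOSCUSER) ACCESS(READ)
SETROPTS RACLIST(TCICSTRN) REFRESH

/* 3. EJBROLE profile for the z/OS Connect configuration role. UACC(NONE) so that only   */
/*    the listed group (ZOSCADMN, assumed) can configure security for z/OS Connect.      */
RDEFINE EJBROLE BBGZDFLT.zos.connect.access.roles.zosConnectAccess UACC(NONE)
PERMIT BBGZDFLT.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(ZOSCADMN) ACCESS(READ)
SETROPTS RACLIST(EJBROLE) REFRESH

/* 4. Associate a client certificate with the SAF user ID that the authenticated part   */
/*    of the request will run under (certificate read from the named data set).          */
RACDCERT ID(APPUSR01) ADD('APPUSR01.CLIENT.CERT') WITHLABEL('APPUSR01 client') TRUST

/* 5. URIMAP with the initial user ID set explicitly. Every URIMAP used by z/OS Connect  */
/*    is defined this way (DFHCSDUP input shown) rather than installed by PIPELINE SCAN. */
/*    TRANSACTION(CPIH) is the default for USAGE(PIPELINE) and is shown for clarity.     */
DEFINE URIMAP(ZOSCMAP1) GROUP(ZOSCGRP) USAGE(PIPELINE) SCHEME(HTTPS) HOST(*) PATH(/zosConnect/services/<serviceName>) PIPELINE(<pipelineName>) WEBSERVICE(<webServiceName>) TRANSACTION(CPIH) USERID(ZOSCUSER)
```

After these definitions, a request matching ZOSCMAP1 is attached under ZOSCUSER, which holds only the READ access on CPIH needed for the initial phase; once z/OS Connect authenticates the caller's credentials (here, the certificate mapped to APPUSR01), the task's user ID changes to that authenticated identity, and the default CICS user is never involved.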