News
Abstract
Details are provided of the capabilities of the latest (January 2022) IBM® CICS® Transaction Server for z/OS® open beta program.
Content
CICS Transaction Server for z/OS open beta program (January 2022 update) Planned availability: January 17, 2022. The IBM CICS Transaction Server for z/OS (CICS TS) open beta program is available for clients who want to explore potential new CICS capability and assess its value to their business. This offering and education for it can be downloaded, at no charge, from the IBM CICS TS open beta website. Details on each item are available in the What's New? topic. The following capabilities are available as part of the January 2022 update of the CICS TS open beta, denoted by *: CICS applications consist of source code that is compiled and CICS resources, such as TRANSACTIONs, PROGRAMs and FILEs. Today these elements are typically managed by separate teams in separate places, with manual steps and delays to coordinate changes. The CICS TS resource builder is a tool to facilitate configuration as code for application resources. It enables developers to manage resource definitions in a readable source format using a modern source control management (SCM) and modern pipeline. It is designed to run alongside the application build and provides output to be used in later steps in the pipeline to deploy resources alongside the application. Developers are now able to change application code and resources together in a single pull request, giving a consistent and efficient approval and audit process, allowing applications to be deployed with confidence in minutes rather than hours. With the CICS TS resource builder, CICS resource definitions are defined in a YAML file that is easy to read and update. Enterprise standards for resources, such as naming conventions and required or optional attributes can be included in a YAML schema. Editors can use the schema to provide help and content assist whilst developers edit the file. Within the build pipeline, the CICS TS resource builder reads and validates the YAML file then generates output that can be used with CICS system definition utility program (DFHCSDUP). The output is then used by a deployment pipeline to update the CICS system definitions (CSD) dataset ready for use in CICS. To help Java developers to get started with applications in CICS, a new set of pages in IBM Documentation provides a simple overview of what's involved. The new pages cover key CICS concepts and access to resources, such as samples, videos, and tutorials. This new content is available at Get started with Java in CICS. Java applications deployed into an OSGi JVM server can now exploit the @CICSProgram Java annotation to identify the methods that can be called as targets of LINK, START or RUN commands. CICS automatically creates PROGRAM resources for the annotated methods when the Java application is enabled, making this approach easier to deploy and more flexible than the existing CICS-MainClass approach. This Java annotation is already available for Java applications running in a Liberty JVM server. Support is introduced for a CICS Management Client Interface (CMCI) JVM server to be installed and configured in a single CICS region. This makes it possible to use the following capabilities in a single CICS region that were previously only available in a CICSPlex System Manager (CPSM) environment: A new monitoring field, SOFLAG, is introduced and added to the performance record. It indicates whether a network connection is configured using application transparent transport layer security (AT-TLS) or CICS configured transport layer security (TLS). Information about the TLS protocol and the cipher users is now also available for AT-TLS connections. DFHSTUP is enhanced to report on inbound AT-TLS connections. Information on the TLS levels used and the ciphers used is reported alongside the information for CICS configured TLS sessions. The new option GMEXITOPT is provided on the ASSIGN command, where it will return the EXIT or DISCONNECT value specified on the GMTRAN SIT parameter. These values on the GMTRAN SIT option describe the behaviour of a user's terminal after a failed signon or a successful signoff. EXIT means that the user is returned to a blank terminal screen running under the default user ID. DISCONNECT means that the user's terminal is disconnected from CICS. Currently, the SIT value only affects the CICS-supplied transactions CESN, CESL, and CESF. The new GMEXITOPT option will allow user written applications to obtain the SIT value and perform the same behavior as the CICS supplied transactions. Documentation relating to CICS security has been rewritten to make it easier to understand and implement, and to better reflect current security topologies such as Liberty, IP interconnectivity (IPIC) and web services. This includes new information about the basic concepts of CICS security with a section on auditing. For each topology there is a new security reference section based on common scenarios. The scenarios show examples of how to design security with accompanying task based configuration information. The new sections include best practice advice. This advice is accompanied by checks in the IBM Health Checker for z/OS. Support for the CMCI JVM server in a single, non-CICSplex, CICS region makes it possible to use MFA to sign-on from CICS Explorer to a single CICS region. CICS issues new messages associated with authorization errors to identify the end user. Authorization errors are accompanied by an ICH408I or DFHXS1111 message. These messages identify the failing request and user ID. However, in many cases it is difficult to locate the end user from this information. A new message DFHXS1117 is now issued with origin data, including the distributed identity, if available. This will simplify diagnosis of authorization errors. CICS is able to make use the z/OS 2.4 Instruction Execution Protection (IEP) facility to protect storage areas that are intended to only contain data, such as USER and CICS dynamic storage areas, from being able to execute code. This feature requires IBM z14® or IBM z15™ hardware, and z/OS 2.4 or z/OS 2.3 with APAR OA51030 and APAR OA51643. CICS now supports Transport Layer Security (TLS) 1.3. The use of numeric ciphers in the CIPHERS fields of resources is deprecated. Default ciphers for resources are now obtained from the file defaultciphers.xml in the directory specified by USSCONFIG. Also, use of numeric ciphers on the WEB OPEN command is deprecated due to this option not being compatible with TLS 1.3. This support requires IBM z/OS 2.4 or later. CICS supports four new checks in the IBM Health Checker for z/OS. These new checks cover best practice advice for security configuration of regions, resources, and CICS TS use of z/OS File System (zFS). It is no longer necessary to define security profiles for CICS category 1 transactions using the DFH$CAT1 CLIST. In addition to simplifying CICS region setup, this will improve security as CICS will ensure that only the CICS region user ID will be permitted to run these transactions. CICS application events now support capturing the command PUT64 CONTAINER. Users can capture and emit events when their application program issues an PUT64 CONTAINER command or when it invokes one of the methods put() or putString() in the JCICS class com.ibm.cics.server.Container. The command WRITE OPERATOR now supports a new option CONSNAME. This option can be used to define a specific console to receive messages as an alternative to using route codes. CICS regions can be classified using tags to assist in identifying the purpose of the region. A YAML file is used to specify the naming convention of the regions and to define their tag(s). For eample a region can be tagged to identify usage, such as development, test or production, and also to identify the applications it hosts. This can be useful when writing automation, diagnosing problems, and auditing. The region tags can be displayed in CICS Explorer and the new INQUIRE TAG command. The following policy task rules support the ALL option: This enhancement allows clients to apply a threshold to the total cumulative count of requests issued, such as, for example, all file requests issued by the task rather than selecting individual types of file request. The compound condition rule can be used when users want to define a system rule that specifies two or more conditions. CICS takes the defined action when all of the specified conditions are met. For example, a compound condition system rule can be defined that instructs CICS to set the z/OS WLM health status to OPEN only if both the Db2 connection status and the IBM MQ connection status are CONNECTED. Another example is when setting the z/OS WLM health status to OPEN only when a selected set of bundle resources have been enabled. The set of supported conditions that can be used relate to the status of system resources. The conditions are: The processing of expired temporary storage queues has been improved. First, to separate out the processing of main and auxiliary tsqueues from shared tsqueues so that they use separate calculated intervals. Second, for shared tsqueues an internal queue is used to hold when the last scan was performed. The internal queue is used to prevent CICS from scanning the shared TS queues if another CICS has performed such a scan within the previous minute. This means that even if there are multiple CICS regions using a shared TS pool and they each have TS models installed specifying short expiry intervals. The shared queues will never be scanned more frequently than once per minute. Third, the CICS-MQ interface has been improved to only employ a DFHCKBR tsmodel with a non-zero expiry interval when the MQ bridge has been started, otherwise it has a zero expiry interval. This improvement avoids unwanted tsqueue scans. This new rule type is used to set a maximum threshold for the total number of transaction dumps in a CICS region and take an automatic action when the threshold is exceeded. With this system rule, users can monitor transaction dumps and prevent an excessive number of dumps being taken in a CICS region. The amount of 64-bit storage allocated to index information, backout elements, and entry descriptors can now be controlled via CICS system initialization (SIT) parameter SDTMEMLIMIT. This limit can be queried and set via INQUIRE and SET SYSTEM commands. Messages are issued at 5% intervals when the amount of storage consumed exceeds 75% of SDTMEMLIMIT, and when memory consumption drops below 70% of SDTMEMLIMIT. The non-sysplex optimised variant of CPSM workload management (WLM) reacts to short on storage conditions in target CICS regions for z/OS 24-bit and 31-bit storage and factors this into its routing decision. This enables new requests to be directed to CICS regions that have capacity. Support for the CMCI JVM server in a single, non-CICSplex, CICS region makes it possible to use advanced functions of CICS Explorer, such as aggregation and grouping of result data, in a single CICS region. Event processing is changed to generate a monitoring record every 2000 events processed by long running CEPD tasks in a CICS region. Origin data in the CICS performance record now reports the EXCI jobname if the transaction was initiated by an EXCI request from outside the CICS region. Improved messages report errors following a z/OS IPL that are caused by CICS initializing ahead of the TCP/IP stack being fully available. The INQUIRE FEATUREKEY command now reports the filepath of the zFS file from where the feature toggle was read. The new INQUIRE STORAGE64 command and new DFHSMMCX XPI call, INQUIRE_TASK_STORAGE64, can be used to retrieve information about 64-bit task storage. User-written routing programs can now indicate daisy-chaining support when routing non-terminal-related START requests. The routing program has to opt in by setting new field DYRDCYN field to 'Y' in the communications area or container for the distributed routing program (mapped by the DFHDYPDS copybook). Previously daisy-chaining was only supported implicitly for APPC links, whereas now user-written routing programs have to opt in explicitly. This feature is supported for MRO, IPIC and APPC links between CICS regions. Users can now optionally install CICS using z/OSMF Software Management. This provides a guided deployment and configuration experience. Users are encouraged to become familiar with the z/OSMF packaging type which is delivered only as part of this CICS TS open beta. Further information and installation details are available at the ServerPac Installation using z/OSMF content solution. CICS application resources often need to be installed in many CICS regions, sometimes with different resource attributes. For example, a CICS region used by a developer may require the execution diagnostics facility (EDF) to be set on for programs, and the data set name for files to point to test data. A system programmer is now able to use the same resource definitions in these environments and apply a new resource definition overrides file that contains rules that tailor resources as required. This feature provides the following advantages: Saves time and effort by using the same CICS definitions in development, test, and production environments without change. Easily describe and document the resource attributes to override in a separate file for that environment, using generic rules and system-specific symbols, such as the LPAR name, APPLID, CICS job name, USS locations for the CICS home and configuration locations, and sysplex name. Apply enterprise standards by ensuring certain attribute values are always on or off, set to a specific value, or follow a naming convention. Current limitations on index information have been removed in CICS, allowing increased capacity in the number of individual records that can be supported. The index information that was previously held in 31-bit storage in a data space is now stored in 64-bit storage, above the bar and therefore removing the limits imposed by the data space. Client data held in the data table continues to be stored in 31-bit data spaces. The CICS Db2 attachment facility is enhanced to pass CICS adapter data to Db2. If a CICS task that is accessing Db2 has adapter data in the CICS origin data, then the adapter ID is passed as appl-longname and the adapter data is passed as an accounting-string. Db2 writes the data in its SMF accounting records and the data is also available online through the Db2 special registers CURRENT CLIENT_APPLNAME and CURRENT CLIENT_ACCTNG. This capability requires Db2 12 with APAR PH31447. The CICS TS installation includes IBM WebSphere® Liberty, which is used by default when running Liberty in CICS. You are now able to configure the CICS JVM profile option WLP_INSTALL_DIR to specify the installation directory of the IBM z/OS Liberty Embedded base element. This feature enables the use of a consistent Liberty fix pack and Liberty angel process across an LPAR. CICS now limits the number of concurrent TLS handshakes to 90% of the MAXSSLTCBS value specified at startup. If the maximum limit is reached, a task that is requesting a TLS handshake is suspended with a resource name of S8TLSHS of resource type DSWC. To help the monitoring of concurrent TLS handshakes in a CICS region, new statistics are introduced in TCP/IP Global statistics. These statistics provide information about the maximum, current, and peak numbers of TLS handshakes that are running in parallel or that are waiting. This enhancement helps avoid issues such as high CPU, MAXTASK, or lack of S8 TCBs when many TLS handshakes are performed concurrently. It also allows in-flight web alias or pipeline tasks to obtain an available S8 TCB in order to send a reply back to the client in the same situation. The START CHANNEL command now supports NOCHECK and PROTECT options to migrate from passing data by interval control (START FROM) to passing data by using a channel (START CHANNEL). When a channel is used to pass data for a START request, users can now use the NOCHECK option to indicate that the request must be shipped to a remote system and no response is expected by the starting task, therefore improving CICS performance. With the PROTECT option, users can make the START request recoverable by instructing the starting task to take a syncpoint before committing the START request. A new DB2ENTRY attribute SHARELOCKS is provided to enable CICS to pass an XID to IBM Db2® and then instruct Db2 to share locks between threads that pass the same XID. Using the same XID, other threads that originate from other CICS regions or from other transaction managers, such as IBM IMS Transaction Manager (TM), can access Db2 in the same global unit of work (UOW). The XID token is not used for recovery between CICS and Db2. The passing of an XID involves a partial sign-on to Db2 for each UOW. This action closes cursors, so held cursors across syncpoints are not supported when the passing of an XID is enabled. Applications will have to reposition cursors after a syncpoint. Passing an XID avoids having to deal with UOW affinities. The sample statistics program DFH0STAT can now produce reports for CICS policies. The Policy report shows information and statistics about installed policy rules in the region. In support for this enhancement, the EXTRACT STATISTICS command supports a new RESTYPE option POLICY and a new SUBRESTYPE option POLICYRULE, which can be used to obtain statistics about a policy rule that is contained in a POLICY resource. In addition, two new commands INQUIRE POLICY and INQUIRE POLICYRULE are introduced to support inquiries on information about installed POLICY resources and the policy rules contained within. CICS is now able to automatically recover following an MVS logstream failure and subsequent MVS logger recovery. A new system transaction CLGR is attached to reset the state of CICS user journals that use the affected MVS logstream. Availability of the z/OS ServerPac as a portable software instance and the removal of CustomPac Installation Dialog support In March 2021, IBM announced that CICS TS, IBM IMS, IBM Db2, and related licensed programs can be ordered as a ServerPac in a portable software instance format, installable with z/OSMF Software Management. In July 2021, IBM announced z/OS V2.5 and its intention to make all IBM z/OS software on Shopz orderable as a ServerPac, and installable as a portable software instance or by using the CustomPac Installation Dialog. In November 2021, IBM announced further enhancements to z/OS 2.5 and made statements of general direction regarding the revised planned date for the following: IBM early programs CICS TS open beta is part of IBM early programs that enable clients to acquire early releases of a product for the purposes of testing before it is made commercially available. Participants in early programs typically gain insight into IBM strategy and direction. Participants can also accrue earlier benefits and payback from new features, and can gain a competitive edge and the opportunity for public recognition as a technology leader. Early programs participants are encouraged to provide feedback and articulate their own requirements to IBM, with the potential to help influence and shape future IBM products. Typically, product offerings that are provided by early programs: To register an interest in future, managed CICS TS early programs, contact the CICS Early Programs coordinator at cicsep@uk.ibm.com. Planned availability Key prerequisites Publications Online documentation for CICS TS open beta is available from IBM Documentation.
A new capability called security request recording will allow sysplex wide logging of CICS security requests to simplify the diagnosis of complex security problems. The log is activated for a specific origin request, such as a request to a TCPIPSERVICE, and then will record all CICS security requests associated with origin data of this request, including those which do not result in a call to the ESM. The information can then be output to a CSV file on zFS for diagnosis using the DFHSRR utility. DFHSRR replaces the REXX prototype tooling delivered in a previous CICS TS open beta.
A series of new messages will be issued for common errors with TLS connections when CICS is client (DFHSO03xx messages) or a server (DFHSO04xx messages). The messages are mainly configuration errors, and will be accompanied with additional information to the DFHSO0123. They will also include specific advise on diagnosing and fixing the error.
New monitoring and statistics will be available to reported on the TLS protocol levels and ciphers uses by CICS on inbound and outbound connections. This will simplify the upgrading of MINTLSLEVEL or removing ciphers. The new statistics will help to identify if unwanted protocols or ciphers are being used by the region, and if they are, the new monitoring will help identify the client or server that is using them.
The region tagging mechanism can be used to exclude regions, such as development regions, from reporting configuration errors to the IBM Heath Checker for z/OS. In addition, specific health checks, which are not applicable for a client, can be excluded for all regions.
In addition, the TLS protocol information for the session is added to the performance class data for inbound requests and to the transaction class data for outbound requests. This information can be used to identify external clients and servers which are using old protocols.
This is also available for CICS TS 5.6 with APAR PH34348.
Related Information
Document Information
Modified date:
17 January 2022
UID
ibm16360807