Security considerations

CICS Transaction Gateway can perform authentication and authorization checks at different points during the processing of requests.

Authentication verifies that the user is who they say they are. Depending on topology, authentication can be based on the user ID passed with the ECI request, an SSL client certificate, or a distributed identity (identity propagation).

Authorization verifies that a user is allowed to access a particular resource for a given intent; for example, to execute a method in a bean or to update a CICS resource.

Security in a remote mode topology

The following figure shows the locations in a remote mode topology where the system performs authentication and authorization. In this topology, WebSphere Application Server is running on Windows and CICS Transaction Gateway is running on z/OS. The EJB application in WebSphere uses the ECI resource adapter and the Gateway daemon to access the CICS COMMAREA application.

Figure 1. Security in a remote mode topology (figure not reproduced here; it shows where authentication and authorization occur in a remote mode topology)

The following authentication options are available in this topology:

  • User authentication by CICS Transaction Gateway. The user ID can be passed to CICS without a password.
  • Identity propagation. This is a unified security solution that enables additional user auditing and authorization by passing a distributed identity to CICS instead of a user ID and password.
  • SSL client authentication. A trust relationship is established between WebSphere Application Server and the Gateway daemon so that the application server can be trusted to pass the user ID on an ECI request to CICS.

The following authorization options are available in this topology:

  • Component-managed sign-on. With this option, security credentials are propagated to CICS by the application.
  • Container-managed sign-on. With this option, security credentials are propagated to CICS by a web or EJB container.
  • Link user ID authorization checking. This provides an additional check on whether the link user ID is authorized to access the CICS resource.
  • MRO bind security. This prevents unauthorized attached MRO regions from starting transactions in a CICS server, and determines whether or not a particular CICS Transaction Gateway can connect (bind) to a particular CICS server.
  • Link security. This ensures that the link user ID used for authorization checks in CICS is the user ID associated with the started task of the Gateway daemon.
  • Surrogate security. This authorizes the user ID associated with the CICS Transaction Gateway started task to switch the security context of an EXCI request to the user ID that was passed to CICS.
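The two sign-on options above differ only in which party supplies the credentials on the ECI request. The following Java fragment is an added illustration, not code from this documentation or from the CICS Transaction Gateway product: it contrasts a component-managed sign-on, where the application builds an ECIConnectionSpec carrying the user ID and password, with a container-managed sign-on, where the application calls getConnection() with no credentials and the container supplies the identity configured on the connection factory. The JNDI name java:comp/env/eis/CICS, the class name com.ibm.connector2.cics.ECIConnectionSpec and its setUserName/setPassword methods are assumptions made here for the example.

```java
import javax.naming.InitialContext;
import javax.resource.cci.Connection;
import javax.resource.cci.ConnectionFactory;
import com.ibm.connector2.cics.ECIConnectionSpec; // assumed class name of the ECI resource adapter's ConnectionSpec

/**
 * Added example: the two JCA sign-on modes for the ECI resource adapter.
 * Which mode is in effect is declared by the resource reference (res-auth
 * Application vs Container) in the deployment descriptor; the code below
 * shows what the application does in each case.
 */
public class CicsSignOnModes {

    // JNDI name of the connection factory; assumed for this example.
    private static final String CF_JNDI_NAME = "java:comp/env/eis/CICS";

    private static ConnectionFactory lookupFactory() throws Exception {
        InitialContext ctx = new InitialContext();
        return (ConnectionFactory) ctx.lookup(CF_JNDI_NAME);
    }

    /**
     * Component-managed sign-on (res-auth = Application): the application
     * itself places the user ID and password on the connection request, so it
     * is responsible for how those credentials were obtained and protected.
     */
    public static Connection componentManaged(String userId, char[] password) throws Exception {
        ConnectionFactory cf = lookupFactory();
        ECIConnectionSpec spec = new ECIConnectionSpec(); // assumed constructor
        spec.setUserName(userId);                           // assumed setter
        spec.setPassword(new String(password));             // assumed setter
        try {
            return cf.getConnection(spec);
        } finally {
            java.util.Arrays.fill(password, '\0'); // do not leave the password in memory longer than needed
        }
    }

    /**
     * Container-managed sign-on (res-auth = Container): the application passes
     * no credentials at all. The web or EJB container supplies the identity
     * configured for the connection factory (a mapped user ID, or the caller's
     * distributed identity when identity propagation is in use), so the
     * application never handles a password.
     */
    public static Connection containerManaged() throws Exception {
        ConnectionFactory cf = lookupFactory();
        return cf.getConnection();
    }
}
```

With container-managed sign-on the application code contains no credential handling, which is the reason it is usually preferred: the identity that reaches CICS is decided by the container configuration and, with identity propagation, by the authenticated caller, not by string literals or property files inside the application.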

The following data integrity and confidentiality options are available in this topology:

  • RACF keyring support. With this option SSL key stores are stored in RACF.
  • System z hardware cryptographic support. SSL handshakes can be offloaded to hardware to reduce the CPU load due to handshakes and encryption.
  • SSL cipher suite selection. This allows only certain algorithms and strengths of ciphers to be used for SSL connections.


Last updated: Tuesday, 19 November 2013


https://ut-ilnx-r4.hursley.ibm.com/tgzos_latest/help/topic/com.ibm.cics.tg.zos.doc//ctgzos/secure_consids.html