CICS Transaction Gateway can perform authentication and authorization checks at different points during the processing of requests.
Authentication verifies that the user is who they say they are.
Depending on topology, authentication can be based on the user ID
passed with the ECI request, an SSL client certificate, or a distributed
identity (identity propagation).
Authorization verifies that a user is allowed to access a particular
resource for a given intent; for example, to execute a method in a
bean or to update a CICS resource.
Security in a remote mode topology
The following figure shows the locations in a remote mode topology
where the system performs authentication and authorization. In this
topology, WebSphere Application Server is running on Windows and CICS
Transaction Gateway is running on z/OS. The EJB application in WebSphere
uses the ECI resource adapter and the Gateway daemon to access the
CICS COMMAREA application.
Figure 1. Security in a remote topology
The following authentication options are available in this topology:
- User authentication by CICS Transaction Gateway. The user ID can
be passed to CICS without a password.
- Identity propagation. This is a unified security solution that
enables additional user auditing and authorization by passing a distributed
identity to CICS instead of a user ID and password.
- SSL client authentication. A trust relationship is established
between WebSphere Application Server and the Gateway daemon so that
the application server can be trusted to pass the user ID on an ECI
request to CICS.
The following authorization options are available
in this topology:
- Component-managed sign-on. With this option, security credentials
are propagated to CICS by the application.
- Container-managed sign-on. With this option, security credentials
are propagated to CICS by a Web or EJB container.
- Link user ID authorization checking. This provides an additional
check on whether the link user ID is authorized to access the CICS
resource.
- MRO bind security. This prevents unauthorized attached MRO regions
from starting transactions in a CICS server, and determines whether
or not a particular CICS Transaction Gateway can connect (bind) to
a particular CICS server.
- Link security. This ensures that the link user ID used for authorization
checks in CICS is the user ID associated with the started task of
the Gateway daemon.
- Surrogate security. This authorizes the user ID associated with
the CICS Transaction Gateway started task to switch the security context
of an EXCI request to the user ID that was passed to CICS.
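The difference between component-managed and container-managed sign-on shows up in how the EJB obtains its ECI connection. The following Java fragment is an added illustration, not code from the CICS Transaction Gateway documentation; the JNDI names, the ECIConnectionSpec setter calls and the container authentication alias are assumptions.

```java
import javax.annotation.Resource;
import javax.resource.ResourceException;
import javax.resource.cci.Connection;
import javax.resource.cci.ConnectionFactory;
import com.ibm.connector2.cics.ECIConnectionSpec;

// Added example (not from the CICS TG documentation). The JNDI names below
// are assumed; the connection factories are defined in WebSphere.
public class EciSignOnExamples {

    // Component-managed sign-on: the application supplies the credentials
    // itself on every getConnection call, so they are propagated to CICS
    // by the application code.
    @Resource(lookup = "eis/CICSTG_ComponentManaged",
              authenticationType = Resource.AuthenticationType.APPLICATION)
    private ConnectionFactory componentManagedCf;

    // Container-managed sign-on: the EJB or Web container attaches the
    // credentials (for example from a configured authentication alias),
    // so the application never handles a user ID or password.
    @Resource(lookup = "eis/CICSTG_ContainerManaged",
              authenticationType = Resource.AuthenticationType.CONTAINER)
    private ConnectionFactory containerManagedCf;

    // Credentials are passed explicitly through the connection spec.
    public Connection openComponentManaged(String userId, String password)
            throws ResourceException {
        ECIConnectionSpec spec = new ECIConnectionSpec();
        spec.setUserName(userId);
        spec.setPassword(password);
        return componentManagedCf.getConnection(spec);
    }

    // No connection spec: the container supplies the credentials it was
    // configured with, which keeps passwords out of application code.
    public Connection openContainerManaged() throws ResourceException {
        return containerManagedCf.getConnection();
    }
}
```

With container-managed sign-on the user ID that reaches CICS is decided by the container configuration rather than by the calling code, which is why that option is preferred when the application should not be trusted to choose identities.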
The following data integrity and confidentiality options
are available in this topology:
- RACF keyring support. With this option, SSL key stores are held
in RACF.
- System z hardware cryptographic support. SSL handshakes can be
offloaded to hardware to reduce the CPU load due to handshakes and
encryption.
- SSL cipher suite selection. This allows only certain algorithms
and strengths of ciphers to be used for SSL connections.