CICS TS for Z/OS: CICS Security Guide Chapter 1

CICS Transaction Server for z/OS 5.6
CICS Security Guide
IBM

Note
Before using this information and the product it supports, read the information in Product Legal Notices.

This edition applies to the IBM® CICS® Transaction Server for z/OS®, open beta (product number 5655-YV15655-BTA) and to all subsequent releases and modifications until otherwise indicated in new editions. The IBM CICS Transaction Server for z/OS, open beta may be referred to in the product and documentation as CICS Transaction Server for z/OS, 6.1.

© Copyright International Business Machines Corporation 1974, 2021. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this PDF

Chapter 1. What does security mean for CICS?

Chapter 2. CICS security is a team sport

Chapter 3. How it works: identification in CICS
  • Identity propagation

Chapter 4. How it works: authentication in CICS
  • Which authentication method can I use with CICS access methods?
  • Passwords and passphrases
  • PassTickets
  • Multi-Factor Authentication (MFA)
  • ICRX (Extended Identity Context Reference)
  • Certificates
  • JSON Web Token (JWT)
  • OAuth 2.0
  • OpenID Connect
  • Kerberos
  • Lightweight Third-Party Authentication (LTPA)
  • SAML

Chapter 5. How it works: authorization
  • Transaction security
  • Resource security
  • Command security
  • Intercommunication security
  • Role authorization
  • Application-specific security (QUERY SECURITY)
  • Surrogate security

Chapter 6. How it works: auditing

Chapter 7. Security for SOAP web services
  • How it works: SOAP message security
    • How it works: authentication for CICS with SOAP message security
    • How it works: signing SOAP messages
    • How it works: SOAP message encryption
  • Designing security for CICS web service providers
    • Example: Designing a secure direct request with TLS client authentication
    • Example: Designing to assert an identity to the CICS web service provider
    • Example: Designing to propagate a distributed identity to the CICS web service provider
  • Designing security for CICS web service requesters
    • Example: Designing a secure web service request with TLS client authentication
    • Example: Designing to assert an identity to the CICS web service provider
  • Configuring SOAP message security for CICS web services
    • Installing the prerequisites for WS-Security support
    • Configuring the pipeline for WS-Security
    • Configuring provider mode web services for identity propagation
    • Configuring RACF for WS-Security
    • Invoking the Trust client from a message handler
    • Writing a custom security handler

Chapter 8. Security for IPIC (IP interconnectivity)
  • How it works: CICS IPIC Security
    • How it works: IPIC connection security
    • How it works: IPIC transport security
    • How it works: IPIC link security
    • How it works: IPIC user security
  • Designing security for IPIC
    • Example: Designing CICS-to-CICS with an IPIC connection within a sysplex
    • Example: Designing CICS-to-CICS with an IPIC connection that uses TLS
    • Example: Designing client-to-CICS with a trusted IPIC connection
    • Example: Designing client-to-CICS with an IPIC connection that uses TLS
  • Configuring security for IPIC

Chapter 9. Security for CICS Liberty
  • How it works: CICS Liberty security
    • How it works: Securing Liberty web applications
    • How it works: Securing Link to Liberty applications
    • How it works: Securing Liberty message driven beans (MDBs)
  • Designing security for CICS Liberty
    • Example: Designing to secure an application with basic authentication
    • Example: Designing to secure an application with TLS client authentication
    • Example: Designing to secure an application with a JWT

Chapter 10. Auditing CICS

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 168
