IPIC connections enforce link security to control user activity
over a connection, and flowed security to allow you to specify a username
and password before communicating with a secured CICS® region.
To set up user security, you need to define an IPCONN definition in CICS that relates to the APPLID defined by the CICS Transaction Gateway or resource adapter.
The USERAUTH setting in the IPCONN definition is comparable to the ATTACHSEC setting. USERAUTH=IDENTIFY allows only SSL client authentication and communication between programs within a sysplex. All other communications require USERAUTH=VERIFY.
IPIC link security
There are two ways to specify the link user for IPIC connections: the SECURITYNAME option, or an SSL certificate. You can use an SSL certificate only with client-authenticated SSL, where both the client and the server have certificates. The client's certificate is mapped by RACF® to a specific user ID, which is defined as the link user. This means that you can specify different link users, depending on which certificate the client presents.
To specify a link user, do the following:
- Define an IPCONN definition in CICS that relates to the APPLID defined by the CICS Transaction Gateway or resource adapter.
- Set LINKAUTH to either:
  - SECUSER if you want to use SECURITYNAME
  - CERTUSER if you want to use the SSL certificate
- If you specify SECUSER, specify the SECURITYNAME option.
- If you specify CERTUSER, define your mappings in RACF to your chosen user ID. Ensure that you are using a TCPIPSERVICE definition that is set up for SSL (not TCP) and is also enabled for client authentication.
When you specify CERTUSER, RACF maps the client certificate to a user ID, and CICS defines this user ID as the link user. This process is called certificate name filtering. For more information on certificate name filtering, see the IBM® Redpaper "J2C Security on z/OS®" (redp4202.pdf) at the IBM Redbooks™ Web site.
IPIC flowed security
You can specify a user ID and password before setting up a connection to a secured CICS region, either by using the ECIRequest base class or by setting the corresponding properties on the resource adapter object.
To set custom properties
for the ECI resource adapter:
- Set the flowed username in the UserName property
- Set the password in the Password property
To override ECIConnectionSpec settings:
- Create an ECIConnectionSpec object with the required
username and password.
- Use this object for requests on the selected connection and in the getConnection() method
of your ECI ConnectionFactory.
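The ECIConnectionSpec path described above, as an added example that is not code from the CICS Transaction Gateway documentation: the JNDI name, the program name and the Record objects are assumptions supplied by the caller.

```java
// Added example (not from the CICS TG documentation): flow a user ID and
// password per request with an ECIConnectionSpec, overriding any UserName /
// Password custom properties set on the ECI ConnectionFactory.
// Assumptions: the ConnectionFactory is bound in JNDI at "java:comp/env/eis/ECI",
// and the caller supplies the input/output Records for the target program.
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.resource.ResourceException;
import javax.resource.cci.Connection;
import javax.resource.cci.ConnectionFactory;
import javax.resource.cci.Interaction;
import javax.resource.cci.Record;

import com.ibm.connector2.cics.ECIConnectionSpec;
import com.ibm.connector2.cics.ECIInteractionSpec;

public class FlowedSecurityCall {

    private static final String CF_JNDI_NAME = "java:comp/env/eis/ECI"; // assumed JNDI name

    /** Runs one CICS program with the caller's credentials flowed on the request. */
    public static void callWithFlowedCredentials(String userId, char[] password,
            String program, Record in, Record out)
            throws NamingException, ResourceException {
        ConnectionFactory cf = (ConnectionFactory) new InitialContext().lookup(CF_JNDI_NAME);

        // Credentials on the ConnectionSpec take precedence over the factory's custom
        // properties, so several callers can share one factory yet each be verified
        // by CICS as their own user ID (USERAUTH=VERIFY on the IPCONN).
        ECIConnectionSpec spec = new ECIConnectionSpec();
        spec.setUserName(userId);
        spec.setPassword(new String(password));

        Connection conn = cf.getConnection(spec);
        try {
            ECIInteractionSpec ispec = new ECIInteractionSpec();
            ispec.setFunctionName(program);
            ispec.setInteractionVerb(ECIInteractionSpec.SYNC_SEND_RECEIVE);
            Interaction ix = conn.createInteraction();
            try {
                ix.execute(ispec, in, out);
            } finally {
                ix.close();
            }
        } finally {
            conn.close();
            java.util.Arrays.fill(password, '\0'); // clear the caller's password buffer
        }
    }
}
```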