
IPIC security

IPIC connections enforce link security to control user activity over a connection, and flowed security to allow you to specify a username and password before communicating with a secured CICS® region.

To set up user security, you need to define an IPCONN definition in CICS that relates to the APPLID defined by the CICS Transaction Gateway or resource adapter.

The USERAUTH setting in the IPCONN definition is comparable to the ATTACHSEC setting. USERAUTH=IDENTIFY allows only SSL client authentication and communication between programs within a sysplex. All other communications require USERAUTH=VERIFY.

IPIC link security

There are two ways that you can specify the link user for IPIC connections: the SECURITYNAME option, or an SSL certificate. You can use an SSL certificate if you have client-authenticated SSL (where both the client and the server have certificates). The client's certificate is mapped by RACF® to a specific user ID, which is defined as the link user. This means that you can specify different link users, depending on which certificate you are using.

To specify a link user, you must do the following:
  1. Define an IPCONN definition in CICS that relates to the APPLID defined by the CICS Transaction Gateway or resource adapter.
  2. Set LINKAUTH to either:
    1. SECUSER if you want to use SECURITYNAME
    2. CERTUSER if you want to use the SSL certificate
  3. If you specify SECUSER, specify the SECURITYNAME option.
  4. If you specify CERTUSER, define your mappings in RACF to your chosen user ID. Ensure you are using a TCPIPSERVICE definition that is set up for SSL (not TCP) and is also enabled for client authentication.

When you specify CERTUSER, RACF maps the client certificate to a user ID. CICS defines this user ID as the link user. This process is called Certificate name filtering. For more information on Certificate name filtering, see the IBM® Redpaper J2C Security on z/OS® (redp4202.pdf) at the IBM Redbooks™ Web site.

IPIC flowed security

You can specify a user ID and password before setting up a connection to a secured CICS region, either by using the ECIRequest base class, or by setting variables on the object.

To set custom properties for the ECI resource adapter:
  • Set the flowed username in the UserName property
  • Set the password in the Password property

To override ECIConnectionSpec settings:
  • Create an ECIConnectionSpec object with the required username and password.
  • Use this object for requests on the selected connection and in the getConnection() method of your ECI ConnectionFactory.
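
The override steps above, as an added example that is not part of the original documentation. It assumes the CICS Transaction Gateway resource adapter classes are on the classpath and that the ConnectionFactory was obtained elsewhere (for example by JNDI lookup); the class name, the record class and the environment variable names CICS_FLOW_USER and CICS_FLOW_PASSWORD are hypothetical.

```java
import java.io.*;
import javax.resource.ResourceException;
import javax.resource.cci.Connection;
import javax.resource.cci.ConnectionFactory;
import javax.resource.cci.Interaction;
import javax.resource.cci.Record;
import javax.resource.cci.Streamable;
import com.ibm.connector2.cics.ECIConnectionSpec;
import com.ibm.connector2.cics.ECIInteractionSpec;

public class FlowedSecurityExample {
    /** Minimal COMMAREA record: a byte buffer (constructed for this example). */
    static class CommareaRecord implements Record, Streamable {
        private byte[] data;
        private String name = "commarea", desc = "";
        CommareaRecord(int length) { data = new byte[length]; }
        public void read(InputStream in) throws IOException { data = in.readAllBytes(); }
        public void write(OutputStream out) throws IOException { out.write(data); }
        byte[] bytes() { return data; }
        public String getRecordName() { return name; }
        public void setRecordName(String n) { name = n; }
        public String getRecordShortDescription() { return desc; }
        public void setRecordShortDescription(String d) { desc = d; }
        @Override public Object clone() throws CloneNotSupportedException { return super.clone(); }
    }

    /** Calls a CICS program with a flowed user ID and password that override
     *  the UserName and Password properties set on the resource adapter. */
    static byte[] callAsUser(ConnectionFactory cf, String program, int commareaLength)
            throws ResourceException {
        // Read credentials at run time so they are not hard-coded in source.
        String user = System.getenv("CICS_FLOW_USER");     // hypothetical name
        String pass = System.getenv("CICS_FLOW_PASSWORD"); // hypothetical name
        if (user == null || pass == null)
            throw new IllegalStateException("flowed credentials are not set");
        Connection conn = cf.getConnection(new ECIConnectionSpec(user, pass));
        try {
            Interaction ix = conn.createInteraction();
            ECIInteractionSpec is = new ECIInteractionSpec();
            is.setFunctionName(program);
            is.setInteractionVerb(ECIInteractionSpec.SYNC_SEND_RECEIVE);
            is.setCommareaLength(commareaLength);
            CommareaRecord rec = new CommareaRecord(commareaLength);
            ix.execute(is, rec, rec); // same record carries input and output
            ix.close();
            return rec.bytes();
        } finally {
            conn.close(); // release the connection even if the call fails
        }
    }
}
```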