The CICSRequest node support in IBM® App Connect Enterprise provides direct communication with CICS® Transaction Server for z/OS® (two-tier connection) by sending Distributed Program Link (DPL) requests over TCP/IP-based IP InterCommunications (IPIC) protocol.
The CICSRequest node also supports communication with CICS through CICS Transaction Gateway (three-tier connection). For more information about three-tier connections, see CICS Transaction Server for z/OS three-tier connectivity.
A direct two-tier connection from IBM App Connect Enterprise to CICS can be made by using the CICS Connection policy or by setting the properties directly on the CICSRequest node.
CICS Connection policy connections:
A CICS connection from IBM App Connect Enterprise is made to a listening TCPIPSERVICE resource in CICS. When that connection is established, the active connection between IBM App Connect Enterprise and CICS is represented by an IPCONN resource.
Each CICS Connection policy results in a separate connection to CICS, so for every policy that is being used, there is an IPCONN resource in CICS. The properties of the IPCONN resource determine the properties of the link between IBM App Connect Enterprise and CICS.
The IPCONN resource that represents an IBM App Connect Enterprise to CICS connection can be created in two different ways; autoinstall or pre-defined.
The following diagram shows how IBM App Connect Enterprise can directly connect to CICS by using a CICS Connection policy.
When defining an IPCONN resource in CICS, consider the following properties:
The CICS APPLID and Network ID properties must match the CICS Connection policy clientApplid and clientQualifier properties.
The CICS host name and port properties must be used for connections between CICS regions only, they must not be set for IBM App Connect Enterprise connections.
IPCONNs are owned by a parent TCPIPSERVICE resource in CICS.
The CICS Receivecount property controls the number of simultaneous requests that can be performed over the connection. The number of simultaneous requests defaults to 100 for autoinstalled connections.
The Sendcount property must be set to 0 because the Sendcount property is used for CICS connections only, and must not be used for IBM App Connect Enterprise connections.
The CICS LINKAUTH property controls how the link security is managed. To use a resource in CICS, two security checks are performed; the "flowed" user, which checks the security credentials that are sent from IBM App Connect Enterprise, and the "link" user, which must also have permission for the resource. Both user IDs must have permission to use the resource before the request is granted. The link user ID is given low privileges, which means that even if the flowed user has many permissions, the link user ID can be used to cap the privilege of the connection. If LINKAUTH is set to SECUSER, the SECURITYNAME field is used to specify the link user ID. If set to CERTUSER, the link user is determined from an SSL client certificate that is mapped by RACF®. If USERAUTH(IDENTIFY) or USERAUTH(VERIFY) is specified, the link user ID is not used. Only the user ID received from the TOR is used to determine security.
The CICS USERAUTH property determines how the flowed user security is configured. If USERAUTH is set to "LOCAL" or "DEFAULTUSER", no user ID or password is to be sent to CICS on a request. This means that all requests use the CICS region ID. If USERAUTH is set to "IDENTIFY", user IDs are flowed without a password. If USERAUTH is set to "VERIFY", user IDs and passwords are required. If USERAUTH(IDENTIFY) or USERAUTH(VERIFY) is specified, the link user ID is not used. Only the user ID received from the TOR is used to determine security.
Each CICSRequest node in a message flow acts as a request on one of the connections to CICS. Which connection is used is determined by the policy that is used.
For more information about configuring the CICSRequest node to get connection details from a CICS Connection policy, see Changing connection information for the CICSRequest node.
You can configure the CICSRequest node or a CICS Connection policy to use SSL protocol. For more information, see Securing the connection to CICS Transaction Server for z/OS by using SSL.
CICSRequest node connections:
If a CICS Connection policy is not specified on the CICSRequest node, and a host name is used directly in the CICS server property, the request shares a connection with other resources that have specified the same CICS server URL. The first CICSRequest node to be used opens the connection to CICS, regardless of whether a URL or a policy is specified in the CICS server property.