IPIC link security
Link security restricts the resources a user can access, depending on the remote system from which they are accessed. The practical effect of link security is to prevent a remote user from attaching a transaction or accessing a resource for which the link user ID has no authority.
When link security is in use, all requests are given an authority defined by the link user ID. For IPCONNs, all requests for a connection have the same link user ID.
Specifying IPIC link security
The LINKAUTH attribute of the IPCONN resource specifies how the link user ID is established:
- CERTUSER
  TCP/IP communication with the partner system must be configured for SSL, and a certificate must be received from the partner system during the SSL handshake. The IPCONN resource must refer to a TCPIPSERVICE resource that is defined with SSL(CLIENTAUTH). The received certificate must be defined to the external security manager so that it is associated with a user ID, which is used to establish link security.
- SECUSER
  Specifies that the user ID specified in the SECURITYNAME attribute of the IPCONN resource is used to establish link security.
The default value is LINKAUTH(SECUSER).
In a CICS system with security initialized (SEC=YES), the link user ID is used to establish the authority of the remote system. The link user ID must be a valid RACF® user ID on this region. Access to protected resources on this region is based on the RACF user profile and its group membership.
Whether one or two resource checks are made depends on whether the link user ID matches the user ID under which the request runs:
- If the user IDs match, only one security check is made. This is either against the default user (for USERAUTH=LOCAL or DEFAULTUSER) or against the user ID that is in the received inbound attach request (USERAUTH=IDENTIFY or VERIFY).
- If the user IDs do not match, then for USERAUTH=LOCAL, resource checks are done only against the link user ID. For USERAUTH=IDENTIFY or VERIFY there are always two resource checks: the first is against the link user ID, and the second is against the user ID received from the remote user in the attach request. For USERAUTH=DEFAULTUSER there are always two resource checks: the first is against the link user ID, and the second is against the default user.
If a failure occurs in establishing link security, the link is given the security of the local region's default user. This can happen, for example, when the link user ID has been revoked.
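The following Python model is an added example, not CICS code or anything from this documentation. It encodes the decision procedure described above: how the link user ID is established under LINKAUTH(CERTUSER) or LINKAUTH(SECUSER), the fall-back to the region's default user when that fails (for example, a revoked link user ID), and which user IDs are subjected to a resource check for each USERAUTH setting. The external security manager is modelled as a small in-memory table; all user IDs, resource names and certificate labels are constructed sample values.

```python
"""Model of IPIC link-security checks (added illustration, not CICS code).

Assumptions (hypothetical, for the example only):
- The ESM is a table mapping user ID -> set of resources it may access,
  plus a set of revoked user IDs and a certificate -> user ID mapping.
- The local region's default user is DEFAULT_USER.
"""
from dataclasses import dataclass, field

DEFAULT_USER = "CICSUSER"  # constructed: the local region's default user


@dataclass
class ExternalSecurityManager:
    """Minimal stand-in for RACF: profiles, revoked IDs, certificate mapping."""
    authorized: dict          # user ID -> set of resource names
    revoked: set = field(default_factory=set)
    cert_users: dict = field(default_factory=dict)  # certificate label -> user ID

    def is_valid(self, user):
        """A usable user ID is defined to the ESM and not revoked."""
        return user in self.authorized and user not in self.revoked

    def permits(self, user, resource):
        return self.is_valid(user) and resource in self.authorized[user]


def link_user_id(esm, linkauth, securityname=None, client_cert=None):
    """Establish the link user ID per LINKAUTH.

    CERTUSER: user ID associated with the client certificate received in
    the SSL handshake.  SECUSER: the SECURITYNAME attribute.  If the
    candidate is missing, undefined or revoked, the link gets the
    security of the default user.
    """
    if linkauth == "CERTUSER":
        candidate = esm.cert_users.get(client_cert)
    elif linkauth == "SECUSER":
        candidate = securityname
    else:
        raise ValueError("LINKAUTH must be CERTUSER or SECUSER")
    if candidate is None or not esm.is_valid(candidate):
        return DEFAULT_USER
    return candidate


def users_to_check(link_user, userauth, request_user=None):
    """Return the ordered list of user IDs whose authority is checked.

    LOCAL / DEFAULTUSER run the request as the default user; IDENTIFY /
    VERIFY run it as the user ID carried in the attach request.
    """
    if userauth in ("LOCAL", "DEFAULTUSER"):
        request_user = DEFAULT_USER
    elif userauth in ("IDENTIFY", "VERIFY"):
        if request_user is None:
            raise ValueError("attach request carries no user ID")
    else:
        raise ValueError("unknown USERAUTH value")
    if request_user == link_user:
        return [request_user]            # IDs match: a single check
    if userauth == "LOCAL":
        return [link_user]               # mismatch under LOCAL: link user only
    return [link_user, request_user]     # two checks, link user first


def access_allowed(esm, link_user, userauth, resource, request_user=None):
    """Access is granted only if every checked user ID is authorized."""
    return all(esm.permits(u, resource)
               for u in users_to_check(link_user, userauth, request_user))


# Constructed sample ESM contents.
SAMPLE_ESM = ExternalSecurityManager(
    authorized={"LINKA": {"TRN1", "TRN2"}, "ALICE": {"TRN2"},
                "LINKREV": {"TRN1", "TRN2"}, DEFAULT_USER: {"TRN1"}},
    revoked={"LINKREV"},
    cert_users={"cert-alpha": "LINKA"},
)

if __name__ == "__main__":
    lu = link_user_id(SAMPLE_ESM, "SECUSER", securityname="LINKA")
    print(lu, users_to_check(lu, "IDENTIFY", "ALICE"),
          access_allowed(SAMPLE_ESM, lu, "IDENTIFY", "TRN1", "ALICE"))
```

The ordering in `users_to_check` matters for diagnosis: a denial on the first check means the link itself lacks authority, while a denial on the second means the remote user does; an audit record that names which of the two failed tells the administrator whether to adjust the link user's profile or the end user's.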