Changes to security
This section summarizes the changes that relate to security across supported CICS® releases. Use this information to plan the impact of upgrading from one release to another.
If you are upgrading from an end-of-service release, you can find information about the changes that are relevant to those releases in Summary of changes from end-of-service releases.
For information about changes to RACF® classes, see Changes to RACF classes.
Identification
| Changes | 5.5 | 5.6 | 6.1 | 6.2 |
|---|---|---|---|---|
| KERBEROSUSER system initialization parameter | NEW |
Authentication
| Changes | 5.5 | 5.6 | 6.1 | 6.2 |
|---|---|---|---|---|
| SIGNON | CHANGED: New options CHANGETIME, DAYSLEFT, EXPIRYTIME, INVALIDCOUNT, and LASTUSETIME reveal more information about the sign-on user ID and password. |
|||
| CHANGED: New option GROUPID on VERIFY PASSWORD and VERIFY PHRASE supports password or passphrase verification against the supplied group ID. |
CHANGED: VERIFY TOKEN is enhanced to support JSON Web Tokens (JWTs) provided by RACF. |
|||
| CICS Explorer® support for MFA | NEW | CHANGED:
ON by default |
||
| Terminal sign-on security control | CHANGED: New options EXIT and DISCONNECT on GMTRAN system initialization parameter allow you to control what happens if the user fails to complete the sign-on using CESN or CESL. |
CHANGED: Option DISCONNECT on GMTRAN system initialization parameter also applies to CESF. |
||
| ASSIGN | CHANGED: New option GMEXITOPT shows the GMTRAN terminal session behavior option on a PF3 or PF15. |
|||
| Certificate expiry warning |
|
|||
| Liberty oauth-2.0 | NEW | |||
| Liberty JWT and OpenID Connect | NEW | |||
| Liberty Wait for angel at JVM server startup | NEW | |||
| Liberty Multiple Liberty servers per CICS region using an angel | NEW | |||
| Liberty Java™ EE 8 Security-1.0 API with JSR 375 | NEW with APAR: PH15017 | NEW |
Authorization
| Changes | 5.5 | 5.6 | 6.1 | 6.2 |
|---|---|---|---|---|
| Security for CICS-supplied transactions | CHANGED: CICS checks the region user ID's authority to access Category 1 transactions at startup. Message DFHXS1113 is issued for unauthorized transactions. |
REMOVED: Authorization check for Category 1 transactions is removed. There's no need to define Category 1 transactions to RACF anymore. |
CHANGED: To conform with a zero trust strategy, all CICS transactions, excluding
CJXA and CICSPlex® SM transactions (CO**), are
defined with For a list of affected CICS transactions, see CICS transactions subject to security checking. |
|
| Security for user-defined transactions | CHANGED: To conform with a zero trust strategy, the default values of
|
|||
| CICS security discovery | NEW | |||
| Security definition capture (SDC) and security definition validation (SDV) | NEW | |||
| Security for job submission from SPOOL or TDQ commands | NEW: Security for job submission from SPOOL or TDQ commands | CHANGED: CICS surrogate user checking is made if system initialization parameter XUSER=YES is in effect. The default job user ID for a JOB card that is submitted, without a USER parameter, by using SPOOL commands to the internal reader, is subject to the INTRDRJOBUSER system initialization parameter instead of a feature toggle that is now made obsolete. By the default of INTRDRJOBUSER, the task user ID is assumed while in 5.5 through 6.1 the CICS region user ID is assumed. |
||
| INTRDRJOBUSER system initialization parameter | NEW | |||
| New USERID option on QUERY SECURITY | NEW | |||
| INQUIRE TERMINAL, INQUIRE NETNAME, and SET TERMINAL behavior | CHANGED: Command security checking is not performed if the task or program that issues the command was started or attached to the same terminal that is being inquired or modified by the command, with a few exceptions. |
|||
| Security request recording | NEW | |||
| Controlling the API and SPI used by developers | NEW | |||
| Control of HPO SIT override | NEW |
Integrity
| Changes | 5.5 | 5.6 | 6.1 | 6.2 |
|---|---|---|---|---|
| Support for HTTP strict transport security (HSTS) | NEW with APAR: PH55369 | NEW with APAR: PH55369 | NEW with APAR: PH55370 | NEW |
| Instruction execution protection | NEW |
Confidentiality
| Changes | 5.5 | 5.6 | 6.1 | 6.2 | |
|---|---|---|---|---|---|
| Enabling TLS 1.3 in CICS | NEW
|
||||
| MAXTLSLEVEL system initialization parameter | NEW | ||||
| MINTLSLEVEL system initialization parameter | CHANGED:
The default is changed from TLS10 to TLS12. |
NEW OPTION:
REMOVED OPTIONS:
STABILIZED OPTION:
|
|||
| KEYRING system initialization parameter | CHANGED with APAR PH49253: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID. |
CHANGED with APAR PH49253: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID. |
CHANGED with APAR PH49261: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID. |
CHANGED: Accepts more formats of key ring names to allow use of key rings that are not owned by the region user ID. |
|
| CONFDATA system initialization parameter | CHANGED: The default is changed from SHOW to HIDE. The HIDE option replaces HIDETC. |
||||
| SNI support in CICS TS communications with an HTTP server over TLS connections | NEW with APAR: PH20063 | NEW | |||
| Default cipher suite specification file | NEW with APAR PH45703: Feature toggle
|
NEW with APAR PH38091:
Feature toggle |
NEW:
Feature toggle
|
CHANGED:
|
|
| TLS diagnostics | CHANGED:
|
||||
| Key sizes for TLS handshakes | NEW with APAR PH50175: Feature toggle
|
NEW with APAR PH50175: Feature toggle
|
NEW with APAR PH51719: Feature toggle
|
NEW:
|
|
| SSL cache | CHANGED: Sysplex caching for TLS 1.3 is supported. See SSLCACHE system initialization parameter. |
||||
| Message DFHIS2041 indicates an attempt to acquire the named IPCONN failed because of unsecured TCPIP connections with a partner system that is located outside the sysplex | NEW | ||||
| Initialization parameters for WUI or SMSS |
|
||||
| WS-Security requirements | CHANGED: WS-Security now requires IBM® XML Toolkit for z/OS v1.11. |
Auditing
| Changes | 5.5 | 5.6 | 6.1 | 6.2 |
|---|---|---|---|---|
| IBM Health Checker for z/OS support | CHANGED: New health checks that define best practices for CICS security:
|
CHANGED: New health check: CICS_STABILIZED_FUNCTIONS | ||
| Classifying CICS regions with region tagging | NEW: Allows you to suppress IBM Health Checker for z/OS messages by excluding certain CICS health checks. | |||
| Compliance data collection with SMF 1154 subtype 80 records | NEW: CICS regions can generate an SMF 1154 subtype 80 record in response to ENF86 triggered by the z/OSMF Compliance REST API. | |||
| Security domain statistics | NEW: Monitoring capability introduced for the security domain | CHANGED: When logging is disabled for QUERY SECURITY, CICS security domain statistics are still written to XSG_AUTHOR_FAIL_NL_NA and XSG_AUTHOR_FAIL_NL_NF fields, with DFHSTUP names Failed authorizations NOLOG NOTAUTH and Failed authorizations NOLOG NOTFND respectively. |
||
| CICS monitoring | CHANGED: When logging is disabled for QUERY SECURITY, CICS monitoring data is still written to XSNLNACT and XSNLNFCT fields. |
Performance
| Changes | 5.5 | 5.6 | 6.1 | 6.2 |
|---|---|---|---|---|
New DPLONLY option on XPPT allows you to secure remote program at a lower cost |
NEW | |||
| Performance improvement to QUERY SECURITY | NEW | |||
| CICSPlex SM capability of processing type 71 ENF events for a CICSplex | NEW |
Deprecated and removed
| Change | 5.5 | 5.6 | 6.1 | 6.2 |
|---|---|---|---|---|
| ENCRYPTION system initialization parameter | REMOVED | |||
| Numeric CIPHERS | DEPRECATED | |||
| EXCI SURROGCHK option | REMOVED with APAR: PH09898 Surrogate checking is always done. Specifying SURROGCHK=YES in the EXCI options table, DFHXCOPT, is accepted for compatibility. |
REMOVED:
Surrogate checking is always done. Specifying SURROGCHK=YES in the EXCI options table, DFHXCOPT, is accepted for compatibility. |
||
| Removal of XSNEX global user exit | REMOVED |