The CICS security model requires some additional actions in the way that you configure
permissions for Services and APIs with z/OS Connect for CICS 1.0 and z/OS Connect Enterprise Edition.
About this task
When z/OS Connect is used to inject work into CICS, the following two identities are
associated with the work at different stages of the processing:
- An initial, temporary identity is allocated during the process of attaching the work.
- An authenticated identity is then used to run the remainder of the work.
You can configure these identities in several ways, depending on your preferences and system
environment.
Procedure
1. Optional: Create an alternative initial user ID for z/OS Connect.
   By default, the initial identity is the default CICS user ID, but you might choose to assign a
   different user ID to avoid giving the default CICS user ID permission to run transaction
   CPIH, or its equivalent.
2. Authorize the alternative initial user ID to run transaction CPIH and any
   other transactions that are initiated through z/OS Connect.
   The initial user ID requires permission to run the target transaction for the Service or API.
3. Assign a default initial user ID. You can choose either or both of the following methods:
   - Set a user ID override value in the JVM profile for the JVMSERVER
     resource that hosts z/OS Connect.
     The following is an example override, where ZOSCUSER is the default initial user ID:
       -Dcom.ibm.cics.jvmserver.http.userid=ZOSCUSER
     Note: If you set a default initial user ID in the JVM profile, you do not need to provide a
     USERID value for each URIMAP. However, if you provide both a USERID for a URIMAP and an
     override value in the JVM profile, the USERID specified for a given URIMAP takes precedence.
   - Set the USERID field for a given URIMAP resource that targets z/OS Connect.
     When an HTTP request is received by z/OS Connect, CICS matches it against the URIMAP
     resources that are installed. If the URIMAP that is found specifies the USERID attribute,
     that user ID is used as the initial user ID, instead of the default initial user ID for
     the JVM server.
     Here is an example configuration for a URIMAP resource named ZOSCDEFT, where JVMSERVER is
     the USAGE value, a generic value is set for the PATH attribute, CPIH is the target
     transaction, and ZOSCUSER is the default initial user ID:
       NAME: ZOSCDEFT
       USAGE: JVMSERVER
       SCHEME: HTTP
       PORT: NO
       HOST: *
       PATH: /zosConnect/*
       TRANSACTION: CPIH
       USERID: ZOSCUSER
     Note: URIMAP resources that are installed by using the PIPELINE SCAN mechanism are unlikely
     to be configured with a default user ID. In this scenario, you might consider specifying a
     user ID override value on the JVMSERVER.
     Note: It is possible to store an initial user ID in a WSBind file: the user of DFHLS2JS or
     DFHJS2LS might provide a value for the USERID input parameter. If the USERID parameter is
     used, any URIMAPs that are produced during a PIPELINE SCAN include the requested initial
     user ID.
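The precedence rules in the procedure above (a USERID on the matched URIMAP wins, otherwise the JVM profile override applies, otherwise the request runs under the default CICS user ID) are easy to get wrong when URIMAPs come from several sources, such as a hand-defined ZOSCDEFT next to URIMAPs produced by a PIPELINE SCAN. The following script is an added example, not IBM's code, that resolves the initial user ID for a request and audits the result against a permission table. The URIMAP matching logic (SCHEME, HOST wildcard, exact PATH preferred over a generic PATH) is a simplification of CICS URIMAP matching, and the default CICS user ID CICSUSER, the URIMAP SCAN0001, the JVM profile fragments and the permission table are all constructed sample data.

```python
"""Resolve and audit the initial user ID for a z/OS Connect request in CICS.

Added example, not IBM code. It models the precedence rules described on
this page: a USERID on the matched URIMAP wins, otherwise the JVM profile
override (-Dcom.ibm.cics.jvmserver.http.userid=...) applies, otherwise the
request runs under the default CICS user ID. The resolved identity is then
checked against a constructed permission table for the target transaction.
URIMAP matching here is a simplification of the real CICS rules, and the
default CICS user ID 'CICSUSER' is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

JVM_USERID_RE = re.compile(r"^-Dcom\.ibm\.cics\.jvmserver\.http\.userid=(\S+)", re.MULTILINE)


@dataclass(frozen=True)
class Urimap:
    """The URIMAP attributes this example needs; names follow the page's ZOSCDEFT example."""
    name: str
    usage: str
    scheme: str
    host: str
    path: str
    transaction: str
    userid: Optional[str] = None  # None models a URIMAP with no USERID attribute set


def jvm_profile_userid(profile_text: str) -> Optional[str]:
    """Return the user ID override from a JVM profile, or None if the option is absent."""
    match = JVM_USERID_RE.search(profile_text)
    return match.group(1).upper() if match else None


def urimap_matches(u: Urimap, scheme: str, host: str, path: str) -> bool:
    """Simplified URIMAP match: USAGE must be JVMSERVER, SCHEME must agree, HOST '*' is a
    wildcard, a PATH ending in '*' is a generic prefix, otherwise PATH must match exactly."""
    if u.usage.upper() != "JVMSERVER" or u.scheme.upper() != scheme.upper():
        return False
    if u.host != "*" and u.host.lower() != host.lower():
        return False
    if u.path.endswith("*"):
        return path.startswith(u.path[:-1])
    return path == u.path


def find_urimap(urimaps: List[Urimap], scheme: str, host: str, path: str) -> Optional[Urimap]:
    """Pick the most specific matching URIMAP: an exact PATH first, then the longest generic prefix."""
    candidates = [u for u in urimaps if urimap_matches(u, scheme, host, path)]
    if not candidates:
        return None
    return max(candidates, key=lambda u: (not u.path.endswith("*"), len(u.path)))


def initial_userid(urimap: Optional[Urimap], jvm_override: Optional[str],
                   default_cics_user: str) -> Tuple[str, str]:
    """Apply the page's precedence: URIMAP USERID > JVM profile override > default CICS user ID."""
    if urimap is not None and urimap.userid:
        return urimap.userid.upper(), "URIMAP USERID"
    if jvm_override:
        return jvm_override, "JVM profile override"
    return default_cics_user, "default CICS user ID"


def resolve(profile_text: str, urimaps: List[Urimap], scheme: str, host: str, path: str,
            permitted: Dict[str, Set[str]], default_cics_user: str = "CICSUSER") -> dict:
    """Resolve the initial user ID for one request and report configuration findings."""
    urimap = find_urimap(urimaps, scheme, host, path)
    userid, source = initial_userid(urimap, jvm_profile_userid(profile_text), default_cics_user)
    findings = []
    if urimap is None:
        findings.append("no URIMAP matches the request")
    if source == "default CICS user ID":
        findings.append("initial identity falls back to the default CICS user ID; "
                        "set a JVM profile override or a URIMAP USERID")
    if urimap is not None and urimap.transaction not in permitted.get(userid, set()):
        findings.append(f"{userid} is not authorized to run transaction {urimap.transaction}")
    return {"urimap": urimap.name if urimap else None, "userid": userid,
            "source": source, "findings": findings}


# Constructed sample data: the page's ZOSCDEFT definition plus a URIMAP of the kind a
# PIPELINE SCAN produces (no USERID), and JVM profile fragments with and without the override.
URIMAPS = [
    Urimap("ZOSCDEFT", "JVMSERVER", "HTTP", "*", "/zosConnect/*", "CPIH", "ZOSCUSER"),
    Urimap("SCAN0001", "JVMSERVER", "HTTP", "*", "/zosConnect/services/catalog", "CPIH"),
]
JVM_PROFILE_WITH_OVERRIDE = "-Xmx256M\n-Dcom.ibm.cics.jvmserver.http.userid=ZOSCUSER\n"
JVM_PROFILE_NO_OVERRIDE = "-Xmx256M\n"
PERMITTED = {"ZOSCUSER": {"CPIH"}}  # constructed: CICSUSER deliberately has no CPIH access


if __name__ == "__main__":
    for profile in (JVM_PROFILE_WITH_OVERRIDE, JVM_PROFILE_NO_OVERRIDE):
        for request_path in ("/zosConnect/apis/inventory", "/zosConnect/services/catalog"):
            print(resolve(profile, URIMAPS, "http", "example.host", request_path, PERMITTED))
```

Running the script shows the two cases the notes warn about: a request that lands on the PIPELINE SCAN URIMAP (no USERID) is only covered when the JVM profile override is present, and without it the audit flags both the fallback to the default CICS user ID and the missing CPIH authorization, which is exactly the situation step 1 and step 2 are meant to avoid.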
Results
You have now configured your environment so that CICS recognizes the URIs for your Services
and APIs, and associates an initial user ID for use when the target transaction is attached.