Security

This topic describes the recommended security configurations for securing the connection between the Job scheduler and CICS using SSL.

Security configurations for the batch container

Security in the CICS region is provided by SSL certificates defined to RACF.

To enable secure communications between the Job scheduler and CICS, SSL must be configured in both CICS and WebSphere Application Server. CICS receives inbound communications from the Job scheduler to submit and manage jobs. CICS sends outbound communications to the Job scheduler to update it about the progress of jobs and the set of jobs that the batch container can run.

For further information on configuring CICS Web support for SSL, see SSL with CICS web support.

For further information on securing WebSphere Application Server, see Securing applications and their environment.

The following table describes the recommended security configurations for the batch container:

| Communication direction | Configuration | Behaviour |
| --- | --- | --- |
| Inbound | TCPIPSERVICE(DFHBATTC)<br>AUTHENTICATE(CERTIFICATE)<br>CERTIFICATE(x) (optional)<br>SSL(CLIENTAUTH) | Inbound communications are secured using SSL. CICS requests an SSL client certificate from the Job scheduler and runs requests under the userid associated with the certificate.<br>The default certificate in the key ring associated with the CICS region will be used, unless otherwise specified by the optional certificate property. |
| Inbound | TCPIPSERVICE(DFHBATTC)<br>AUTHENTICATE(NO)<br>SSL(YES)<br>URIMAP(DFHBATUR)<br>USERID(x) | Inbound communications are secured using SSL. The userid x is used to run requests. If no userid is specified on the URIMAP then the CICS default userid is used. |
| Outbound | batchcontainer-config.xml<br>`<security-enabled>true</security-enabled>`<br>`<certificate>MYCERT</certificate>` | CICS establishes outbound communications to the Job scheduler using SSL. If the Job scheduler requires SSL client authentication, CICS uses the certificate MYCERT to identify itself. If no `<certificate>` parameter is specified, the default certificate from the SSL keyring is used. |
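
The following Python check is an added example, not IBM code or part of the original topic. It classifies a set of resource attributes and a batchcontainer-config.xml fragment against the three rows of the table above. The function names, the userid BATCHUSR and the `<batch-container>` root element are assumptions made for the example; only the attribute and element names come from the table.

```python
import re
import xml.etree.ElementTree as ET

ATTR = re.compile(r"([A-Za-z]+)\(([^)]*)\)")

def parse_attrs(text):
    """Parse KEYWORD(value) pairs, the notation the table uses for CICS resources."""
    return {k.upper(): v.strip() for k, v in ATTR.findall(text)}

def check_inbound(tcpipservice, urimap=""):
    """Match TCPIPSERVICE/URIMAP attributes against the two inbound rows."""
    svc, uri = parse_attrs(tcpipservice), parse_attrs(urimap)
    # An attribute missing from the input is treated as NO.
    ssl = svc.get("SSL", "NO").upper()
    auth = svc.get("AUTHENTICATE", "NO").upper()
    if ssl == "CLIENTAUTH" and auth == "CERTIFICATE":
        cert = svc.get("CERTIFICATE") or "key ring default"
        return f"OK: userid comes from the client certificate (CICS certificate: {cert})"
    if ssl == "YES" and auth == "NO":
        if uri.get("USERID"):
            return f"OK: requests run under URIMAP userid {uri['USERID']}"
        return "WARN: no USERID on the URIMAP, requests run under the CICS default userid"
    if ssl == "NO":
        return "FAIL: inbound communications are not secured using SSL"
    return f"WARN: SSL({ssl}) with AUTHENTICATE({auth}) matches neither recommended row"

def check_outbound(config_xml):
    """Check the two batchcontainer-config.xml elements named in the outbound row."""
    root = ET.fromstring(config_xml)
    def text(tag):
        el = next(root.iter(tag), None)
        return (el.text or "").strip() if el is not None else ""
    if text("security-enabled").lower() != "true":
        return "FAIL: <security-enabled> is not true"
    cert = text("certificate")
    if cert:
        return f"OK: outbound SSL, client certificate {cert}"
    return "WARN: outbound SSL, no <certificate>, keyring default certificate is used"

# Constructed sample input; <batch-container> is a hypothetical root element.
SAMPLE_XML = """<batch-container>
  <security-enabled>true</security-enabled>
  <certificate>MYCERT</certificate>
</batch-container>"""

if __name__ == "__main__":
    print(check_inbound("TCPIPSERVICE(DFHBATTC) AUTHENTICATE(CERTIFICATE) SSL(CLIENTAUTH)"))
    print(check_inbound("TCPIPSERVICE(DFHBATTC) AUTHENTICATE(NO) SSL(YES)", "URIMAP(DFHBATUR)"))
    print(check_outbound(SAMPLE_XML))
```

The WARN results mark the two fallbacks the table describes (CICS default userid, default keyring certificate), which are worth confirming as intended rather than accidental.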

Security and DB2

The user ID that runs inbound requests from the Job scheduler requires use of the tablespaces, and all privileges on the tables, required by the batch container. This user ID also requires the relevant privileges on any tables that a job reads from or writes to.