Security for CICS system components
As with any other CICS® resource, you must protect CICS system components used in CICS web support from modification by unauthorized users. You must also ensure that authorized users, particularly the CICS region, have the required authority to use these components.
A number of components, such as application programs and resource definitions, are used to control CICS web support. Refer to Components of CICS web support. If you do not secure these components against unauthorized access, the security of your CICS web support architecture might be compromised. For example, a user with access to the TCPIPSERVICE definition for a port might remove the requirement for a web client to use SSL or to provide identification. Implementing RACF protection in a single CICS region explains how to secure CICS transactions, resources, and commands against unauthorized use.
- For URIMAP resources, additional authority might be required to set a user ID for the web client. If surrogate user checking is enabled in the CICS region (with XUSER=YES specified as a system initialization parameter), CICS checks that the user ID used to install the URIMAP definition is authorized as a surrogate of the user ID specified for the USERID attribute.
- You can use document templates to produce the body of a response from CICS as an HTTP server, or the body of a request from CICS as an HTTP client. You define them by DOCTEMPLATE resource definitions. If the document templates are stored in partitioned data sets, the CICS region user ID must have READ authority for the data set.
- You can use z/OS® UNIX System Services files to produce the body of a static response from CICS as an HTTP server. You can specify them under their own names or define them by DOCTEMPLATE resource definitions. When a z/OS UNIX file is used, the CICS region must have permission to access z/OS UNIX, the z/OS UNIX directory containing the file, and the file itself. Refer to Giving CICS regions access to z/OS UNIX directories and files.
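
The directory and file permissions described in the last item can be checked from the z/OS UNIX shell. The following script is an added example, not part of the CICS documentation or product. Its function names and the optional user argument are hypothetical, and it evaluates only the permission bits: ACLs and superuser authority are not modelled.

```shell
#!/bin/sh
# Added example: reports the first path component that would stop a user
# (for instance the CICS region user ID) from reading a static web file.

# perm_for PATH: print the rwx triplet (owner, group or other) that applies
# to $want_uid / $want_gids, taken from the numeric "ls -l" listing.
perm_for() {
    line=$(ls -ldLn "$1" 2>/dev/null) || return 1
    set -- $line                      # $1=mode  $3=owner UID  $4=group GID
    first=8                           # default: "other" bits, columns 8-10
    for g in $want_gids; do
        if [ "$g" = "$4" ]; then first=5; fi     # group bits, columns 5-7
    done
    if [ "$3" = "$want_uid" ]; then first=2; fi  # owner bits, columns 2-4
    printf '%s\n' "$1" | cut -c"$first"-"$((first + 2))"
}

# walk_dirs DIR: check search (x) permission on DIR and every ancestor,
# from the top down, stopping at the first directory that blocks access.
walk_dirs() {
    [ "$1" = / ] || [ "$1" = . ] || walk_dirs "$(dirname "$1")" || return 1
    p=$(perm_for "$1") || { echo "MISSING $1"; return 1; }
    case $p in
        ??[xst]) ;;
        *) echo "NOSEARCH $1"; return 1 ;;
    esac
}

# check_web_file FILE [USER]: USER defaults to the caller.
# Returns 0 if FILE is reachable and readable, 1 otherwise.
check_web_file() {
    want_uid=$(id -u ${2:+"$2"}) || return 2
    want_gids=$(id -G ${2:+"$2"}) || return 2
    walk_dirs "$(dirname "$1")" || return 1
    p=$(perm_for "$1") || { echo "MISSING $1"; return 1; }
    case $p in
        r??) ;;
        *) echo "NOREAD $1"; return 1 ;;
    esac
}
```

A `NOSEARCH` result on a parent directory explains a failed static response even when the file itself is world-readable.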