Security considerations

CICS Transaction Gateway can perform authentication and authorization checks at different points during the processing of requests.

Authentication verifies that the user is who they say they are. Depending on topology, authentication can be based on the user ID passed with the ECI request, an SSL client certificate, or a distributed identity (identity propagation).

Authorization verifies that a user is allowed to access a particular resource for a given intent, for example to execute a method in a bean or to update a CICS resource.

Security in a local mode topology

The following figure shows the locations in a local mode topology where the system performs authentication and authorization. In this topology, WebSphere Application Server and CICS Transaction Gateway are both running on Windows. The EJB application in WebSphere uses the ECI resource adapter and the Client daemon to access the CICS COMMAREA application.

Figure 1. Security in a local mode topology

The following authorization options are available in this topology:

  • Component-managed sign-on. With this option, security credentials are propagated to CICS by the application.
  • Container-managed sign-on. With this option, security credentials are propagated to CICS by a Web or EJB container.
  • Link user ID authorization checking (not available on TCP/IP connections to CICS). This provides an additional check on whether the link user ID is authorized to access the CICS resource.
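The two sign-on options above differ only in where the credentials enter the JCA connection request. The following Java is an added example, not code from the page or from the CICS Transaction Gateway product: it shows an EJB obtaining an ECI connection with component-managed sign-on (credentials passed in the `ECIConnectionSpec`, deployment descriptor `res-auth` set to `Application`) beside container-managed sign-on (no credentials in code, `res-auth` set to `Container`, the container mapping an authentication alias or propagated identity). The JNDI name, the program name `EC01`, the 18-byte COMMAREA layout and the `CommareaRecord` class are assumptions made for the example.

```java
import java.io.*;
import javax.naming.InitialContext;
import javax.resource.cci.*;
import com.ibm.connector2.cics.ECIConnectionSpec;
import com.ibm.connector2.cics.ECIInteractionSpec;
/** Fixed-length COMMAREA record; the 18-byte layout is constructed for this example. */
class CommareaRecord implements Record, Streamable, Cloneable {
    final byte[] data;
    CommareaRecord(int len) { data = new byte[len]; }
    public void read(InputStream in) throws IOException { new DataInputStream(in).readFully(data); }
    public void write(OutputStream out) throws IOException { out.write(data); }
    public String getRecordName() { return "COMMAREA"; }
    public void setRecordName(String n) { }
    public String getRecordShortDescription() { return ""; }
    public void setRecordShortDescription(String d) { }
    public Object clone() throws CloneNotSupportedException { return super.clone(); }
}
public class SignOnExamples {
    // Assumed JNDI name of the ECI connection factory and an assumed CICS program name.
    static final String CF_JNDI = "java:comp/env/eis/CICS_TG";
    static final String PROGRAM = "EC01";
    /** Component-managed sign-on: the application itself supplies the user ID and password. */
    static String componentManaged(String userId, String password) throws Exception {
        ConnectionFactory cf = (ConnectionFactory) new InitialContext().lookup(CF_JNDI);
        // Deployment descriptor: <res-auth>Application</res-auth>; the credentials come from code.
        return callProgram(cf.getConnection(new ECIConnectionSpec(userId, password)));
    }
    /** Container-managed sign-on: no credentials in code; the EJB container supplies them. */
    static String containerManaged() throws Exception {
        ConnectionFactory cf = (ConnectionFactory) new InitialContext().lookup(CF_JNDI);
        // Deployment descriptor: <res-auth>Container</res-auth>; WebSphere attaches the mapped
        // authentication alias (or the propagated caller identity) to the connection request.
        return callProgram(cf.getConnection());
    }
    private static String callProgram(Connection conn) throws Exception {
        try {
            ECIInteractionSpec spec = new ECIInteractionSpec();
            spec.setFunctionName(PROGRAM);
            spec.setCommareaLength(18);
            spec.setInteractionVerb(ECIInteractionSpec.SYNC_SEND_RECEIVE);
            CommareaRecord rec = new CommareaRecord(18);
            Interaction ix = conn.createInteraction();
            // CICS authorizes the flowed user ID (and, over SNA, the link user ID) before EC01 runs.
            ix.execute(spec, rec, rec);
            ix.close();
            return new String(rec.data, "ISO-8859-1").trim();
        } finally {
            conn.close(); // return the connection to the pool in both sign-on modes
        }
    }
}
```

With container-managed sign-on the password never appears in application code or logs, which is the usual reason to prefer it in a shared container.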

The following data integrity and confidentiality option is available in this topology:

  • HTTPS on the link between the Web server and WebSphere Application Server. The level of data encryption, server authentication and client authentication can be specified.


Last updated: Tuesday, 19 November 2013


https://ut-ilnx-r4.hursley.ibm.com/tg_latest/help/topic/com.ibm.cics.tg.doc//ctgunx/secure_consids.html