Security considerations for the CICS bridge

When you run the CICS bridge, you can specify the level of authentication you want to take place. If requested, the bridge checks the user ID and password extracted from the WebSphere MQ request message before running the CICS program named in the request message.

Notes:

  1. If you have not specified a user ID in the message descriptor (MQMD) or password in the CICS bridge header (MQCIH) of a message, the bridge task runs with the LOCAL level of authentication, even if you started the bridge monitor with a different authentication option.

  2. The options that include password (or passticket) validation require an MQCIH to be provided. See the WebSphere MQ Application Programming Reference manual for more information about the MQCIH header.

  3. Passticket validation is performed using WebSphere MQ services, not EXEC CICS VERIFY, as the CICS service does not allow you to specify an APPLID.

The levels of authentication you can use are described below:

LOCAL

This is the default. CICS programs run by the bridge task are started with the CICS DFLTUSER user ID, and therefore run with the authority associated with this user ID. There is no checking of user IDs or passwords. If a CICS program is run that tries to access protected resources, it will probably fail.

IDENTIFY

When you start the monitor task with the IDENTIFY authentication option, the bridge task is started with the user ID specified in the message (MQMD). CICS programs run by the bridge run with the user ID from the MQMD. There is no password checking; the user ID is treated as trusted.

VERIFY_UOW

When you start the monitor task with the VERIFY_UOW authentication option, the bridge monitor checks the user ID (in the MQMD) and password (in the MQCIH) before starting the bridge task. CICS programs run by the bridge run with the user ID extracted from the MQMD. If the user ID or password is invalid, the request fails with return code MQCRC_SECURITY_ERROR. Subsequent messages processed by this transaction are not checked.

VERIFY_ALL

This is the same as VERIFY_UOW except that the bridge task checks the user ID and password in every message. This is not applicable for 3270 transactions when using CICS earlier than CICS Transaction Server V2 Release 2.

A passticket can be used in place of a password to avoid the need to flow passwords in messages (see Security Server RACF System Programmer's Guide). When generating a passticket an APPLID must be specified. If you are using a single bridge monitor, the APPLID is the CICS APPLID unless a different value was specified when the bridge was started. If you are using multiple bridge monitors for a queue, specify the APPLID to be used via the PASSTKTA=applid parameter at bridge startup.

If you have not specified a user ID in a message, or you have not provided a password, the CICS program started by the CICS bridge runs with the user ID set to the user ID used to start the bridge monitor, regardless of the option requested. If you want more than one level of authentication checking performed, run a monitor task for each level you need.

When a CICS DPL request is read by the bridge monitor, it starts the transaction specified in the CICS bridge header (MQCIH) or, if this is blank, transaction CKBP. The user IDs under which the bridge monitor runs must have authority to start the various transactions that might be requested. The default transaction ID for the CICS bridge monitor is CKBR, but you can change this or define additional transaction IDs if you want more granular access to queues and transactions. You can use CICS surrogate security to restrict which user ID and transaction combinations a bridge monitor transaction and user ID can start.

Table 65 and Table 66 summarize the level of authority of the bridge monitor and the bridge tasks, and the use of the MQMD user ID.

Table 65. CICS bridge monitor security

  Monitor started by                                  | At a signed on terminal | Monitor authority
  ----------------------------------------------------|-------------------------|---------------------
  From a terminal or EXEC CICS LINK within a program  | Yes                     | Signed on user ID
  From a terminal or EXEC CICS LINK within a program  | No                      | CICS default user ID
  EXEC CICS START with user ID                        | -                       | User ID from START
  EXEC CICS START without user ID                     | -                       | CICS default user ID
  The WebSphere MQ trigger monitor CKTI               | -                       | CICS default user ID

Table 66. CICS bridge task security

  AUTH        | Bridge task authority
  ------------|----------------------
  LOCAL       | CICS default user ID
  IDENTIFY    | MQMD UserIdentifier
  VERIFY_UOW  | MQMD UserIdentifier
  VERIFY_ALL  | MQMD UserIdentifier

The options IDENTIFY, VERIFY_UOW, and VERIFY_ALL need the user ID of the bridge monitor defined to RACF as a surrogate of all the user IDs used in request messages. This is in addition to the user ID in the message being defined to RACF. (A surrogate user is one who has the authority to start work on behalf of another user, without knowing the other user's password.)

For more information on surrogate user security, see the CICS RACF Security Guide.
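The following Python model, added here as an illustration and not part of the WebSphere MQ or CICS product code, walks one unit of work through the authentication options above (LOCAL, IDENTIFY, VERIFY_UOW, VERIFY_ALL), the Note 1 fallback for missing credentials, and the surrogate requirement from the preceding paragraph. The credential table, surrogate table, the DFLTUSER value and the SURROGATE_CHECK_FAILED label are constructed stand-ins for RACF; MQCRC_SECURITY_ERROR is the return code named on this page.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for RACF and the bridge environment (not real values)
DFLTUSER = "CICSUSER"                            # assumed CICS default user ID
PASSWORDS = {"ALICE": "s3cret", "BOB": "hunter2"} # user ID -> password/passticket
SURROGATES = {"BRIDGEMON": {"ALICE", "BOB"}}      # monitor user -> users it may start work for
MQCRC_SECURITY_ERROR = "MQCRC_SECURITY_ERROR"     # return code named on the page
OK = "OK"
SURROGATE_FAIL = "SURROGATE_CHECK_FAILED"         # constructed label; page gives no code

@dataclass
class Message:
    mqmd_userid: Optional[str]      # MQMD UserIdentifier, None if not set
    mqcih_password: Optional[str]   # password or passticket from MQCIH, None if absent

def _credentials_present(auth, msg):
    # Note 1: a missing user ID (or, for the VERIFY options, a missing password)
    # drops the task to LOCAL behaviour whatever AUTH the monitor was started with.
    if auth == "IDENTIFY":
        return msg.mqmd_userid is not None
    return msg.mqmd_userid is not None and msg.mqcih_password is not None

def process_uow(auth, monitor_user, messages):
    """Return [(effective user ID, outcome)] for each message of one unit of work.

    Processing stops at the first security failure, since the request fails.
    """
    results = []
    for n, msg in enumerate(messages):
        if auth == "LOCAL" or not _credentials_present(auth, msg):
            results.append((DFLTUSER, OK))        # runs under the CICS default user ID
            continue
        user = msg.mqmd_userid
        # IDENTIFY / VERIFY_*: the monitor's user ID must be a RACF surrogate of the message user
        if user not in SURROGATES.get(monitor_user, set()):
            results.append((None, SURROGATE_FAIL))
            return results
        # VERIFY_UOW checks only the first message (before the bridge task starts);
        # VERIFY_ALL checks every message; IDENTIFY never checks the password.
        must_check = auth == "VERIFY_ALL" or (auth == "VERIFY_UOW" and n == 0)
        if must_check and PASSWORDS.get(user) != msg.mqcih_password:
            results.append((None, MQCRC_SECURITY_ERROR))
            return results
        results.append((user, OK))
    return results
```

Running VERIFY_UOW and VERIFY_ALL over the same two-message unit of work shows the difference in where a bad password on the second message is caught.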

Note:
When IDENTIFY security is being used, you might see abend AICO for CKBP if you try to run with a user ID that has been revoked. The error reply will have return code MQCRC_BRIDGE_ERROR with reason MQFB_CICS_BRIDGE_FAILURE.