IBM Crypto Education Community


CICS, Cobol, Encryption - Who accesses the Key?

Guillermo COSIMO posted Thu October 23, 2025 08:44 AM

Hi Everyone, 

I'm reaching out to you all on the recommendation of an IBM Champion (I won't reveal their name) after trying to figure out a CICS/CICS/ICSF problem that has kept me scratching my head for a while now.
So, if you have some time to spare, I'd be glad to hear your opinion and ideas on what I'm trying to deal with and the best available options:

We have a CICS transaction that runs a Cobol module, which calls an ICSF service to hash & sign a message with a key and stores that in an IMS DB. Since the ICSF service (CSNBSYE) runs as a callable service (CICS context), it's the CICS user that requires access to the CSNBSYE module and the key label.

If we give access to the CICS UserId, that would mean a blanket authorisation to use all the authorised labels by any program executed in CICS that wants to do so.

Only by extracting SMF (using the CICSAUDIT parm) and correlating the CICS and RACF SMF records would we know whether the request is "normal", which is too late, because it is after the execution.

My idea is that if we give CICS the possibility to surrogate a batch to the transaction user ID, that would be the best option to do this. What do you think?

Eric Rossman

As you noted, there are two resources needed for most ICSF CCA callable services: CSFSERV and CSFKEYS.

I mention that because I wanted you to be aware that CSNBSYE is one of a small number of services that don't require access to a CSFSERV resource, only CSFKEYS.

Though not directly related to your question, I also want to clarify what you mean when you asked about "hash & sign a message," but then referred to CSNBSYE, which does neither of those things.

All that said, I am not a CICS expert, but my understanding is that there is a way to accomplish what you are asking. I'll reach out to some CICS folks and see if I can get an answer.

Guillermo COSIMO

Thanks Eric for picking that up! I believe that it was inducted by a previous development. I'll see that the analyst reviews the project and that an MDC or a one-way hash is used, and then use a CCA PKA module to sign the hash.

I hope you're right and we have another way instead of giving CICS access to all the keys; I'd like to avoid granting too much if it's not required.

Eric Rossman

I did get a chance to speak to the CICS folks and the answer is more nuanced than I expected.

My understanding is that there is no way to change the ACEE under a given transaction. However, CICS does allow only certain users to run certain programs in a region, so that is one way to scope usage. I'm not sure that solves your initial problem. The identity running a region should never be used anywhere other than running a region, so that provides some comfort.
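To tie the two answers together in concrete RACF terms, here is an added example (not from anyone in this thread and not IBM-supplied code) of the narrowest set of profiles that covers the situation described: a CSFKEYS profile for the single key label the Cobol module needs, permitted only to the CICS region user ID (since, as Eric notes, the ICSF check runs under that ACEE), plus CICS transaction and program security so that only one RACF group can reach the program that calls ICSF. The region user ID CICSRGN, the key label APP1.SIGN.KEY, the program APPSIGN, the transaction ASGN and the group APPSUSRS are placeholders. The example assumes the CICS region runs with SEC=YES, XTRAN=YES and XPPT=YES in the SIT, and that CSFSERV checking is not needed for this service, as Eric states for CSNBSYE.

```jcl
//CSFSCOPE JOB (ACCT),'SCOPE ICSF KEY USE',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the thread. Placeholder names:
//*   CICSRGN       - user ID the CICS region runs under
//*   APP1.SIGN.KEY - key label used by the Cobol module
//*   APPSIGN       - the Cobol program that calls ICSF
//*   ASGN          - the transaction that invokes APPSIGN
//*   APPSUSRS      - RACF group of users allowed to run it
//*
//* Weak setting this replaces (do not do this):
//*   PERMIT ** CLASS(CSFKEYS) ID(CICSRGN) ACCESS(READ)
//* which lets any program in the region use any key label.
//*
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(CSFKEYS) RACLIST(CSFKEYS)
  RDEFINE  CSFKEYS APP1.SIGN.KEY UACC(NONE) AUDIT(ALL)
  PERMIT   APP1.SIGN.KEY CLASS(CSFKEYS) ID(CICSRGN) ACCESS(READ)
  SETROPTS RACLIST(CSFKEYS) REFRESH
  SETROPTS CLASSACT(TCICSTRN) RACLIST(TCICSTRN)
  RDEFINE  TCICSTRN ASGN UACC(NONE)
  PERMIT   ASGN CLASS(TCICSTRN) ID(APPSUSRS) ACCESS(READ)
  SETROPTS RACLIST(TCICSTRN) REFRESH
  SETROPTS CLASSACT(MCICSPPT) RACLIST(MCICSPPT)
  RDEFINE  MCICSPPT APPSIGN UACC(NONE)
  PERMIT   APPSIGN CLASS(MCICSPPT) ID(APPSUSRS) ACCESS(READ)
  SETROPTS RACLIST(MCICSPPT) REFRESH
/*
```

The CSFKEYS profile is discrete, not generic, so the region ID can use exactly one label rather than everything under a prefix; add one profile per label the application legitimately needs. AUDIT(ALL) on the key profile makes RACF write an SMF type 80 record for every successful and failed access to that label, so the after-the-fact SMF correlation described in the opening post keeps working while the blast radius of the grant is reduced. The TCICSTRN and MCICSPPT profiles are what Eric's "only certain users can run certain programs" refers to: a signed-on user who is not in APPSUSRS cannot reach APPSIGN at all, even though the ICSF call itself still executes under the region's ACEE.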