Introduction to the Liberty JVM server
This chapter describes the IBM WebSphere Application Server Liberty profile, its ability to host applications within a CICS Transaction Server (TS) environment, and how it interacts with CICS TS applications and resources. It also describes the security technologies that are available to applications hosted within a Liberty profile in CICS TS.
This chapter covers the following topics:
2.1 Evolving application servers
As software development methods evolve to deliver more function to customers quickly and reliably, the ability to incorporate new technologies into existing environments has never been more important. An application server such as CICS TS must support these continuously changing demands if it is to deliver these new services. The challenges for application servers include:
The ability to rapidly deploy (and redeploy) application artifacts as part of a DevOps continuous integration process.
Software should be modular and easily assembled. This allows applications to be rapidly composed from existing modules and easily deployed into the runtime environment.
Modern application patterns, such as RESTful web services and responsive UI, are rapidly becoming more popular. Application servers must be able to adopt these new programming models.
The WebSphere Application Server Liberty profile (Liberty) is lightweight and easy to install. It is used to develop and deploy applications. Therefore, it provides a convenient and capable platform for developing and testing your web and OSGi applications. Liberty is built by using OSGi technology and concepts. The fit-for-purpose nature of the runtime relies on the dynamic behavior inherent in the OSGi framework and service registry. As applications (bundles) are installed or uninstalled from the framework, their services are automatically added or removed from the service registry. The result is a dynamic, composable run time that can be provisioned with only what your application requires and responds dynamically to configuration changes as your application evolves.
CICS Transaction Server for z/OS (CICS TS) V5.1 added support for Liberty to run within a Java virtual machine (JVM) server in CICS TS. This has been extended in CICS Transaction Server for z/OS V5.2, which added more supported features for web applications running in a Liberty JVM server within CICS TS.
2.2 Advantages
Liberty is a simple, lightweight development and application runtime environment that offers these benefits:
Simple to configure: Configuration is read from a single XML file (server.xml). CICS TS extends this simplicity further by adding the ability to automatically generate this XML file.
Dynamic and flexible: The Liberty profile server runtime loads only what your application needs and constructs the run time in response to configuration changes.
Extensible: The Liberty system programming interfaces (SPIs) provide support for user and product extensions that can use the SPIs to extend the run time. An example of this is the additional features that CICS TS provides in the CICS Liberty JVM server (see 2.4, “Liberty in the CICS Transaction Server” on page 18).
2.2.1 Liberty and the CICS Transaction Server for z/OS Value Unit Edition
In addition to the technical possibilities that Liberty within CICS makes available, applications that are written and run within CICS Liberty qualify as new Java workloads and are eligible to run within a CICS Transaction Server for z/OS Value Unit Edition region on a zNALC LPAR.
New Java-based features can be developed within Liberty and can be self-contained. For example, they can interact with IBM MQ Value Unit Edition or IBM DB2 Value Unit Edition also running on the zNALC LPAR. Another possibility is to use the Java class library for CICS (JCICS) to link to an existing application running in a standard CICS Transaction Server for z/OS region on a standard LPAR.
2.3 Strengths
Liberty offers great advantages when used as both a development run time and a production run time within CICS TS. Liberty is both lightweight and capable, particularly when considering the ability of third-party products to extend and enhance the available features.
2.3.1 Simple configuration
The server configuration, from the server administrator’s perspective, is only a single server.xml file that contains all necessary information. The configuration file for IBM WebSphere Application Server Liberty Profile for z/OS V8.5.5 (the version included in CICS TS V5) has many optional parameters that you can use for specific scenarios. They are listed in “Liberty features” in the CICS Transaction Server section of the IBM Knowledge Center:
2.3.2 Runtime composition with features and services
The composable nature of Liberty is based on the concept of features. A feature is a function. Features can overlap, and they can include other features.
CICS Liberty JVM server consists of a JVM server that hosts the Liberty kernel and several optional features. The feature code and most of the kernel code run as OSGi bundles within an OSGi framework. Features provide the programming models and services required by applications. You can choose which optional features should be enabled according to your application requirements.
 
Note: Only one CICS Liberty JVM server can run per CICS region with security enabled. If multiple Liberty profile servers need to run within a single CICS region, security must be disabled within the JVM profile for the JVM server. By default, security is enabled, so if the required flag is not set within the JVM profile, only one CICS Liberty JVM server will start.
2.3.3 Developer focus
With Liberty, you can do rapid development and deployment to meet with modern development trends. Liberty offers the following advantages for developers:
Fast and no-cost download for developer’s workstation
Liberty profile server is fast and available at no cost for developer workstation use. It can be downloaded and installed from Eclipse.org or WASdev.net.
Rapid development and deployment
You deploy an application in Liberty profile server either by dropping the application into the server’s dropins directory or by adding an application entry to the server configuration (server.xml) file.
In addition to this, within CICS Liberty JVM server, you can package an application, for example an enterprise bundle archive (EBA) in a CICS TS bundle, and deploy this bundle within CICS TS. This is the suggested deployment method for applications in CICS Liberty JVM server.
Easy extensibility for custom features and third-party components
Liberty supports direct extension of the runtime environment using product extensions. A product extension allows custom content to be added to a Liberty installation in a way that avoids conflicts with the base content of the product and with other product extensions.
2.4 Liberty in the CICS Transaction Server
As previously mentioned, CICS Transaction Server (TS) runs Liberty within a CICS TS Java virtual machine (JVM) server. Figure 2-1 shows the basic architecture of how a Liberty profile server is hosted within a CICS TS region.
Figure 2-1 Architecture of Liberty in a CICS TS JVM server
As Figure 2-1 illustrates, the Liberty profile server is hosted in a CICS TS JVM server that is defined in a JVM profile. This example shows how a CICS TS bundle containing an EBA is placed within CICS TS and then installed in the Liberty environment. This EBA, which contains a web application, is then able to access CICS TS resources, for example IBM DB2 or VSAM data sets, or other CICS TS COBOL applications.
This example demonstrates using a URIMAP as an entry point into CICS Liberty JVM server from a web client, which allows context switching of transaction ID or user ID. Liberty listens on a port and handles HTTP traffic, with the ability to define transport security (see 2.5.2, “Security overview” on page 21). If context switching is not required, a web client can simply connect directly to Liberty.
Figure 2-1 on page 18 also shows that the server.xml file that defines the configuration of the CICS Liberty JVM server is also available, although this can be automatically generated by CICS TS. Security aspects of this architecture are described later in this chapter.
CICS TS V5.2 supports a subset of the features of the full Liberty profile. The supported features include, but are not limited to, the following:
JavaServer Faces (JSF) 2.0
JavaServer Pages (JSP) 2.2
Java Servlet 3.0
Java API for RESTful Web Services (JAX-RS) 1.1
Java API for XML Web Services (JAX-WS) 2.2
JavaScript Object Notation (JSON4J) 1.0
Secure Socket Layer (SSL) 1.0
Web Application Bundles (WAB) 1.0
Java Database Connectivity (JDBC) 4.0
You can find a complete list of supported Liberty features in the CICS section of the IBM Knowledge Center:
CICS Liberty JVM server includes all features of the full Liberty profile (in CICS TS V5.2, this is the WebSphere Application Server Liberty profile for z/OS V8.5.5.1). However, the features that appear in the IBM Knowledge Center are a subset that are currently supported. You may choose to include other features in your applications, but this is not supported.
In addition to the Liberty features supported in CICS TS, the following are also provided:
CICS TS Core (cicsts:core-1.0)
Provides core CICS TS features and Java Transaction API (JTA) 1.0
CICS TS JDBC (cicsts:jdbc-1.0)
Provides support for applications to access a local CICS TS DB2 database using JDBC.
CICS Liberty JVM server security (cicsts:security-1.0)
Provides integration of Liberty security with CICS TS security, including propagation of thread identity. This feature includes the zosSecurity-1.0 feature.
2.4.1 Integration with CICS Transaction Server for z/OS
The two subsequent chapters in this part will outline the advantages of web applications running in a Liberty JVM server in a CICS TS environment. The focus is to allow new applications, whether they be new presentation layers to interact with current CICS TS applications, or applications that will use resources managed by CICS TS, to benefit from collocation with the CICS TS environment. Both use cases focus on the ease of creating new applications that can integrate with CICS TS.
The two main ways to interact with CICS TS are to call an existing application (for example a CICS COBOL application running on an existing non-zNALC LPAR) or, for new applications, to use the JCICS API to call CICS TS functions directly. Each approach has advantages, and the choice depends mainly on what you are trying to achieve. If the main objective is to modernize your application presentation layer, for example by implementing a Java API for RESTful Web Services (JAX-RS) interface that allows interaction with mobile applications, the appropriate choice may be to link to existing applications. If instead a new application is being developed from scratch, you can implement all functions in Java within Liberty. Such an application, as well as calling the JCICS API directly to access resources, could also call existing applications hosted on another LPAR.
Before these options are explored further in the rest of this part, the rest of this chapter will outline what security options are available within CICS Liberty JVM server and some security considerations that are important to highlight.
 
Note: While it is possible for an application hosted in CICS Liberty to link to a CICS COBOL, or other type of application in CICS, the ability to link to web applications running in a Liberty JVM server is not supported in CICS TS V5.2. If this is required, a CICS COBOL application could make an HTTP call to web applications running in a Liberty JVM server.
2.5 Security
This section introduces the security features that are available for CICS Liberty JVM server applications.
The security features mentioned below may, and probably will, form part of a wider security infrastructure. It is likely that further levels of security will be required for external users to access applications hosted in CICS Liberty JVM server, for example integrating with IBM MobileFirst Platform Foundation. This chapter covers only the security features specific to CICS Liberty JVM server applications. Also see 5.5, “IBM MobileFirst Platform Foundation and CICS TS” on page 54.
2.5.1 Introduction to security with Liberty in CICS TS
CICS Liberty JVM server includes appSecurity-2.0, which enables security for web applications when the servlet-3.0 feature is present. This complements SSL support (through the ssl-1.0 feature), which enables SSL (including TLS) connections using HTTPS (see 2.5.2, “Security overview” on page 21).
For CICS TS specific security options, CICS TS has an additional feature, cicsts:security-1.0, which integrates the zosSecurity-1.0 features with CICS TS security options, for example propagation of user identity. To use the cicsts:security-1.0 feature, the angel process that is available in CICS TS V5.2 must be running. This process is used for accessing z/OS authorized services and can use SAF security frameworks. The angel process is the suggested authentication and authorization method for CICS Liberty JVM server applications. See 2.5.3, “The Liberty server angel process” on page 22 for more details on the angel process.
Furthermore, CICS Transaction Server for z/OS V5.2 includes improved performance through using the Liberty authentication cache. When a user is authenticated a new Subject object is created storing all authorization information, including roles. This Subject object is stored in the Liberty authentication cache, with a configurable cache expiry time, preventing multiple authentication and authorization requests for the same user.
2.5.2 Security overview
Before proceeding to read about the security options that are available in Liberty in CICS TS, be sure to review the following key terms that are essential for understanding security:
Transport (communication)
Transport, or communication, refers to the mechanism that is used for data to travel between two places, for example from a client (such as a web browser on a computer) to a server (such as an application in Liberty running within CICS TS). When the term is used in this chapter, we are concerned with how to secure the data that is sent between the two.
Communications in CICS Liberty JVM server are secured with the Secure Sockets Layer (SSL) protocol. The SSL protocol provides transport layer security including authenticity, data signing, and data encryption to ensure a secure connection between a client and server. SSL in CICS Liberty JVM server includes TLS v1.2 support required for some security standards and the protocol used can be configured in server.xml, within the <ssl> element using the sslProtocol attribute.
You can configure a CICS Liberty JVM server to use SSL for data encryption, and optionally to authenticate the client to the server using a client certificate. Client certificates can be stored in a Java keystore or in a SAF key ring.
 
Authentication
Authentication confirms that an entity (for example a user) that is attempting to access a resource (for example an application hosted in Liberty) is a valid entity. Typically, this entity will provide a username and password when attempting to gain access. This username and password, or possibly a client certificate, is used to authenticate the entity.
CICS Liberty JVM server includes many different options to aid in authentication. For an introduction on Liberty authentication visit this website:
CICS Liberty JVM server supports several of the authentication options described on that web page, with some additions. The basic Liberty authentication features supported in CICS Liberty JVM server are:
 – SSL client authentication
 – Form logon
 – Lightweight Third-Party Authentication
 – Custom user registry
 – Trust Association Interceptor
In addition, the angel process described in 2.5.3, “The Liberty server angel process” on page 22 allows authentication using z/OS security services (SAF), which is required for applications that interact with other CICS TS processes and are contained within CICS TS bundles.
Authorization
Authorization determines whether a given entity has been granted the correct privileges in order to access a resource. This can be used, for example, in protecting certain areas of a website that may only be available to certain authorized users.
For an introduction on Liberty authorization, visit this website:
In addition to the <application-bnd> configuration options available in Liberty, CICS Liberty JVM server includes the following additional authorization options:
 – Roles (defined as SAF EJBROLE) - described in 2.5.4, “SAF roles” on page 23
 – The angel process authorization - described in 2.5.3, “The Liberty server angel process” on page 22
 – ThreadIdentityService (can push Subject credential onto CICS TS task)
Role
Typically, authorization is aided by the use of roles. An entity can be assigned one or more roles and then a resource can be authorized to be used by a role. If the entity is a member of a role, and a role is authorized to access a resource, access is granted to the entity.
Subject
A subject is a representation of a given entity, for example, as mentioned before, a user. When a user is authenticated, their authorization information (for example Role membership) is retrieved and stored in a Subject object within Liberty authentication cache. Any subsequent authentications will result in this Subject object being retrieved from the cache, improving performance. The Liberty authentication cache has a configurable expiry time for the Subject object, with a default of ten minutes.
2.5.3 The Liberty server angel process
As described in 2.5.1, “Introduction to security with Liberty in CICS TS” on page 20, CICS Transaction Server for z/OS V5.2 added support for the angel authentication and authorization process to CICS Liberty JVM server. It is now the default for authentication and authorization in CICS Liberty JVM server.
The angel process is lightweight and does very little CPU-consuming work after establishing control blocks. Only one angel process is required per z/OS operating system image (logical partition, LPAR). This process has no configuration files and uses no TCP/IP ports.
By default, the angel process uses the System Authorization Facility (SAF) user registry for all authentication requests if the CICS Liberty JVM server security feature is included. This allows a Liberty-based application hosted in CICS TS and other CICS TS processes that are linked to from CICS Liberty to use the same user identity.
Figure 2-2 shows how authentication and authorization requests are routed through the angel process if the CICS TS security feature is present.
Figure 2-2 Process diagram for authentication and authorization with the angel process
Figure 2-2 shows a web client connecting to a Liberty profile server running within CICS and requesting access to a resource. The CICS TS security feature (cicsts:security-1.0) has been configured in the Liberty profile server. When the web client requests access to the resource, the request is routed through the angel process to SAF, where the user credentials are authenticated and checked against the requested resource. Resource access could be controlled by using roles, in which case the user must be a member of the role to be granted access. After the user is authenticated and authorized, the response to the authorization request is passed back to Liberty. If that is successful, the resource is returned to the web client.
For more information about how to configure CICS Liberty JVM server with the angel process, see “The Liberty server angel process” in the IBM Knowledge Center:
2.5.4 SAF roles
When you are using the CICS Liberty JVM server security feature, you can include a configuration element, <safAuthorization>, in the server.xml file to enable the use of SAF roles (EJBROLE). If this is present any roles defined in server.xml are ignored and role membership is defined and granted using SAF roles. An EJBROLE can be defined using SAF and then membership of that role is granted to users defined in the SAF registry, allowing access and permissions to SAF authorized resources for example CICS TS bundles containing CICS Liberty JVM server applications.
For more information about how to configure roles within CICS Liberty JVM server, see “JEE application role security” in the IBM Knowledge Center:
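The following server.xml is an added example that is not taken from this book or from IBM documentation; it pulls together the configuration points discussed in 2.3.2 and 2.4 (feature composition), 2.3.3 (deployment by configuration entry), 2.5.2 (the <ssl> element with sslProtocol and a SAF key ring), 2.5.3 (SAF credentials used through the angel process) and 2.5.4 (<safAuthorization>). The port numbers, key ring name, application name, group name and role name are placeholders chosen for the example; the element and attribute names are standard Liberty and CICS Liberty configuration elements.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example server.xml for a CICS Liberty JVM server.
     Ports, key ring name, application, group and role names are
     placeholders for this example, not values from the chapter. -->
<server description="CICS Liberty JVM server (example)">

    <!-- Runtime composition (2.3.2 / 2.4): only the listed features are
         loaded. cicsts:security-1.0 brings in zosSecurity-1.0 and routes
         authentication to SAF through the angel process; ssl-1.0 enables
         HTTPS; jaxrs-1.1 is the JAX-RS 1.1 feature named in 2.4. -->
    <featureManager>
        <feature>cicsts:core-1.0</feature>
        <feature>cicsts:security-1.0</feature>
        <feature>servlet-3.0</feature>
        <feature>jaxrs-1.1</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <!-- HTTP listener. httpPort="-1" disables the clear-text listener so
         credentials can only be sent over the TLS endpoint. -->
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="-1" httpsPort="9443"/>

    <!-- Transport security (2.5.2): pin the protocol to TLSv1.2 and take
         the server certificate (and any client certificates) from a SAF
         key ring instead of a file-based Java keystore. The key ring name
         LIBERTY.KEYRING is a placeholder; "password" is the fixed dummy
         value used for SAF key rings. -->
    <ssl id="defaultSSLConfig" keyStoreRef="cicsKeyRing" sslProtocol="TLSv1.2"
         clientAuthenticationSupported="true"/>
    <keyStore id="cicsKeyRing" location="safkeyring:///LIBERTY.KEYRING"
              type="JCERACFKS" password="password" fileBased="false" readOnly="true"/>

    <!-- Authorization (2.5.4): with <safAuthorization> present, role
         membership is taken from SAF EJBROLE profiles and the
         <security-role> mapping further down is ignored. profilePrefix is
         the SAF profile prefix the server is identified by; BBGZDFLT is
         the Liberty default. -->
    <safAuthorization id="saf"/>
    <safCredentials profilePrefix="BBGZDFLT"/>

    <!-- Authentication cache (2.5.1 / Subject): an authenticated Subject
         is reused for 10 minutes (the default) before SAF is asked again. -->
    <authCache timeout="10m"/>

    <!-- Deployment by configuration entry (2.3.3) rather than the dropins
         directory. The application-bnd mapping only takes effect if
         <safAuthorization> above is removed. -->
    <application id="inquiry" name="inquiry" type="war" location="inquiry.war">
        <application-bnd>
            <security-role name="ACCOUNT_INQUIRY">
                <group name="CICSUSRS"/>
            </security-role>
        </application-bnd>
    </application>
</server>
```

Two points to check when adapting this: with <safAuthorization> in place, the ACCOUNT_INQUIRY role only grants access if a matching EJBROLE profile exists in SAF and the user's group is permitted to it, so an application that works against the <application-bnd> mapping in development can return 403 in production until the SAF profiles are defined; and disabling httpPort means any URIMAP used as the entry point (see 2.4) must target the HTTPS port.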
 
 
Note: The chapters that follow describe the main scenarios for creating new applications or migrating existing ones to CICS Liberty JVM server and explain the advantages and possibilities.