CICS Transaction Server for z/OS V6.

1
- Upgrading Considerations

Steve Fowlkes
CICS Technical Specialist
[email protected]
Modernizing applications in
CICS Transaction Server

CICS Transaction Server (CICS TS) is flexible

with support for Java™ APIs and frameworks
such as Jakarta®, Spring Boot®, Eclipse
MicroProfile®, and the popular Node.js®,
together with traditional complied languages like
COBOL, C/C++, and PL/I, and Assembler.
CICS applications share core programming
contexts such as transactions, security,
monitoring and management.
CICS applications can be modernized to
provide APIs, event streams, AI at scale,
and more.
Planning for the Upgrade
Planning for the upgrade

• Hardware pre-requisites • Operating System pre-requisites

• The minimum required hardware prerequisite • Requires z/OS V2.3 or above
is IBM zEnterprise EC12 or subsequent 64-bit
z/Architecture processors • APAR PH39134 for z/OS 2.4 and z/OS 2.5 is
required for LE to support instruction
execution protection (IEP)
 Checking system requirements
• For the latest information about the hardware and software requirements and the service required, use
Compatibility reports
 Checking system requirements
• https://www.ibm.com/software/reports/compatibility/clarity-
reports/report/html/softwareReqsForProduct?deliverableId=A59B6800AFDD11EAB9117899910938C8&osPl
atform=z/OS
Check compatibility with your vendor products

• Always ask your vendor the following questions

• Is the product supported without change on your to determine if the vendor product is compatible
target release with CICS
• Does the product require a compatibility fix, • Does the current version of the product
either to CICS TS or to the product itself support the target CICS release
• Must the product be upgraded • Are any PTFs required in the product or in
CICS
• Can a new version of code be installed in
current release
• What actions (Hold actions) need to occur
• For example, recompiling exits or upgrade
steps
Changes for CICS TS V6.1
Changes to security
- TLS
• MINTLSLEVEL system initialization parameter
• Support to update to TLS 1.3
• New Option
• Requires minimum z/OS 2.4
• TLS13
• Removed Options
• MAXTLSLEVEL system initialization parameter
• TLS10
• New
• TLS10ONLY

• ENCRYPTION system initialization parameter

• Stabilized Option
• Removed
• TLS 1.1
• Default cipher file for outbound web requests
• CIPHERS – Numeric ciphers deprecated
• New
Changes to security
- TLS - Default cipher file for outbound web requests
• A new feature is provided to enable CICS to use a default set of ciphers in lieu of the 2-digit ciphers
(3538392F3233)
• togglecom.ibm.cics.web.defaultcipherfile={true|false}
• The cipher file is defaultciphers.xml

• The use of a default cipher file applies to

• Outbound HTTPS requests that are made by using EXEC CICS WEB OPEN or EXEC CICS INVOKE
SERVICE
• When those commands do not specify a set of ciphers to use via the CIPHERS or URIMAP
• A greater set of ciphers can be used for outbound requests without having to create a URIMAP for each
potential endpoint

• To use this feature

• The feature toggle must be set to true and the defaultciphers.xml file must exist in the
USSCONFIG/security/ciphers directory
Changes to security

• Removal of authorization check for Category 1 • ENCRYPTION system initialization parameter

transactions
• Removed
• Use the MINTLSLEVEL parameter instead
• Category 1 transactions are part of CICS and
the CICS region user ID is the only ID configured
to run Category 1 transactions • Removal of XSNEX global user exit
• If any other user attempts to run a Category 1
transaction directly, the transaction abends
with type AXS1
Changes to CICS API…
• ASSIGN - New Option: GMEXITOPT • START CHANNEL - New Options:
• CHANGE PASSWORD/CHANGE PHRASE and
• NOCHECK
• VERIFY PASSWORD/VERIFY PHRASE
• Specifies that, for a remote system, CICS
• Changed improves performance of the START
• New NOTAUTH with RESP2 value of 1 command by providing less error checking
and slightly less function
• The PASSWORD field, the
NEWPASSWORD field, or both are blank
• PROTECT

• New NOTAUTH with RESP2 value of 17 • Specifies that the new task is not started
• The USERID is not authorized to use the
until the starting task has taken a sync point
application
• GETMAIN/GETMAIN64
• New Option: EXECUTABLE
• Specifies that the storage should be obtained
from one of the DSAs that are never protected
from instruction execution
Changes to CICS API
• WEB OPEN • WRITE OPERATOR
• Changed: WEB OPEN URIMAP • New Option: CONSNAME
• Uses the cached IP address and HTTP
information obtained with the initial connection, • Enables messages to be sent a specific
for subsequent outbound web requests using console identified by CONSNAME
the same URIMAP
• Changed
• Deprecated: CIPHERS
• New INVREQs with RESP2 values of 7 and 8
• Option no longer allowed on new compiles. The
CIPHERS option is deprecated for existing • The CONSNAME length is not valid. The
programs when MAXTLSLEVEL is TLS12 and CONSNAME value must be 2 to 8
ignored for existing programs when
MAXTLSLEVEL is TLS13
characters in length

• DFHEIENT macro • The CONSNAME value is not valid

• New Option: DATA_EXECUTABLE • New ERROR with RESP2 value of 1

• To request that dynamic storage is not • Command (with CONSNAME) has returned
protected from instruction execution an error
Changes to JCICS API
• Container • CICSSecurityManager
• Removed Method: put(String stringData) • Removed Methods:
• checkMultiCast(InetAddress, byte)
• Program
• checkAwtEventQueueAccess()
• Removed Methods from the class com.ibm.cics.server.Program
• checkMemberAccess(Class<?> theClass, int)
• link(com.ibm.record.IByteBuffer)
• checkSystemClipboardAccess()
• link(com.ibm.record.IByteBuffer, com.ibm.record.IByteBuffer)
• checkTopLevelWindow(Object window)

• Task
• Removed Methods • TerminalPrincipalFacility
• disableTaskTrace() • Removed Method: waitTerminal()
• enableTaskTrace()

• HttpHeader
• IsCICS
• Removed Method: getHeader
• New Method: getApiStatus (boolean lateBind)
Changes to SIT parameters
• New: • Changed
• EPCDSASZE • CPSMCONN New Option: SMSSJ

• CPSMCONN=SMSSJ
• EUPDSASZE
• Initializes a single CICS region as a CICS SMSS
• PCDSASZE
• Automatically creates a Liberty JVM server named EYUCMCIJ
• PUDSASZE as the CMCI JVM server

• MAXTLSLEVEL
• DTRPGM Changed
• Specifies the maximum TLS protocol for secure
TCP/IP connections • When DTRPGM=NONE is specified, no routing program is invoked

• RESOVERRIDES
• MINTLSLEVEL
• Specifies the name of the resource overrides
file • New Option: TLS13

• SDTMEMLIMIT • Stabilized Option: TLS11

• Specifies a limit to the amount of storage above • Removed Options

the bar that is available for shared data tables • TLS10
to use for control information
• TLS10ONLY
Changes to resource definitions

• DB2ENTRY • URIMAP
• New Attribute • Changed
• SHARELOCKS • Added support for enabling multiple client
URIMAPs that point to the same endpoint in a
• APAR PH47996 required CICS region

• TCPIPSERVICE
• Changed
• When PROTOCOL(HTTP) and SSL(YES)
are specified
• CIPHERS defaults to defaultciphers.xml
Changes to resource definitions
- CICS-supplied resource definition Groups

• DFH$DB2 - Changed • DFHBMS – Changed

• DB2ENTRY definition has a new attribute • Several transactions have been removed from this
group
SHARELOCKS
• These transactions are now automatically installed
• SHARELOCKS(NO) is the default

• DFHCLNT – Changed
• DFH$SOT - Changed
• Transaction CCIN has been removed from this group
• The CIPHERS value for TCPIPSERVICE • It is now automatically installed
HTTPSSL is changed to defaultciphers.xml

• DFHHARDC – Changed
• DFHDBCTL - Changed
• Transaction CSPP has been removed from this group
• Transaction CDBT is changed from • It is now automatically installed
SPURGE(NO) to SPURGE(YES)
Changes to resource definitions
- CICS-supplied resource definition Groups
• DFHJAVA – Changed
• DFHIPECI – Changed
• Transactions CJSA and CJSU are changed

• From SHUTDOWN(DISABLED) to SHUTDOWN(ENABLED)

• Transaction CIEP has been removed from this group
• It is now automatically installed
• DFHOPER – Changed

• New program DFHLDMHT

• DFHISC – Changed
• Several transactions have been removed from this
• DFHPIPE - Changed
group
• Program definitions are moved to this group
• These transactions are now automatically installed
• DFHWSATH, DFHWSATR, DFHWSATX and DFHPIRS

• No longer need to install your own versions of these

program definitions because DFHPIPE is part of
DFHLIST • DFHPSSGN – Changed
• New transaction CPIW, a direct clone of CPIH, which is used • Transaction CPSS has been removed from this group
to handle WS-AT protocol messages
• It is now automatically installed
Changes to resource definitions
- CICS-supplied resource definition Groups
• DFHRSEND – Changed
• DFHWSAT – Changed
• Transaction CSRS has been removed from this group
• Some program definitions are moved to group
DFHPIPE • It is now automatically installed

• DFHWSATH, DFHWSATR, DFHWSATX and

DFHPIRS • DFHSPI – Changed
• URIMAP DFHRSURI now specifies • Transaction CATR has been removed from this group
TRANSACTION(CPIW) instead of CPIH
• It is now automatically installed
• This is the URIMAP used to match inbound WS-AT
protocol messages
• DFHSTAND – Changed

• DFHSECR - New • Several transactions have been removed from this group
• They are now automatically installed
• New journal DFHSECR for security request recording

• DFHWU – Changed
• DFHCOMPJ - New
• New transaction CWDP
Changes to CEMT
• CEMT INQUIRE DB2ENTRY • CEMT PERFORM STATISTICS
• New Option: SHARELOCKS • New Option: CIPHER

• CEMT INQUIRE DSAS • CEMT SET DB2ENTRY

• New Options: PCDSASIZE, PUDSASIZE, EPCDSASIZE, • New Option: SHARELOCKS
EPUDSASIZE
• Support for Instruction Execution Protection
• Removed Option: ETDSASIZE • CEMT SET DSAS – Changed
• The DSAs that are covered by DSALIMIT and EDSALIMIT
include the new DSAs that are never protected from
• CEMT INQUIRE SYSTEM instruction execution
• New Options:
• SDTMEMLIMIT • CEMT SET SYSTEM
• SRRTASKS • New Option: SDTMEMLIMIT

• CEMT INQUIRE TASK • CEMT SET TASK

• New Option: SRRSTATUS • New Option: SRRSTATUS
Changes to CICS SPI
• CHANGED:
• NEW • CREATE DB2ENTRY

• INQUIRE POLICY • ENABLE PROGRAM

• EXTRACT STATISTICS
• INQUIRE POLICYRULE
• INQUIRE ASSOCIATION
• INQUIRE SECRECORDING • INQUIRE DB2ENTRY

• INQUIRE STORAGE64 • INQUIRE FEATUREKEY

• INQUIRE STORAGE

• INQUIRE SUBPOOL
• THREADSAFE • INQUIRE SYSTEM

• INQUIRE TAG • INQUIRE TASK

• PERFORM STATISTICS
• SET ASSOCIATION USERCORRDATA
• SET DB2ENTRY
• SET SECRECORDING • SET SYSTEM

• SET TAGS REFRESH • SET TASK

• SET TRANSACTION
Changes to CICS monitoring

• DFHCICS
• Enhanced to provide association data of DPL requests by EXCI clients
• For Liberty the userID now reflects the final userID value, instead of the initial userID

• DFHSOCK
• SOCNPSCT indicates the total number of requests made by the user task to create
an outbound socket
• SONPSHWM indicates the peak number of outbound sockets owned by the user
task
Changes to storage
• These locations changed
• CDSA becomes the PCDSA
• ETDSA – Removed • ECDSA becomes the EPCDSA

• Storage that was allocated from this DSA is now • SDSA becomes the PUDSA
allocated from the ECDSA • ESDSA becomes the EPUDSA

• PCDSA, PUDSA, EPCDSA, and EPUDSA – New • CDSA, SDSA, ECDSA, ESDSA locations
• Changed
• To enable the allocation of storage that is not
protected from instruction execution • Loader Domain functions return the location of the
program to the caller
• ACQUIRE_PROGRAM
• Subpools LDPGM, LDEPGM, LDRES, LDERES, • RELEASE_PROGRAM
LDNRS, LDENRS, LDNUC, and LDENUC
• INQUIRE_PROGRAM
• Changed • GET_NEXT_PROGRAM
• These subpools are now allocated in PCSDA, • GET_NEXT_INSTANCE
PUDSA, and their equivalent extended DSAs
• IDENTIFY_PROGRAM
Changes to installing

• DFHEITAB and DFHEITBS modules are not LPA eligible

• Removed the DFHIFTG1 and DFHIFTGS installation jobs

The Upgrade Process
Check downward compatibility

• When planning to run multiple versions of CICS • CICS TS 6.1 modules in SDFHLINK are
in the same LPAR compatible with earlier releases of CICS

• Ensure that the eight CICS LPA-required • The modules for trace and dump formatting
modules in the LPA are CICS TS 6.1 are release dependent
(SDFHLPA) • DFHPDnnn, DFHTGnnn, DFHTRnnn,
DFHTTnnn
• The last three numbers in a release-
• LPA-eligible modules are not guaranteed to be dependent module name indicate the
downward compatible release
• Use the LPA system initialization parameter • 740 - CICS TS 6.1
LPA=YES/NO as needed
• 730 - CICS TS 5.6
• 720 - CICS TS 5.5
• 710 - CICS TS 5.4
Upgrading CICS regions - High-level Overview
• Redefine and initialize the local and global catalogs
• Upgrade the CSD
• Upgrade user-modified CICS-supplied resource definitions
• Upgrade your copies of CICS-supplied resource definitions
• Reassemble all your macro tables
• Reassemble all Global User Exit programs
• That use XPI calls without the RELSENSCALL parameter
• Modify any Global User Exit programs
• That use XPI INQUIRE_PROGRAM or GET_NEXT_PROGRAM calls with certain equates
• Review DSA size limits
• Review MEMLIMIT
Upgrading CICS regions
• Redefine and initialize the local and global • Upgrade the CSD
catalogs
• If sharing the upgraded CSD with different
• For each CICS region, delete, redefine, and CICS releases
initialize the DFHLCD and DFHGCD • The CSD must be at the highest release
• Delete your existing data sets • Compatibility groups must be specified in
the correct order
• Define and initialize new local and global
catalogs • To upgrade the CSD, you have two options

• Make sure that you use the DFHRMUTL • Upgrade the CICS-supplied definitions in
and DFHCCUTL utility programs your CSD

• See DFHDEFDS for sample JCL • Run the DFHCSDUP utility program
with the UPGRADE command
• Start the CICS regions with an initial start
• Define a new CSD by using DFHCSDUP
INITIALIZE command
Upgrading CICS regions
• Upgrade user-modified CICS-supplied resource • Copy the upgraded CICS-supplied definitions
definitions and reapply your modifications
• If any of the CICS-supplied resource • The DFHCSDUP UPGRADE command
definitions were modified in your current does not operate on your own groups or on
release of CICS TS, upgrade them at the start CICS groups that you copied
of upgrading your regions
• If the CICS region uses CPSM
• Confirm whether your CSD contains any user-
modified, CICS-supplied resource definitions • Manually upgrade any of the dynamically
created CPSM resource definitions that
• Use the DFHCSDUP SCAN command to were modified
compare the CICS-supplied resource
definitions with any user-modified versions • The dynamically created resource
definitions are in SEYUSAMP
• DFHCSDUP reports any differences
between the CICS-supplied definition and a
user-modified version
Upgrading CICS regions
• Upgrade your copies of CICS-supplied resource • Reassemble all your macro tables
definitions
• Macro tables must be reassembled
• If you copied any CICS-supplied resource • CICS detects if a macro table is not
definitions, you might need to change your reassembled
copies to match the changes that are made to
the supplied definitions • Issues a message DFHLD0110 or
DFHFC0110 and terminates
• Member DFH$CSDU in SDFHSAMP
contains ALTER commands that you can • Reassemble all Global User Exit programs that
are using XPI calls without the RELSENSCALL
apply using DFHCSDUP
parameter
• ALTER PROGRAM(DFHD2EDF) GROUP(*)
• The RELSENSCALL parameter on XPI calls
CONCURRENCY(THREADSAFE)
means that the XPI call executes successfully
on all supported CICS releases
• Support for the Release sensitive XPI call is
stabilized
Upgrading CICS regions
• Modify any Global User Exit programs that use • Review DSA size limits
XPI INQUIRE_PROGRAM or
GET_NEXT_PROGRAM calls with certain • It is not advisable to set the size of individual
equates dynamic storage areas (DSAs)

• To support Instruction Execution Protection, • Usually it is not necessary

the DFHPGISY LOCATION equates changed • Review MEMLIMIT
• If your GLUE makes XPI • The MEMLIMIT parameter limits the amount of
INQUIRE_PROGRAM or 64-bit storage that the CICS region can use
GET_NEXT_PROGRAM call and uses
• CICS requires a MEMLIMIT value of 10 GB
• equates PGIS_CDSA, PGIS_SDSA,
PGIS_ECDSA and PGIS_ESDSA • https://www.ibm.com/docs/en/cics-
ts/6.1?topic=storage-estimating-checking-
• you must modify it to use equates memlimit
PGIS_PCDSA, PGIS_PUDSA,
PGIS_EPCDSA, and PGIS_EPUDSA
Upgrading CICS regions (5.4)
• Review program and transaction definitions • Review the use of MQCONN
• Defaults of the following resource attributes changed • The introduction of the MQMONITOR
in CICS TS 5.4
resource in CICS TS 5.4 enhanced the control
• Program definition and security associated with IBM MQ
• DATALOCATION(ANY) connections

• Transaction definition • MQINI(DFHMQINI) replaced with

MQMONITOR(DFHQMINI)
• SPURGE(YES)

• TASKDATALOC(ANY) • CICS now differentiates between the user ID

under which the transaction monitoring the
• TPURGE(YES) MQ queue runs and the user ID under which
• Resources that are already defined are unaffected the initiated transactions run
• New definitions will default to the new value

• Resources that are installed through the EXEC CICS

CREATE command will use the new default

• For program autoinstall, the default model program

DFHPGAPG now specifies DATALOCATION(ANY)
Upgrading CICS regions

• Check DSA storage requirements • CSD compatibility between different CICS

releases
• To allow some programs to run in storage that
is not protected from instruction execution • The CSD can be shared between different
CICS releases by using the appropriate
• New DSAs are used even if instruction compatibility groups
execution protection is not used
• After upgrading a CSD, if you plan to share
• The distribution of storage is changed the CSD with earlier releases of CICS
• Some subpools have moved • Include the appropriate DFHCOMPx
compatibility groups in the GRPLIST
• Depending on the attributes of the program
CICS loads the program into one of the four • Do not share a CSD with a CICS region that
new DSAs or into the RDSA or ERDSA is running at a higher release than the CSD
• https://www.ibm.com/docs/en/cics- • You must install the compatibility groups in
ts/6.1?topic=releases-changes-storage the correct order
Upgrading CICS regions
• Required compatibility groups for earlier releases of CICS
Upgrading CICSPlex SM (CPSM) – High-level Overview
• Check compatibility requirements for different levels of CICSPlex SM
• Upgrade maintenance point CMAS
• Upgrade a WUI and the contents of the WUI server repository (EYUWREP)
• Upgrade the CMCI to use the CMCI JVM server
• If enabled
• Upgrade a non-maintenance point CMAS
• Upgrade a CICSPlex SM managed CICS system (MAS)
• Upgrade CICSPlex SM API programs
• Rerun EYUJHIST to upgrade your CICSPlex SM history data sets
Upgrading CICSPlex SM (CPSM)
• Check compatibility requirements for different • You can run a CMAS at V6.1 that connects to a
levels of CPSM CMAS running at a supported level of CICS TS
• A CICS TS V6.1 CMAS runs only in a CICS
• This release of CPSM and earlier releases can system at V6.1
run concurrently
• In a CICSplex that consists of CMASs at the
• When service is applied to CPSM latest level and at one or more earlier levels

• PTFs that are applied to the ESSS are not • The maintenance point CMAS (MP CMAS)
intended to be downward-compatible with must be at the latest level
earlier maintenance levels at the same • You cannot view all resources of a CICS TS V6.1
release region by using a CMAS that runs at an earlier
release
• All CMASs, MASs, WUIs, and API
programs must run at the same • To connect a CMAS at a lower level to a CMAS
at a higher level
maintenance level as the ESSS for their
release • PTFs must be applied to each downlevel
environment
Upgrading CICSPlex SM (CPSM)
Upgrading CICSPlex SM (CPSM)
• For a CMAS and a MAS to communicate • CICS systems (MASs) running at a supported
level of CICS TS can be connected to CPSM
• They must be running at the same release of V6.1.
CPSM
• To be connected to CPSM V6.1
• For a MP CMAS at the latest release to
communicate with a CICS region that runs an • CICS systems must use the CPSM V6.1 MAS
earlier release agent
• The MP CMAS must be at the latest release • The CPSM V6.1 libraries must be in the CICS
JCL
• Connect the MP CMAS to the back-level MAS
through a CMAS that runs the same level as • It is advisable to run WUI servers at the latest
the MAS. release
Upgrading the CICS Explorer
• Check compatibility of CICS Explorer • Upgrade or install a new copy of CICS Explorer
• CICS Explorer is backwards compatible • For instructions
• To connect to CICS TS 6.1 regions • Downloading and starting CICS Explorer in
the CICS Explorer product documentation
• Need CICS Explorer Fix Pack 5.5.22 or later
• Some features in CICS TS 6.1 are only
available in Fix Pack 5.5.23 and later • https://www.ibm.com/docs/en/cics-
explorer/5.5.0?topic=downloading-starting-
cics-explorer
• Back up your CICS Explorer workspace
• The workspace data format might change
and backwards compatibility might not be
possible
Start your journey today
- with CICS TS 6.1

Learn Try Collaborate Related products

• What is CICS? • Samples • Community • IBM Z and Cloud
Modernization Stack
• Intro videos • IBM Z Trial • Ideas • IBM z/OS Connect

• Editions • Developer trial • Design Partnership • IBM CICS Performance

Analyzer for z/OS
• What’s new in 6.1? • Upgrade • Open beta
• IBM Z Security and
Compliance Center