Mainframe Security Isn’t What It Used to Be

This article updates a 2022 piece in Cheryl Watson’s Tuning Letter, “LE Non-Executable HEAPS and CICS User Experiences” by Mario Bezzi. Current Tuning Letter subscribers can read the original article online.

Think your mainframe is immune to modern cyber threats? Think again. Today’s mainframes are the backbone of the global economy, making them prime targets for sophisticated attacks. As hackers become bolder and regulatory demands grow, the stakes for mainframe security have never been higher.

That’s why IBM’s z/OS 2.4 introduced a game-changing security feature: LE non-executable HEAP.

Combined with advances in CICS Transaction Server (TS) 6.1 and 6.2, this innovation helps block a new generation of exploits, protecting your business from costly breaches and downtime. But, as with any tool, the devil is in the details, especially when it comes to configuration, performance, and monitoring.

In this article, we’ll break down what non-executable storage really means for your CICS and LE environments, how to ensure you’re protected, and what’s new in the past several years. Whether you’re a seasoned mainframe architect or new to z/OS security, understanding these updates is essential for defending your organization’s most valuable digital assets.

LE Non-Executable HEAP and Why It Matters

The LE non-executable HEAP is a security feature that allocates certain LE internal buffers and control blocks in memory that cannot be executed as code. This protects your system from code injection attacks and control flow hijacking, common vectors for modern cyber threats.

This capability is controlled by the CEENXSTG runtime option, which is enabled by default in z/OS 2.4 and later. When running on IBM z14 or newer hardware, this feature leverages the Instruction Execution Protection Facility (IEPF) to enforce non-executable memory.

CICS and Non-Executable Storage: What You Need to Know

CICS TS 6.1 and 6.2: Full Support for Non-Executable DSAs

With the release of CICS Transaction Server (TS) 6.1 and 6.2, CICS now fully supports non-executable Dynamic Storage Areas (DSAs). This means that when LE requests non-executable memory, CICS can honor that request, as long as you are on z14 or later and have enabled the feature in your CICS configuration.

Developers can now use the EXECUTABLE option in the EXEC CICS GETMAIN command to specify whether allocated memory should be executable. Administrators can also set non-executable storage as the default, further strengthening security.

CICS 5.x: Limitations Remain

If you are still running CICS 5.x (including 5.6), be aware that non-executable DSAs are not supported. LE’s requests for non-executable HEAP are satisfied using regular, executable DSAs, meaning your CICS transactions do not benefit from this additional layer of protection.

Performance and Monitoring: Best Practices for CICS and LE

While some customers reported increased CICS GETMAIN activity after enabling non-executable HEAPs, IBM’s official performance documentation does not identify this as a widespread or systemic issue. 

Do not make RPTSTG(ON), the LE runtime option that produces a storage report, the system-wide default, because it will significantly impact performance. Consider CICS TS dynamic storage tuning as an alternative. RPTSTG(ON) should only be used for tuning or diagnostics.

To ensure optimal performance, enable CICS Interval Statistics using the STATRCD initialization parameter. This allows you to monitor storage activity and GETMAIN requests at a granular level, helping you spot trends or anomalies early.

How to Enable and Benefit from Non-Executable Storage

  1. Upgrade to CICS TS 6.1 or Later
    Ensure your environment is running CICS TS 6.1 or above, and that you are on IBM z14 or newer hardware.
  2. Configure Non-Executable DSAs
    Explicitly enable non-executable DSAs in your CICS configuration. Set the default to non-executable storage for maximum protection.
  3. Monitor and Analyze
    Regularly collect and review CICS interval statistics to track GETMAIN activity and CPU usage. Use this data to optimize performance and validate the impact of security changes.
  4. Plan for the Future
    If you are still on CICS 5.x, consider planning an upgrade to take advantage of these security enhancements.
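One way to carry out the before/after validation in step 3, as an added example that is not from the article: it compares per-task GETMAIN and CPU rates from a baseline window against the window after the change and flags growth beyond a tolerance. The intervals are constructed sample data in a simplified layout, not parsed from real SMF 110 subtype 2 records.

```python
from dataclasses import dataclass
from statistics import mean

# Added example, not from the article: the records below are constructed
# sample data in a simplified layout, not real SMF 110 subtype 2 records.

@dataclass(frozen=True)
class Interval:
    start: str          # interval start time, "YYYY-MM-DD HH:MM"
    tasks: int          # transactions completed in the interval
    getmains: int       # GETMAIN requests issued in the interval
    cpu_seconds: float  # CPU time consumed by the region in the interval

def per_task_rates(intervals):
    """Mean GETMAINs and CPU seconds per task. Normalising by task count keeps
    a busier interval from looking like a regression."""
    busy = [i for i in intervals if i.tasks > 0]
    if not busy:
        raise ValueError("no intervals with completed tasks")
    return (mean(i.getmains / i.tasks for i in busy),
            mean(i.cpu_seconds / i.tasks for i in busy))

def compare(baseline, after, getmain_tol=0.10, cpu_tol=0.05):
    """Compare a post-change window against a pre-change baseline and flag
    per-task GETMAIN or CPU growth beyond the tolerances."""
    gm_b, cpu_b = per_task_rates(baseline)
    gm_a, cpu_a = per_task_rates(after)
    gm_ratio, cpu_ratio = gm_a / gm_b, cpu_a / cpu_b
    findings = []
    if gm_ratio > 1 + getmain_tol:
        findings.append(f"GETMAINs per task up {100 * (gm_ratio - 1):.0f}%")
    if cpu_ratio > 1 + cpu_tol:
        findings.append(f"CPU per task up {100 * (cpu_ratio - 1):.0f}%")
    return {"getmain_ratio": gm_ratio, "cpu_ratio": cpu_ratio, "findings": findings}

# Constructed samples: three intervals before and three after enabling
# non-executable HEAP in the region (values are illustrative only).
BASELINE = [
    Interval("2024-05-06 09:00", 10000, 400000, 40.0),
    Interval("2024-05-06 10:00", 12000, 480000, 48.0),
    Interval("2024-05-06 11:00", 8000, 320000, 32.0),
]
AFTER = [
    Interval("2024-05-13 09:00", 10000, 460000, 41.0),
    Interval("2024-05-13 10:00", 11000, 506000, 45.1),
    Interval("2024-05-13 11:00", 9000, 414000, 36.9),
]

if __name__ == "__main__":
    result = compare(BASELINE, AFTER)
    print(result["findings"] or ["no significant change"])
```

With the sample data, GETMAINs per task rise 15% (flagged) while CPU per task rises only 2.5% (within tolerance), which is the pattern the article describes some customers reporting.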

Common Questions

Q: Does enabling LE non-executable HEAP impact CICS performance?
A: Most organizations see little to no impact. Some rare cases reported increased GETMAINs, but IBM benchmarks show minimal performance change. Monitoring is recommended.

Q: Can I use non-executable storage with CICS 5.x?
A: No, only CICS TS 6.1 and later support non-executable DSAs.

Q: How do I know if my system is affected?
A: Enable and review CICS interval statistics (SMF 110 subtype 2 records) to monitor GETMAIN activity and CPU usage.

Secure Your Mainframe with Non-Executable Storage

The move to non-executable storage in LE and CICS is a critical step in modernizing mainframe security. With the proper configuration and monitoring, you can protect your systems from advanced threats without sacrificing performance. 

Have questions or CICS experiences to share? Leave a comment below.


This article was created with support from AI-powered tools. Our editorial team reviewed and verified all information to ensure accuracy and quality.
