Chapter 14 Exercises

Section 14.1 — Why COBOL Needs Web Services

Exercise 1: Integration Option Analysis

SecureFirst evaluated three options for exposing mainframe functions to mobile apps: rewrite in Java, screen-scraping, and service enablement. For each option, list two risks the chapter identifies and two additional risks you can identify from your own experience. Then rank all three options for a scenario where the COBOL programs are well-documented versus a scenario where they are poorly documented. Explain how documentation quality changes the risk calculus.

Exercise 2: Service Identification

You manage a CICS environment with the following transactions:

  • INQY — Account balance inquiry (3270, COMMAREA-based)
  • XFER — Fund transfer (3270, COMMAREA-based, calls two DB2 tables)
  • HIST — Transaction history (3270, uses BMS paging, reads VSAM)
  • BILL — Bill payment (3270, calls external service via MQ)
  • STMT — Statement generation (batch, writes PDF to spool)

Evaluate each transaction for web service enablement. For each, state whether it is a good candidate for REST service exposure, and explain why or why not. Consider: interface complexity, data size, statelessness, and external dependencies.

Exercise 3: Provider vs. Requester Mapping

For each scenario, identify whether CICS operates in provider mode, requester mode, or both:

  a) A mobile app checks an account balance through the API gateway
  b) A COBOL program calls an external credit bureau API during loan origination
  c) A partner bank sends an ISO 20022 payment message to your CICS system, which then calls a compliance-checking microservice before processing
  d) A CICS batch job pulls exchange rates from a cloud API every 15 minutes
  e) An internal Java microservice calls your CICS COBOL program to validate an address


Section 14.2 — CICS as a Service Provider

Exercise 4: TCPIPSERVICE Configuration

Design TCPIPSERVICE definitions for the following scenario:

Your bank has three API consumers:

  • Mobile banking app (via API gateway, 200 concurrent connections, TLS required)
  • Partner integration (via VPN, 50 concurrent connections, mutual TLS required)
  • Internal monitoring (health check endpoint, 5 concurrent connections, no TLS)

Write the CEDA DEFINE TCPIPSERVICE for each. Justify your choices for PORTNUMBER, MAXPERSIST, SOCKETCLOSE, SSL, and AUTHENTICATE.

Exercise 5: URIMAP Design

Design a RESTful URI scheme and corresponding URIMAP definitions for a loan origination system with these operations:

  • Get loan application by ID
  • Create new loan application
  • Update loan application status
  • List all applications for a customer
  • Delete draft application
  • Get payment schedule for an approved loan

Write the CEDA DEFINE URIMAP for each operation, specifying PATH, PIPELINE, PROGRAM, and TRANSACTION. Follow REST conventions for HTTP methods and URI structure.

Exercise 6: Transaction Separation Analysis

The chapter recommends using different CICS transactions for web service requests versus 3270 requests to the same COBOL program (e.g., AINQ for web, INQY for 3270). List four specific benefits of this separation. For each benefit, describe how you would verify it is working correctly in production.

Exercise 7: Error Mapping Design

Design an error mapping strategy for a COBOL program that can return the following error conditions:

COBOL Condition    Description
RC = 0             Success
RC = 4             Record not found
RC = 8             Input validation failed
RC = 12            Authorization denied
RC = 16            Database unavailable
RC = 20            Duplicate record
RC = 99            Unexpected error

For each condition, specify: (a) the appropriate HTTP status code, (b) the JSON error response body, and (c) whether the error should trigger a CICS abend or use a status container. Justify your choices.


Section 14.3 — REST Services with CICS

Exercise 8: DFHLS2JS Copybook Analysis

Given the following COBOL copybook, identify three problems that will cause issues with DFHLS2JS and propose solutions for each:

       01  CUST-RECORD.
           05  CUST-ID              PIC X(10).
           05  CUST-NAME.
               10  CUST-FIRST-NAME PIC X(25).
               10  CUST-LAST-NAME  PIC X(25).
           05  CUST-ADDRESS.
               10  CUST-ADDR-TYPE  PIC X(01).
               10  CUST-ADDR-DATA  REDEFINES
                                   CUST-ADDR-TYPE.
                   15  CUST-DOMESTIC PIC X(100).
               10  CUST-ADDR-INTL  REDEFINES
                                   CUST-ADDR-DATA.
                   15  CUST-INTL-LINE1 PIC X(40).
                   15  CUST-INTL-LINE2 PIC X(40).
                   15  CUST-INTL-COUNTRY PIC X(20).
           05  CUST-ACCOUNTS OCCURS 20 TIMES.
               10  CUST-ACCT-NUM   PIC X(10).
               10  CUST-ACCT-BAL   PIC S9(13)V99 COMP-3.
           05  CUST-PHONE-RAW      PIC 9(10).

Exercise 9: JSON Field Naming

Your distributed API team has published the following JSON contract for a payment API:

{
  "paymentId": "string",
  "sender": {
    "accountNumber": "string",
    "routingNumber": "string"
  },
  "recipient": {
    "accountNumber": "string",
    "routingNumber": "string"
  },
  "amount": 0.00,
  "currency": "USD",
  "executionDate": "2025-03-15",
  "status": "PENDING"
}

Design a COBOL copybook that maps cleanly to this JSON structure using DFHJS2LS. Then write the DFHJS2LS JCL to generate the WSBIND file. Consider: nested structures, date handling, enumerated status values, and decimal precision.

Exercise 10: Pagination Design

The transaction history endpoint returns up to 500 records per account. Design a pagination strategy that:

  a) Limits each response to 25 records
  b) Provides a "next page" mechanism
  c) Handles the case where new transactions arrive while the client is paging
  d) Works within CICS's stateless (pseudo-conversational) model

Write the request and response copybooks, and explain how the COBOL program implements cursor-based pagination using DB2.


Section 14.4 — SOAP Services

Exercise 11: WSDL Analysis

Given the following WSDL fragment for an inter-bank transfer service, identify: (a) the operations defined, (b) the binding style, (c) the message format, and (d) any elements that will be problematic for DFHWS2LS and why.

<portType name="InterBankTransferPortType">
  <operation name="initiateTransfer">
    <input message="tns:TransferRequest"/>
    <output message="tns:TransferResponse"/>
    <fault name="TransferFault" message="tns:TransferError"/>
  </operation>
  <operation name="queryTransferStatus">
    <input message="tns:StatusRequest"/>
    <output message="tns:StatusResponse"/>
  </operation>
</portType>
<binding name="InterBankTransferBinding"
         type="tns:InterBankTransferPortType">
  <soap:binding style="rpc"
    transport="http://schemas.xmlsoap.org/soap/http"/>

Exercise 12: SOAP vs. REST Decision Matrix

Create a decision matrix for choosing SOAP vs. REST for each of the following integration scenarios. Score each option on: development effort, performance, interoperability, security features, and tooling support. Recommend an approach for each.

  a) Mobile banking app for retail customers
  b) Inter-bank SWIFT payment messaging
  c) Partner API for a fintech startup integrating with your core banking
  d) Government regulatory reporting (quarterly submission)
  e) Internal microservice-to-mainframe communication


Section 14.5 — CICS as a Service Requester

Exercise 13: External Service Call Design

Design the COBOL error handling for a fund transfer program that calls three external services:

  1. Credit score check (3-second timeout, fallback to cached score)
  2. Fraud detection scoring (2-second timeout, default to "review" if unavailable)
  3. AML (Anti-Money Laundering) compliance check (5-second timeout, MANDATORY — fail the transaction if unavailable)

Write the COBOL EVALUATE logic for each service call, including: success handling, timeout handling, connection failure handling, and the overall transaction decision logic when one or more services fail.

Exercise 14: Connection Pool Sizing

Your CICS AOR calls an external credit score API 2,000 times per second. The average call takes 15ms. Calculate:

  a) How many concurrent connections are in use at any moment (Little's Law)
  b) The MAXPERSIST you should set on the client URIMAP
  c) The impact on CICS MAXTASK (each external call holds a CICS task)
  d) The total number of MAXTASK slots consumed by external calls if the API degrades to 500ms response time

What operational response should be triggered when external call response time exceeds your baseline?

Exercise 15: Circuit Breaker Implementation

Design a circuit breaker for external service calls in COBOL. The circuit breaker should:

  • Track failure count in a CICS shared temporary storage queue
  • Open the circuit (stop making calls) after 5 consecutive failures
  • Allow a single "probe" request every 30 seconds to check if the service has recovered
  • Close the circuit (resume normal calls) after 3 successful probe requests

Write the COBOL pseudo-code for the circuit breaker logic, including the TS queue structure and the state transitions.
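
A reference model of the state transitions listed above, as an added example that is not part of the original exercise set. It is written in Python rather than COBOL so that a COBOL design can be checked against an executable trace. The record layout, the function names, and the rule that a failed probe restarts the probe count are assumptions; the exercise does not specify them.

```python
from dataclasses import dataclass

FAILURE_THRESHOLD = 5    # consecutive failures that open the circuit
PROBE_INTERVAL_S = 30    # at most one probe per interval while open
PROBE_SUCCESSES = 3      # successful probes required to close again


@dataclass
class BreakerRecord:
    """Hypothetical layout of the single item kept in the shared TS queue."""
    state: str = "CLOSED"   # "CLOSED" or "OPEN"
    failures: int = 0       # consecutive failures while closed
    probe_ok: int = 0       # consecutive successful probes while open
    last_probe: float = 0   # time the circuit opened or the last probe was admitted


def allow_call(rec, now):
    """Return True if this request may call the external service."""
    if rec.state == "CLOSED":
        return True
    if now - rec.last_probe >= PROBE_INTERVAL_S:
        # Claim the probe slot. In CICS the read and rewrite of the TS item
        # must be serialized so two tasks cannot both claim the same probe.
        rec.last_probe = now
        return True
    return False


def record_result(rec, ok, now):
    """Apply the outcome of a call that allow_call() admitted."""
    if rec.state == "CLOSED":
        rec.failures = 0 if ok else rec.failures + 1
        if rec.failures >= FAILURE_THRESHOLD:
            rec.state, rec.probe_ok, rec.last_probe = "OPEN", 0, now
    elif ok:
        rec.probe_ok += 1
        if rec.probe_ok >= PROBE_SUCCESSES:
            rec.state, rec.failures = "CLOSED", 0
    else:
        rec.probe_ok = 0    # assumption: a failed probe restarts the count


def replay(events):
    """Replay constructed (time, service_ok) pairs; return the decisions taken."""
    rec, out = BreakerRecord(), []
    for now, ok in events:
        called = allow_call(rec, now)
        if called:
            record_result(rec, ok, now)
        out.append((now, "CALLED" if called else "REJECTED", rec.state))
    return out
```

Rejected requests are where the fallback rules from Exercise 13 apply; the model only decides whether the call is attempted.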


Section 14.6 — JSON/XML Data Transformation

Exercise 16: Mapping-Level Comparison

Run DFHLS2JS (conceptually) against the following copybook at MAPPING-LEVEL 2.0 and 3.0. For each field, describe the JSON type and format produced at each level, and explain which level is more appropriate for a REST API consumed by a JavaScript frontend.

       01  LOAN-RECORD.
           05  LOAN-ID            PIC X(12).
           05  LOAN-AMOUNT        PIC S9(09)V99 COMP-3.
           05  LOAN-RATE          PIC S9(02)V9(04) COMP-3.
           05  LOAN-TERM-MONTHS   PIC S9(04) COMP.
           05  LOAN-STATUS        PIC X(01).
           05  LOAN-ORIG-DATE     PIC X(10).
           05  LOAN-PAYMENTS      PIC S9(04) COMP.

Exercise 17: Wrapper Copybook Design

An existing COBOL program uses this legacy copybook for its COMMAREA:

       01  LEGACY-COMMAREA.
           05  LC-FUNCTION-CODE   PIC X(02).
           05  LC-RETURN-CODE     PIC S9(04) COMP.
           05  LC-DATA REDEFINES LC-RETURN-CODE.
               10  LC-DATA-BYTES PIC X(02).
           05  LC-ACCT-NUM        PIC X(10).
           05  LC-FILLER          PIC X(200).
           05  LC-MSG-AREA        PIC X(80).

Design a wrapper copybook suitable for web service exposure and write the COBOL paragraph that maps between the wrapper and the legacy structure. Explain each design decision.


Section 14.7 — Performance and Security

Exercise 18: Performance Budget

You are designing a REST service for real-time balance inquiry with a 200ms end-to-end SLA (measured from API gateway to API gateway). Allocate a performance budget across these components:

Component                       Budget (ms)    Rationale
API gateway processing
Network (gateway → CICS)
CICS task attach
JSON request transformation
COBOL program execution
DB2 query (single row)
JSON response transformation
Network (CICS → gateway)
Total                           200ms

Identify which component has the most variance and describe how you would monitor it.

Exercise 19: Security Architecture Review

Review the following CICS web service security configuration and identify five security weaknesses:

CEDA DEFINE TCPIPSERVICE(HTTPWEB)
     PORTNUMBER(8080)
     PROTOCOL(HTTP)
     SSL(NO)
     AUTHENTICATE(NO)
     MAXPERSIST(9999)

CEDA DEFINE URIMAP(XFER)
     PATH(/api/transfer)
     PROGRAM(XFERP)
     TRANSACTION(CSMI)

For each weakness, describe the risk and the corrective action.

Exercise 20: Monitoring Dashboard Design

Design a monitoring dashboard for CICS web services. Specify:

  a) Five key metrics to display in real-time
  b) Three threshold-based alerts with specific trigger conditions
  c) The data source for each metric (SMF record type, CICS statistics, application log)
  d) How you would correlate a slow web service response with the underlying cause (DB2 query, external service call, JSON transformation)


Integration Exercises

Exercise 21: End-to-End Service Design

Design the complete web service infrastructure for a "Create Scheduled Payment" function. Deliver:

  a) The RESTful API contract (URI, method, request/response JSON)
  b) The COBOL request and response copybooks
  c) The DFHLS2JS JCL to generate the WSBIND
  d) The CEDA DEFINE statements for TCPIPSERVICE, URIMAP, PIPELINE, and WEBSERVICE
  e) The COBOL program outline (PROCEDURE DIVISION sections, not full code) showing: input validation, business logic call, external service call (fraud check), DB2 insert, and response construction
  f) The error handling matrix (COBOL return code → HTTP status → JSON error body)

Exercise 22: Migration Planning

You manage a CICS environment with 15 SOAP services that were deployed 8 years ago. The business wants to offer REST APIs for the same functions. Design a migration plan that:

  a) Prioritizes which services to migrate first (what criteria?)
  b) Supports both SOAP and REST during the transition (how?)
  c) Maintains backward compatibility for existing SOAP consumers
  d) Reuses existing COBOL programs without modification
  e) Includes a timeline with milestones and risk mitigation

Exercise 23: Capacity Planning

SecureFirst's mobile app currently drives 2,000 API calls per second to CICS. Growth projections show 40% annual increase for 3 years. Calculate:

  a) Projected API volume at years 1, 2, and 3
  b) The number of CICS tasks consumed at each volume (assuming 50ms average response time)
  c) The number of AORs needed at each volume (assuming MAXTASK=200 per AOR with 70% target utilization)
  d) The network bandwidth required (assuming 2KB average request and 5KB average response)
  e) The point at which you should consider z/OS Connect EE or CICS Liberty (what triggers the decision?)

Exercise 24: Security Penetration Test Plan

Design a security test plan for your CICS web services. For each test, specify: the attack vector, the expected CICS behavior, and how you verify the defense works.

  a) SQL injection via JSON string field
  b) Oversized JSON payload (10MB body)
  c) Malformed JSON
  d) Expired OAuth2 token
  e) Valid token but unauthorized account access
  f) Replay attack (duplicate transaction ID)
  g) Slowloris attack (slow HTTP body delivery)
  h) Path traversal in URI (e.g., /api/v1/accounts/../../admin)

Exercise 25: Troubleshooting Scenario

A production web service that has been running for 6 months suddenly starts returning HTTP 500 errors for 10% of requests. The other 90% succeed normally. The COBOL program has not been changed. The CICS region was recycled last weekend for maintenance.

Describe your diagnostic approach. What do you check first, second, third? What CICS commands, SMF records, and logs would you examine? List at least five possible root causes and the evidence that would confirm each one.