Chapter 14 Quiz
Instructions
Select the best answer for each question. Questions test understanding at the Apply/Analyze level of Bloom's taxonomy — you'll need to apply web service concepts to realistic scenarios and analyze architectural trade-offs, not merely recall definitions.
Question 1
SecureFirst chose service enablement over rewriting COBOL programs in Java primarily because:
A) Java cannot connect to DB2 on z/OS
B) The existing COBOL programs contained decades of battle-tested business logic that would be risky and expensive to replicate
C) CICS does not support Java programs
D) The mobile app requires COBOL specifically
Answer: B
Explanation: The core argument for service enablement is preserving existing, proven business logic. The COBOL account inquiry program at SecureFirst has 30 years of accumulated edge-case handling. Rewriting it in Java means reproducing that logic — including undocumented business rules — at enormous cost and risk. Service enablement wraps the existing program without modifying it. Java can access DB2 (Answer A is false), CICS supports Java via Liberty JVM server (Answer C is false), and the mobile app is agnostic to backend language (Answer D is irrelevant).
Question 2
In a CICS web service provider flow, what is the correct order of processing?
A) TCPIPSERVICE → PIPELINE → URIMAP → COBOL Program
B) URIMAP → TCPIPSERVICE → PIPELINE → COBOL Program
C) TCPIPSERVICE → URIMAP → PIPELINE → COBOL Program
D) PIPELINE → TCPIPSERVICE → URIMAP → COBOL Program
Answer: C
Explanation: The HTTP request first arrives at the TCPIPSERVICE (TCP/IP listener). CICS then matches the URI path against URIMAP definitions to determine which pipeline and program to use. The pipeline transforms the request data (JSON/XML to COBOL), and then the COBOL program is invoked. The TCPIPSERVICE is the entry point, the URIMAP is the router, the pipeline is the transformer, and the COBOL program is the processor.
Question 3
Why does the chapter recommend using a different CICS transaction for web service requests (AINQ) versus 3270 requests (INQY) to the same COBOL program?
A) CICS requires different transactions for different input sources
B) It enables separate WLM classification, RACF security profiles, and monitoring metrics for each channel
C) The COBOL program behaves differently depending on the transaction ID
D) URIMAP definitions cannot reference existing transaction IDs
Answer: B
Explanation: Using separate transactions provides operational control at three levels: (1) WLM can assign different service classes with different response-time goals, (2) RACF can enforce different security profiles for web versus 3270 access, and (3) monitoring tools can separate metrics by channel. The COBOL program itself runs identically regardless of transaction ID (Answer C is incorrect). CICS does not require different transactions (Answer A), and URIMAPs can reference any transaction (Answer D).
Question 4
A COBOL copybook contains REDEFINES to overlay different structures based on a type code. What is the impact on DFHLS2JS?
A) DFHLS2JS handles REDEFINES automatically by generating a JSON union type
B) DFHLS2JS generates a JSON schema for only the first REDEFINES alternative
C) DFHLS2JS cannot generate a single JSON schema for structures with REDEFINES; a wrapper copybook is needed
D) DFHLS2JS ignores REDEFINES and maps all fields independently
Answer: C
Explanation: REDEFINES is the most common source of DFHLS2JS failures. Since REDEFINES overlays different data layouts in the same storage, there is no single JSON representation that captures all alternatives. The solution is a wrapper copybook that presents a normalized structure without REDEFINES, with a thin wrapper program that maps between the normalized and legacy structures. At SecureFirst, approximately 30% of legacy copybooks required wrapper copybooks for this reason.
Question 5
What is the WSBIND file?
A) A source code file that defines the web service interface in a human-readable format
B) A compiled binary mapping between JSON/XML fields and COBOL data items, generated by the CICS assistants and used by the pipeline at runtime
C) A configuration file that specifies which COBOL programs are web-service-enabled
D) A log file that records web service request and response data for auditing
Answer: B
Explanation: The WSBIND file is the critical runtime artifact. Generated by DFHLS2JS, DFHJS2LS, DFHLS2WS, or DFHWS2LS, it contains precompiled mapping rules that the pipeline handler (DFHJSON or DFHPITP) uses to transform data between wire format and COBOL data structures. It is not human-editable — changes require regenerating from the source copybook or schema.
Question 6
A CICS web service program contains EXEC CICS WEB RECEIVE to parse the incoming HTTP request body. What design principle does this violate?
A) The principle of least privilege
B) The separation of concerns — business logic programs should not contain web-specific commands
C) The CICS pseudo-conversational design pattern
D) No principle is violated; this is the recommended approach
Answer: B
Explanation: The chapter's most important design principle: the COBOL business logic program must not contain web-specific commands. The pipeline handles protocol transformation; the COBOL program handles business logic. Mixing them creates coupling — the program becomes unusable for non-web channels and harder to maintain. If a program has EXEC CICS WEB RECEIVE, it's doing the pipeline's job.
Question 7
When should you use DFHJS2LS versus DFHLS2JS?
A) DFHJS2LS for new programs, DFHLS2JS for maintenance
B) DFHJS2LS when the JSON schema is the source of truth; DFHLS2JS when the COBOL copybook is the source of truth
C) DFHJS2LS for REST services, DFHLS2JS for SOAP services
D) They are interchangeable; use whichever you prefer
Answer: B
Explanation: The direction of generation depends on which artifact is the source of truth. If the distributed team designs the API contract first (JSON schema → COBOL), use DFHJS2LS. If you're exposing an existing COBOL program (COBOL copybook → JSON), use DFHLS2JS. SecureFirst used DFHLS2JS because their COBOL programs already existed.
Question 8
Your CICS TCPIPSERVICE has MAXPERSIST(100) but your API gateway maintains a pool of 150 persistent connections. What happens to the additional 50 connections?
A) They are silently dropped without notification
B) They queue in the TCP backlog and connect when a slot becomes available, or are rejected if the backlog is full
C) CICS automatically increases MAXPERSIST to accommodate them
D) The CICS region abends with a storage violation
Answer: B
Explanation: When all MAXPERSIST slots are in use, new connections queue in the TCP listen backlog (sized by the BACKLOG parameter). If the backlog is also full, z/OS TCP/IP rejects the connection with a TCP RST. The API gateway sees a connection failure and retries. This is why the chapter recommends sizing MAXPERSIST to 1.5x observed peak — it provides headroom for traffic spikes without wasting resources.
Question 9
An external credit score API that your COBOL program calls has a 3-second timeout. Under normal conditions, it responds in 15ms. The CICS AOR has MAXTASK=200. If the external API becomes completely unresponsive, how many CICS tasks will it consume before the timeout triggers?
A) 1 — only one task calls the external API at a time
B) The number depends on the transaction arrival rate multiplied by the timeout duration
C) 200 — all MAXTASK slots will be consumed immediately
D) 0 — CICS detects the unresponsive service and stops sending requests
Answer: B
Explanation: Each call to the external service holds a CICS task for the duration of the call. If the service is unresponsive, each task waits for the full 3-second timeout. If new requests arrive at 2,000 TPS and each holds a task for 3 seconds, you need 6,000 concurrent tasks — far exceeding MAXTASK=200. The AOR will hit MAXTASK and start queuing or rejecting new transactions. This is why aggressive timeouts and circuit breakers are essential for external service calls.
Question 10
What is the primary purpose of the PIPELINE resource in CICS web services?
A) To route HTTP requests to the correct CICS region
B) To define the data transformation steps applied to requests and responses
C) To manage TCP/IP connection pooling
D) To enforce security policies on web service traffic
Answer: B
Explanation: The pipeline defines the chain of handler programs that process requests and responses. For JSON services, the pipeline invokes DFHJSON for data transformation. For SOAP services, it invokes DFHPITP with the SOAP handler. The pipeline is the transformation engine — it takes wire format data and converts it to COBOL structures (and back). Routing is handled by URIMAP (A), connection pooling by TCPIPSERVICE (C), and security by RACF/TLS (D).
Question 11
Which MAPPING-LEVEL should you use for DFHLS2JS when generating JSON for consumption by modern JavaScript applications?
A) MAPPING-LEVEL=1.0 for maximum compatibility
B) MAPPING-LEVEL=2.0 for balanced type support
C) MAPPING-LEVEL=3.0 for proper decimal handling and trimmed strings
D) MAPPING-LEVEL does not affect JSON output
Answer: C
Explanation: MAPPING-LEVEL=3.0 provides the best JSON type fidelity for modern consumers. It maps COMP-3 decimals to JSON numbers (not strings), trims trailing spaces from PIC X fields, and handles signed numerics correctly. Level 1.0 and 2.0 produce less precise mappings that may require client-side conversion (e.g., parsing a string "000123.45" instead of receiving the number 123.45).
Question 12
SecureFirst's architecture places an API gateway between the mobile app and CICS. Which of the following is NOT a function the chapter attributes to the API gateway?
A) OAuth2 token validation
B) JSON-to-COBOL data transformation
C) Rate limiting
D) DDoS protection
Answer: B
Explanation: JSON-to-COBOL data transformation is performed by the CICS pipeline (DFHJSON handler), not the API gateway. The API gateway handles token validation (A), rate limiting (C), DDoS protection (D), request validation, and TLS termination — all before traffic reaches CICS. The transformation between JSON and COBOL data structures happens inside the CICS region using the WSBIND mapping.
Question 13
When should SOAP be preferred over REST for a new CICS web service?
A) When the service has complex business logic
B) When the service needs high performance
C) When external standards mandate WSDL contracts (e.g., ISO 20022, HL7, inter-bank clearing)
D) When the COBOL program uses COMMAREA
Answer: C
Explanation: SOAP is preferred when the integration is governed by an external standard that mandates WSDL contracts. Financial messaging (ISO 20022, SWIFT), healthcare (HL7), and many government interfaces require SOAP with specific WS-Security profiles. For all other cases — especially mobile/web APIs — REST with JSON is preferred due to simpler tooling, better performance, and wider ecosystem support. Business logic complexity (A), performance (B), and COMMAREA usage (D) are not factors in the SOAP vs. REST decision.
Question 14
A COBOL web service program validates input fields. The chapter recommends checking for SQL injection characters in string fields even though DB2 queries use parameterized SQL. Why?
A) Parameterized SQL does not protect against SQL injection
B) It is a defense-in-depth measure — multiple layers of protection in case one fails
C) CICS web services bypass DB2's parameterization
D) It is required by PCI-DSS compliance
Answer: B
Explanation: Defense in depth. Parameterized queries are the primary protection against SQL injection (and they work). The COBOL-level input validation is a secondary layer that catches malicious input before it reaches the query. If someone accidentally uses dynamic SQL (which they shouldn't, per Chapter 7), the input validation provides a safety net. It's the same principle as wearing a seatbelt AND having airbags.
Question 15
What is the architectural difference between CICS Liberty and z/OS Connect EE for exposing COBOL as REST services?
A) CICS Liberty runs inside a CICS region; z/OS Connect EE runs as a separate z/OS server
B) CICS Liberty supports only SOAP; z/OS Connect EE supports REST
C) They are different names for the same product
D) CICS Liberty requires COBOL changes; z/OS Connect EE does not
Answer: A
Explanation: CICS Liberty is an embedded JVM server within a CICS region — Java code runs alongside COBOL in the same region and calls COBOL via JCICS. z/OS Connect EE is a separate z/OS server that connects to CICS (and IMS, DB2, MQ) over the network. Both support REST/JSON (Answer B is wrong), they are distinct products (Answer C is wrong), and neither requires COBOL changes (Answer D is wrong). The choice depends on team skills (Liberty needs Java) and scale (z/OS Connect EE provides centralized API management).
Question 16
Your CICS web service returns a 50KB JSON response (500 transaction records). The JSON transformation takes 8.5ms. What is the recommended solution to reduce transformation overhead?
A) Increase CICS region DSA to give the transformer more memory
B) Paginate the response — return 25 records per page instead of 500
C) Switch from JSON to XML, which is faster for large payloads
D) Cache the WSBIND file in a VSAM dataset for faster access
Answer: B
Explanation: Pagination is the standard solution for large response payloads. Returning 25 records per page reduces the per-response payload to approximately 2.5KB, bringing transformation time down to under 1ms. The client makes multiple requests but each is fast. XML is actually 20-40% slower than JSON (Answer C is wrong). DSA sizing doesn't affect transformation speed (Answer A). WSBIND files are already cached in memory by CICS when the WEBSERVICE resource is installed (Answer D is unnecessary).
Question 17
In the CICS web service security architecture, identity propagation means:
A) The COBOL program sends the user's credentials to DB2 in a special header
B) The authenticated identity from the API gateway is mapped to a RACF user ID, and the COBOL program executes under that user ID with corresponding RACF permissions
C) CICS generates a temporary user ID for each web service request
D) The mobile app's IP address is used as the user identity
Answer: B
Explanation: Identity propagation maps the external identity (authenticated by the API gateway via OAuth2/JWT) to a RACF user ID. The CICS web service infrastructure performs this mapping, and the COBOL program runs under the mapped RACF ID. This means DB2 access, VSAM access, and transaction authorization are all governed by the mapped user's RACF permissions — the same security model used for 3270 users, but with a different authentication mechanism at the front door.
Question 18
You are choosing between three approaches for exposing CICS COBOL programs as REST APIs. Which correctly describes the evolution path recommended in the chapter?
A) z/OS Connect EE → CICS Liberty → CICS native pipelines (complex to simple)
B) CICS native pipelines → z/OS Connect EE → CICS Liberty (alphabetical)
C) CICS native pipelines → CICS Liberty → z/OS Connect EE (simple to enterprise-scale)
D) All three should be deployed simultaneously for redundancy
Answer: C
Explanation: The chapter recommends starting simple and graduating when the simpler approach becomes a bottleneck. CICS native pipelines (TCPIPSERVICE + URIMAP + pipeline) for the first few services. CICS Liberty when you have Java skills and need more sophisticated HTTP handling. z/OS Connect EE when you have dozens or hundreds of services and need centralized API management, versioning, analytics, and rate limiting.
Question 19
An EXEC CICS WEB OPEN using a client URIMAP with SOCKETCLOSE(00,05,00) takes 85ms for a new connection but only 15ms for a reused connection. This 70ms difference is primarily due to:
A) DNS resolution for the external hostname
B) TCP handshake and TLS negotiation overhead eliminated by connection reuse (HTTP keep-alive)
C) CICS region initialization overhead for new outbound connections
D) RACF authentication of the outbound connection
Answer: B
Explanation: Connection reuse (HTTP keep-alive) eliminates the TCP three-way handshake and TLS negotiation that occur on every new connection. A TCP handshake takes one round-trip to the server. TLS 1.2 negotiation takes two additional round-trips, plus the CPU cost of key exchange and certificate validation. For an external API with 30ms network latency, that's 90ms+ of overhead — consistent with the 70ms difference observed. The SOCKETCLOSE parameter keeps idle connections open for 5 minutes, allowing subsequent requests to skip this overhead.
Question 20
Your bank is required to demonstrate to auditors that all web service requests are logged with: timestamp, user ID, operation, account accessed, response code, and response time. Which combination of data sources provides this information?
A) CICS SMF 110 records alone
B) CICS SMF 110 records for response time and response code, plus application-level audit logging (CICS journal or DB2 audit table) for user ID, operation, and account accessed
C) z/OS syslog records
D) API gateway logs alone
Answer: B
Explanation: No single data source captures everything. SMF 110 subtype 2 records provide: URI, HTTP method, HTTP status code, response time, bytes transferred, and client IP. However, they don't capture business-level information like the specific account accessed or the mapped user ID at the application level. Application-level audit logging in the COBOL program captures the business context: which user, which account, what operation, and the business-level result. Together, they provide a complete audit trail. API gateway logs (D) miss the internal CICS processing detail. Syslog (C) doesn't capture web service specifics.