The API gateway presents a client certificate to CICS. CICS validates it against the RACF keyring. This ensures only the authorized API gateway can connect to CICS.
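A sketch of the RACF and CICS definitions behind this check, added here as an illustration and not taken from the original page. Every name in it (the user IDs CICSRGN and APIGWUSR, the ring CICSRING, the labels, data set names, resource names and port) is a hypothetical placeholder. It assumes the gateway's certificate is issued by a CA dedicated to the gateway and that CICS should map the certificate to a RACF user ID.

```text
/* RACF (TSO commands), hypothetical names throughout               */

/* Register the CA that issued the gateway certificate as trusted.  */
RACDCERT CERTAUTH ADD('SECADM.APIGW.CACERT') +
         WITHLABEL('APIGW Issuing CA') TRUST

/* Key ring owned by the CICS region user ID. Connect only the CA   */
/* that issues the gateway certificate: any certificate chaining to */
/* a CA on this ring passes the TLS handshake.                      */
RACDCERT ID(CICSRGN) ADDRING(CICSRING)
RACDCERT ID(CICSRGN) CONNECT(CERTAUTH LABEL('APIGW Issuing CA') +
         RING(CICSRING) USAGE(CERTAUTH))

/* Register the gateway's own certificate to a dedicated user ID,   */
/* so the certificate identifies one RACF user, not just a valid    */
/* chain.                                                           */
RACDCERT ID(APIGWUSR) ADD('SECADM.APIGW.CLICERT') +
         WITHLABEL('APIGW Client') TRUST

SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

* CICS system initialization parameter: the ring CICS validates against
KEYRING=CICSRING

* CICS resource definition (DFHCSDUP input), hypothetical names
* SSL(CLIENTAUTH) makes CICS request the client certificate.
* AUTHENTICATE(CERTIFICATE) requires that certificate to be registered
* to a RACF user ID; a certificate with no user ID is rejected.
DEFINE TCPIPSERVICE(APIGWTLS) GROUP(APIGWGRP)
       PORTNUMBER(8443) PROTOCOL(HTTP)
       SSL(CLIENTAUTH) AUTHENTICATE(CERTIFICATE)
```

Chain validation against the ring only proves the certificate came from a connected CA; the restriction to the gateway comes from keeping that CA dedicated to it and from the certificate-to-user-ID mapping.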