IMS TM resource adapter security
The Java™ EE Connector Architecture (JCA) specifies that the application server and the enterprise information system (EIS) must collaborate to ensure that only authenticated users are able to access an EIS.
The JCA security architecture extends the end-to-end security model for Java EE-based applications to include integration with EISs. The IMS™ TM resource adapter follows the Java EE Connector Architecture security architecture, and works with the WebSphere® Application Server Java 2 Security Manager.
EIS signon
The JCA security architecture supports the user ID and password authentication mechanism that is specific to an EIS. The user ID and password that are used to sign on to the target EIS are supplied either by the application component (component-managed signon) or by the application server (container-managed signon).
For the IMS TM resource adapter, IMS is the target EIS. The security information provided by the application component or the application server is passed to the IMS TM resource adapter. The IMS TM resource adapter then passes it to IMS Connect. IMS Connect uses this information to perform user authentication, and passes that information to IMS OTMA. IMS OTMA can then use this information to verify authorization to access certain IMS resources.
- For WebSphere Application Server on distributed platforms or z/OS® with TCP/IP, using either component-managed signon or container-managed signon:
- If RACF®=Y is set in the IMS Connect configuration member, or if the IMS Connect command SETRACF ON has been issued, IMS Connect calls the SAF to perform authentication using the user ID and password that are passed by the IMS TM resource adapter in the OTMA message. If authentication succeeds, the user ID, optional group name, and UTOKEN returned from the IMS Connect call to the SAF are passed to IMS OTMA for verifying authorization to access IMS resources.
- If RACF=N is set in the IMS Connect configuration member, or if the IMS Connect command SETRACF OFF has been issued, IMS Connect does not call the SAF. However, the user ID and group name, if specified, are passed to IMS OTMA for authorization to access IMS resources.
- For WebSphere Application Server for z/OS that uses Local Option and container-managed EIS signon, user authentication is performed only by the application server. User authentication is not performed in IMS Connect, regardless of the RACF setting in the IMS Connect configuration member or the result of a SETRACF command. WebSphere Application Server for z/OS calls RACF, then passes the user token that represents the user identity to the IMS TM resource adapter. The IMS TM resource adapter then passes the user token to IMS Connect. When IMS Connect sees the user token, it does not call the SAF, because authentication has already been performed by WebSphere Application Server for z/OS. IMS Connect passes the user token to IMS OTMA to verify authorization to access IMS resources.
- You can provide the user identity to the application server in two ways:
- The user ID and password can be provided in a Java Authentication and Authorization Service (JAAS) alias. The JAAS alias is associated with either the connection factory that is used by the application that accesses IMS or, depending on the version of WebSphere Application Server, with the EJB resource reference that is used by the application. The application server creates and passes the user token that represents the user identity in the alias to the IMS TM resource adapter.
- WebSphere Application Server for z/OS can be configured to obtain the user identity that is associated with the thread of execution of the application. The application server creates and passes the user token that represents this user identity to the IMS TM resource adapter.
The level of authorization checking that IMS completes is controlled by the IMS command, /SECURE OTMA.
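The two signon styles described above, as an added example that is not part of this page or the product's own documentation code. It assumes the adapter's CCI connection spec class com.ibm.connector2.ims.ico.IMSConnectionSpec with its setUserName, setPassword and setGroupName setters, and a placeholder JNDI name for the connection factory.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.resource.ResourceException;
import javax.resource.cci.Connection;
import javax.resource.cci.ConnectionFactory;

import com.ibm.connector2.ims.ico.IMSConnectionSpec;

public class ImsSignonExample {

    // Placeholder JNDI name; it must match the connection factory that is
    // defined in WebSphere Application Server for this application.
    private static final String CF_JNDI_NAME = "java:comp/env/eis/IMSConnectionFactory";

    /**
     * Component-managed signon: the application itself supplies the user ID,
     * password and optional group name on the ConnectionSpec. With RACF=Y in
     * IMS Connect these are authenticated by the SAF; with RACF=N IMS Connect
     * does not call the SAF and the user ID and group name go to OTMA as-is,
     * so the application must protect the credential it holds.
     */
    public static Connection openComponentManaged(ConnectionFactory cf,
            String userId, String password, String groupName) throws ResourceException {
        IMSConnectionSpec spec = new IMSConnectionSpec();
        spec.setUserName(userId);
        spec.setPassword(password);
        if (groupName != null) {
            spec.setGroupName(groupName);   // optional group name passed to OTMA
        }
        return cf.getConnection(spec);
    }

    /**
     * Container-managed signon: no credential appears in application code.
     * The application server takes the user ID and password from the JAAS
     * alias bound to the connection factory (or EJB resource reference), or
     * the identity of the executing thread, and passes it to the adapter.
     */
    public static Connection openContainerManaged(ConnectionFactory cf) throws ResourceException {
        return cf.getConnection();
    }

    public static ConnectionFactory lookupFactory() throws NamingException {
        InitialContext ctx = new InitialContext();
        try {
            return (ConnectionFactory) ctx.lookup(CF_JNDI_NAME);
        } finally {
            ctx.close();
        }
    }
}
```

Which of the two methods an application should use is a deployment decision: container-managed signon keeps credentials out of application code and lets the administrator rotate them in the JAAS alias.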
Secure Sockets Layer (SSL) Communications
The IMS TM resource adapter and IMS Connect, if properly configured, are able to use the TCP/IP SSL protocol to secure the communications between them.
SSL connections are more secure than non-SSL TCP/IP connections, and provide authentication for the IMS Connect server and, optionally, for the IMS TM resource adapter client. Messages that flow on SSL connections might also be encrypted.
SSL with null encryption provides an intermediate level of security in which the authentication occurs but the messages are not encrypted. Non-encrypted SSL communications offer higher throughput because of the elimination of the overhead that is required to encrypt each message that flows between the IMS TM resource adapter and IMS Connect.