Configuring identity propagation on IBM WebSphere Application Server

Edit online

Configuration is required on IBM® WebSphere® Application Server to enable identity propagation.

Setting up the identity propagation login module

IBM WebSphere Application Server must be configured to specify a user registry to enable user ID and password verification for applications. Any registry supported by IBM WebSphere Application Server is supported by CICS® Transaction Gateway. Examples of the registries supported by IBM WebSphere Application Server are:
  • IBM Tivoli® Directory Server (ITDS)
  • Microsoft Active Directory
  • SunOS Directory
  • Novel Directory Service

For more information about supported registries, see the IBM WebSphere Application Server documentation.

All JEE applications that call the CICS Transaction Gateway ECI resource adapter must be configured for container-managed security.

CICS Transaction Gateway includes a JAAS (Java™ Authentication and Authorization Service) login module in the ECI resource adapter RAR (cicseci.rar). You must install the login module into IBM WebSphere Application Server to enable identity propagation. Install the login module by creating a new JAAS Application Login alias that refers to the fully qualified name of the login module: com.ibm.ctg.security.idprop.LoginModule

One of the following must be configured to use the CICS Transaction Gateway identity propagation login module:
  • The JEE application must be configured to use a custom login configuration that refers to the CICS Transaction Gateway identity propagation login module. This is accessed via the connection factory resource references on the application's configuration panel.
  • The connection factory that is used by the application must have a mapping configuration alias that refers to the CICS Transaction Gateway identity propagation login module. This is accessed by the connection factory's configuration panel.

For more information about configuring IBM WebSphere Application Server, see the IBM WebSphere Application Server documentation.

Specifying the authentication information to propagate

If identity propagation has been configured and activated, the identity information that can be propagated with a request can be either the identity of the user who invoked the application, or the identity under which the application programmer has configured the application to run.
  • The identity of the user who invoked the application is known as the caller or received identity.
  • The identity under which the application programmer has configured the application to run is known as the run as or invocation identity.
To specify the identity to propagate to CICS, you set the propIdentity custom property on the CICS Transaction Gateway identity propagation login module. You do this from the IBM WebSphere Application Server admin console by setting one of the following name-value pairs:
propIdentity=Caller
or
propIdentity=RunAs
For example, if you want the run as identity to be propagated to CICS, do this:
  1. From the IBM WebSphere administrative console; click Security > Global security, expand Java Authentication and Authorization Service and select Application logins. In the new window, click New.
  2. Enter CTG_idprop as the Alias.
  3. Click New under JAAS login modules.
  4. Enter com.ibm.ctg.security.idprop.LoginModule as the Module class name.
  5. Clear the Use login module proxy check box.
  6. Select REQUIRED from the Authentication strategy drop-down list.
  7. Under Custom properties create an entry with Name as propIdentity and Value as RunAs.
  8. Click OK.

If you do not specify a setting or if you specify an invalid key or value, the system propagates the run as identity by default for application users. The propIdentity key, and the values RunAs and Caller are not case sensitive.