Apply Enhanced Security

Apply Passticket Support

Use passtickets to implement enhanced security. A passticket is a one-time password generated on the primary node and passed to the secondary node within 10 minutes, where it is validated before further processing is performed. Connect:Direct® passticket support is implemented by the user as a user exit called from the Connect:Direct session manager during Process execution. To enable the security exit, specify the name or path name of the security exit DLL in the value of the security.exit parameter.

See Changing Connect:Direct for Microsoft Windows Settings in the IBM® Connect:Direct for Microsoft Windows System Guide or IBM Connect:Direct for Microsoft Windows Help for a description of the security.exit parameter. If the DLL is not in the search path of the server, then you must specify the fully qualified file name of the DLL.

The user's security exit must contain the GeneratePassticket() and ValidatePassticket() functions. The parameters for these functions are defined in the userexit.h header file. The userexit.h header file is in the Connect:Direct samples directory. If the security exit cannot be found or loaded, or if the addresses of the two required functions cannot be resolved successfully, an error message is generated and Process execution terminates.

  • The passticket is only valid for 10 minutes after it is generated. As a result, the system clocks on the two nodes should be synchronized.
  • When generating passtickets, Connect:Direct for Microsoft Windows fills in the GENMSG_T structure fields and passes the structure to the security exit. The security exit should generate the passticket, fill in the GENMSG_REPLY_T structure fields, and return an appropriate return code to Connect:Direct.
  • When validating a passticket, Connect:Direct for Microsoft Windows fills in the VALMSG_T structure fields and passes the structure to the security exit. The security exit validates the passticket, fills in the VALMSG_REPLY_T structure fields, and returns an appropriate return code to Connect:Direct. If the passticket is successfully validated, Connect:Direct for Microsoft Windows continues as if the Process is using a remote user proxy. A proxy must be defined on the remote node for the effective ID being used on the SNODE for the Process.

Security Exit Structure

Following is a list of the security exit structures:

  • GENMSG_T—Sends a message to the local node to allow the security exit to determine the user ID and security token (passticket) to use for remote node authentication. The GENMSG_T contains:
    • Submitter ID
    • Local node ID and password
    • Remote node ID and password
    • Local node name
    • Remote node name
  • GENMSG_REPLY_T—The user exit GeneratePassticket() function fills the GENMSG_REPLY_T structure. The GENMSG_REPLY_T contains:
    • Status value of GOOD_RC (0) for success, or ERROR_RC (8) for failure.
    • Status text message. If the status value is failure, then status text message is included in the error message.
    • ID to be used for security context on the remote node.
    • Passticket to use in conjunction with the ID for security on the remote node.
  • VALMSG_T—The message sent to the remote node to allow the security exit to validate the user ID and passticket. The VALMSG_T contains:
    • Submitter ID
    • Local node ID and password
    • Remote node ID and password
    • Local node name
    • Remote node name
    • ID to be used for security checking from the local node
    • Passticket generated on the local node
  • VALMSG_REPLY_T—The user exit ValidatePassticket() function fills the VALMSG_REPLY_T structure. The VALMSG_REPLY_T contains:
    • GOOD_RC (0) if the reply was a success or ERROR_RC (8) for failure.
    • Status text message. If the status value is failure, the status text message is included in the error message.
    • ID to be used for the security context on the remote node side. This value may or may not be the same ID as in the generate message.
    • Passticket to use in conjunction with ID for security on the remote node.
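The following C sketch is an added illustration of the generate/validate exchange and the structures listed above; it is not IBM's sample code, and the struct types and field names it uses are assumed stand-ins for the real definitions in userexit.h. It binds the passticket to the ID and the issue time, enforces the 10-minute validity window on the validating node, and returns GOOD_RC/ERROR_RC with a status text the way the exit is expected to. The shared secret is a constructed placeholder, and the keyed tag is a portability stand-in for a real keyed MAC.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define GOOD_RC  0
#define ERROR_RC 8
#define TICKET_TTL_SECS (10 * 60)   /* a passticket is valid for 10 minutes */

/* Assumed stand-ins for the userexit.h types; the real field names are in that header. */
typedef struct { const char *submitter_id; }                                         gen_msg_t;
typedef struct { int status; char status_text[64]; char id[32]; char passticket[48]; } gen_reply_t;
typedef struct { const char *id; const char *passticket; }                           val_msg_t;
typedef struct { int status; char status_text[64]; }                                 val_reply_t;
/* Constructed placeholder; a real exit loads the secret from protected storage on both nodes. */
static const char SHARED_SECRET[] = "placeholder-shared-secret";

/* Keyed tag over (secret, id, issue time). FNV-style mixing is a portability
 * placeholder only: a production exit must use a real keyed MAC such as HMAC-SHA256. */
static uint64_t ticket_tag(const char *id, uint64_t issued) {
    uint64_t h = 1469598103934665603ULL;
    const char *p; int i;
    for (p = SHARED_SECRET; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (p = id; *p; p++)            { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (i = 0; i < 8; i++)          { h ^= (issued >> (8 * i)) & 0xff; h *= 1099511628211ULL; }
    return h;
}

/* PNODE side: bind the ticket to the ID and the issue time, formatted "<time>-<tag>". */
int generate_passticket(const gen_msg_t *in, gen_reply_t *out, time_t now) {
    snprintf(out->id, sizeof out->id, "%s", in->submitter_id);
    snprintf(out->passticket, sizeof out->passticket, "%llu-%016llx",
             (unsigned long long)now, (unsigned long long)ticket_tag(out->id, (uint64_t)now));
    out->status = GOOD_RC;
    snprintf(out->status_text, sizeof out->status_text, "passticket generated");
    return out->status;
}

/* SNODE side: reject malformed, stale, or mismatched tickets before any proxy is used. */
int validate_passticket(const val_msg_t *in, val_reply_t *out, time_t now) {
    unsigned long long issued, got;
    const char *reason = NULL;
    if (sscanf(in->passticket, "%llu-%llx", &issued, &got) != 2)
        reason = "malformed passticket";
    else if ((unsigned long long)now < issued || (unsigned long long)now - issued > TICKET_TTL_SECS)
        reason = "passticket expired or node clocks out of sync";
    else if ((ticket_tag(in->id, issued) ^ got) != 0)   /* single-word compare, no early exit */
        reason = "passticket does not match ID";
    out->status = reason ? ERROR_RC : GOOD_RC;
    snprintf(out->status_text, sizeof out->status_text, "%s", reason ? reason : "passticket valid");
    return out->status;
}
```

The status text is what the page says ends up in the error message on failure, so keeping the reason specific (expired versus mismatched) makes clock-skew problems between the two nodes easy to tell apart from a bad ticket.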

Security Exit Sample Code

The following header file and sample code files for passticket implementation are copied to X:\installation directory\Server\samples during the installation. You can use them as examples to follow in implementing your real-life security exit.
  • userexit.h—Contains defined constants used for passtickets, the structures that are passed to the passticket functions, and the function prototypes.
  • usersamp_skel.c—Consists of the GeneratePassticket() and ValidatePassticket() functions. The GeneratePassticket() function replies with a hard-coded ticket, fills in the structure, and returns a valid return code. It demonstrates what should be input and output by the exit. The ValidatePassticket() function returns a good return code indicating that the passticket passed in is valid. There is no real checking done in this routine.
  • userexit_samp.c—Demonstrates a sample implementation of passticket support. It works if the same exit is on both sides. The GeneratePassticket() and ValidatePassticket() functions call the Passtk() function which performs the actual generation, or validation of the passticket.

The sample user exit can be compiled and linked into a DLL using Microsoft Visual C++. The userexit_samp.sln and userexit_skel.sln files can be found in the same samples directory where userexit_samp.c and userexit_skel.c are found. The exit was tested using Microsoft Visual Studio 2008.