IMS TM resource adapter security
The Java™ EE Connector Architecture (JCA) specifies that the application server and the Enterprise Information System (EIS) must collaborate to ensure that only authenticated users are able to access the EIS.
The JCA security architecture extends the end-to-end security model for Java EE-based applications to include integration with EISs. The IMS TM resource adapter follows the Java EE Connector Architecture security architecture, and works with the WebSphere® Application Server Java 2 Security Manager.
EIS signon
The JCA security architecture supports the user ID and password authentication mechanism that is specific to an EIS. The user ID and password that are used to sign on to the target EIS are supplied either by the application component (component-managed signon) or by the application server (container-managed signon).
For the IMS TM resource adapter, IMS is the target EIS. The security information provided by the application component or the application server is passed to the IMS TM resource adapter. IMS TM resource adapter then passes it to IMS Connect. IMS Connect uses this information to perform user authentication, and passes that information to IMS OTMA. IMS OTMA can then use this information to verify authorization to access certain IMS resources.
- For WebSphere Application Server on distributed platforms or z/OS® with TCP/IP, using either component-managed signon or container-managed signon:
- If RACF®=Y is set in the IMS Connect configuration member, or if the IMS Connect command SETRACF ON has been issued, IMS Connect calls the SAF to perform authentication using the user ID and password that are passed by the IMS TM resource adapter in the OTMA message. If authentication succeeds, the user ID, optional group name, and UTOKEN returned from the IMS Connect call to the SAF are passed to IMS OTMA for verifying authorization to access IMS resources.
- If RACF=N is set in the IMS Connect configuration member, or if the IMS Connect command SETRACF OFF has been issued, IMS Connect does not call the SAF. However, the user ID and group name, if specified, are passed to IMS OTMA for authorization to access IMS resources.
- You can provide the user identity to the application server in two ways:
- The user ID and password can be provided in a Java Authentication and Authorization Service (JAAS) alias. The JAAS alias is associated with either the connection factory that is used by the application that accesses IMS or, depending on the version of WebSphere Application Server, with the EJB resource reference that is used by the application. The application server creates and passes the user token that represents the user identity in the alias to the IMS TM resource adapter.
- WebSphere Application Server for z/OS can be configured to obtain the user identity that is associated with the thread of execution of the application. You have the option to synchronize a Java thread identity or an operating system thread identity (SyncToOSThread), in which user authentication is performed by the application server. The application server creates and passes the user token that represents this user identity to the IMS TM resource adapter. The IMS TM resource adapter then passes the user token to IMS Connect for authentication. To bypass authentication, modify the HWSJAVA0 exit with the trusted users. IMS Connect then passes the user token to IMS OTMA to verify authorization to access IMS resources.
The level of authorization checking that IMS completes is controlled by the IMS command, /SECURE OTMA.
Distributed network security credentials
You can configure WebSphere Application Server or WebSphere Liberty to enable IMS TM resource adapter to pass between Java EE applications and IMS the network security credentials that are entered in a Java EE application. The network security credentials can include a network session ID and a network user ID. When a Java EE application accesses IMS transactions, the distributed network security credentials are propagated by the IMS TM resource adapter to IMS Connect, which then passes the credentials to IMS.
To enable IMS TM resource adapter to pass network security credentials from a Java EE application to IMS, you must configure and link to your application the Java Authentication and Authorization Service (JAAS) login module that is provided with IMS TM resource adapter. After you link your application to the JAAS login module, users must enter their security credentials when they invoke an IMS transaction for authentication by an external user account registry. The external user account registry can be any user account registry that is supported by WebSphere Application Server or WebSphere Liberty such as an LDAP server. After the credentials are successfully authenticated, IMS TM resource adapter sends the distributed credentials to IMS Connect by using the security-data section of the OTMA message prefix.
You can also enable IMS TM resource adapter to support network security credentials when IMS applications that run in IMS dependent regions make synchronous or asynchronous callout requests to external Java EE applications.
The network session ID that is extracted by the IMS TM resource adapter is, by default, the IP address and port of the authentication server that is used. The maximum length for a network session ID is 254 bytes.
The network user ID that is extracted by the IMS TM resource adapter is one of the distinguished names that are defined in the authentication server. The maximum length for a network user ID is 246 bytes.
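The following is an added example, not the JAAS login module that ships with IMS TM resource adapter, showing the shape of a login module that collects a user ID and password through JAAS callbacks, authenticates them against an external registry, and derives the two fields described above: a network session ID (host and port of the authentication server) and a network user ID (the user's distinguished name). The in-memory registry, the class name NetworkCredentialLoginModule, the option name authServer, and the principal type are all assumptions standing in for an LDAP registry and the adapter's own types; the 254-byte and 246-byte limits are the ones stated on this page and are enforced before the values are placed in the Subject.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical login module (not the module provided with IMS TM resource adapter). */
public class NetworkCredentialLoginModule implements LoginModule {
    // Length limits for the OTMA security-data section, as documented above.
    static final int MAX_SESSION_ID_BYTES = 254;
    static final int MAX_USER_ID_BYTES = 246;

    // Constructed stand-in for an external registry such as LDAP: user -> {password, DN}.
    private static final Map<String, String[]> REGISTRY = new HashMap<>();
    static {
        REGISTRY.put("alice", new String[] {"s3cret", "uid=alice,ou=people,dc=example,dc=com"});
    }

    private Subject subject;
    private CallbackHandler handler;
    private String authServer;      // host:port of the registry; becomes the network session ID
    private String networkUserId;   // distinguished name returned by the registry
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        Object server = options.get("authServer");  // assumed option name
        this.authServer = server == null ? "ldap.example.com:636" : server.toString();
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        String[] entry = REGISTRY.get(nc.getName());
        char[] pw = pc.getPassword();
        pc.clearPassword();
        boolean ok = entry != null && pw != null && entry[0].equals(new String(pw));
        if (pw != null) Arrays.fill(pw, '\0');  // do not keep the cleartext password around
        if (!ok) throw new LoginException("authentication failed");
        // Reject values that would not fit the OTMA security-data section.
        checkLength("network session ID", authServer, MAX_SESSION_ID_BYTES);
        checkLength("network user ID", entry[1], MAX_USER_ID_BYTES);
        networkUserId = entry[1];
        succeeded = true;
        return true;
    }

    static void checkLength(String what, String value, int max) throws LoginException {
        int len = value.getBytes(StandardCharsets.UTF_8).length;
        if (len > max) throw new LoginException(what + " is " + len + " bytes, limit is " + max);
    }

    /** Principal carrying one of the two distributed credential fields. */
    public static final class NetworkPrincipal implements Principal {
        private final String kind, value;
        NetworkPrincipal(String kind, String value) { this.kind = kind; this.value = value; }
        @Override public String getName() { return kind + "=" + value; }
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new NetworkPrincipal("networkSessionId", authServer));
        subject.getPrincipals().add(new NetworkPrincipal("networkUserId", networkUserId));
        return true;
    }

    @Override public boolean abort() { succeeded = false; networkUserId = null; return true; }
    @Override public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof NetworkPrincipal);
        return true;
    }

    // Stand-alone demonstration with a constructed callback handler.
    public static void main(String[] args) throws Exception {
        Subject s = new Subject();
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
            }
        };
        NetworkCredentialLoginModule m = new NetworkCredentialLoginModule();
        m.initialize(s, h, new HashMap<>(), new HashMap<>());
        if (m.login()) m.commit();
        s.getPrincipals().forEach(p -> System.out.println(p.getName()));
    }
}
```

In a real deployment the registry lookup would be an LDAP bind against the server named in authServer, and the principals placed in the Subject are what the resource adapter would read when it fills the security-data section of the OTMA message prefix; the length checks are worth keeping in front of that step, because a distinguished name longer than 246 bytes cannot be carried to IMS intact.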
Secure Sockets Layer (SSL) Communications
IMS TM resource adapter and IMS Connect, if properly configured, can use the TCP/IP SSL protocol to secure the communications between them.
SSL connections are more secure than non-SSL TCP/IP connections, and provide authentication for the IMS Connect server and, optionally, for the IMS TM resource adapter client. Messages that flow on SSL connections might also be encrypted.
SSL with null encryption provides an intermediate level of security in which the authentication occurs but the messages are not encrypted. Non-encrypted SSL communications offer higher throughput because of the elimination of the overhead that is required to encrypt each message that flows between the IMS TM resource adapter and IMS Connect.