Distributed network security credential support and OTMA

OTMA supports security credentials that are entered by a user in a distributed environment. After distributed network security credentials are passed to OTMA, the credentials are included in IMS log records that contain information about the message prefix.

The distributed network security credentials can include a network user ID and a network session ID.

Network user ID
    The distributed identity of the user. The maximum length of a network user ID is 246 bytes. For users of the IMS TM Resource Adapter, the network user ID is a Distinguished Name (DN) in the X.500 series of standards.

Network session ID
    The session identity of the distributed user. The maximum length of a network session ID is 254 bytes. For users of the IMS TM Resource Adapter, the network session ID is a domain name, realm, or registry name.
Network security credentials can be passed to IMS from applications in a distributed environment that use one of the following user message exits:
  • HWSSMPL0
  • HWSSMPL1
  • HWSJAVA0
Restriction: Distributed network security credentials from DataPower®, IMS Connect API, and SOAP Gateway clients are not supported by IMS Connect.

To enable network security credentials to be passed from user-written applications that use the HWSSMPL0 or the HWSSMPL1 user message exit, you must define IRM extensions, which are used to pass the network security credentials that are entered by a user to IMS Connect. An IRM extension with an ID of *NETUID* is used to pass a network user ID and an IRM extension with an ID of *NETSID* is used to pass a network session ID. After the network security credentials are passed to IMS Connect, the HWSSMPL0 and HWSSMPL1 user message exit routines use the network security credentials that are in the IRM extensions to build the OTMA message prefix. The security credentials are included in the security-data section of the OTMA message prefix.
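The following is an added illustration, not IBM code and not part of this documentation, of how a client that uses HWSSMPL0 or HWSSMPL1 could build and check the two IRM extensions described above. The extension IDs *NETUID* and *NETSID* and the 246-byte and 254-byte limits come from this page; the on-the-wire field layout used here (a 2-byte big-endian length that covers the whole extension, an 8-byte EBCDIC ID, then the credential data) is an assumption made for the example, as is the use of the cp037 EBCDIC code page. Check the actual IRM extension layout in the IMS Connect documentation before using anything like this.

```python
# Added example (not IBM code): build and validate IRM extensions that carry
# distributed network security credentials to IMS Connect (HWSSMPL0/HWSSMPL1).
# Documented on the page: IDs *NETUID* / *NETSID*, limits 246 / 254 bytes.
# ASSUMED for illustration: 2-byte big-endian total length + 8-byte EBCDIC ID
# header, and cp037 as the EBCDIC code page.
import struct

EBCDIC = "cp037"                                            # assumption
EXT_IDS = {"netuid": "*NETUID*", "netsid": "*NETSID*"}      # documented IDs
MAX_LEN = {"netuid": 246, "netsid": 254}                    # documented byte limits
HDR = struct.Struct(">H8s")                                 # assumed header layout


def credentials_within_limits(netuid, netsid):
    """True if both credentials are non-empty and fit the documented limits
    once encoded; the limits are in bytes, so check the encoded length."""
    return (0 < len(netuid.encode(EBCDIC)) <= MAX_LEN["netuid"]
            and 0 < len(netsid.encode(EBCDIC)) <= MAX_LEN["netsid"])


def build_irm_extension(kind, value):
    """Encode one extension ('netuid' or 'netsid') as bytes.

    Raises ValueError when the credential is empty or exceeds its limit, so an
    oversized value is rejected at the client instead of being silently cut.
    """
    data = value.encode(EBCDIC)
    if not 0 < len(data) <= MAX_LEN[kind]:
        raise ValueError(
            f"{EXT_IDS[kind]} must be 1..{MAX_LEN[kind]} bytes, got {len(data)}")
    total = HDR.size + len(data)            # assumed: length covers the whole extension
    return HDR.pack(total, EXT_IDS[kind].encode(EBCDIC)) + data


def build_credential_extensions(netuid, netsid):
    """Build both extensions, network user ID first, then network session ID."""
    return (build_irm_extension("netuid", netuid)
            + build_irm_extension("netsid", netsid))


def parse_irm_extensions(buf):
    """Walk a buffer of extensions and return {extension_id: decoded_value}.

    Length fields are checked against the buffer before any slice is taken, so
    a truncated or inconsistent extension raises instead of reading past the end.
    """
    out, pos = {}, 0
    while pos < len(buf):
        if len(buf) - pos < HDR.size:
            raise ValueError("truncated extension header")
        total, ext_id = HDR.unpack_from(buf, pos)
        if total < HDR.size or pos + total > len(buf):
            raise ValueError(f"bad extension length {total} at offset {pos}")
        data = buf[pos + HDR.size:pos + total]
        out[ext_id.decode(EBCDIC)] = data.decode(EBCDIC)
        pos += total
    return out


if __name__ == "__main__":
    # Constructed sample credentials: an X.500-style DN and a realm name.
    ext = build_credential_extensions("CN=alice,O=example", "example.com")
    print(len(ext), "bytes:", parse_irm_extensions(ext))
```

Because the limits on this page are expressed in bytes, the length check is done on the encoded data rather than on the character count; a DN containing characters that expand under the target code page would otherwise pass a character-based check and then be rejected or truncated downstream.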

When a user enters network security credentials to an application that uses the HWSJAVA0 user message exit, the credentials are passed from the application to IMS TM resource adapter, which then includes the credentials in the security-data section of the OTMA message prefix.

Because distributed network security credentials are passed to IMS in the security-data section of the OTMA message prefix, all IMS log records that contain information about the message prefix, such as log records X'01' and X'03', include the distributed security credentials.

If a Fast Path message contains network security credentials and is processed by the Fast Path expedited message handler (EMH) on the local IMS system, the credentials are logged in the X'5901' log record.

If a Fast Path message that contains network security credentials is processed by using the EMH queue (EMHQ) in a shared-queues environment, in the front-end IMS system, the credentials are included in the X'5911' log record. In the back-end IMS system, which is the processing IMS system, the credentials are included in the X'5901' log record.

You can enable IMS to log distributed network security credentials in RACF SMF records after the credentials are passed to OTMA. To enable distributed network security credentials to be logged in RACF SMF records, specify LOGSTR=YES in the OTMA client descriptor of the DFSYDTx member of the IMS PROCLIB data set. After LOGSTR=YES is specified, the first 255 bytes of the distributed network security credentials that are sent to OTMA are logged in RACF SMF records.

You can use the otma_send_receivey and otma_send_asyncx APIs of the IMS OTMA Callable Interface (OTMA C/I) to pass the network user ID and the network session ID to IMS. For each API, up to 100 bytes for the network user ID and up to 100 bytes for the network session ID can be passed to IMS.

You can also use the Transaction Authorization exit routine (DFSCTRN0) to pass the addresses of the network security credentials in the OTMA message prefix.

You can use the following OTMA user exit routines, which include the address of the security-data section of the OTMA message prefix, to access the network security credentials that are in the OTMA input message if the credentials are passed to IMS:
  • DFSYIOE0
  • DFSYPRX0
  • DFSYDRU0