You can enable network security credentials to be passed to IMS from an IMS TM resource adapter client application that uses the HWSJAVA0 user message exit routine. After the network security credentials are sent from IMS TM resource adapter to IMS, the credentials are audited in IMS log records and associated with the IMS transaction.
Ensure that the following prerequisites are enabled for your IMS TM resource adapter client application:
- One of the following application servers:
  - WebSphere Application Server Version 8.0 or later
  - WebSphere Liberty Version 8.5.5.9 or later
- Container-managed security.
- An external user account registry, such as an LDAP server, that contains authorized users.
You can also enable IMS TM resource adapter to support network security credentials when IMS applications that run in IMS dependent regions make synchronous or asynchronous callout requests to external Java EE applications.
The network session ID that is extracted by the IMS TM resource adapter is, by default, the IP address and port of the authentication server that is used. The maximum length for a network session ID is 254 bytes.
The network user ID that is extracted by the IMS TM resource adapter is one of the distinguished names that are defined in the authentication server. The maximum length for a network user ID is 246 bytes.
Procedure
The following procedure describes the high-level steps that you must perform to enable network security credentials to be passed from your IMS TM resource adapter client application to IMS:
- Install and configure the Java Authentication and Authorization Service (JAAS) login module that is provided with IMS TM resource adapter. The JAAS login module can be installed on WebSphere Application Server or WebSphere Liberty.
- Link the JAAS login module to your Java application.
  After you link your application to the JAAS login module, users must enter their security credentials when they invoke an IMS transaction, and those credentials are authenticated by an external user account registry. The external user account registry can be any user account registry that is supported by WebSphere Application Server or WebSphere Liberty, such as an LDAP server. After the credentials are successfully authenticated, IMS TM resource adapter sends the distributed credentials to IMS Connect in the security-data section of the OTMA message prefix.
- If you require your IMS TM resource adapter client application to receive network security credentials that are sent from IMS in IMS callout messages, enable the application to support the credentials.
  - To enable IMS TM resource adapter client applications to support network security credentials in synchronous callout messages, set the resumeTpipeNsc property of the IMSActivationSpec object to true.
  - To enable IMS TM resource adapter client applications to support network security credentials in asynchronous callout messages, call the setResumeTpipeNSC(int resumeTpipeNSC) method of the IMSInteractionSpec object with the value 1. When the value is 1, IMS TM resource adapter sets a flag byte in the OTMA message prefix that is sent to IMS to indicate that network security credentials should be included in the callout message.
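The asynchronous case in the last step, shown as an added example that is not part of this page or of the IMS TM resource adapter itself: a RESUME TPIPE request that asks IMS to include the network security credentials in the callout message. The setResumeTpipeNSC(1) call comes from the procedure above; the JNDI name, the com.ibm.ims.ico package, the setInteractionVerb and setAltClientID methods and the SYNC_RECEIVE_ASYNCOUTPUT constant are assumed from the adapter's documented API and should be checked against the installed adapter version.

```java
import javax.naming.InitialContext;
import javax.resource.cci.Connection;
import javax.resource.cci.ConnectionFactory;
import javax.resource.cci.Interaction;
import javax.resource.cci.Record;

import com.ibm.ims.ico.IMSInteractionSpec;   // assumed package for the adapter's interaction spec

public class CalloutWithNsc {

    /** JNDI name of the adapter's connection factory (assumed; site-specific). */
    private static final String CF_JNDI = "java:comp/env/eis/IMSConnectionFactory";

    /**
     * Issues one RESUME TPIPE request on the named tpipe and flags the OTMA prefix
     * so that IMS returns the network user ID and session ID with the callout message.
     * Returns true if the adapter reports output was received into {@code out}.
     */
    public static boolean receiveCalloutWithCredentials(String tpipeName, Record in, Record out)
            throws Exception {
        ConnectionFactory cf = (ConnectionFactory) new InitialContext().lookup(CF_JNDI);
        Connection conn = cf.getConnection();          // container-managed security supplies the caller identity
        Interaction ix = null;
        try {
            IMSInteractionSpec spec = new IMSInteractionSpec();
            spec.setInteractionVerb(IMSInteractionSpec.SYNC_RECEIVE_ASYNCOUTPUT); // assumed constant name
            spec.setAltClientID(tpipeName);             // tpipe to resume (assumed method name)
            spec.setResumeTpipeNSC(1);                  // from the page: 1 = request credentials in callout

            ix = conn.createInteraction();
            return ix.execute(spec, in, out);           // standard JCA CCI call; output lands in 'out'
        } finally {
            if (ix != null) {
                ix.close();
            }
            conn.close();
        }
    }
}
```

For synchronous callout the equivalent switch is the resumeTpipeNsc=true property on the IMSActivationSpec, which is set in the server configuration rather than in code.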