Passing network security credentials through IMS Connect
If security credentials are entered from an application in a distributed network environment and the application uses the HWSSMPL0, HWSSMPL1, or HWSJAVA0 user message exit routine, you can enable the credentials to be passed through IMS Connect to IMS. You can also enable the distributed network security credentials to be passed from IMS through IMS Connect in IMS callout requests.
The network security credentials are sent from IMS Connect to IMS in the security-data section of the OTMA message prefix. The network security credentials, including the network user ID and the network session ID, can then be included in the IMS log records, such as X'01' and X'03', that contain information about the OTMA message prefix. If you enable IMS Connect to pass distributed network security credentials to applications that issue a RESUME TPIPE call, in synchronous callout messages that are initiated by the ICAL call of the IMS DL/I interface, the security credentials are also passed in the security-data section of the OTMA prefix.
Passing distributed network security credentials from user-written IMS Connect client applications that use the HWSSMPL0 or HWSSMPL1 user message exits
To pass distributed network security credentials from user-written IMS Connect client applications that use either the HWSSMPL0 or the HWSSMPL1 user message exits, use IRM extensions in the IMS request message (IRM) header. Specify an ID of *NETSID* for an IRM extension that contains the network session ID and an ID of *NETUID* for an IRM extension that contains the network user ID.
After the message that contains the *NETSID* or the *NETUID* extension, or both, is passed to the HWSSMPL0 or the HWSSMPL1 user message exit, the user message exit builds the OTMA message prefix to contain the network security credentials.
Passing distributed network security credentials to applications that issue a RESUME TPIPE call
- IRM_ARCH
  - X'05' (IRM_ARCH5)
- IRM_F6
  - X'80' (IRM_F6_NWSE)
Passing distributed network security credentials from client applications of the IMS TM resource adapter
To enable IMS TM resource adapter to pass network security credentials to IMS from a Java™ EE application that uses the HWSJAVA0 user message exit routine, you must configure the Java Authentication and Authorization Service (JAAS) login module that is provided with IMS TM resource adapter and link it to your application. After you link your application to the JAAS login module, users must enter their security credentials when they invoke an IMS transaction, and the credentials are authenticated by an external user account registry. The external user account registry can be any user account registry that is supported by WebSphere® Application Server or WebSphere Liberty, such as an LDAP server. After the credentials are successfully authenticated, IMS TM resource adapter sends the distributed credentials to IMS Connect by using the security-data section of the OTMA message prefix.
You can also enable IMS TM resource adapter to support network security credentials when IMS applications that run in IMS dependent regions make synchronous or asynchronous callout requests to external Java EE applications.
- Network security credentials in synchronous callout messages
  - To enable IMS TM resource adapter to support network security credentials in synchronous callout messages, set the resumeTpipeNsc property of the IMSActivationSpec object to true.
- Network security credentials in asynchronous callout messages
  - To enable IMS TM resource adapter to support network security credentials in asynchronous callout messages, you must call the setResumeTpipeNSC(int resumeTpipeNSC) method for the IMSInteractionSpec object and set the value of the setResumeTpipeNSC property to 1. If 1 is set for the setResumeTpipeNSC property, IMS TM resource adapter sets a flag byte in the OTMA message prefix that is sent to IMS to indicate that network security credentials should be included in the callout message.