Securing IMS-to-IMS TCP/IP connections
To secure IMS-to-IMS TCP/IP connections, IMS Connect uses RACF® PassTickets to establish one instance of IMS Connect as a trusted user of another instance of IMS Connect.
When a connection is first established, the instance of IMS Connect that sends messages generates a RACF PassTicket and passes it to the instance of IMS Connect that receives the messages. After the receiving IMS Connect instance successfully verifies the PassTicket with RACF, any messages received on the connection are considered to be from a trusted user and are not subject to additional security checking.
The sending IMS Connect instance generates the RACF PassTicket from values provided on the APPL and USERID parameters of the RMTIMSCON statement.
The receiving IMS Connect instance calls RACF to authenticate the user ID and confirm authority to access the application by using the PassTicket, application name, and user ID sent by the sending IMS Connect instance.
- If RACF is not enabled in the receiving IMS Connect instance, do not configure the sending IMS Connect instance to generate PassTickets. The receiving IMS Connect instance does not perform security checking and ignores any PassTicket data that is sent when RACF=N. Creating a PassTicket on the sending side wastes processing resources.
- Do not use RACF PassTickets with non-persistent connections, because doing so incurs significant processing overhead. A new PassTicket is generated and sent each time a new connection is established.
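The two cautions above can be checked mechanically before a configuration is deployed. The following Python sketch is an added example, not IBM code: it parses constructed statements and flags any connection that generates a PassTicket over a non-persistent connection, or toward a receiver coded with RACF=N, where the connection looks secured on the sending side but the receiver performs no security checking. The `HWS` statement layout, the `PERSISTENT` parameter name, the sample IDs and addresses, and the mapping from each RMTIMSCON ID to a receiver configuration are assumptions made for the example.

```python
import re

# Constructed sample statements; real members also allow continuation lines
# and nested parentheses, which this simplified parser does not handle.
SENDER_CFG = """
HWS=(ID=ICON1,RACF=Y)
RMTIMSCON=(ID=ICON2,IPADDR=192.0.2.10,PORT=5555,PERSISTENT=Y,USERID=USER01,APPL=APPL01)
RMTIMSCON=(ID=ICON3,IPADDR=192.0.2.11,PORT=5555,PERSISTENT=N,USERID=USER02,APPL=APPL02)
"""
# Assumption for this sample: each RMTIMSCON ID keys the receiver's configuration text.
RECEIVER_CFGS = {
    "ICON2": "HWS=(ID=ICON2,RACF=N)",
    "ICON3": "HWS=(ID=ICON3,RACF=Y)",
}

STMT = re.compile(r"^\s*(\w+)=\((.*)\)\s*$")


def parse(text):
    """Return [(statement, {param: value})] for flat NAME=(k=v,...) lines."""
    out = []
    for line in text.splitlines():
        m = STMT.match(line)
        if m:
            pairs = (p.split("=", 1) for p in m.group(2).split(",") if "=" in p)
            out.append((m.group(1).upper(),
                        {k.strip().upper(): v.strip().upper() for k, v in pairs}))
    return out


def lint(sender_cfg, receivers):
    """Flag PassTicket-generating connections that hit either caution above."""
    findings = []
    for name, p in parse(sender_cfg):
        # Assumed: a PassTicket is generated only when USERID and APPL are both coded.
        if name != "RMTIMSCON" or not {"USERID", "APPL"} <= p.keys():
            continue
        conn = p.get("ID", "?")
        # Only explicit values are checked; no parameter defaults are assumed.
        if p.get("PERSISTENT") == "N":
            findings.append((conn, "PassTicket on non-persistent connection"))
        hws = [q for n, q in parse(receivers.get(conn, "")) if n == "HWS"]
        if hws and hws[0].get("RACF") == "N":
            findings.append((conn, "receiver has RACF=N, PassTicket ignored"))
    return findings


if __name__ == "__main__":
    for conn, issue in lint(SENDER_CFG, RECEIVER_CFGS):
        print(f"{conn}: {issue}")
```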
IMS Connect supports RACF PassTicket security for both MSC and OTMA communications.
For MSC communications, each instance of IMS Connect can send and receive transaction messages and responses. To secure IMS-to-IMS TCP/IP connections for MSC, you must enable RACF support and define application names and user IDs in both IMS Connect instances. The application names and user IDs defined in one instance can be different from those defined in the other instance. PassTicket classes, application names, and user IDs must also be created in RACF at both z/OS® installations.
To secure an IMS-to-IMS TCP/IP connection between two instances of IMS Connect: