Propagating network security credentials

You can enable the network security credentials that are entered by a user in a distributed environment to be associated with the end-to-end processing of an IMS transaction. You can also enable an application in a distributed environment to support network security credentials that are passed in synchronous callout requests initiated by the ICAL call of the IMS DL/I interface.

The distributed network security credentials can include a network user ID and a network session ID.
Network user ID
    The distributed identity of the user. The maximum length of a network user ID is 246 bytes. For users of the IMS TM Resource Adapter, the network user ID is a Distinguished Name (DN) in the X.500 series of standards.
Network session ID
    The session identity of the distributed user. The maximum length of a network session ID is 254 bytes. For users of the IMS TM Resource Adapter, the network session ID is a domain name, realm, or registry name.

You can enable network security credentials to be passed to IMS from applications that use one of the following user message exits:
  • HWSSMPL0
  • HWSSMPL1
  • HWSJAVA0
Restriction: Distributed network security credentials from DataPower®, IMS Connect API, and SOAP Gateway clients are not supported by IMS Connect.

If an input message to OTMA contains network security credentials, the credentials can be propagated by IMS in synchronous callout requests that are initiated by the ICAL call. You can enable applications in a distributed environment that issue a RESUME TPIPE call to support the network security credentials in the IMS callout requests.

You can use the otma_send_receivey and otma_send_asyncx APIs of the IMS OTMA Callable Interface (OTMA C/I) to pass the network user ID and the network session ID to IMS. For each API, up to 100 bytes for the network user ID and up to 100 bytes for the network session ID can be passed to IMS, which is less than the 246-byte and 254-byte maximums that the OTMA message prefix allows.
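A client that supplies these credentials should enforce the size limits before it builds a message rather than let the values be rejected or truncated on the host. The following is an added example, not code from IMS or the OTMA C/I documentation: it checks a network user ID and network session ID against the 246-byte and 254-byte limits of the OTMA message prefix described above and, for callers of otma_send_receivey or otma_send_asyncx, against the 100-byte limit of those APIs. Lengths are measured in bytes of the host code page, not in characters; the choice of cp037 (EBCDIC) as that code page, and the function and constant names, are assumptions of this example.

```python
"""Size checks for distributed network security credentials (added example)."""

# Limits documented for the OTMA message prefix (bytes).
MAX_NETWORK_USER_ID = 246
MAX_NETWORK_SESSION_ID = 254
# Limit documented for otma_send_receivey / otma_send_asyncx (bytes per field).
MAX_OTMA_CI_FIELD = 100


def byte_length(value: str, codepage: str = "cp037") -> int:
    """Bytes the credential occupies once converted to the host code page.

    cp037 (EBCDIC US/Canada) is an assumption of this example; substitute the
    code page your IMS Connect / OTMA configuration actually uses.
    Raises UnicodeEncodeError if a character has no representation.
    """
    return len(value.encode(codepage))


def check_credentials(network_user_id: str, network_session_id: str,
                      via_otma_ci: bool = False,
                      codepage: str = "cp037") -> list[str]:
    """Return a list of problems; an empty list means both values fit.

    via_otma_ci=True applies the stricter 100-byte limit of the OTMA C/I
    APIs in addition to the OTMA message prefix limits.
    """
    problems: list[str] = []
    fields = (
        ("network user ID", network_user_id, MAX_NETWORK_USER_ID),
        ("network session ID", network_session_id, MAX_NETWORK_SESSION_ID),
    )
    for name, value, prefix_limit in fields:
        try:
            n = byte_length(value, codepage)
        except UnicodeEncodeError as exc:
            # A character that cannot be represented would otherwise be
            # substituted or dropped on conversion, changing the identity.
            problems.append(f"{name}: cannot be represented in {codepage} "
                            f"({exc.reason})")
            continue
        if n > prefix_limit:
            problems.append(f"{name}: {n} bytes exceeds the {prefix_limit}-byte "
                            f"OTMA message prefix limit")
        elif via_otma_ci and n > MAX_OTMA_CI_FIELD:
            problems.append(f"{name}: {n} bytes exceeds the {MAX_OTMA_CI_FIELD}-byte "
                            f"OTMA C/I limit")
    return problems


if __name__ == "__main__":
    # Constructed sample values: an X.500 DN and a realm name.
    dn = "CN=Alice Example,OU=Payments,O=Example Corp,C=US"
    realm = "EXAMPLE.COM"
    print(check_credentials(dn, realm))                   # []
    long_dn = "CN=" + "x" * 120 + ",O=Example"            # 133 bytes
    print(check_credentials(long_dn, realm))              # fits the prefix
    print(check_credentials(long_dn, realm, via_otma_ci=True))  # too long for OTMA C/I
```

The elif ordering matters: a value that already exceeds the prefix limit is reported once, against the limit that applies everywhere, rather than twice. The encode step is deliberate; counting characters with len() would under-report any credential containing multi-byte characters in the encoding used on the wire.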

The Transaction Authorization exit routine (DFSCTRN0) also receives the addresses of the network security credentials in the OTMA message prefix, so it can base its authorization decision on them.

You can use the following OTMA user exit routines, which receive the address of the security-data section of the OTMA message prefix, to access the network security credentials in the OTMA input message if the credentials were passed to IMS:
  • DFSYIOE0
  • DFSYPRX0
  • DFSYDRU0

Because distributed network security credentials are passed to IMS in the security-data section of the OTMA message prefix, all IMS log records that contain information about the message prefix, such as log records X'01' and X'03', include the distributed security credentials.

If a Fast Path message contains network security credentials and is processed by the Fast Path expedited message handler (EMH) on the local IMS system, the credentials are logged in the X'5901' log record.

If a Fast Path message that contains network security credentials is processed by using the EMH queue (EMHQ) in a shared-queues environment, in the front-end IMS system, the credentials are included in the X'5911' log record. In the back-end IMS system, which is the processing IMS system, the credentials are included in the X'5901' log record.