Securing IMS-to-IMS TCP/IP connections

To secure IMS-to-IMS TCP/IP connections, IMS Connect uses RACF® PassTickets to establish one instance of IMS Connect as a trusted user of another instance of IMS Connect.

When a connection is first established, the instance of IMS Connect that sends messages generates a RACF PassTicket and passes it to the instance of IMS Connect that receives the messages. After the receiving IMS Connect instance successfully verifies the PassTicket with RACF, any messages received on the connection are considered to be from a trusted user and are not subject to additional security checking.

The sending IMS Connect instance generates the RACF PassTicket from values provided on the APPL and USERID parameters of the RMTIMSCON statement.

The receiving IMS Connect instance calls RACF to authenticate the user ID and confirm authority to access the application by using the PassTicket, application name, and user ID sent by the sending IMS Connect instance.

Recommendations:
  • If RACF is not enabled in the receiving IMS Connect instance, do not configure the sending IMS Connect instance to generate PassTickets. The receiving IMS Connect instance does not perform security checking and ignores any PassTicket data that is sent when RACF=N. Creating a PassTicket on the sending side wastes processing resources.
  • Do not use RACF PassTickets with non-persistent connections, because doing so incurs significant processing overhead. A new PassTicket is generated and sent each time a new connection is established.

IMS Connect supports RACF PassTicket security for both MSC and OTMA communications.

For MSC communications, each instance of IMS Connect can send and receive transaction messages and responses. To secure IMS-to-IMS TCP/IP connections for MSC, you must enable RACF support and define application names and user IDs in both IMS Connect instances. The application names and user IDs defined in one instance can be different from those defined in the other instance. PassTicket classes, application names, and user IDs must also be created in RACF at both z/OS® installations.

To secure an IMS-to-IMS TCP/IP connection between two instances of IMS Connect:

Procedure

  1. For the sending IMS Connect instance, specify the security settings in the IMS Connect configuration member in the IMS.PROCLIB data set:
    • On the RMTIMSCON statement, specify an application name and a user ID on the following parameters:
      • APPL
      • USERID
    • If the connection is used for MSC, specify RACF=Y on the HWS statement to enable security checking for the required return connection.
  2. The security administrator at the sending IMS installation must create a RACF PassTicket class entry to support the generation of the PassTicket by IMS Connect.
    The PassTicket class defined at the sending installation must have the same key as the PassTicket class entry defined at the remote installation.

    The following example defines a PassTicket class to RACF:

    SETROPTS CLASSACT(PTKTDATA)
    SETROPTS RACLIST(PTKTDATA)
    RDEF PTKTDATA APPLI2I SSIGNON(KEYMASKED(E001193519561977)) UACC(N)
    SETROPTS REFRESH RACLIST(PTKTDATA)
  3. For the receiving IMS Connect instance, specify the security settings in the configuration member in the IMS.PROCLIB data set:
    • On the HWS statement, specify RACF=Y.
    • If the connection is used for MSC, specify an application name and a user ID on the following parameters of the RMTIMSCON statement to provide the security data for the return connection:
      • APPL
      • USERID
  4. The security administrator at the receiving installation must define the user ID, application name, and the PassTicket class to RACF.
    The key of the PassTicket must match the key used by the PassTicket class defined at the sending installation.

    The following example defines two user IDs (USER0001 and USER0002), a PassTicket class (APPLI2I), and application name (APPLI2I) to RACF. Because only USER0002 is given access in RACF to APPLI2I, only USER0002 can establish a trusted user connection.

    DELUSER USER0001
    ADDUSER USER0001 PASSWORD(USER0001) TSO(ACCTNUM(D1001) PROC(TPROC02))
    DELUSER USER0002
    ADDUSER USER0002 PASSWORD(USER0002) TSO(ACCTNUM(D1001) PROC(TPROC02))

    SETROPTS CLASSACT(PTKTDATA)
    SETROPTS RACLIST(PTKTDATA)
    RDEF PTKTDATA APPLI2I SSIGNON(KEYMASKED(...)) UACC(N)
    RDEF PTKTDATA APPLI2I.USER0002 SSIGNON(KEYMASKED(...)) +
         UACC(N) APPLDATA('NO REPLAY PROTECTION')
    SETROPTS REFRESH RACLIST(PTKTDATA)

    SETROPTS CLASSACT(APPL)
    SETROPTS RACLIST(APPL)
    RDEFINE APPL APPLI2I UACC(N)
    PE APPLI2I ACCESS(READ) CLASS(APPL) ID(USER0002)
    SETROPTS RACLIST(APPL) REFRESH
    RLIST APPL APPLI2I AU
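Steps 1 to 4 only produce a trusted-user connection when the two IMS Connect configuration members and the two RACF databases agree with each other, so the consistency checks they imply can be scripted before cutover. The following lint is an added example, not IBM's code; it assumes each side's HWS and RMTIMSCON values are supplied as a dict (RACF, APPL and USERID are the page's parameters, PERSISTENT is an assumed key) and each installation's RACF definitions as the TSO commands its security administrator plans to run.

```python
"""Lint both sides of an IMS-to-IMS trusted-user connection (added example, not IBM
code). Sides are dicts of the HWS/RMTIMSCON values the page names (RACF, APPL, USERID)
plus an assumed PERSISTENT key; RACF input is the TSO commands each side plans to run."""
import re

def parse_racf(commands):
    # Simplified regex parse of ADDUSER / RDEF PTKTDATA / RDEF APPL / PERMIT commands.
    f = {"users": set(), "ptkt": {}, "appl": set(), "permit": set()}
    for cmd in commands:
        cmd = " ".join(cmd.split())  # fold '+' continuation lines and spacing
        if m := re.match(r"ADDUSER (\S+)", cmd):
            f["users"].add(m[1])
        elif m := re.match(r"RDEF\w* PTKTDATA (\S+) SSIGNON\(KEYMASKED\((\w+)\)\)", cmd):
            f["ptkt"][m[1]] = m[2]  # masked key; equal values mean the same key
        elif m := re.match(r"RDEF\w* APPL (\S+)", cmd):
            f["appl"].add(m[1])
        elif m := re.match(r"PE\w* (\S+) ACCESS\(\w+\) CLASS\(APPL\) ID\((\w+)\)", cmd):
            f["permit"].add((m[1], m[2]))
    return f

def check_i2i(sender, receiver, sender_racf, receiver_racf, msc=False):
    """Return findings; an empty list means the connection is consistently secured."""
    out, appl, user = [], sender.get("APPL"), sender.get("USERID")
    ticket = bool(appl and user)  # the sender generates a PassTicket only with both set
    if ticket and receiver.get("RACF") != "Y":
        out.append("receiver RACF=N ignores PassTickets: sender generates them for nothing")
    if ticket and sender.get("PERSISTENT") == "N":
        out.append("PassTicket per non-persistent connection: significant overhead")
    if msc and (sender.get("RACF") != "Y" or not (receiver.get("APPL") and receiver.get("USERID"))):
        out.append("MSC return connection: sender needs RACF=Y, receiver needs APPL/USERID")
    if ticket and receiver.get("RACF") == "Y":
        s, r = parse_racf(sender_racf), parse_racf(receiver_racf)
        if appl not in s["ptkt"] or appl not in r["ptkt"]:
            out.append(f"PTKTDATA {appl} must exist at both installations")
        elif s["ptkt"][appl] != r["ptkt"][appl]:
            out.append(f"PTKTDATA {appl} keys differ between installations")
        if user not in r["users"]:
            out.append(f"receiver RACF has no user {user}")
        if appl not in r["appl"] or (appl, user) not in r["permit"]:
            out.append(f"{user} lacks READ on APPL {appl} at receiver: not a trusted user")
    return out

# Constructed sample modeled on the page's RACF commands (both sides share the key).
SENDER = {"RACF": "Y", "APPL": "APPLI2I", "USERID": "USER0002", "PERSISTENT": "Y"}
RECEIVER = {"RACF": "Y", "APPL": "APPLI2I", "USERID": "USER0002"}
SENDER_RACF = ["RDEF PTKTDATA APPLI2I SSIGNON(KEYMASKED(E001193519561977)) UACC(N)"]
RECEIVER_RACF = ["ADDUSER USER0002 PASSWORD(USER0002) TSO(ACCTNUM(D1001) PROC(TPROC02))",
                 "RDEF PTKTDATA APPLI2I SSIGNON(KEYMASKED(E001193519561977)) UACC(N)",
                 "RDEFINE APPL APPLI2I UACC(N)",
                 "PE APPLI2I ACCESS(READ) CLASS(APPL) ID(USER0002)"]
```

Running `check_i2i(SENDER, RECEIVER, SENDER_RACF, RECEIVER_RACF, msc=True)` returns no findings, while substituting a user ID that is not permitted to APPLI2I reports that the user would not be treated as trusted.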