Configuring distributed identity propagation

Follow these steps to configure the propagation of distributed identities over IPIC connections to CICS® for user authorization.

Before you begin

  1. Configure an IPCONN definition in CICS with USERAUTH=IDENTIFY. Also set the IPCONN attributes LINKAUTH and SECNAME appropriately. For more information, see Configuring an IPIC connection in CICS.
  2. Configure a zosconnect_cicsIpicConnection element in the configuration file. For more information, see Configuring an IPIC connection in IBM z/OS Connect.
  3. If IBM z/OS Connect is not on z/OS, or is not in the same sysplex as the target CICS region, you must use an IPIC TLS connection to CICS that is configured with client authentication, so that CICS can trust the identity that is asserted over the connection. For more information, see Configuring TLS on an IPIC connection.

About this task

IBM z/OS Connect is configured to authenticate the LDAP distributed identity by updating the configuration file to enable authentication and to define an LDAP user registry. Because CICS itself resolves the propagated distributed identity (distinguished name and realm) to a mapped SAF user ID for authorization, there is no need to map the distributed identity to a SAF user ID in IBM z/OS Connect, and no change to the zosconnect_cicsIpicConnection element is required.

Note: Authentication in IBM z/OS Connect is not enforced unless authorization roles are defined for the API operations. During authorization the LDAP groups that the authenticated LDAP user is a member of are compared against the required API operation roles. For more information, see API provider authorization.

Procedure

  1. Enable the appSecurity-2.0 Liberty feature in the configuration file.
    For example,

        <featureManager>
            <feature>appSecurity-2.0</feature>
        </featureManager>
  2. Configure an LDAP user registry.
    For example, add the following elements to the configuration file:
    
        <featureManager>
            ...
            ...
            <feature>ldapRegistry-3.0</feature>
        </featureManager> 
        <ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
            host="ourLDAP.ibm.com" port="389" ignoreCase="true"
            baseDN="o=mop,c=fr"
            ldapType="IBM Tivoli Directory Server">
            <idsFilters
                userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
                groupFilter="(&amp;(CN=%v)
                    (|(objectclass=groupOfNames)
                    (objectclass=groupOfUniqueNames)
                    (objectclass=groupOfURLs)))"
                userIdMap="*:uid"
                groupIdMap="*:CN"
                groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;
                    groupOfNames:member;groupOfUniqueNames:uniqueMember">
            </idsFilters>
        </ldapRegistry>
    Note: This sample connects to the LDAP server on port 389 without TLS, so user passwords and group lookups cross the network in the clear. In production, set sslEnabled="true" with an sslRef on the ldapRegistry element and use the LDAPS port of your directory server (usually 636). The realm value is carried to CICS with the distinguished name and must match the registry name used in the SAF mapping in step 3.
  3. Map each distributed identity to a SAF user ID in the security manager that is used by CICS. More than one distributed identity can be mapped to the same SAF user ID.
    For more information, see How to map an LDAP user ID to a RACF user ID.
    Note: You only need to set <safCredentials mapDistributedIdentities="true"/> if you are using SAF authorization in IBM z/OS Connect. The distributed identity is always mapped to a SAF identity in CICS.
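The following configuration file fragment brings steps 1 to 3 together as one added example; it is not taken from the product documentation or from the z/OS Connect samples. It is the same registry as the sample above, but bound over LDAPS, with the Liberty TLS elements needed for that, and with the IPIC connection element left without any identity-mapping attribute because CICS does the mapping. The SAF key ring name LDAPRing, the bind DN, the bind password placeholder, the CICS host name and port, and the element ids are assumed values; the remaining feature list is shown as `...` exactly as in the sample above.

```xml
<server description="z/OS Connect: distributed identity propagation to CICS (added example, assumed values)">

    <featureManager>
        ...
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
        <!-- Provides the ssl and keyStore elements used to secure the LDAP bind -->
        <feature>transportSecurity-1.0</feature>
    </featureManager>

    <!-- Assumed: the CA certificate of the LDAP server is connected to the SAF key ring LDAPRing.
         A JCERACFKS key store is not file based and uses the fixed password "password". -->
    <keyStore id="ldapTrustStore"
              location="safkeyring:///LDAPRing"
              type="JCERACFKS"
              password="password"
              fileBased="false"
              readOnly="true"/>
    <ssl id="ldapSSL" keyStoreRef="ldapTrustStore" trustStoreRef="ldapTrustStore"/>

    <!-- Same registry as in step 2, but over LDAPS (636) so credentials and group queries are
         not sent in the clear. The realm value travels to CICS with the distinguished name, and
         the RACMAP filters created in step 3 must name this realm as their registry. -->
    <ldapRegistry id="ldap" realm="SampleLdapIDSRealm"
        host="ourLDAP.ibm.com" port="636" ignoreCase="true"
        sslEnabled="true" sslRef="ldapSSL"
        baseDN="o=mop,c=fr"
        ldapType="IBM Tivoli Directory Server"
        bindDN="cn=zosconnect,o=mop,c=fr"
        bindPassword="replace-with-securityUtility-encoded-password">
        <idsFilters
            userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
            groupFilter="(&amp;(CN=%v)
                (|(objectclass=groupOfNames)
                (objectclass=groupOfUniqueNames)
                (objectclass=groupOfURLs)))"
            userIdMap="*:uid"
            groupIdMap="*:CN"
            groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;
                groupOfNames:member;groupOfUniqueNames:uniqueMember">
        </idsFilters>
    </ldapRegistry>

    <!-- Assumed IPIC connection; host and port are placeholders for the CICS TCPIPSERVICE.
         No mapping attribute is needed here: the matching IPCONN has USERAUTH=IDENTIFY and CICS
         resolves the propagated distinguished name and realm to a SAF user ID itself. -->
    <zosconnect_cicsIpicConnection id="cicsConn" host="cics.example.com" port="1491"/>

    <!-- Only required when z/OS Connect itself authorizes API operations with SAF roles.
         Leave it out otherwise; CICS maps the distributed identity regardless of this setting. -->
    <!-- <safCredentials mapDistributedIdentities="true"/> -->

</server>
```

Encode the bind password with the Liberty securityUtility encode command rather than storing it in clear text, and restrict the bind DN to read access on the user and group subtrees, since it is the only credential z/OS Connect presents to the directory. If API operations have no authorization roles defined, remember that authentication is not enforced at all, so the TLS and registry settings here do not by themselves gate access to CICS.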

Results

You can view the distinguished name and realm for a distributed identity in the association data of the CICS task, by using the command CEMT INQUIRE ASSOCIATION(taskid), or in the Task Associations view in CICS Explorer.

The distinguished name and realm information can also be recorded to SMF in type 110, subtype 01 records. For more information, see Identity class data. The identity monitoring data values of interest are MNI_ID_USERID, which contains the mapped SAF user ID, and the MNI_ENTRY_FIELD, which contains the distinguished name and realm. These fields are described in Identity class data: Listing of data fields and MNI - Transaction identity monitoring data. CICS Transaction Server provides a sample program to print monitoring data, called DFH$MOLS. For more information, see Sample monitoring data print program (DFH$MOLS).