Configuring distributed identity propagation
Follow these steps to configure the propagation of distributed identities over IPIC connections to CICS® for user authorization.
Before you begin
- Configure an IPCONN definition in CICS with USERAUTH=IDENTIFY. Also set the IPCONN attributes LINKAUTH and SECNAME appropriately. For more information, see Configuring an IPIC connection in CICS.
- Configure a zosconnect_cicsIpicConnection element in the configuration file. For more information, see Configuring an IPIC connection in IBM z/OS Connect.
- If IBM z/OS Connect is not on z/OS, or is not in the same sysplex as the target CICS region, you must use an IPIC TLS connection to CICS that is configured with client authentication. For more information, see Configuring TLS on an IPIC connection.
About this task
IBM z/OS Connect is configured to authenticate the LDAP distributed identity by updating its configuration file to enable authentication and to define an LDAP user registry. Because CICS retrieves the mapped SAF user ID from the distributed identity for user authorization, there is no need to map the distributed identity to a SAF user ID in IBM z/OS Connect. No change to the zosconnect_cicsIpicConnection element is required.
- Enable the appSecurity-2.0 Liberty feature in the configuration file. For example:
<featureManager>
    <feature>appSecurity-2.0</feature>
</featureManager>
- Configure an LDAP user registry. For example, add the following elements to the configuration file (in XML the ampersand that starts an LDAP AND filter must be written as &amp;):
<featureManager>
    ...
    <feature>ldapRegistry-3.0</feature>
</featureManager>
<ldapRegistry id="ldap" realm="SampleLdapIDSRealm" host="ourLDAP.ibm.com" port="389"
    ignoreCase="true" baseDN="o=mop,c=fr" ldapType="IBM Tivoli Directory Server">
    <idsFilters userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        groupFilter="(&amp;(CN=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
        userIdMap="*:uid"
        groupIdMap="*:CN"
        groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;groupOfNames:member;groupOfUniqueNames:uniqueMember">
    </idsFilters>
</ldapRegistry>
- Map each distributed identity to a SAF user ID in the security manager that is used by CICS. More than one distributed identity can be mapped to the same SAF user ID. For more information, see How to map an LDAP user ID to a RACF user ID.
Note: You only need to set <safCredentials mapDistributedIdentities="true"/> if you are using SAF authorization in IBM z/OS Connect. The distributed identity is always mapped to a SAF identity in CICS.
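A quick way to sanity-check the IBM z/OS Connect configuration fragments above before starting the server, as an added example that is not IBM's code: it parses the file, confirms that both Liberty features are enabled, and confirms that the ldapRegistry element carries the attributes the procedure relies on (the realm travels to CICS together with the distinguished name). The sample configurations are constructed from the fragments on this page, wrapped in a <server> root element.

```python
import xml.etree.ElementTree as ET
from typing import List

REQUIRED_FEATURES = {"appSecurity-2.0", "ldapRegistry-3.0"}
REQUIRED_LDAP_ATTRS = ("id", "realm", "host", "port", "baseDN")


def check_identity_config(server_xml: str) -> List[str]:
    """Return findings for a server.xml; an empty list means it passes."""
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        # A raw '&' in an LDAP filter attribute is the usual cause: in XML it
        # must be written as &amp;, otherwise the file is rejected outright.
        return ["not well-formed XML: %s" % exc]
    findings = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for name in sorted(REQUIRED_FEATURES - features):
        findings.append("feature %s is not enabled" % name)
    registries = list(root.iter("ldapRegistry"))
    if not registries:
        findings.append("no ldapRegistry element defined")
    for reg in registries:
        # realm and baseDN shape the identity that CICS maps to a SAF user ID
        for attr in REQUIRED_LDAP_ATTRS:
            if not reg.get(attr):
                findings.append("ldapRegistry %s lacks %s" % (reg.get("id", "?"), attr))
    return findings


# Constructed sample built from the fragments on this page (same host, realm
# and base DN); the filter's '&' is escaped as XML requires.
GOOD_CONFIG = """<server>
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
  </featureManager>
  <ldapRegistry id="ldap" realm="SampleLdapIDSRealm" host="ourLDAP.ibm.com"
      port="389" ignoreCase="true" baseDN="o=mop,c=fr"
      ldapType="IBM Tivoli Directory Server">
    <idsFilters userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
        userIdMap="*:uid" groupIdMap="*:CN"/>
  </ldapRegistry>
</server>"""

# Constructed failure cases: an unescaped '&' in the filter, and a file that
# defines the registry but never enables appSecurity-2.0.
UNESCAPED_CONFIG = GOOD_CONFIG.replace("&amp;", "&")
NO_APPSEC_CONFIG = GOOD_CONFIG.replace("<feature>appSecurity-2.0</feature>", "")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("unescaped", UNESCAPED_CONFIG),
                       ("no-appsec", NO_APPSEC_CONFIG)):
        print(label, check_identity_config(cfg) or "OK")
```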
The distinguished name and realm information can also be recorded to SMF in type 110, subtype 01 records. For more information, see Identity class data. The identity monitoring data values of interest are MNI_ID_USERID, which contains the mapped SAF user ID, and MNI_ENTRY_FIELD, which contains the distinguished name and realm. These fields are described in Identity class data: Listing of data fields and MNI - Transaction identity monitoring data. CICS Transaction Server provides a sample program to print monitoring data, called DFH$MOLS. For more information, see Sample monitoring data print program (DFH$MOLS).