Configuring distributed identity propagation to IMS
When the IMS service provider detects that it is connecting to IMS Connect V15 or later, it sends, by default, the user ID and its associated network session ID (or realm), as registered in the basic registry or SAF registry, to IMS Connect.
About this task
The distributed identity, also known as the network security credential, includes a network user ID and a network session ID (or realm). This distributed identity is passed to IMS to be added to the IMS log records for auditing and logging purposes. It is not used by IMS for authentication or authorization.
<!-- Basic user registry definition -->
<basicRegistry id="basic1" realm="zosConnect">
    <user name="Fred" password="{xor}PjMzbiw7KjE=" />
    <user name="Rosa" password="{xor}LDo8Ki02KyY=" />
</basicRegistry>
If the IMS service provider is connecting to IMS Connect V14 or earlier, it does not pass the distributed identity to IMS Connect.
To turn off sending the distributed identity to IMS Connect V15 or later, set the propagateNetworkSecurityCred property in the IMS interaction profile to false (the default is true).
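The following audit helper is an added example, not IBM or z/OS Connect code. It lists the (user ID, realm) pairs a basic registry definition can contribute to IMS log records under the rules above, and flags malformed user entries. The sample XML, the function names, and the fallback realm name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from a real system).
SAMPLE_SERVER_XML = """
<server>
  <basicRegistry id="basic1" realm="zosConnect">
    <user name="Fred" password="{xor}CONSTRUCTED1" />
    <user name="Rosa" passwod="{xor}CONSTRUCTED2" />
    <user password="{xor}CONSTRUCTED3" />
  </basicRegistry>
</server>
"""

DEFAULT_REALM = "BasicRegistry"   # assumed fallback when realm is omitted
USER_ATTRS = {"name", "password"}  # attributes used by the page's example


def audit_registry(server_xml):
    """Return (identities, findings) for every basicRegistry element."""
    identities, findings = [], []
    root = ET.fromstring(server_xml)
    for registry in root.iter("basicRegistry"):
        realm = registry.get("realm", DEFAULT_REALM)
        for user in registry.findall("user"):
            name = user.get("name")
            unknown = sorted(set(user.attrib) - USER_ATTRS)
            if unknown:
                findings.append(f"{name or '?'}: unexpected attribute(s) {unknown}")
            if not name:
                findings.append("user element without a name")
                continue
            if "password" not in user.attrib:
                findings.append(f"{name}: no password attribute")
            # The distributed identity is the pair (network user ID, realm).
            identities.append((name, realm))
    return identities, findings


def propagated_identities(server_xml, ims_connect_version, propagate=True):
    """Candidate identities for IMS log records: V15+ and propagation on."""
    if ims_connect_version < 15 or not propagate:
        return []
    return audit_registry(server_xml)[0]


if __name__ == "__main__":
    print("candidates:", propagated_identities(SAMPLE_SERVER_XML, 15))
    print("findings:", audit_registry(SAMPLE_SERVER_XML)[1])
```

Here `propagate` stands in for the propagateNetworkSecurityCred setting, and any finding should be resolved before relying on the identity list for audit correlation.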
Results
You can retrieve the distinguished name and realm for a distributed identity in the association data of the IMS task by using the IMS INQY call with the MSGINFO subfunction. For more information, see INQY call in the IMS 15.2 Documentation.