Security configuration for the IMS service provider

You must configure the z/OS® Connect server and the back-end IMS to ensure secure communications.

Examine the IMS service security process flow topic to gain an understanding of how user authentication and authorization are handled, and how the user ID and password for each service request are determined.

Table 1. Required security configurations
Area Configuration task
z/OS Connect server See Overview of IBM z/OS Connect security and related security configuration topics for details.

To configure for secure connections between IBM z/OS Connect and IMS, see Configuring secure connections between IBM z/OS Connect and IMS Connect.
IMS services For service-level security, you can set the authority level of a user in the <ims_service_registry_home>/services/ims-services.xml file. The following example sets, for the phonebook service, the administrator authority for users in ADMINGRP1 and the Invoke authority for users in USERGRP1.
<zosconnect_zosConnectService id="phonebook" 
 invokeURI="/imsmobile/services/phonebook"
 runGlobalInterceptors="true"
 adminGroup="ADMINGRP1"
 invokeGroup="USERGRP1"
 serviceDescription="" serviceName="phonebook" 
 serviceRef="phonebook"/>
See Overview of IBM z/OS Connect security for more information.
IMS service provider See IMS service security process flow for general security process flow and user ID propagation.

The IMS service provider also provides an optional attribute imsTechnicalID. If IBM z/OS Connect authentication is turned off, or the request subject from which the user ID is extracted is more than 8 bytes, the IMS service provider retrieves the user from the technical ID that you specify in server.xml. Specify also the technical group and technical password in an <imsmobile_imsServiceManager> element in the server.xml file:

<imsmobile_imsServiceManager 
   imsServiceRegistryHome="/usr/lpp/imsmobile/resources"
   imsTechnicalGroup="IMSGROUP" 
   imsTechnicalID="IMSUSER"
   imsTechnicalPassword="encoded_password"/>

The IMS technical ID and IMS technical group name must be properly configured in SAF (for example, RACF) on the IMS host system.

Use WebSphere® Application Server Liberty Profile Developer Tools to configure the password and then transfer the file to the server by using FTP. Alternatively you can use the Liberty server securityUtility command (securityUtility encode userID) to generate the encoded password. Copy the encoded password into the server.xml file for the imsTechnicalPassword attribute. The following is a sample of an updated <imsmobile_imsServiceManager> element in the server.xml file:
<imsmobile_imsServiceManager imsServiceRegistryHome="./resources"
   imsTechnicalGroup="SYS1" imsTechnicalID="IMSGUEST" 
   imsTechnicalPassword="{xor}PjMzbiw7KjE=" >
IMS Connect IMS Connect handles authentication for IMS. The IMS Connect HWSJAVA0 exit routine manages the messages for the IMS service provider.

For more information, see User authentication in IMS Connect.

To configure for secure connections between IBM z/OS Connect and IMS, see Configuring secure connections between IBM z/OS Connect and IMS Connect.
Client applications All client requests must provide basic authentication credentials in the header. The user ID and password in the credential must be registered in the basic registry or SAF registry on the server.
Important:
  • Use of z/OS Communications Server Application Transparent Transport Layer Security (AT-TLS) SSL protection to secure the communication between the z/OS Connect server and IMS Connect is recommended.
  • Optionally, you can turn on IMS security (/SECURE OTMA) for authorization that is based on RACF user ID in the request subject and the associated group name.
Enhancing security through these options are recommended. However, if you turn on IMS security, and you are using the basic user registry for user authentication in z/OS Connect server, you must use RACF ID as the user ID in your basic user registry in order for IMS OTMA to authorize the user.