Sample network topologies for using identity propagation
Identity propagation is supported on network topologies that use either IPIC connections or web service requests to CICS®. Use these sample topologies to help you plan your configuration.
Sample configuration using an IPIC connection and CICS Transaction Gateway
If you are using IPIC connections into CICS, you might be using CICS Transaction Gateway as an interface between WebSphere® Application Server and the CICS ECI resource adapters. If CICS Transaction Gateway and any communicating CICS systems are not on the same sysplex, SSL is also required. The following sample topology shows how the X.500 distinguished name and associated LDAP realm are passed with the request from WebSphere Application Server through CICS Transaction Gateway over an IPIC connection to a CICS system on the same sysplex. The distinguished name and realm, which are known in CICS as a distributed identity when they are transmitted across a network, are then passed between CICS systems using either MRO or IPIC within a sysplex, or between CICS systems in different sysplexes using IPIC over SSL. The multiple CICS systems in this scenario show how you can connect CICS systems inside and outside a sysplex; however, multiple CICS systems are not a required part of the configuration for identity propagation. The distributed identity is propagated into the z/OS® security context, also known as the Accessor Environment Element (ACEE), and is associated with a RACF® user ID using the mapping rules specified with the RACF RACMAP command. RACF provides information to CICS about the distinguished name and realm as well as the RACF user ID, so that CICS can retrieve the identity of the initial user.
For more information about CICS Transaction Gateway and identity propagation, see CICS Transaction Gateway for z/OS or CICS Transaction Gateway for Multiplatforms.
Sample configuration using a web service request and WebSphere DataPower
If you are sending web service requests to CICS, you might be using WebSphere DataPower® as an interface between WebSphere Application Server and CICS. You can use the WebSphere DataPower appliance with CICS web services WS-Security support to process the XML digital signature and perform mappings to a predefined RACF user ID.
The following sample topology shows how the X.500 distinguished name and associated LDAP realm are passed with the request from WebSphere Application Server through WebSphere DataPower. The distinguished name and realm are sent in the Extended Identity Context Reference (ICRX) WS-Security header element of a web service request to a CICS system. For more information about ICRX identity tokens, see z/OS Security Server RACF Data Areas. The distinguished name and realm, which are known in CICS as a distributed identity when they are transmitted across a network, are then passed between CICS systems using either MRO or IPIC within a sysplex, or between CICS systems in different sysplexes using IPIC over SSL. The multiple CICS systems in this scenario show how you can connect CICS systems inside and outside a sysplex; however, multiple CICS systems are not a required part of the configuration for identity propagation. The distributed identity is propagated into the z/OS security context, also known as the Accessor Environment Element (ACEE), and is associated with a RACF user ID using the mapping rules specified with the RACF RACMAP command. RACF provides information to CICS about the distinguished name and realm as well as the RACF user ID, so that CICS can retrieve the identity of the initial user.
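Both topologies above end with RACF mapping the distributed identity (distinguished name plus realm) to a RACF user ID through RACMAP. The following REXX exec is an added example, not part of the CICS documentation; the user IDs, the LDAP registry name and the distinguished names are constructed, and it shows a one-to-one mapping alongside a coarser many-to-one filter.

```rexx
/* REXX: map distributed identities to RACF user IDs with RACMAP.     */
/* Added example, not from the CICS documentation. User IDs, realm    */
/* (registry) name and distinguished names are constructed.           */
ADDRESS TSO

/* Distributed identity filters live in the IDIDMAP class, which must */
/* be active and RACLISTed before RACF applies any RACMAP mapping.    */
"SETROPTS CLASSACT(IDIDMAP) RACLIST(IDIDMAP)"

/* One-to-one mapping: the full X.500 DN, qualified by the LDAP realm */
/* that authenticated it, maps to a single RACF user ID. The REGISTRY */
/* name must match the realm that arrives with the distributed        */
/* identity (over IPIC or in the ICRX), or the filter never matches.  */
"RACMAP ID(CICSUSR1) MAP",
  "USERDIDFILTER(NAME('CN=Jane Doe,OU=Payroll,O=Example Corp,C=US'))",
  "REGISTRY(NAME('ldap://ldap.example.com:389'))",
  "WITHLABEL('Jane Doe via corporate LDAP')"

/* Many-to-one mapping: a partial DN made of the rightmost RDNs maps  */
/* every identity under OU=Payroll to one shared RACF user ID. RACF   */
/* selects the most specific matching filter, so the full-DN mapping  */
/* above still wins for Jane Doe; everyone else in Payroll gets the   */
/* shared ID and therefore only the access that ID is permitted.      */
"RACMAP ID(PAYROLL) MAP",
  "USERDIDFILTER(NAME('OU=Payroll,O=Example Corp,C=US'))",
  "REGISTRY(NAME('ldap://ldap.example.com:389'))",
  "WITHLABEL('Payroll staff via corporate LDAP')"

/* Refresh the RACLISTed profiles so the new filters take effect,     */
/* then list the mappings to confirm what RACF will apply.            */
"SETROPTS RACLIST(IDIDMAP) REFRESH"
"RACMAP ID(CICSUSR1) LISTMAP"
"RACMAP ID(PAYROLL) LISTMAP"
```

Because CICS receives the original distinguished name and realm from RACF alongside the mapped user ID, the shared PAYROLL mapping still leaves the initial user identifiable in CICS for auditing.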