Configuring security for a Liberty JVM server
You can use the CICS® Liberty security feature to authenticate users and authorize access to web applications through Java™ Platform, Enterprise Edition roles (Java EE roles), providing integration with CICS transaction and resource security. You can also use CICS resource security to authorize the appropriate users to manage the lifecycle of both the JVMSERVER resource and Java web applications that are deployed in a CICS BUNDLE resource. In this topic, authentication verifies the identity of a given user, typically by requiring the user to enter a username and password. Authorization then grants access control permissions based on the identity of the authenticated user.
Before you begin
- Ensure that the CICS region is configured to use SAF security and is defined with SEC=YES as a system initialization parameter. If CICS security is turned off (SEC=NO), you can still use Liberty security by manually configuring the server.xml file as described in step 6.
- Authorize application developers and system administrators to create, view, update, and remove JVMSERVER and BUNDLE resources to deploy web applications into a Liberty JVM server.
The JVMSERVER resource controls the availability of the JVM server, and the BUNDLE resource is a unit of deployment for the Java applications and controls the availability of the applications. The default behavior of the CICS TS security feature, cicsts:security-1.0, is to use the SAF registry. If you use an LDAP registry, a SAF registry is not created. For more information, see Configuring security for a Liberty JVM server by using distributed identity mapping. The basic user registry (which is also used by quickStartSecurity) is only suitable for simple security testing. Be aware that if you configure and run with the basic user registry and you need to switch to cicsts:security-1.0, you need to delete the session tokens.
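The contrast between the test-only basic user registry and the cicsts:security-1.0 feature described above, as an added server.xml example that is not taken from this IBM topic. cicsts:security-1.0, the basic user registry and quickStartSecurity are named in the topic; the basicRegistry element is the standard Liberty element for that registry. The application binding (application, application-bnd, security-role, group), the servlet feature, the application name sample.war, the role webuser and the SAF group WEBGRP are assumptions used only for illustration.

```xml
<!-- Added example, not from the IBM documentation: a minimal server.xml for a
     CICS Liberty JVM server showing the production registry choice beside the
     test-only one. Names flagged "assumed" are illustrative, not from the topic. -->
<server description="CICS Liberty JVM server (added example)">

    <featureManager>
        <!-- Production setting: the CICS TS security feature. With SEC=YES in the
             region it uses the SAF registry by default, so no registry element is
             coded here and Java EE roles resolve against SAF identities. -->
        <feature>cicsts:security-1.0</feature>
        <!-- Assumed: the web container feature the sample application needs. -->
        <feature>servlet-3.1</feature>
    </featureManager>

    <!-- Test-only alternative, kept commented out: a basic user registry with the
         users and passwords written into server.xml itself. quickStartSecurity
         creates the same kind of registry. The topic notes that moving from this
         registry to cicsts:security-1.0 later requires deleting the session tokens,
         so do not start with it on a region you intend to secure with SAF. -->
    <!--
    <basicRegistry id="basic" realm="TestRealm">
        <user name="TESTUSER" password="changeit" />
    </basicRegistry>
    -->

    <!-- Assumed application binding (hypothetical names): maps the Java EE role
         "webuser" declared by the application to the SAF group WEBGRP, so that
         authorization follows the groups of the authenticated SAF user. -->
    <application id="sample" name="sample" location="sample.war" type="war">
        <application-bnd>
            <security-role name="webuser">
                <group name="WEBGRP" />
            </security-role>
        </application-bnd>
    </application>

</server>
```

The point of the contrast is where the identities live: with cicsts:security-1.0 and SEC=YES the user and group definitions stay in SAF, where CICS transaction and resource security already apply, whereas the basic registry puts credentials in the configuration file and gives CICS nothing to integrate with.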
About this task
This task explains how to configure security for a Liberty JVM server and integrate Liberty security with CICS security. For information about how to configure security for Link to Liberty, see Linking to Java applications in a Liberty JVM server by using the @CICSProgram annotation. For guidance on configuring security for the JCICSX remoting server, see Configuring security for remote JCICSX API development.
The default transaction ID for running web requests is CJSA. However, you can configure CICS to run web requests under a different transaction ID by using a URIMAP of type JVMSERVER. Typically, you might specify a URIMAP to match the generic context root (URI) of a web application to scope the transaction ID to the set of servlets that make up the application. Or you might choose to run each individual servlet under a different transaction with a more precise URI.
Calls to the JCICSX Liberty JVM server are run under transaction CJXA.
The default user ID for running web requests is the CICS default user ID. If a URIMAP is available and contains a static user ID, it is used in preference to the default user ID. If the web request contains a user ID in its security header, it takes precedence over all other mechanisms.
You can change the default transaction ID by using the JVM profile property com.ibm.cics.jvmserver.unclassified.tranid and the default user ID by using the JVM profile property com.ibm.cics.jvmserver.unclassified.userid.
Procedure
Results
What to do next
- Configure Liberty application security authentication rules; see Authenticating users in a Liberty JVM server.
- Define authorization rules for web applications; see Authorizing users to run applications in a Liberty JVM server and Authorization using SAF role mapping.
- Modify the Liberty authentication cache.
For more information about using Secure Sockets Layer (SSL), see Configuring SSL (TLS) for a Liberty JVM server using a Java keystore.