The J2EE Connector Architecture (JCA) specifies that the application server and the enterprise information system (EIS) must collaborate to ensure that only authenticated users are able to access an EIS. The JCA security architecture extends the end-to-end security model for Java™ EE-based applications to include integration with EISs. The IMS™ TM resource adapter follows the JCA security architecture and works with the WebSphere® Application Server Java 2 Security Manager.
EIS signon
The JCA security architecture supports the user ID and password authentication mechanism that is specific to an EIS. The user ID and password that are used to sign on to the target EIS are supplied either by the application component (component-managed signon) or by the application server (container-managed signon).
For the IMS TM resource adapter, IMS is the target EIS. The security information provided by the application component or the application server is passed to the IMS TM resource adapter. The IMS TM resource adapter then passes it to IMS Connect. IMS Connect uses this information to perform user authentication, and passes that information to IMS OTMA. IMS OTMA can then use this information to verify authorization to access certain IMS resources.
In a typical environment, the IMS TM resource adapter passes on the security information (user ID, password, and optional group name) that it receives to IMS Connect in an IMS OTMA message. Depending on its security configuration, IMS Connect might then call the Security Authorization Facility (SAF) on the host.
- For WebSphere Application Server on distributed platforms or z/OS® with TCP/IP, using either component-managed signon or container-managed signon:
  - If RACF=Y is set in the IMS Connect configuration member, or if the IMS Connect command SETRACF ON has been issued, IMS Connect calls the SAF to perform authentication using the user ID and password that are passed by the IMS TM resource adapter in the OTMA message. If authentication succeeds, the user ID, optional group name, and UTOKEN returned from the IMS Connect call to the SAF are passed to IMS OTMA for verifying authorization to access IMS resources.
  - If RACF=N is set in the IMS Connect configuration member, or if the IMS Connect command SETRACF OFF has been issued, IMS Connect does not call the SAF. However, the user ID and group name, if specified, are passed to IMS OTMA for authorization to access IMS resources.
- For WebSphere Application Server for z/OS that uses Local Option and container-managed EIS signon, user authentication is performed only by the application server. User authentication is not performed in IMS Connect, regardless of the RACF® setting in the IMS Connect configuration member or the result of a SETRACF command. WebSphere Application Server for z/OS calls RACF, then passes the user token that represents the user identity to the IMS TM resource adapter. The IMS TM resource adapter then passes the user token to IMS Connect. When IMS Connect sees the user token, it does not call the SAF, because authentication has already been performed by WebSphere Application Server for z/OS. IMS Connect passes the user token to IMS OTMA to verify authorization to access IMS resources.
- You can provide the user identity to the application server in two ways:
  - The user ID and password can be provided in a Java Authentication and Authorization Service (JAAS) alias. The JAAS alias is associated with either the connection factory that is used by the application that accesses IMS or, depending on the version of WebSphere Application Server, with the EJB resource reference that is used by the application. The application server creates and passes the user token that represents the user identity in the alias to the IMS TM resource adapter.
  - WebSphere Application Server for z/OS can be configured to obtain the user identity that is associated with the thread of execution of the application. The application server creates and passes the user token that represents this user identity to the IMS TM resource adapter.
The level of authorization checking that IMS completes is controlled by the IMS command, /SECURE OTMA.
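The following Java example, added here and not taken from IBM's documentation or the resource adapter itself, shows how the two signon modes described above differ in application code. With container-managed signon the component calls getConnection() with no arguments and the application server supplies the identity (from the JAAS alias or, on z/OS with Local Option, from the thread's user identity); with component-managed signon the component itself places the user ID, password, and optional group name on the ConnectionSpec, which the adapter forwards to IMS Connect in the OTMA message. The class name com.ibm.connector2.ims.ico.IMSConnectionSpec and its setUserName, setPassword and setGroupName methods are assumed from the IMS TM resource adapter API; the JNDI name is a constructed placeholder.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.resource.ResourceException;
import javax.resource.cci.Connection;
import javax.resource.cci.ConnectionFactory;

// IMS TM resource adapter ConnectionSpec implementation (assumed class name).
import com.ibm.connector2.ims.ico.IMSConnectionSpec;

public class ImsSignon {

    // Constructed placeholder; the real JNDI name is whatever the
    // connection factory was bound to in the application server.
    private static final String JNDI_NAME = "java:comp/env/eis/IMSConnectionFactory";

    public static ConnectionFactory lookup() throws NamingException {
        return (ConnectionFactory) new InitialContext().lookup(JNDI_NAME);
    }

    // Container-managed signon: no credentials appear in application code.
    // The server resolves the identity (JAAS alias on the connection
    // factory / resource reference, or the executing thread's identity on
    // WebSphere Application Server for z/OS) and passes a user token to
    // the IMS TM resource adapter, which forwards it to IMS Connect.
    public static Connection containerManaged(ConnectionFactory cf)
            throws ResourceException {
        return cf.getConnection();
    }

    // Component-managed signon: the component supplies user ID, password
    // and optional group name. The adapter puts them in the OTMA message;
    // IMS Connect authenticates via SAF only when RACF=Y / SETRACF ON.
    public static Connection componentManaged(ConnectionFactory cf,
                                              String userId,
                                              char[] password,
                                              String groupName)
            throws ResourceException {
        IMSConnectionSpec spec = new IMSConnectionSpec();
        spec.setUserName(userId);
        spec.setPassword(new String(password));
        if (groupName != null && !groupName.isEmpty()) {
            spec.setGroupName(groupName);
        }
        return cf.getConnection(spec);
    }

    public static void main(String[] args) throws Exception {
        ConnectionFactory cf = lookup();

        // Preferred: let the container own the credential.
        try (Connection c = containerManaged(cf)) {
            // ... send IMS transaction ...
        }

        // Component-managed: credentials should come from a credential
        // store at runtime, never from a literal in source code.
        char[] pw = System.console().readPassword("IMS password: ");
        try (Connection c = componentManaged(cf, "IMSUSER1", pw, "IMSGRP")) {
            // ... send IMS transaction ...
        } finally {
            java.util.Arrays.fill(pw, '\0'); // scrub the password copy
        }
    }
}
```

Container-managed signon keeps credentials out of application code entirely, which is why it is the mode to prefer where the deployment allows it; the RACF=Y / RACF=N behaviour described above applies to both modes, since IMS Connect sees the same user ID and password in the OTMA message either way.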
Secure Sockets Layer (SSL) Communications
The IMS TM resource adapter and IMS Connect, if properly configured, are able to use the TCP/IP SSL protocol to secure the communications between them. SSL connections are more secure than non-SSL TCP/IP connections, and provide authentication for the IMS Connect server and, optionally, for the IMS TM resource adapter client. Messages that flow on SSL connections might also be encrypted.
SSL with null encryption provides an intermediate level of security in which the authentication occurs but the messages are not encrypted. SSL with encryption offers encrypted communications with higher security but lower throughput. Non-encrypted SSL communications offer higher throughput because of the elimination of the overhead that is required to encrypt each message that flows between the IMS TM resource adapter and IMS Connect.