Configuration is required on WebSphere® Application Server to enable identity propagation.
Setting up the identity propagation login module
WebSphere Application Server must be configured to specify a user registry to enable user ID and password verification for applications. Any registry supported by WebSphere Application Server is supported by CICS® Transaction Gateway. Examples of the registries supported by WebSphere Application Server are:
- IBM® Tivoli® Directory Server (ITDS)
- Microsoft Active Directory
- SunOS Directory
- Novell Directory Service
For more information about supported registries, see the WebSphere Application Server Information Center.
All JEE applications that call the CICS Transaction Gateway ECI resource adapter must be configured for container-managed security.
CICS Transaction Gateway includes a JAAS (Java™ Authentication and Authorization Service) login module in the ECI resource adapter RAR (cicseci.rar). You must install the login module into WebSphere Application Server to enable identity propagation. Install the login module by creating a new JAAS Application Login alias that refers to the fully qualified name of the login module: com.ibm.ctg.security.idprop.LoginModule
One of the following must be configured to use the CICS Transaction Gateway identity propagation login module:
- The JEE application must be configured to use a custom login configuration that refers to the CICS Transaction Gateway identity propagation login module. This is accessed via the connection factory resource references on the application's configuration panel.
- The connection factory that is used by the application must have a mapping configuration alias that refers to the CICS Transaction Gateway identity propagation login module. This is accessed from the connection factory's configuration panel.
For more information about configuring WebSphere Application Server, see the WebSphere Application Server Information Center.
Specifying the authentication information to propagate
If identity propagation has been configured and activated, the identity information that can be propagated with a request can be either the identity of the user who invoked the application, or the identity under which the application programmer has configured the application to run.
- The identity of the user who invoked the application is known as the "caller" or "received" identity.
- The identity under which the application programmer has configured the application to run is known as the "run as" or "invocation" identity.
To specify the identity to propagate to CICS, you set the propIdentity custom property on the CICS Transaction Gateway identity propagation login module. You do this from the WebSphere Application Server admin console by setting one of the following name-value pairs:
propIdentity=Caller
or
propIdentity=RunAs
For example, if you want the "run as" identity to be propagated to CICS, do the following:
- From the WebSphere administrative console, click , expand Java Authentication and Authorization Service and select Application logins. In the new window, click New.
- Enter CTG_idprop as the Alias.
- Click New under JAAS login modules.
- Enter com.ibm.ctg.security.idprop.LoginModule as the Module class name.
- Clear the Use login module proxy check box.
- Select REQUIRED from the Authentication strategy drop-down list.
- Under "Custom properties" create an entry with Name as propIdentity and Value as RunAs.
- Click OK.
If you do not specify a setting or if you specify an invalid key or value, the system propagates the "run as" identity by default for application users. The propIdentity key and the values RunAs and Caller are not case-sensitive.
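As an added audit check (example code written for this page, not IBM's or the product's own): given a fragment shaped like WebSphere's security.xml (the element and attribute names in the sample are assumed), it confirms that an alias uses the CICS Transaction Gateway login module with the REQUIRED strategy and works out which identity the documented propIdentity rules will actually propagate, including the case-insensitive match and the RunAs default.

```python
import xml.etree.ElementTree as ET

CTG_MODULE = "com.ibm.ctg.security.idprop.LoginModule"
# Documented values; the key and the values are compared case-insensitively.
VALID_VALUES = {"caller": "Caller", "runas": "RunAs"}

# Constructed sample modelled on the applicationLoginConfig section of WebSphere's
# security.xml; element/attribute names are assumed. The second alias is deliberately wrong.
SAMPLE_SECURITY_XML = """<applicationLoginConfig>
  <entries alias="CTG_idprop">
    <loginModules moduleClassName="com.ibm.ctg.security.idprop.LoginModule"
                  authenticationStrategy="REQUIRED">
      <options name="PROPIDENTITY" value="caller"/>
    </loginModules>
  </entries>
  <entries alias="CTG_bad">
    <loginModules moduleClassName="com.ibm.ctg.security.idprop.LoginModule"
                  authenticationStrategy="OPTIONAL">
      <options name="propIdentity" value="Invoker"/>
    </loginModules>
  </entries>
</applicationLoginConfig>"""

def effective_identity(options):
    """Documented rule: a missing or invalid propIdentity key or value means
    the "run as" identity is propagated."""
    for name, value in options.items():
        if name.lower() == "propidentity":
            return VALID_VALUES.get(value.lower(), "RunAs")
    return "RunAs"

def audit_alias(security_xml, alias):
    """Return (findings, identity that will actually be propagated) for one alias."""
    root = ET.fromstring(security_xml)
    entry = next((e for e in root.iter("entries") if e.get("alias") == alias), None)
    if entry is None:
        return [f"alias {alias!r} not found"], None
    ctg = [m for m in entry.findall("loginModules")
           if m.get("moduleClassName") == CTG_MODULE]
    if not ctg:
        return [f"{alias}: no {CTG_MODULE} login module"], None
    findings = []
    if ctg[0].get("authenticationStrategy") != "REQUIRED":
        findings.append(f"{alias}: authentication strategy should be REQUIRED")
    options = {o.get("name"): o.get("value") for o in ctg[0].findall("options")}
    setting = [v for k, v in options.items() if k.lower() == "propidentity"]
    if not setting or setting[0].lower() not in VALID_VALUES:
        findings.append(f"{alias}: propIdentity missing or invalid, RunAs default applies")
    return findings, effective_identity(options)
```

Run the audit over an exported security.xml before going live: a misspelled value silently falls back to the "run as" identity, so the CICS user ID would not be the caller you expected.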