CICS® Transaction Gateway security classes

The CICS Transaction Gateway provides the following classes (security exits) for implementing security.

com.ibm.ctg.security.JSSEServerSecurity
Use this interface to allow the exposure of X.509 Client Certificates when using the JSSE protocol.

See your JSSE, or Java™, documentation for information on using X.509 certificates.

com.ibm.ctg.security.ServerSecurity
Use this interface for server-side security classes that do not require the exposure of SSL Client Certificates.

com.ibm.ctg.security.ClientSecurity
Use this interface for all client-side security classes.

The JSSEServerSecurity and ServerSecurity interfaces and partner ClientSecurity interface define a simple yet flexible model for providing security when using CICS Transaction Gateway. Implementations of the interfaces can be as simple, or as robust, as necessary; from simple XOR (exclusive-OR) scrambling to use of the Java Cryptography Architecture.

The JSSEServerSecurity interface works in conjunction with the Secure Sockets Layer (SSL) protocol. The interface allows server-side security objects access to a Client Certificate passed during the initial SSL handshake. The exposure of the Client Certificate depends on the CICS Transaction Gateway being configured to support Client Authentication.

An individual JavaGateway instance has an instance of a ClientSecurity class associated with it, until the JavaGateway is closed. Similarly, an instance of the partner JSSEServerSecurity or ServerSecurity class is associated with the connected Java client, until the connection is closed.

The basic model consists of:

ClientSecurity, JSSEServerSecurity, or ServerSecurity class instances maintain as data members sufficient information from the initial handshake to correctly encode and decode the flows. At the server, each connected client has its own instance of the ServerSecurity implementation class.

If you are implementing the security exits you must implement both a client-side security class and server-side security class.
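As an added illustration of the paired model described above (not IBM's code, and not an implementation of the CICS Transaction Gateway interfaces, whose method signatures this page does not list), the hypothetical `PairedFlowCodec` class keeps per-connection state derived from a handshake and uses it to encode and decode flows with the Java Cryptography Architecture instead of XOR scrambling. It assumes the handshake bytes travel over a connection that already authenticates the peer, such as SSL with Client Authentication, because the key agreement shown is itself unauthenticated.

```java
import java.nio.ByteBuffer;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.*;
import javax.crypto.spec.*;

// Hypothetical class: one instance per connection end, mirroring the
// client-side / server-side pairing. All names here are assumptions.
public class PairedFlowCodec {
    private final KeyPair ephemeral;   // fresh ECDH key pair for this connection
    private SecretKeySpec flowKey;     // state retained from the handshake

    public PairedFlowCodec() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        ephemeral = kpg.generateKeyPair();
    }
    // Handshake bytes sent to the partner: our encoded public key.
    public byte[] handshake() { return ephemeral.getPublic().getEncoded(); }

    // Derive the shared AES key from the partner's handshake bytes.
    public void receiveHandshake(byte[] peer) throws GeneralSecurityException {
        PublicKey pk = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(peer));
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(ephemeral.getPrivate());
        ka.doPhase(pk, true);
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(ka.generateSecret());
        flowKey = new SecretKeySpec(digest, 0, 16, "AES");
    }
    // Wire format: 12-byte random IV followed by AES-GCM ciphertext and 16-byte tag.
    public byte[] encode(byte[] flow) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, flowKey, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(flow);
        return ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array();
    }
    // Rejects truncated or modified flows instead of returning garbage.
    public byte[] decode(byte[] wire) throws GeneralSecurityException {
        if (wire.length < 28) throw new GeneralSecurityException("short flow");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, flowKey, new GCMParameterSpec(128, wire, 0, 12));
        return c.doFinal(wire, 12, wire.length - 12);
    }
    public static void main(String[] args) throws Exception {
        PairedFlowCodec client = new PairedFlowCodec(), server = new PairedFlowCodec();
        server.receiveHandshake(client.handshake());
        client.receiveHandshake(server.handshake());
        byte[] wire = client.encode("constructed sample flow".getBytes("UTF-8"));
        System.out.println(new String(server.decode(wire), "UTF-8"));
    }
}
```

Unlike XOR scrambling, a flow altered in transit makes `decode` throw `AEADBadTagException`, so the receiving side can drop the request rather than act on modified data.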

For applications using Java base classes, the security classes are specified using the setSecurity method prior to opening the JavaGateway object. When using a JEE application server, the security classes are specified using the clientSecurity and serverSecurity connection factory properties. For non-managed JCA applications, the security classes are specified using the setClientSecurity and setServerSecurity methods.

The client-side security class must be available on the class path of the application for Java base classes and non-managed JCA applications, or on the class path of the resource adapter when using a JEE application server. The server-side security class must be available on the class path of the Gateway daemon.

To use the com.ibm.ctg.security.ClientSecurity security classes, you must configure the requiresecurity configuration parameter available with the TCP and SSL protocol handlers.




Last updated: Tuesday, 19 November 2013


https://ut-ilnx-r4.hursley.ibm.com/tg_latest/help/topic/com.ibm.cics.tg.doc//progde/secclass.html