Checking that the connection is secure

To check that the connection is secure you run the ECIDateTime application.

LDAP names and RACF® names have not yet been mapped using RACMAP. As a result, the application returns various error messages. These messages are expected at this stage. If some of them do not appear, their absence might indicate a problem such as the security setting SEC=NO, a default user ID that has too much authority, or a RACF mapping that has already been defined.

  1. To run the ECIDateTime application, start the launchClient utility from the command line by issuing the following command:
    app_server_root/bin/launchClient filepath/ECIDateTime.ear
    Where filepath is the path to the ECIDateTime .ear file.
  2. With application security enabled, when you run the ear file from launchClient, a dialog prompts you to supply the security credentials (username and password). Because the application is being authenticated against the LDAP registry, you must supply the "username" (in reality a Distinguished Name) that has been defined in the LDAP registry (uid=CTGuser1,ou=TMS,dc=CTGTest,o=COMPANYCTG). The password is also required. You now see the return code ECI_ERR_SECURITY_ERROR and a Java™ stack trace in the console. The exception starts as follows:
    javax.resource.spi.SecurityException: CTG9631E Error occurred during interaction with CICS:
    ECI_ERR_SECURITY_ERROR, error code: -27
  3. Check the CICS® user message log and the JES message log for the CICS job. A message confirms that the error occurred because identity propagation has not yet been configured. The JES message log for the CICS job contains this message:
    11.36.45 JOB09604 ICH408I USER(TESTID ) GROUP(TSOUSER ) NAME(TEST )
    113 113 DISTRIBUTED IDENTITY IS NOT DEFINED:
    113 uid=CTGuser1,ou=TMS,dc=CTGTest,o=COMPANYCTG ctg-test-registry.ibm.com:389
    11.36.45 JOB09604 IRR012I VERIFICATION FAILED. USER PROFILE NOT FOUND
    The CICS user message log contains this message:
    DFHIS1027 10/26/2009 11:36:45 IY24CTGC Security violation has been detected using IPCONN
    IPCONN IPICIP and transaction id CSMI by userid BADLINK 
    Note: In this example, BADLINK is the CICS default user ID defined in the DFLTUSER system initialization parameter, and does not have permission to run the CSMI transaction.

The appearance of these messages does not indicate a problem. They are expected: the connection to CICS was established, but the application failed because the LDAP identity was not propagated through to CICS. In the next step, Configuring identity propagation on RACF, you configure the mapping between LDAP and RACF identities.
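The check in steps 2 and 3 can be scripted over saved console, JES and CICS log text. The following is an added example, not part of the original topic or of any IBM tooling. It reports which of the expected messages are absent and extracts the distinguished name and registry that RACF rejected. The function name, dictionary labels and sample text (assembled from the messages quoted above) are assumptions made for this example.

```python
import re

# Constructed sample: the console, JES and CICS messages quoted on this page.
SAMPLE = """\
javax.resource.spi.SecurityException: CTG9631E Error occurred during interaction with CICS:
ECI_ERR_SECURITY_ERROR, error code: -27
11.36.45 JOB09604 ICH408I USER(TESTID ) GROUP(TSOUSER ) NAME(TEST )
113 113 DISTRIBUTED IDENTITY IS NOT DEFINED:
113 uid=CTGuser1,ou=TMS,dc=CTGTest,o=COMPANYCTG ctg-test-registry.ibm.com:389
11.36.45 JOB09604 IRR012I VERIFICATION FAILED. USER PROFILE NOT FOUND
DFHIS1027 10/26/2009 11:36:45 IY24CTGC Security violation has been detected using IPCONN
IPCONN IPICIP and transaction id CSMI by userid BADLINK
"""

# One pattern per message the page says to expect before RACMAP is configured.
# The dictionary keys are labels chosen for this example.
EXPECTED = {
    "client_eci_error": r"CTG9631E.*?ECI_ERR_SECURITY_ERROR, error code: -27",
    "racf_identity_undefined": r"ICH408I.*?DISTRIBUTED IDENTITY IS NOT DEFINED:",
    "racf_verification_failed": r"IRR012I\s+VERIFICATION FAILED",
    "cics_security_violation": r"DFHIS1027.*?Security violation",
}

# The line after the ICH408I text holds "<DN> <registry>". The registry is the
# last token, so a DN that contains spaces is still captured whole.
IDENTITY = re.compile(
    r"DISTRIBUTED IDENTITY IS NOT DEFINED:[ \t]*\n"
    r"[ \t]*(?:\d+[ \t]+)?(.+?)[ \t]+(\S+)[ \t]*$", re.M)
REJECTED = re.compile(r"DFHIS1027.*?by userid\s+(\S+)", re.S)

def check_pre_mapping(log_text):
    """Report which expected messages are absent and what RACF and CICS saw."""
    missing = sorted(name for name, pattern in EXPECTED.items()
                     if not re.search(pattern, log_text, re.S))
    identity = IDENTITY.search(log_text)
    rejected = REJECTED.search(log_text)
    return {
        # Per the page, a missing message can point to SEC=NO, an over-privileged
        # default user ID, or a RACF mapping that already exists.
        "missing": missing,
        "distinguished_name": identity.group(1) if identity else None,
        "registry": identity.group(2) if identity else None,
        "rejected_userid": rejected.group(1) if rejected else None,
    }

if __name__ == "__main__":
    for key, value in check_pre_mapping(SAMPLE).items():
        print(f"{key}: {value}")
```

An empty "missing" list corresponds to the expected state described above. The extracted distinguished name and registry are the exact strings RACF reported as undefined.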


Last updated: Tuesday, 19 November 2013


https://ut-ilnx-r4.hursley.ibm.com/tgzos_latest/help/topic/com.ibm.cics.tg.zos.doc//ctgzos/sc_idprop_check.html