We recommend that you run the Bank Account sample in a secure environment.
However, in order to simplify the installation process, you may choose not
to do so at first. If you don't want to activate the secure environment immediately,
set the XEJB system initialization parameter to 'NO' and skip the rest of
this section. To activate the secure environment at a later date, follow the
instructions in the rest of this section.
You can implement security for the sample in a number of ways. For example,
you can use any of the following alternatives:
- Allow all users to run the sample under the default user ID.
- Allow all users to run the sample under a user ID specified by the security
exit program for IIOP.
- Use an SSL server-side certificate to encrypt the data sent between the
Web-tier and CICS, allowing all users to run the sample over a secure transport,
under the default user ID.
- Use an SSL server-side certificate to encrypt the data sent between the
Web-tier and CICS, allowing all users to run the sample over a secure transport,
under a user ID specified by the security exit program for IIOP.
- Use SSL client certification to automatically authenticate the Web-tier
application server to CICS, allowing all users to run the sample over a secure
transport, under a user ID assigned to the Web-tier application server.
- Use the IBM Asserted Identity protocol to allow Web-tier client applications
running in WebSphere® Application Server for z/OS to propagate their existing
user IDs to CICS over a secure transport.
Note:
- By default, the Bank Account application does not require the user to
be authenticated at the Web-tier. You can choose to activate authentication
in the Web container by following your application server's instructions.
If you do authenticate in the Web tier, the security principal is not propagated
to CICS, so in terms of CICS security it has no effect. However, early authentication
in the Web-tier could be used to create a “protection domain” under which
CICS trusts the Web-tier not to allow unauthenticated users to invoke business
methods on CICS enterprise beans.
- In order to use SSL encryption or authentication, you require a J2EE-compliant
Web application server that fully supports SSL. Consult your vendor's documentation
for further details.
- For more information about SSL authentication, see the CICS® RACF® Security Guide.
Whichever authentication method you choose, you need (among other things)
to:
- Provide authorisation information in the deployment descriptor of the
enterprise bean in CICS. This authorisation information consists of:
  - A “security role” element: identifies a class of user who is allowed to
    perform a given action or use a given resource.
  - A “method permission” element: identifies specific methods of the
    enterprise bean that members of the specified security role are
    authorised to use.
- Update your CICS external security manager (ESM) to map the specified
security role to a number of real user IDs. The following step-by-step instructions
for implementing security assume that your ESM of choice is RACF. If you
use a different ESM, please consult your ESM vendor for guidance.
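
The following is an added example, not part of the sample or of CICS: a short Python check that reads the security role and method permission elements from a deployment descriptor and lists, for each role, the methods it is authorised to use, so you can see which roles need mapping in your ESM. The descriptor is constructed, and the bean, role and method names in it are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; bean, role and method names are hypothetical.
SAMPLE_DESCRIPTOR = """\
<ejb-jar>
  <assembly-descriptor>
    <security-role>
      <role-name>bankuser</role-name>
    </security-role>
    <method-permission>
      <role-name>bankuser</role-name>
      <method>
        <ejb-name>SampleAccountBean</ejb-name>
        <method-name>getBalance</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>bankadmin</role-name>
      <method>
        <ejb-name>SampleAccountBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

def audit_descriptor(xml_text):
    """Return ({role: sorted 'bean.method' list}, sorted roles used but not declared)."""
    assembly = ET.fromstring(xml_text).find("assembly-descriptor")
    if assembly is None:
        return {}, []
    declared = {(r.findtext("role-name") or "").strip()
                for r in assembly.findall("security-role")}
    grants = {}
    for perm in assembly.findall("method-permission"):
        methods = [f"{(m.findtext('ejb-name') or '').strip()}."
                   f"{(m.findtext('method-name') or '').strip()}"
                   for m in perm.findall("method")]
        for role in perm.findall("role-name"):
            grants.setdefault((role.text or "").strip(), set()).update(methods)
    # A role granted methods without a matching security-role element is a descriptor error.
    return {r: sorted(m) for r, m in grants.items()}, sorted(set(grants) - declared)

if __name__ == "__main__":
    grants, undeclared = audit_descriptor(SAMPLE_DESCRIPTOR)
    for role, methods in grants.items():
        print(role, "->", ", ".join(methods))
    print("roles used but not declared:", undeclared)
```

In the constructed descriptor, `bankadmin` is granted every method of the bean but has no security role element, so the check reports it.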