Stage 2. Configuring other security settings

  1. Ensure that both the SEC and the XEJB CICS system initialization parameters specify 'YES'. (If either specifies 'NO', EJB role-based security is turned off.)
  2. This step updates RACF to associate the EJB security role with a set of CICS user IDs. If you reused an existing security role that had already been set up in your installation, you can skip it.
    Note: If your ESM is not RACF, you must seek advice from your ESM vendor as to how to perform this step.
    The CICS user ID (or IDs) that you choose to associate with the security role defined in the enterprise bean's deployment descriptor should be chosen according to which security implementation you opted for at the start of this section. For example:
    • If you want to allow all anonymous users to run the sample (whether using SSL or not), you should associate the CICSUSER default user ID with the security role.
    • If you want to run the sample under a user ID (or IDs) selected by the security exit program for IIOP (whether using SSL or not), you should associate that user ID (or IDs) with the security role.
    • If you want to use full SSL client certification, you should associate the user ID of the Web-tier application server's certificate with the security role.
    To set up the necessary EJB security role-to-CICS user ID mapping:
    1. Run the RACF EJBROLE generator utility against the updated SampleEJB.jar file. (The RACF EJBROLE generator utility is a Java program that extracts security role information from deployment descriptors, and generates a REXX program which defines security roles to RACF. For information on how to use the generator utility, see Using the RACF EJBROLE generator utility.)
    2. Ask your RACF administrator to run the REXX program generated by the RACF EJBROLE generator utility.
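    As an added illustration of what the generated REXX program does (this is not the generator's output or IBM's code), the following exec defines one EJBROLE profile and permits a user ID to it for each of the three options above. It assumes the SIT specifies EJBROLEPRFX=BANKSAMP, that the deployment descriptor declares a single role named BankUser, and that WEBTIER is the user ID the Web-tier server's certificate maps to.

```rexx
/* REXX - illustrative EJB role-to-user ID mapping for the Bank Account  */
/* sample. Assumed: EJBROLEPRFX=BANKSAMP in the SIT, one security role    */
/* named BankUser in the deployment descriptor. RACF EJBROLE profiles are */
/* prefix.rolename and mixed case, which is why REXX (not a TSO terminal, */
/* which folds to upper case) is used to issue the commands.              */
role = 'BANKSAMP.BankUser'

/* Define the role profile with no universal access: nobody holds the     */
/* role until a user ID is explicitly permitted to it.                    */
ADDRESS TSO "RDEFINE EJBROLE" role "UACC(NONE)"

/* Use ONE of the three PERMITs, matching the option chosen above.        */
/* Option 1: anonymous callers - permit the CICS default user ID.         */
ADDRESS TSO "PERMIT" role "CLASS(EJBROLE) ID(CICSUSER) ACCESS(READ)"

/* Option 2: user ID set by the IIOP security exit (DFHEBURM -> SAMPLE).  */
/* ADDRESS TSO "PERMIT" role "CLASS(EJBROLE) ID(SAMPLE) ACCESS(READ)"     */

/* Option 3: full SSL client certification - permit the user ID that the  */
/* Web-tier server's certificate is mapped to (WEBTIER is assumed).       */
/* ADDRESS TSO "PERMIT" role "CLASS(EJBROLE) ID(WEBTIER) ACCESS(READ)"    */

/* EJBROLE is normally RACLISTed, so refresh it to make the change live.  */
ADDRESS TSO "SETROPTS RACLIST(EJBROLE) REFRESH"
```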
  3. If you don't want to use the security exit program for IIOP to alter the user ID that the sample runs under (from the default CICS user ID to another ID of your choice), you can skip this step.

    CICS supplies a sample security exit program, DFHEBURM, that alters the user ID under which the Bank Account sample runs from the default CICS user ID to “SAMPLE”. You can use this version of the user-replaceable program, or alter it to suit your needs. If you already have a customized security exit program for IIOP, you can update your version to perform a similar function.

    You must specify the name of your security exit program on the URM option of the TCPIPSERVICE definition under which the sample is to be run.

    For guidance information about the security exit program for IIOP, see Using the IIOP user-replaceable security program.

    For information about writing a security exit program for IIOP, see the CICS® Customization Guide. Also, study the source of the supplied sample program, which contains comments and tips.

    For information about compiling and installing user-replaceable programs, see the CICS Customization Guide.

    For information about coding TCPIPSERVICE definitions, see the CICS Resource Definition Guide.

  4. If you are using SSL encryption or authentication, you must:
    • Configure your J2EE-compliant Web application server to use SSL. Refer to your Web server's documentation for guidance.
    • Have a server certificate available for use.
    • Alter the definitions of the CORBASERVER and TCPIPSERVICE resources under which the sample is to be run. That is:
      • If you are using SSL client-side authentication, the CLIENTCERT option of the CORBASERVER definition must specify the name of a TCPIPSERVICE that defines the port to be used for inbound IIOP requests with SSL client certification. Also, the Web application server's SSL certificate must be:
        • Included in the list of certificates trusted by CICS, in RACF
        • Mapped to a RACF user ID
      • If you are using SSL server-side authentication, the SSLUNAUTH option of the CORBASERVER definition must specify the name of a TCPIPSERVICE that defines the port to be used for inbound IIOP requests with SSL but no client certification.

      For information about coding CORBASERVER resource definitions and TCPIPSERVICE resource definitions, see the CICS Resource Definition Guide.

    • If you are using the IBM Asserted Identity protocol for encryption, authentication, and identity propagation, you must:
      • Configure WebSphere® Application Server for z/OS to authenticate users.
      • Enable SSL client certification in WebSphere.
      • Have a server SSL certificate available for use in CICS.
      • Include the server certificate associated with WebSphere Application Server in RACF's list of certificates trusted by CICS. Additionally, the user ID associated with the RACF certificate must be granted permission to assert the identity of other users.
      • Alter the definitions of the CORBASERVER and TCPIPSERVICE resources under which the sample is to run. The ASSERTED option of the CORBASERVER definition must specify the name of a TCPIPSERVICE that defines the port to be used for inbound IIOP requests with asserted identity security.
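The following DFHCSDUP input is an added example (not the CICS-supplied definitions) showing how the URM, CLIENTCERT, SSLUNAUTH and ASSERTED options of steps 3 and 4 fit together: one TCPIPSERVICE per security level, all named from a single CORBASERVER. Group name BANKSAMP, CORBASERVER name BANK, port numbers, host name and the certificate label CICSSRV are assumptions.

```text
* DFHCSDUP input: illustrative definitions, not the CICS-supplied ones.
* Assumed names: group BANKSAMP, CORBASERVER BANK, ports 2809-2812,
* CICS server certificate label CICSSRV. An asterisk in column 72
* continues a command. The SIT must also specify SEC=YES and XEJB=YES.
*
* Plain IIOP: no SSL; user ID chosen by the IIOP exit (DFHEBURM -> SAMPLE)
DEFINE TCPIPSERVICE(IIOPPLN) GROUP(BANKSAMP) PROTOCOL(IIOP)            *
       TRANSACTION(CIOR) PORTNUMBER(2809) SSL(NO) AUTHENTICATE(NO)     *
       URM(DFHEBURM)
* SSL server-side only: encrypted, caller still anonymous/exit-selected
DEFINE TCPIPSERVICE(IIOPSSL) GROUP(BANKSAMP) PROTOCOL(IIOP)            *
       TRANSACTION(CIOR) PORTNUMBER(2810) SSL(YES) CERTIFICATE(CICSSRV)*
       AUTHENTICATE(NO) URM(DFHEBURM)
* SSL client certification: the client certificate must be in RACF's
* trusted list and mapped to a user ID, which the bean then runs under
DEFINE TCPIPSERVICE(IIOPCLC) GROUP(BANKSAMP) PROTOCOL(IIOP)            *
       TRANSACTION(CIOR) PORTNUMBER(2811) SSL(CLIENTAUTH)              *
       CERTIFICATE(CICSSRV) AUTHENTICATE(CERTIFICATE)
* Asserted identity: WebSphere authenticates the user and asserts it
* over a client-certificated link; the certificate's user ID must hold
* authority to assert other identities
DEFINE TCPIPSERVICE(IIOPAST) GROUP(BANKSAMP) PROTOCOL(IIOP)            *
       TRANSACTION(CIOR) PORTNUMBER(2812) SSL(CLIENTAUTH)              *
       CERTIFICATE(CICSSRV) AUTHENTICATE(ASSERTED)
* The CORBASERVER names one TCPIPSERVICE per security level
DEFINE CORBASERVER(BANK) GROUP(BANKSAMP) JNDIPREFIX(bank)              *
       SHELF(/var/cicsts) HOST(cics.example.com)                       *
       UNAUTH(IIOPPLN) SSLUNAUTH(IIOPSSL)                              *
       CLIENTCERT(IIOPCLC) ASSERTED(IIOPAST)
```

A request arriving on IIOPPLN or IIOPSSL runs under whatever user ID the exit returns, so those two ports are only as strong as the exit logic; IIOPCLC and IIOPAST tie the user ID to a certificate that RACF has already validated.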