Application access control
For each IMS(TM) system that the IMS bridge connects to, you can define the following RACF(R) profile in the FACILITY class to determine how much security checking
is performed for each message passed to the IMS system.
IMSXCF.xcfgname.imsxcfmname
Where xcfgname is the XCF group name and imsxcfmname is
the XCF member name for IMS. (You need to define a separate profile for each IMS system.)
The access level you allow for the WebSphere MQ queue manager user ID in this
profile is returned to WebSphere MQ when the IMS bridge connects to IMS, and indicates
the level of security that is required on subsequent transactions. For subsequent
transactions, WebSphere MQ requests the appropriate services from RACF and, where
the user ID is authorized, passes the message to IMS.
OTMA does not support the IMS /SIGN command; instead, WebSphere MQ lets you set the
level of access checking performed for each message, so that you can implement the
necessary level of control.
The following access level information can be returned:
- NONE or NO PROFILE FOUND: Maximum security is required, that is, authentication
  is required for every transaction. A check is made to verify that the user ID
  specified in the UserIdentifier field of the MQMD structure and the password or
  passticket in the Authenticator field of the MQIIH structure are known to RACF
  and are a valid combination. A Utoken is created with a password or passticket
  and passed to IMS; the Utoken is not cached.
  Note: If profile hlq.NO.SUBSYS.SECURITY exists in the MQADMIN class, this level
  of security overrides whatever is defined in the profile.
- READ: The same authentication as for NONE is performed in the following
  circumstances:
  - The first time that a specific user ID is encountered
  - When the user ID has been encountered before but the cached Utoken was not
    created with a password or passticket
  WebSphere MQ requests a Utoken if required, and passes it to IMS.
  Note: If a request to reverify security has been processed, all cached
  information is lost and a Utoken is requested the first time each user ID is
  subsequently encountered.
- UPDATE: A check is made that the user ID in the UserIdentifier field of the
  MQMD structure is known to RACF. A Utoken is built and passed to IMS; the
  Utoken is cached.
- CONTROL or ALTER: No security Utokens need to be provided for any user IDs for
  this IMS system. (You would probably use this only for development and test
  systems.)
Notes:
- This access is defined when WebSphere MQ connects to IMS, and lasts for the
  duration of the connection. To change the security level, change the access in
  the security profile and then stop and restart the bridge (for example, by
  stopping and restarting OTMA).
- If you change the authorities in the FACILITY class, you must issue the RACF
  command SETROPTS RACLIST(FACILITY) REFRESH to activate the changes.
- You can use a password or a passticket, but remember that the IMS bridge does
  not encrypt data. For information about using passtickets, see Using RACF
  passtickets in the IMS header.
- Some of the above behavior might be affected by security settings in IMS, made
  using the /SECURE OTMA command.
- Cached Utoken information is held for the duration defined by the INTERVAL and
  TIMEOUT parameters of the WebSphere MQ ALTER SECURITY command.
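As an added example (not from this page and not IBM-supplied code), the batch TSO job below defines the bridge profile described above with a default of no access, grants the queue manager user ID READ access, and refreshes the RACLISTed FACILITY class. XCFGRP, IMSMBR, MQQMUSR and the JOB statement parameters are placeholders you must replace with your own values.

```jcl
//RACFIMS  JOB (ACCT),'IMS BRIDGE PROFILE',CLASS=A,MSGCLASS=X
//* Added example, not from the IMS bridge documentation. Placeholders:
//*   XCFGRP  - XCF group name        (xcfgname in the profile name)
//*   IMSMBR  - IMS XCF member name   (imsxcfmname in the profile name)
//*   MQQMUSR - queue manager user ID (assumed name)
//* UACC(NONE) means any user ID without an explicit PERMIT gets the
//* NONE level, i.e. full user ID and password/passticket authentication
//* on every transaction. ACCESS(READ) authenticates only on first use
//* or when the cached Utoken lacks a password. Use ACCESS(UPDATE) to
//* check the user ID alone; CONTROL or ALTER disables Utokens entirely.
//* After the job runs, stop and restart the bridge (e.g. OTMA) so the
//* new level is picked up at the next connection.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RDEFINE  FACILITY IMSXCF.XCFGRP.IMSMBR UACC(NONE)
  PERMIT   IMSXCF.XCFGRP.IMSMBR CLASS(FACILITY) ID(MQQMUSR) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
```

Define one such profile per IMS system the bridge connects to; the FACILITY class must already be active and RACLISTed for the REFRESH to apply.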