The IMS™ TM resource adapter (IMS Connector for Java™) follows the J2C security architecture. Information in an Enterprise Information System (EIS) such as IMS must be protected from unauthorized access. The J2EE Connector Architecture (J2C) specifies that the application server and the EIS must collaborate to ensure that only authenticated users can access the EIS. The J2C security architecture extends the end-to-end security model for J2EE-based applications to include integration with EISs.
EIS signon
The J2C security architecture supports a user ID and password authentication mechanism specific to an EIS. The user ID and password used to sign on to the target EIS are supplied either by the application component (component-managed signon) or by the application server (container-managed signon).
For the IMS TM resource adapter, IMS is the target EIS. The security information provided by the application component or the application server is passed to the IMS TM resource adapter, which passes it to IMS Connect. IMS Connect can use this information to authenticate the user and then passes it on to IMS OTMA, which can use it to verify authorization to access specific IMS resources.

In a typical environment, the IMS TM resource adapter forwards the security information it receives (user ID, password, and optional group name) to IMS Connect in an IMS OTMA message. Depending on its security configuration, IMS Connect may then call the host's Security Authorization Facility (SAF).
- For WebSphere® Application Server on distributed platforms, or on z/OS® with TCP/IP, using either component-managed or container-managed signon:
  - If RACF=Y is set in the IMS Connect configuration member, or if the IMS Connect command SETRACF ON has been issued, IMS Connect calls the SAF to authenticate the user ID and password passed by IMS Connector for Java in the OTMA message. If authentication succeeds, the user ID, optional group name, and the UTOKEN returned by the SAF call are passed to IMS OTMA for use in verifying authorization to access IMS resources.
  - If RACF=N is set in the IMS Connect configuration member, or if the IMS Connect command SETRACF OFF has been issued, IMS Connect does not call the SAF, so the user ID and password are not authenticated by IMS Connect. The user ID and group name, if specified, are still passed to IMS OTMA for use in verifying authorization to access IMS resources.
- For WebSphere Application Server for z/OS using Local Option and container-managed EIS signon, user authentication is performed by the application server only. IMS Connect does not perform it, regardless of the RACF® setting in the IMS Connect configuration member or set by a SETRACF command. WebSphere Application Server for z/OS calls RACF, then passes the UTOKEN representing the user identity to the IMS TM resource adapter, which passes it to IMS Connect. When IMS Connect sees the UTOKEN, it does not call the SAF, because authentication has already been performed by WebSphere Application Server for z/OS. IMS Connect passes the UTOKEN to IMS OTMA for use in verifying authorization to access IMS resources.
  There are two ways in which the user identity can be provided to the application server:
  - The user ID and password can be provided in a Java Authentication and Authorization Service (JAAS) alias. The JAAS alias is associated either with the connection factory used by the application that accesses IMS or, depending on the version of WebSphere Application Server, with the EJB resource reference used by the application. The application server creates the UTOKEN representing the user identity in the alias and passes it to the IMS TM resource adapter.
  - WebSphere Application Server for z/OS can be configured to obtain the user identity associated with the application's thread of execution. The application server creates the UTOKEN representing this user identity and passes it to the IMS TM resource adapter.
The level of authorization checking performed by IMS is controlled by the IMS command /SECURE OTMA. See the IMS OTMA Guide and Reference for more information about this command.
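The two signon styles described above, shown from the application side as an added example written for this page (it is not code from the IMS TM resource adapter product or its documentation). It assumes the adapter's CCI classes com.ibm.connector2.ims.ico.IMSConnectionSpec and IMSInteractionSpec with the setter names shown, a connection factory bound in JNDI at java:comp/env/eis/IMSConnectionFactory, and a hypothetical CredentialStore interface standing in for whatever protected source supplies run-time credentials; check the class and property names against your adapter level.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.resource.ResourceException;
import javax.resource.cci.Connection;
import javax.resource.cci.ConnectionFactory;
import javax.resource.cci.Interaction;
import javax.resource.cci.InteractionSpec;
import javax.resource.cci.Record;
import com.ibm.connector2.ims.ico.IMSConnectionSpec;     // assumed adapter class
import com.ibm.connector2.ims.ico.IMSInteractionSpec;    // assumed adapter class

public class ImsSignonExample {

    // JNDI name of the IMS TM resource adapter connection factory (assumed; match your deployment).
    private static final String CF_JNDI = "java:comp/env/eis/IMSConnectionFactory";

    /** Hypothetical run-time credential source; wire it to your secret store. */
    public interface CredentialStore {
        char[] password(String alias);
    }

    /**
     * Container-managed signon: the application passes no credentials.
     * The application server supplies the user ID and password from the JAAS
     * alias bound to the connection factory or resource reference (or, on z/OS
     * with Local Option, the UTOKEN it obtained from RACF), so no EIS
     * credential appears in application code. Prefer this style.
     */
    public static Connection connectContainerManaged(ConnectionFactory cf) throws ResourceException {
        return cf.getConnection();
    }

    /**
     * Component-managed signon: the application supplies the EIS credentials
     * itself on the IMSConnectionSpec. The adapter forwards user ID, password
     * and optional group name to IMS Connect in the OTMA message; with RACF=Y
     * IMS Connect calls the SAF to authenticate them, with RACF=N it forwards
     * the user ID and group name to OTMA unauthenticated.
     * Only use this style when the credentials come from a protected source at
     * run time; never embed them as string literals.
     */
    public static Connection connectComponentManaged(ConnectionFactory cf, String userId,
                                                     char[] password, String groupName)
            throws ResourceException {
        IMSConnectionSpec spec = new IMSConnectionSpec();
        spec.setUserName(userId);
        spec.setPassword(new String(password));
        if (groupName != null) {
            spec.setGroupName(groupName);     // optional SAF group, passed on to OTMA
        }
        try {
            return cf.getConnection(spec);
        } finally {
            java.util.Arrays.fill(password, '\0'); // clear the caller's copy once it has been used
        }
    }

    /** Runs one synchronous send/receive interaction on an open connection. */
    public static boolean runTransaction(Connection conn, Record input, Record output)
            throws ResourceException {
        IMSInteractionSpec ispec = new IMSInteractionSpec();
        ispec.setInteractionVerb(InteractionSpec.SYNC_SEND_RECEIVE);
        Interaction ix = conn.createInteraction();
        try {
            return ix.execute(ispec, input, output);
        } finally {
            ix.close();
        }
    }

    /**
     * Called from a J2EE component (for example an EJB method). Shows both
     * signon paths; a real application would use one of them.
     */
    public static void demo(CredentialStore store, Record input, Record output)
            throws NamingException, ResourceException {
        ConnectionFactory cf = (ConnectionFactory) new InitialContext().lookup(CF_JNDI);

        // Preferred: the container supplies the identity (JAAS alias or thread identity).
        Connection c1 = connectContainerManaged(cf);
        try {
            runTransaction(c1, input, output);
        } finally {
            c1.close();
        }

        // Component-managed: credentials fetched from the protected store at run time.
        Connection c2 = connectComponentManaged(cf, "IMSUSER1", store.password("ims-tm"), null);
        try {
            runTransaction(c2, input, output);
        } finally {
            c2.close();
        }
    }
}
```

With container-managed signon the credential lives in the server's JAAS alias, so rotating it is an administration task rather than a code change; with component-managed signon every component that builds an IMSConnectionSpec becomes a place where a password can leak, which is why the example pulls it from a store and clears the array afterwards.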
Java 2 Security Manager
The IMS TM resource adapter works with the WebSphere Application Server Java 2 Security Manager. Components such as resource adapters must be granted permission to perform protected operations, such as opening sockets. The IMS TM resource adapter is already granted the permissions it needs to perform these operations.
Secure Sockets Layer (SSL) Communications
The IMS TM resource adapter and IMS Connect, if properly configured, can use the Secure Sockets Layer (SSL) protocol over TCP/IP to secure the communications between them.

SSL connections are more secure than plain TCP/IP connections: they authenticate the IMS Connect server and, optionally, the IMS TM resource adapter client, and messages that flow on SSL connections may also be encrypted.

SSL with Null Encryption provides an intermediate level of security in which the authentication takes place but the messages are not encrypted. It trades the higher security of encrypted SSL communications for the higher throughput of non-encrypted SSL communications, which avoid the overhead of encrypting each message that flows between the IMS TM resource adapter and IMS Connect. Note that with Null Encryption the user ID and password carried in the OTMA message, and the application data, cross the network in the clear, so choose it only where the TCP/IP path between the application server and IMS Connect is otherwise protected.