IMS TM resource adapter security

The IMS™ TM resource adapter (IMS Connector for Java™) follows the J2C security architecture.

Information in an Enterprise Information System (EIS) such as IMS must be protected from unauthorized access. The J2EE Connector Architecture (J2C) specifies that the application server and the EIS must collaborate to ensure that only authenticated users can access the EIS. The J2C security architecture extends the end-to-end security model for J2EE-based applications to include integration with EISs, so that the identity established in the application server can be propagated to, and enforced by, the EIS.

EIS signon

The J2C security architecture supports a user ID and password authentication mechanism specific to an EIS.

The user ID and password to be used to sign into the target EIS are supplied either by the application component (component-managed signon) or by the application server (container-managed signon).

For the IMS TM resource adapter, IMS is the target EIS. The security information provided by the application component or the application server is passed to the IMS TM resource adapter, which passes it to IMS Connect. IMS Connect can use this information to authenticate the user and then passes it on to IMS OTMA. IMS OTMA can then use the (authenticated) identity to verify authorization to access specific IMS resources such as transactions and commands.

In a typical environment, the IMS TM resource adapter passes the security information it receives (user ID, password, and optional group name) to IMS Connect in an IMS OTMA message. Depending on its security configuration, IMS Connect may then call the host's System Authorization Facility (SAF), for example RACF.
  • For WebSphere® Application Server on distributed platforms or z/OS® with TCP/IP, using either component-managed or container-managed signon:
    • If RACF=Y is set in the IMS Connect configuration member, or if the IMS Connect command SETRACF ON has been issued, IMS Connect calls the SAF to authenticate the user ID and password passed by IMS Connector for Java in the OTMA message. If authentication succeeds, the user ID, optional group name, and the UTOKEN returned by the SAF call are passed to IMS OTMA for use in verifying authorization to access IMS resources. If authentication fails, the request is rejected and nothing is passed to OTMA.
    • If RACF=N is set in the IMS Connect configuration member, or if the IMS Connect command SETRACF OFF has been issued, IMS Connect does not call the SAF and the password is never verified. The user ID and group name, if specified, are still passed to IMS OTMA for use in verifying authorization, but OTMA is then acting on an unauthenticated identity supplied by the client. RACF=N is therefore appropriate only where the network path to IMS Connect and the clients on it are already trusted.
  • For WebSphere Application Server on z/OS using Local Option and container-managed EIS signon, user authentication is performed by the application server only. It is not performed in IMS Connect, regardless of the RACF® setting in the IMS Connect configuration member or the setting established by a SETRACF command. WebSphere Application Server for z/OS calls RACF, then passes the UTOKEN representing the user identity to the IMS TM resource adapter. The IMS TM resource adapter passes the UTOKEN to IMS Connect. When IMS Connect sees a UTOKEN, it does not call the SAF, because the presence of the UTOKEN indicates that authentication has already been performed by WebSphere Application Server for z/OS. IMS Connect passes the UTOKEN to IMS OTMA for use in verifying authorization to access IMS resources.
  • In the Local Option case, the user identity can be provided to the application server in two ways:
    • The user ID and password can be provided in a Java Authentication and Authorization Service (JAAS) alias. The JAAS alias is associated either with the connection factory used by the application that accesses IMS or, depending on the version of WebSphere Application Server, with the EJB resource reference used by the application. The application server creates the UTOKEN representing the identity in the alias and passes it to the IMS TM resource adapter.
    • WebSphere Application Server for z/OS can be configured to obtain the user identity associated with the thread of execution of the application. The application server creates the UTOKEN representing this identity and passes it to the IMS TM resource adapter. This propagates the identity of the actual end user to IMS, rather than a single shared identity from an alias.

The level of authorization checking performed by IMS is controlled by the IMS command /SECURE OTMA, whose settings are NONE, CHECK, FULL, and PROFILE. With NONE no authorization checking is done, so the user ID passed from IMS Connect is not consulted for access decisions. See the IMS OTMA Guide and Reference for more information about this command.
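The following example, added here and not taken from the IMS TM resource adapter documentation or shipped with the adapter, shows what the two signon styles described above look like from the application side. Component-managed signon builds an IMSConnectionSpec carrying the user ID, password, and optional group name; container-managed signon calls getConnection() with no credentials and relies on the JAAS alias bound to the resource reference. The JNDI name java:comp/env/eis/IMSConnectionFactory, the main() method, and the sample credentials are assumptions for illustration; the IMSConnectionSpec setters are the adapter's documented API.

```java
import javax.naming.InitialContext;
import javax.resource.cci.Connection;
import javax.resource.cci.ConnectionFactory;
import com.ibm.connector2.ims.ico.IMSConnectionSpec;

/**
 * Illustrative (not from the original page) comparison of component-managed
 * and container-managed EIS signon with the IMS TM resource adapter.
 */
public class ImsSignonExample {

    /**
     * Component-managed signon: the application supplies the credentials.
     * In the deployment descriptor the resource reference must use
     * <res-auth>Application</res-auth>. Whether the password is actually
     * verified depends on IMS Connect (RACF=Y/SETRACF ON), not on this code.
     */
    public static Connection componentManagedSignon(ConnectionFactory cf,
                                                    String userId,
                                                    char[] password,
                                                    String groupName) throws Exception {
        IMSConnectionSpec spec = new IMSConnectionSpec();
        spec.setUserName(userId);
        spec.setPassword(new String(password));
        if (groupName != null) {
            spec.setGroupName(groupName); // optional; forwarded to OTMA for authorization
        }
        try {
            return cf.getConnection(spec);
        } finally {
            // Do not let the password linger in the caller's buffer.
            java.util.Arrays.fill(password, '\0');
        }
    }

    /**
     * Container-managed signon: no credentials appear in application code.
     * The resource reference uses <res-auth>Container</res-auth> and the
     * server supplies the identity (from a JAAS alias, or on z/OS Local
     * Option, the identity of the executing thread) as described above.
     */
    public static Connection containerManagedSignon(ConnectionFactory cf) throws Exception {
        return cf.getConnection();
    }

    public static void main(String[] args) throws Exception {
        // Assumed JNDI name; adjust to the resource reference in your deployment.
        InitialContext ctx = new InitialContext();
        ConnectionFactory cf =
            (ConnectionFactory) ctx.lookup("java:comp/env/eis/IMSConnectionFactory");

        // Assumed sample credentials for illustration only.
        Connection c1 = componentManagedSignon(cf, "IMSUSER1", "secret".toCharArray(), "IMSGRP1");
        c1.close();

        Connection c2 = containerManagedSignon(cf);
        c2.close();
    }
}
```

In practice, prefer container-managed signon: it keeps user IDs and passwords out of application code and configuration files that developers control, and on z/OS it allows the end user's own identity to reach IMS, so that /SECURE OTMA checks are made against the real caller rather than a shared service account.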

Java 2 Security Manager

The IMS TM resource adapter works with the WebSphere Application Server Java 2 Security Manager. Components such as resource adapters must be granted permission to perform protected tasks, such as opening sockets. The IMS TM resource adapter is already granted the permissions it needs for these tasks, so enabling Java 2 security in the application server does not require additional policy entries for the adapter itself.

Secure Sockets Layer (SSL) Communications

The IMS TM resource adapter and IMS Connect, if properly configured, can use the Secure Sockets Layer (SSL) protocol over TCP/IP to secure the communications between them.

SSL connections are more secure than regular, non-SSL TCP/IP connections: they authenticate the IMS Connect server to the client and, optionally, authenticate the IMS TM resource adapter client to the server. Messages that flow on SSL connections can also be encrypted.

SSL with null encryption provides an intermediate level of security in which authentication takes place but the messages are not encrypted. It trades security for throughput: encrypted SSL communications are more secure but slower, while null-encryption SSL communications are faster because the overhead of encrypting each message that flows between the IMS TM resource adapter and IMS Connect is eliminated. With null encryption, however, the user ID, password, and message data in the OTMA messages cross the network in the clear, exactly as on a non-SSL connection, so null encryption is appropriate only where the network path between the application server and IMS Connect is protected by other means.

Related concepts
Container-managed EIS signon
Component-managed EIS signon
Secure Sockets layer (SSL)