Container-managed EIS sign-on

When <res-auth>Container</res-auth> is specified in the deployment descriptor of the application, container-managed EIS sign-on is used. With container-managed sign-on, your application does not programmatically provide the security information. Instead, the application server (the container) provides the security information (user ID and password). One way to accomplish this when using DefaultPrincipalMapping is to provide values for the user ID and password to be used by the application server as follows:

For TCP/IP, the application server passes the security information in the alias to the IMS resource adapter. The IMS resource adapter passes the security information to IMS Connect for authentication. IMS Connect authenticates the user and passes the security information for sign-on to IMS™. If IMS Connect cannot authenticate the user, a security failure is returned to the IMS resource adapter, which, in turn, passes an exception back to the application.

For Local Option, a z/OS-only feature in which both the server and WebSphere® Application Server are running in the same MVS™ image, the application server authenticates the user based on the security information defined in the container-managed alias. The application server creates and passes a UTOKEN representing the authenticated user to the IMS resource adapter. The IMS resource adapter then passes the UTOKEN to IMS Connect which in turn passes it on to IMS OTMA for use in signing on to IMS.

Alternatively, when using Local Option communications, you can specify in the application server configuration that the user identity associated with the current thread of execution is to be used by the application server when performing user authentication. In this case, you do not specify a JAAS container-managed authentication alias in the J2C connection factory used by your application. This option is only available if you are using Local Option communications.

Note: When using container-managed sign-on, if your application does pass security information to the IMS resource adapter using the userName, password or groupName properties of IMSConnectionSpec, it is ignored. However, if you pass other information in the IMSConnectionSpec object, such as clientID used with commit mode 0 interactions, this information will be used by the IMS resource adapter.
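To check which sign-on mode a deployed application actually requests, the following added example (not part of the original IBM documentation) reads a deployment descriptor and classifies each resource reference by its <res-auth> value. The sample descriptor, bean name and reference names are constructed for illustration; "Application" is the standard J2EE value that selects component-managed sign-on.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; bean and reference names are hypothetical.
SAMPLE_DESCRIPTOR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <session>
      <ejb-name>SampleIMSBean</ejb-name>
      <resource-ref>
        <res-ref-name>eis/IMSContainerCF</res-ref-name>
        <res-auth>Container</res-auth>
      </resource-ref>
      <resource-ref>
        <res-ref-name>eis/IMSComponentCF</res-ref-name>
        <res-auth>Application</res-auth>
      </resource-ref>
      <resource-ref>
        <res-ref-name>eis/IMSUnspecifiedCF</res-ref-name>
      </resource-ref>
    </session>
  </enterprise-beans>
</ejb-jar>
"""

def local(tag):
    """Strip the XML namespace so schema-based and DTD-based descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def sign_on_modes(descriptor_xml):
    """Return {res-ref-name: sign-on mode} for every <resource-ref> in the descriptor."""
    modes = {}
    for elem in ET.fromstring(descriptor_xml).iter():
        if local(elem.tag) != "resource-ref":
            continue
        fields = {local(child.tag): (child.text or "").strip() for child in elem}
        auth = fields.get("res-auth", "")
        if auth == "Container":
            mode = "container-managed"   # the application server supplies the credentials
        elif auth == "Application":
            mode = "component-managed"   # the application supplies the credentials
        else:
            mode = "unspecified"         # <res-auth> missing or unrecognized: review manually
        modes[fields.get("res-ref-name", "?")] = mode
    return modes

if __name__ == "__main__":
    for name, mode in sign_on_modes(SAMPLE_DESCRIPTOR).items():
        print(f"{name}: {mode}")
```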

(C) Copyright IBM Corporation 2000, 2005. All Rights Reserved.