IMS resource adapter security

Information in an Enterprise Information System (EIS) such as IMS™ must be protected from unauthorized access. The J2EE Connector Architecture (J2C) specifies that the application server and the EIS must collaborate to ensure that only authenticated users are able to access an EIS. The J2C security architecture extends the end-to-end security model for J2EE-based applications to include integration with EISs.

EIS sign-on

The J2C security architecture supports a user ID and password authentication mechanism specific to an EIS. For more information, see Java™ 2 Connector security in the WebSphere® Application Server documentation.

The user ID and password for the target EIS are supplied either by the application component (component-managed sign-on) or by the application server (container-managed sign-on).

For the IMS resource adapter, IMS is the target EIS. The security information is passed to the IMS resource adapter, which then passes it to IMS Connect. IMS Connect uses this information to perform user authentication and passes it on to IMS OTMA, which also uses this information to verify authorization to access IMS.

In a typical environment, the IMS resource adapter passes on the security information (user ID, password, and optional group name) that it receives to IMS Connect in an IMS OTMA message. Depending on its security configuration, IMS Connect may then call the host's Security Authorization Facility (SAF).
  • For WebSphere Application Server on distributed platforms or z/OS® with TCP/IP, using either component-managed or container-managed sign-on, or with Local Option using component-managed sign-on:
    • If RACF=Y is set in the IMS Connect configuration member or if the IMS Connect command SETRACF ON has been issued, IMS Connect calls the SAF to perform authentication using the user ID and password passed by IMS Connector for Java in the OTMA message. If authentication succeeds, the user ID and optional group name, along with the UTOKEN returned from the IMS Connect call to the SAF, are passed to IMS OTMA for use in verifying authorization to access IMS.
    • If RACF=N is set in the IMS Connect configuration member or if the IMS Connect command SETRACF OFF has been issued, IMS Connect does not call the SAF. However, the user ID and optional group name are still passed to IMS OTMA for use in verifying authorization to access IMS.
  • For WebSphere Application Server on z/OS with Local Option using container-managed sign-on:
    • Regardless of the value of the RACF parameter in IMS Connect (either from the value in the IMS Connect configuration member or from the SETRACF command), IMS Connect does not call the SAF, because authentication has already been performed by WebSphere Application Server for z/OS. The UTOKEN generated when WebSphere Application Server for z/OS calls the SAF is passed to IMS for use in verifying authorization to access IMS.
    • WebSphere Application Server for z/OS can be configured to use the RunAs identity associated with the thread of execution to authenticate a user. This identity is commonly referred to as the Thread Identity. The application server creates and passes the UTOKEN representing the user identity to the IMS resource adapter. The IMS resource adapter then passes the token to IMS Connect for sign-on to IMS. For information about the RunAs Identity support in WAS, consult the security documentation for WebSphere Application Server z/OS.
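
The rules in the list above can be turned into a review check that finds sign-on paths where neither WebSphere Application Server nor IMS Connect authenticates the password before the user ID reaches IMS OTMA. This is an added example, not IBM code; the SignOnPath fields, the inventory entries and the rule that an issued SETRACF command overrides the configuration member are assumptions made for illustration.

```python
"""Added example: which component calls the SAF on each sign-on path."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SignOnPath:
    name: str                  # constructed label for the deployment
    platform: str              # "distributed" or "zos"
    transport: str             # "tcpip" or "local_option"
    sign_on: str               # "component" or "container"
    racf_member: str           # RACF= value in the IMS Connect configuration member
    setracf: Optional[str] = None  # "ON"/"OFF" if SETRACF was issued, else None


def saf_caller(p: SignOnPath) -> str:
    """Return which component calls the SAF: 'was', 'ims_connect' or 'none'."""
    if p.transport == "local_option" and p.platform != "zos":
        raise ValueError(f"{p.name}: Local Option applies only to z/OS")
    # Local Option with container-managed sign-on: WebSphere Application Server
    # for z/OS has already authenticated, so the RACF setting is ignored.
    if p.transport == "local_option" and p.sign_on == "container":
        return "was"
    # Assumption: an issued SETRACF command overrides the configuration member.
    if p.setracf is not None:
        racf_on = p.setracf == "ON"
    else:
        racf_on = p.racf_member == "Y"
    return "ims_connect" if racf_on else "none"


def unauthenticated_paths(paths):
    """Names of paths whose password is checked by neither WAS nor IMS Connect."""
    return [p.name for p in paths if saf_caller(p) == "none"]


# Constructed inventory, not taken from any real installation.
INVENTORY = [
    SignOnPath("web-tcpip", "distributed", "tcpip", "container", "Y"),
    SignOnPath("batch-tcpip", "zos", "tcpip", "component", "N"),
    SignOnPath("zos-local-cm", "zos", "local_option", "container", "N"),
    SignOnPath("zos-local-comp", "zos", "local_option", "component", "Y", "OFF"),
]

if __name__ == "__main__":
    for path in INVENTORY:
        print(f"{path.name:15} SAF called by: {saf_caller(path)}")
    print("Review:", unauthenticated_paths(INVENTORY))
```

Paths reported by unauthenticated_paths still pass the user ID and optional group name to IMS OTMA, so access control on them rests entirely on the authorization checking that IMS performs.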

The level of authorization checking performed by IMS is controlled by the IMS command /SECURE OTMA. See the IMS OTMA Guide and Reference for more information about this command.

Java2 Security Manager

The IMS resource adapter works with the WebSphere Application Server Java2 Security Manager. Components such as resource adapters must be authorized to perform protected tasks, such as making socket calls. The IMS resource adapter is already authorized to perform these tasks. No action is required by the application component.

See Managing secured applications in the WebSphere Application Server documentation for more information about the Java2 Security Manager.

(C) Copyright IBM Corporation 2000, 2005. All Rights Reserved.