Web Express Logon Tutorial


Glossary of terms

Authentication type
This parameter value identifies the type of authentication that the requestor needs. Once you specify the desired authentication type, the CMS can better identify which credential mapper to select to handle the request. You can join multiple authentication types so that an HCM can support more than one type; use the vertical bar character (|) to join them. The five identified authentication types and their descriptions are listed in the following table:

Authentication type    Description
AuthType_3270Host      Identifies the credentials to be used with 3270 emulation
AuthType_5250Host      Identifies the credentials to be used with 5250 emulation
AuthType_VTHost        Identifies the credentials to be used with VT emulation
AuthType_FTPPassword   Credentials used to access an FTP host
AuthType_ConfigServer  Credentials identified by the token used to identify the user to the Host On-Demand configuration server (if you are using the configuration server-based model)
AuthType_All           Identifies the credentials to be used with all authentication types

Credential Mapper Servlet (CMS)
For the macro-based automation style of Web Express Logon, the CMS is the core of the credential-mapping framework. It is supplied with Host On-Demand and must be deployed to a Web server or some type of Web application framework. At a high level, it has two primary roles: (1) request the client's credentials (called a network ID) and (2) respond with the host access credentials, which consist of the host ID and a password or passticket, depending on the type of HCM.

Digital Certificate Access Server (DCAS)
DCAS is a TCP/IP server that runs on z/OS and OS/390 platforms. TN3270 servers connect to DCAS using Secure Sockets Layer (SSL). The purpose of DCAS is to receive an application ID and a digital certificate from a TN3270 server, ask RACF to return the valid user ID that has been associated with the certificate, and then generate a passticket for that user ID and application ID.

Enterprise Identity Mapping (EIM)
EIM is designed to help you manage multiple user registries and user identities in your enterprise. EIM is a mechanism for mapping (associating) a person or entity to the appropriate user identities in various registries throughout the enterprise. EIM provides APIs for creating and managing these identity mapping relationships, as well as APIs that applications use to query this information. iSeries Navigator, the iSeries graphical user interface, provides wizards to configure and manage EIM. In addition, administrators can manage EIM relationships for user profiles through iSeries Navigator. The iSeries server uses EIM to enable OS/400 interfaces to authenticate users by means of network authentication service. Applications, as well as OS/400, can accept Kerberos tickets and use EIM to find the user profile that represents the same person as the Kerberos ticket represents.

Full class path name
The CMS uses the value of the full class path name to create a class object of the specified type. That object is then used to handle CMS or HCM requests. The specified class file must be placed in the ...\WEB-INF\classes subdirectory as a loose class file (not inside a JAR file). From this location, the CMS can load and use it whenever the need arises.

Host Credential Mapper (HCM)
The HCM is a back-end repository that maps users' network IDs to their host IDs. This repository can be a JDBC database such as IBM DB2. The DCAS and Vault plug-ins provided with Web Express Logon are designed to work with such a database. Another possibility for a repository is an LDAP directory. However, using LDAP as your HCM requires you to write your own plug-in.

host ID
A host ID is the credential used to uniquely identify the user to the host being accessed. In macro-based automation, the host ID is what the HCM returns to the CMS in order to achieve single sign-on.

Host mask
The host mask is a secondary selection criterion used by the CMS to identify the most appropriate credential mapper. This value can contain one or more host addresses. Use the vertical bar character (|) to join multiple addresses. Use the asterisk character (*) to wildcard a host address. The wildcard character may start, end, or start and end a host address. The following table lists valid wildcarded addresses:

Host mask          Value matched
*.raleigh.ibm.com  Matches all addresses that end with .raleigh.ibm.com
ralvm*             Matches all addresses that start with ralvm
*                  Matches all addresses
*xyz*              Matches any host address that contains xyz
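As an added example (not code from Host On-Demand or this tutorial), the following Python shows how the two selection criteria defined under Authentication type and Host mask combine when a CMS picks a credential mapper: the vertical-bar lists are split, AuthType_All covers every requested type, and the wildcard forms from the table above are matched. The mapper record shape, the case-insensitive host comparison and the first-match ordering are assumptions.

```python
# Added example (not Host On-Demand code): a CMS-style lookup combining the two
# selection criteria from this glossary, authentication type (primary) and host
# mask (secondary). Record shape, case folding and first-match order are assumed.

AUTH_TYPE_ALL = "AuthType_All"

def split_list(value):
    """Split a vertical-bar joined parameter value into its non-empty parts."""
    return [part.strip() for part in value.split("|") if part.strip()]

def auth_type_matches(configured, requested):
    """True if the configured '|'-joined types cover the requested type; AuthType_All covers all."""
    return any(t in (AUTH_TYPE_ALL, requested) for t in split_list(configured))

def host_mask_matches(mask, host):
    """True if any pattern in the '|'-joined mask matches the host address.
    A pattern may start, end, or start and end with '*'; a bare '*' matches all."""
    host = host.lower()                     # assumption: hostnames compare case-insensitively
    for pattern in split_list(mask):
        pattern = pattern.lower()
        leading, trailing = pattern.startswith("*"), pattern.endswith("*")
        core = pattern.strip("*")
        if leading and trailing:
            hit = core in host              # '*xyz*', or bare '*' (core == '')
        elif leading:
            hit = host.endswith(core)       # '*.raleigh.ibm.com'
        elif trailing:
            hit = host.startswith(core)     # 'ralvm*'
        else:
            hit = host == core              # no wildcard: exact address only
        if hit:
            return True
    return False

def select_mapper(mappers, requested_type, host):
    """Name of the first mapper (config order) satisfying both criteria, else None."""
    for mapper in mappers:
        if (auth_type_matches(mapper["authType"], requested_type)
                and host_mask_matches(mapper["hostMask"], host)):
            return mapper["name"]
    return None

# Constructed sample configuration for illustration, not a real deployment.
SAMPLE_MAPPERS = [
    {"name": "ralvm-dcas", "authType": "AuthType_3270Host", "hostMask": "ralvm*"},
    {"name": "raleigh-vault", "authType": "AuthType_3270Host|AuthType_FTPPassword",
     "hostMask": "*.raleigh.ibm.com"},
    {"name": "catch-all", "authType": AUTH_TYPE_ALL, "hostMask": "*"},
]
```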

Junction (WebSEAL)
A junction is a TCP/IP connection between the front-end WebSEAL server and the destination host. A junction allows WebSEAL to provide protective services on behalf of the back-end server. WebSEAL can perform authentication and authorization checks on all requests before passing those requests on to the back-end server. Junctions between cooperating servers result in a single, unified, distributed Web space that is seamless and transparent to users. The client never needs to know the physical location of a Web resource. WebSEAL translates logical URL addresses into the physical addresses that a back-end server expects.

Kerberos
Kerberos is a secure method for granting users access to individual services in a computer network. Users request tickets from the KDC, and if authenticated, they use a Kerberos ticket to access resources within the network without their passwords being sent through the network.

Key Distribution Center (KDC)
A KDC is a network service that provides tickets and temporary session keys. The KDC maintains a database of principal names (users and services) and their associated secret keys. It is composed of the authentication server and the ticket granting ticket server. You should always use a secure machine to act as your KDC because if an unauthorized user gained access to the KDC, your entire realm could be compromised.

KDC support does not exist on the iSeries system.

Network authentication service (NAS)
NAS allows the iSeries server and several iSeries services, such as iSeries Access for Windows, to use a Kerberos ticket as an optional replacement for a user name and password when authenticating a user. The Kerberos protocol, developed by the Massachusetts Institute of Technology, allows a principal (a user or service) to prove its identity to another service within an insecure network. Authentication of principals is completed through a centralized server called a key distribution center (KDC). The KDC authenticates a user with a Kerberos ticket. These tickets prove the principal's identity to other services in a network. After a principal is authenticated by these tickets, it can exchange encrypted data with a target service. NAS verifies the identity of a user or service in a network. Applications can securely authenticate a user and securely pass on his or her identity to other services on the network. Once a user is known, separate functions are needed to verify the user's authorization to use the network resources.

Network ID
A network ID is the credential that uniquely identifies the user to the network security application. In macro-based automation, the CMS calls upon the Network Security plug-in to acquire the user's network ID from the network security application.

Passticket
A passticket is a credential that is similar to a password; however, a passticket expires after a certain period of time and can be used only once.

Principal name
The name of a user or service in a Kerberos network. A user is considered to be a person, whereas a service identifies a specific application or set of operating system services. On iSeries, the krbsvr400 service principal identifies the service used by iSeries Access for Windows, QFileSrv.400 and Telnet servers when authenticating from the client to the iSeries.

Resource Access Control Facility (RACF)
RACF is an IBM security product that protects resources by granting access to only authorized users of protected resources. RACF retains information about the users, resources, and access authorities in profiles on the RACF database and refers to the profiles when deciding which users should be permitted access to protected system resources.

User registry
A user registry defines a set of user identities known to and trusted by a particular instance of an operating system or application. A user registry also contains the information needed to authenticate the user of the identity. Additionally, a user registry often contains other attributes such as user preferences, system privileges, or personal information for that identity.
