Securing optimized local adapters for outbound support

Use this task when you want to set up security for your optimized local adapters that perform outbound calls.

Before you begin

You must install WebSphere® Application Server for z/OS® Version 7.0 Fix Pack 4.

It is recommended that you run the WebSphere Application Server for z/OS servers with global security and activate the Sync-to-OS Thread option if you intend to use the optimized local adapter APIs with those servers. To read about global security, see the topic, Enabling security. To read more about activating the Sync-to-OS Thread option, see the topic, z/OS security options.

Local access to WebSphere Application Server for z/OS servers is protected by the System Authorization Facility (SAF) CBIND class. This class is defined during profile creation and is used to protect WebSphere Application Server for z/OS servers when Internet Inter-ORB Protocol (IIOP) local client connection requests are made, as well as optimized local adapters requests. Before running any application that uses the Register API, be sure to grant READ access for the user ID of the job, UNIX® System Services (USS) process, or Customer Information Control System (CICS®) region to the CBIND class for the target server. This is set up with the BBOCBRAK job. For more information about the CBIND class, read the topic, Using CBIND to control access to clusters.

For calling from WebSphere Application Server to an application using either the optimized local adapters Host Service or Receive Request APIs, the identity on the thread that the API was called on is used. For environments other than CICS, there is no attempt by the optimized local adapters to assert the WebSphere Application Server application identity. This includes Information Management System (IMS™) dependent regions. For these regions, transactions execute under the ID of the user that started the transaction.

When transaction work passes between CICS and WebSphere Application Server for z/OS, either inbound or outbound, you must take into account some special security considerations. For example, you need to determine whether inbound work to WebSphere Application Server should run with the authority of the specific CICS application or with the overall CICS region authority. There are similar concerns when WebSphere Application Server sends outbound work to a CICS application; you need to determine whether CICS should honor the originating application's authority or its own current CICS security profile.
Attention: You need to make sure that the client applications are authenticated in order for CICS to process the request.

For receiving requests in CICS and processing them with the optimized local adapter CICS Link server (BBO$ task), you can indicate when you start the Link server that you wish to have Link server assert the propagated WebSphere Application Server thread-level identity to the CICS thread where the target program will execute. This is done with a parameter on the optimized local adapters BBOC CICS transaction.

About this task

The following steps include the tasks that you need to complete to secure the optimized local adapters for an outbound call:

Procedure

Configure the security settings. When using the optimized local adapters Host Service or Receive Request APIs in an application that is running under CICS, the authority of the CICS application that called these APIs is used. When using the optimized local adapters CICS Link server, you can indicate that you want the Link server task, BBO$, to assert the WebSphere Application Server identity before calling the target program as follows:
  1. On the optimized local adapters BBOC CICS transaction that you are using to start the Link server (with BBOC START_SRVR), pass the SEC=Y parameter. When this is specified, the optimized local adapters Link server task, BBO$, starts the link task, BBO#, with the identity that was propagated from calling the WebSphere Application Server thread.
  2. Ensure that the CICS region is running with security enabled and EXEC CICS START checking enabled. Security is enabled at start up with the parameter SEC=YES. The EXEC CICS START checking is enabled at start up with the parameter XUSER=YES.
  3. Create a SAF surrogate class that grants the identity that the optimized local adapters Link server is running with the authority to issue EXEC CICS START TRANSACTION API and pass the USERID that was propagated to CICS from WebSphere Application Server. The following is a sample that shows a surrogate class defined for user ID USER1 that allows user ID OLASERVE to issue EXEC CICS START TRANS(BBO#) USERID(USER1) and process optimized local adapters CICS Link transactions that run with the identity of USER1.
    RDEFINE SURROGAT USER1.DFHSTART UACC(NONE) OWNER(USER1)
    PERMIT USER1.DFHSTART CLASS(SURROGAT) ID(USER1)
    PERMIT USER1.DFHSTART CLASS(SURROGAT) ID(OLASERVE)
    SETROPTS RACLIST(SURROGAT) REFRESH
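The following Python is an added example and is not part of this IBM topic or of the optimized local adapters product. It parses the RACF commands from step 3 into a simplified SURROGAT profile table and then models which identity the BBO# link task ends up with for a given propagated WebSphere Application Server user ID. It is a teaching model, not RACF or CICS: it assumes SEC=YES and XUSER=YES are already in effect in the region (step 2), handles discrete profiles only (no generic profiles, no group connections), treats a missing profile as a denial, and assumes that without SEC=Y on BBOC START_SRVR the link task simply keeps the Link server's own identity. The generate_surrogat_commands helper is hypothetical and only repeats the step-3 pattern for several user IDs.

```python
import re

# Constructed sample input: the RACF commands from step 3 of this topic.
SAMPLE_COMMANDS = """
RDEFINE SURROGAT USER1.DFHSTART UACC(NONE) OWNER(USER1)
PERMIT USER1.DFHSTART CLASS(SURROGAT) ID(USER1)
PERMIT USER1.DFHSTART CLASS(SURROGAT) ID(OLASERVE)
SETROPTS RACLIST(SURROGAT) REFRESH
"""

# RACF access levels in ascending order; READ is what a SURROGAT check needs.
ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def parse_surrogat(commands):
    """Build {profile: {"uacc": level, "acl": {userid: level}}} from RDEFINE
    and PERMIT lines for the SURROGAT class.  Simplified model: discrete
    profiles only, no generic profiles, no group connections."""
    profiles = {}
    for raw in commands.splitlines():
        line = raw.strip().upper()
        if not line:
            continue
        tokens = line.split()
        verb = tokens[0]
        if verb == "RDEFINE" and len(tokens) > 2 and tokens[1] == "SURROGAT":
            m = re.search(r"UACC\((\w+)\)", line)
            uacc = ACCESS_LEVELS[m.group(1)] if m else ACCESS_LEVELS["NONE"]
            profiles[tokens[2]] = {"uacc": uacc, "acl": {}}
        elif verb == "PERMIT":
            m_class = re.search(r"CLASS\((\w+)\)", line)
            if not m_class or m_class.group(1) != "SURROGAT":
                continue  # PERMIT for some other class: not modelled here
            m_ids = re.search(r"\bID\(([^)]*)\)", line)
            if not m_ids:
                continue
            m_acc = re.search(r"ACCESS\((\w+)\)", line)
            # A PERMIT without ACCESS() grants READ, the RACF default.
            level = ACCESS_LEVELS[m_acc.group(1)] if m_acc else ACCESS_LEVELS["READ"]
            prof = profiles.setdefault(tokens[1], {"uacc": ACCESS_LEVELS["NONE"], "acl": {}})
            for userid in m_ids.group(1).split():
                prof["acl"][userid] = level
        # SETROPTS RACLIST(...) REFRESH only refreshes the in-storage copy; nothing to model.
    return profiles


def has_surrogate_authority(profiles, requester, target_userid):
    """True when requester holds at least READ on <target_userid>.DFHSTART,
    i.e. may issue EXEC CICS START ... USERID(target_userid) under XUSER=YES."""
    prof = profiles.get(f"{target_userid}.DFHSTART")
    if prof is None:
        return False  # no profile at all: treated as a denial in this model
    level = prof["acl"].get(requester, prof["uacc"])
    return level >= ACCESS_LEVELS["READ"]


def link_task_identity(profiles, *, bboc_sec, link_server_id, propagated_id):
    """Identity the BBO# link task runs under, assuming SEC=YES and XUSER=YES
    are already in effect in the CICS region (step 2).  Returns the propagated
    WebSphere identity when assertion was requested (SEC=Y on BBOC START_SRVR)
    and the surrogate check passes, "NOTAUTH" when assertion was requested but
    the START would be rejected, and the Link server's own ID when assertion
    was not requested (an assumption of this model)."""
    if bboc_sec.upper() != "Y":
        return link_server_id
    if has_surrogate_authority(profiles, link_server_id, propagated_id):
        return propagated_id
    return "NOTAUTH"


def generate_surrogat_commands(target_userids, link_server_id):
    """Hypothetical helper: repeat the step-3 command pattern for several
    propagated user IDs at once.  Returns the command text as one string."""
    lines = []
    for userid in target_userids:
        userid = userid.upper()
        lines.append(f"RDEFINE SURROGAT {userid}.DFHSTART UACC(NONE) OWNER({userid})")
        lines.append(f"PERMIT {userid}.DFHSTART CLASS(SURROGAT) ID({userid})")
        lines.append(f"PERMIT {userid}.DFHSTART CLASS(SURROGAT) ID({link_server_id.upper()})")
    lines.append("SETROPTS RACLIST(SURROGAT) REFRESH")
    return "\n".join(lines)


if __name__ == "__main__":
    table = parse_surrogat(SAMPLE_COMMANDS)
    for uid in ("USER1", "USER2"):
        print(uid, "->", link_task_identity(table, bboc_sec="Y",
                                            link_server_id="OLASERVE", propagated_id=uid))
```

Run stand-alone, the model reports that a request propagated as USER1 is asserted by OLASERVE, while USER2, for which no USER2.DFHSTART profile exists, is reported as NOTAUTH: the practical point of step 3 is that every WebSphere identity you expect to be propagated needs its own surrogate profile with the Link server's ID permitted.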

Results

You have set up security for the optimized local adapters connections.

What to do next

For more information about using security with IMS, see the topic, Security considerations when using optimized local adapters with IMS.

Last updated: Oct 22, 2010 12:21:29 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-zos&topic=tdat_security_out
File name: tdat_security_out.html