Securing optimized local adapters for inbound support
Use this task to set up security for your optimized local adapters connections that perform inbound calls.
Before you begin
Run the WebSphere® Application Server for z/OS® servers with global security and activate the Sync-to-OS Thread option if you intend to use the optimized local adapter APIs with those servers. To read about global security, see the topic, Enabling security. To read more about activating the Sync-to-OS Thread option, see the topic, z/OS security options.
Local access to WebSphere Application Server for z/OS servers is protected by the System Authorization Facility (SAF) CBIND class. This class is defined during profile creation and is used to protect WebSphere Application Server for z/OS servers when Internet Inter-ORB Protocol (IIOP) local client connection requests and optimized local adapters requests are made. Before running any application that uses the Register API, be sure to grant READ access to the CBIND class for the target server to the user ID for the job, UNIX System Services (USS) process, or Customer Information Control System (CICS®) region. This is set up with the BBOCBRAK job. For more information about the CBIND class, read the topic, Using CBIND to control access to clusters.
All inbound requests to WebSphere Application Server run under the authority of the current user on the thread. This identity is automatically propagated and asserted in the Enterprise JavaBeans (EJB) container, and it is the identity under which the application starts. Inbound requests that drive into a target enterprise bean arrive in the same manner as method invocations do for local IIOP requests, and the security options for RunAs work in the same way as for local IIOP requests.
For passing requests in to WebSphere Application Server from CICS, you can indicate that you want to use the current CICS application identity by setting a flag for this with the Register API call.
About this task
Procedure
Set the environment variable to permit the CICS application-level identities to be used for authentication when the registration request is made. You can set the variable in the administrative console as follows:
a. Click Environment > WebSphere Variables.
b. Under Scope, select Cell from the Show scope selection drop-down list. If the ola_cicsuser_identity_propagate environment variable displays in the resources list, you do not have to add it again. You can continue with step c. If you have not added the variable to the resource list, you must click Add. The ola_cicsuser_identity_propagate environment variable must be added to the display list the first time you do this task. Each time after the initial addition, you are able to select ola_cicsuser_identity_propagate from the display list after you set the scope.
c. Click ola_cicsuser_identity_propagate. A window displays the General Properties where you can configure the variable.
d. Set the WebSphere Application Server environment variable to 1. If you set the environment variable to 0 (zero) or leave it undefined, the CICS application level security is not honored in an inbound call to WebSphere Application Server.
e. Click Apply and OK.
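The same cell-scope setting can be applied, or checked for drift, from a script instead of the console. The following wsadmin Jython sketch is an added example, not IBM-supplied code; it assumes it is run with `wsadmin -lang jython -f <script>` against a configuration with a single cell, and the function names `find_entry` and `ensure_cell_variable` are hypothetical.

```python
# Added example: set ola_cicsuser_identity_propagate=1 at cell scope via wsadmin.
# Helper names are hypothetical; the AdminConfig calls are standard wsadmin.
VAR_NAME = 'ola_cicsuser_identity_propagate'


def find_entry(admin_config, var_map, name):
    """Return the config ID of the variable entry called `name`, or None."""
    listing = admin_config.list('VariableSubstitutionEntry', var_map)
    for entry in listing.splitlines():
        if entry and admin_config.showAttribute(entry, 'symbolicName') == name:
            return entry
    return None


def ensure_cell_variable(admin_config, cell_name, name, value):
    """Create or update a cell-scope WebSphere variable; report the action."""
    var_map = admin_config.getid('/Cell:%s/VariableMap:/' % cell_name)
    if not var_map:
        raise ValueError('no cell-scope VariableMap for cell %s' % cell_name)
    entry = find_entry(admin_config, var_map, name)
    if entry is None:
        # Equivalent of clicking Add in the console (first-time setup).
        admin_config.create('VariableSubstitutionEntry', var_map,
                            [['symbolicName', name], ['value', value]])
        return 'created'
    if admin_config.showAttribute(entry, 'value') == value:
        return 'unchanged'
    # Variable exists with 0 or another value: identity would not be honored.
    admin_config.modify(entry, [['value', value]])
    return 'updated'


try:
    AdminConfig  # defined only when the script runs under wsadmin
except NameError:
    pass
else:
    # Assumption: the configuration holds one cell; take its name from the repository.
    cell_id = AdminConfig.list('Cell').splitlines()[0]
    cell = AdminConfig.showAttribute(cell_id, 'name')
    action = ensure_cell_variable(AdminConfig, cell, VAR_NAME, '1')
    if action != 'unchanged':
        AdminConfig.save()
    print('%s: %s' % (VAR_NAME, action))
```

A result of `updated` means the variable existed with a value other than 1, the state in which CICS application-level identity is not honored on inbound calls.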