BEA eLink TCP for CICS 3.1   Information Center     

        HOME   |   SEARCH   |   CONTACT   |   PDF FILES |   WHAT'S NEW 
 
        TABLE OF CONTENTS   |   PREVIOUS TOPIC   |   NEXT TOPIC   |   INDEX  

Configuring the eLink TCP Security

The eLink TCP product supports a security feature that allows a requester from BEA TUXEDO services to pass a USERID requirement through the CICS server interfaces for verification through a third-party security package. The following topics explain the how to set up security:

Service Request Processing with Security

The following sections describe the process flow for security verification of a service request.

Security Checking from UNIX to Mainframe

Figure 3-1 depicts the process flow for security verifications from eLink for Mainframe TCP for CICS on UNIX to a mainframe.

Figure 3-1 Security Checking for UNIX to Mainframe Transactions

  1. When the eLink TCP for TUXEDO client program performs a tpinit(), the user's TUXEDO identity is validated against the tpusr file.

  2. When the client program issues a tpcall() or tpacall(), TUXEDO verifies (against the tpacl file) the user is authorized to invoke the gateway service.

  3. When the gateway establishes the initial connection, connection security information (specified as RMTNAME and PASSWORD in the GWICONFIG file) is passed from the eLink TCP for TUXEDO gateway to the remote gateway. If the RMTNAME and PASSWORD values match the values configured on the remote gateway, the connection is established.

    With each request, the eLink TCP for TUXEDO gateway passes the user's TUXEDO identity to the remote eLink TCP for CICS gateway (to the Handler).

    Note: To pass authority checking, the user's TUXEDO identity must match the mainframe userid exactly.

  4. The remote eLink TCP for CICS gateway Handler initiates an Application Handler to act on behalf of the specified userid.

  5. The Application Handler calls the specified service using system security to check authorization.

Security Checking from Mainframe to UNIX

Figure 3-2 depicts the process flow for security verifications from a mainframe to eLink for Mainframe TCP for CICS on UNIX.

Figure 3-2 Security Checking for Mainframe to UNIX Transactions

  1. The userid, established at mainframe log in, is checked by system security to verify that the user has permission to start a client transaction.

  2. The userid is checked by system security to verify that the user has permission to send a request to the gateway.

  3. With each request, the gateway passes the userid to the TUXEDO gateway.

    Note: To pass authority checking, the user's TUXEDO identity must match the mainframe userid exactly.

  4. The eLink TCP for CICS gateway maps the mainframe userid to a TUXEDO userid and issues the service request on behalf of that user.

  5. The TUXEDO server performs access checks (based on the tpacl file) to verify that the user has access to the requested service.

Setting Up Security for eLink TCP for CICS

The eLink TCP for CICS product supports enhanced security. This interface allows a requester from BEA TUXEDO services to pass a USERID through the CICS server interface for authorization through your security package. For field definitions, refer to the "Configuring and Administering BEA eLink TCP for CICS."

Securing User Connections

Complete the following tasks to enable the security feature for each connection.

  1. Specify SECURITY=Y in the Handler Configuration screen.

  2. Enter values for the ACCOUNT and PASSWORD fields in the User Connection Account screen.

    When SECURITY=Y, eLink TCP for CICS verifies the ACCOUNT and PASSWORD values from the User Connection Account match the RMTACCT and PASSWORD values in the eLink TCP for TUXEDO GWICONFIG file *FOREIGN section. If these values do not match and SECURITY=Y, a security error occurs.

    If SECURITY=N, the gateway allows a connection without any verification.

Securing Inbound Services

Complete the following tasks to enable the security feature for each inbound service.

  1. Set up transaction security through the mainframe with the security administrator.

  2. Specify SECURITY=Y in the Inbound Services screen for each service you want to secure. When SECURITY=Y, the gateway attempts to start user programs with the username that initiated the request as reported by the remote system.

    If SECURITY=N, the gateway starts user programs as the same user the gateway is running (as controlled by the socket listener).

Securing Outbound Connections from CICS to UNIX

Complete the following tasks to enable the security feature for each outbound connection.

  1. Specify SECURITY=Y on the appropriate Requester screen.

  2. Enter ACCOUNT and PASSWORD values on the appropriate Requester screen.

    Verify that the parameter values for ACCOUNT and PASSWORD in the Requester screen match the RMTACCT and PASSWORD values in the *FOREIGN section of the eLink TCP for TUXEDO GWICONFIG file.

    When SECURITY=Y, the requester program sends the ACCOUNT and PASSWORD to the remote UNIX system on connection initiation. When SECURITY=N, the gateway attempts to make a connection without any verification.

Securing Outbound Connections from CICS to CICS

Complete the following tasks to enable the security feature for each outbound connection.

  1. Specify SECURITY=Y on the appropriate Requester screen.

  2. Enter ACCOUNT and PASSWORD values on the appropriate Requester screen.

    Verify that the parameter values for ACCOUNT and PASSWORD in the Requester screen match the ACCOUNT and PASSWORD values in the User Connection Account screen.

    When SECURITY=Y, the requester program sends the ACCOUNT and PASSWORD to the remote CICS system on connection initiation. When SECURITY=N, the gateway attempts to make a connection without any verification.

Securing Outbound Connections from CICS to IMS

Complete the following tasks to enable the security feature for each outbound connection.

  1. Specify SECURITY=Y on the appropriate Requester screen.

  2. Enter ACCOUNT and PASSWORD values on the appropriate Requester screen.

    Verify that the parameter values for ACCOUNT and PASSWORD in the Requester screen match the ACCOUNT and PASSWORD values in the GATEWAY TYPE=REMOTE statement.

    When SECURITY=Y, the requester program sends the ACCOUNT and PASSWORD to the remote IMS system on connection initiation. When SECURITY=N, the gateway attempts to make a connection without any verification.

Securing Outbound Services

Complete the following tasks to enable the security feature for each outbound service.

  1. Enable security for the corresponding outbound connection.

  2. Specify SECURITY=Y on the appropriate Outbound Service screen.

  3. Set up security for the appropriate users on the target system.


        TABLE OF CONTENTS   |   PREVIOUS TOPIC   |   NEXT TOPIC   |   INDEX