Configuring BEA eLink TCP Security

The eLink TCP product supports a security feature that allows a requester from BEA TUXEDO services to pass a USERID requirement through the OTMA or CICS server interfaces for verification through a third-party security package.

Note: The security feature on eLink for Mainframe TCP for IMS (hereafter referenced as eLink TCP for IMS) runs as an OTMA client only.

Security Checking from UNIX to Mainframe

Figure 3-1 depicts the process flow for security verifications from eLink TCP for TUXEDO on UNIX to a mainframe.

Figure 3-1 Security Checking for UNIX to Mainframe Transactions

1. Verify the user is valid on UNIX. For valid users, access is given; for invalid users, access is rejected.

2. Verify user name (reviewing the tpusr file), group (reviewing the tpgrp file), and ACL (reviewing the tpacl file). If all three pass, the transaction request processes. If any one of the three are rejected, the transaction request stops and a security violation occurs.

   Note: The userids in these files must match in the TUXEDO and the mainframe environments or a security violation occurs.

3. Accept the transaction request at the mainframe gateway based on the request coming from a trusted source. No password is passed.

4. Verify the user name associated with the transaction against the security system (such as RACF). If the user name is not valid, the request is rejected and a security violation occurs.

5. Complete the transaction request to the server.

Figure 3-2 depicts the process flow for security verifications from a mainframe to eLink TCP for TUXEDO on UNIX.

Figure 3-2 Security Checking for Mainframe to UNIX Transactions

1. Authorization checking is done by the mainframe security package prior to initiating the client.

2. Pass the transaction request from the client to the mainframe gateway.

3. Accept the transaction request at the UNIX gateway based on the request coming from a trusted source. No password is passed.

4. Decode the appkey to obtain the user and group numbers. Verify the user name against the security system. If the user name is valid and the user has the authority to run the transaction, the transaction request is accepted. If the user name is not valid, the request is rejected and a security violation occurs.

5. Complete the transaction request to the server if the user name is accepted.

The eLink TCP for IMS product has an OTMA interface that supports enhanced security. This interface allows a requester from BEA TUXEDO services to pass a USERID through the OTMA server interface for authorization through your security package.

Securing Connections from IMS to UNIX

Complete the following tasks to enable the connection security feature.

1. Specify the ACCOUNT and PASSWORD parameters in the GATEWAY configuration statement for local or remote gateways.

2. Verify that the parameter values for ACCOUNT and PASSWORD in the GATEWAY statement match the RMTACCT and PASSWORD values in the *FOREIGN section of the eLink TCP for TUXEDO GWICONFIG file.

Complete the following tasks to enable the connection security feature.

1. Specify the ACCOUNT and PASSWORD parameters in the GATEWAY configuration statement for local or remote gateways.

2. Verify that the parameter values for ACCOUNT and PASSWORD in the GATEWAY statement for the GATEWAY TYPE=LOCAL match the ACCOUNT and PASSWORD values in the GATEWAY TYPE=REMOTE statement.

Complete the following tasks to enable the connection security feature.

1. Specify the ACCOUNT and PASSWORD parameters in the GATEWAY TYPE=LOCAL configuration statement.

2. Verify that the parameter values for ACCOUNT and PASSWORD in the GATEWAY TYPE=LOCAL statement match the ACCOUNT and PASSWORD values in the User Account Connection screen.

Complete the following tasks to enable the service security feature.

1. Set up transaction security through the mainframe with the security administrator.

2. Specify OTMASECURITY=Y in the SYSTEM statement of your eLink TCP for IMS configuration file.

3. Set the security flag for each local service using the SECURITY parameter in SERVICE TYPE=LOCAL statement. For parameter information, refer to the "Defining Local Services" section.

4. Issue the /SEC OTMA PROFILE command in IMS to enable security checking on a service by service basis for the OTMA interface. Issue the /SEC OTMA FULL command in IMS to enable security checking on all services.

   Warning: If SECURITY=N in the SERVICE TYPE=LOCAL statement for any local service definition, issue /SEC OTMA PROFILE. A security failure results if you specify SECURITY=N and issue /SEC OTMA FULL command.