BEA eLink for Mainframe TCP Release 3.2


 

eLink for Mainframe TCP Documentation   |   eLink TCP for CICS User Guide

Configuring the eLink TCP Security

 

The eLink TCP product supports a security feature that allows a requester from BEA Tuxedo services to pass a user ID through the CICS server interfaces for verification through a third-party security package. The following topics explain how to set up security:

 


Service Request Processing with Security

The following sections describe the process flow for security verification of a service request.

Security Checking from UNIX to Mainframe

Figure 3-1 depicts the process flow for security verifications from eLink for Mainframe TCP for CICS on UNIX to a mainframe.

Figure 3-1 Security Checking for UNIX to Mainframe Transactions


 

  1. When the eLink TCP for Tuxedo client program performs a tpinit(), the user's Tuxedo identity is validated against the tpusr file.

  2. When the client program issues a tpcall() or tpacall(), Tuxedo verifies (against the tpacl file) the user is authorized to invoke the gateway service.

  3. When the gateway establishes the initial connection, connection security information (specified as RMTNAME and PASSWORD in the GWICONFIG file) is passed from the eLink TCP for Tuxedo gateway to the remote gateway. If the RMTNAME and PASSWORD values match the values configured on the remote gateway, the connection is established.

    With each request, the eLink TCP for Tuxedo gateway passes the user's Tuxedo identity to the remote eLink TCP for CICS gateway (to the Handler).

    Note: To pass authority checking, the user's Tuxedo identity must match the mainframe user ID exactly.

  4. The remote eLink TCP for CICS gateway Handler initiates an Application Handler to act on behalf of the specified user ID.

  5. The Application Handler calls the specified service using system security to check authorization.

    Note: You may need to update your surrogate security definitions to allow the successful invocation of the CICS application program (EXEC CICS START TRANSID). See your mainframe security administrator if your site has this requirement.

Security Checking from Mainframe to UNIX

Figure 3-2 depicts the process flow for security verifications from a mainframe to eLink TCP for Tuxedo on UNIX.

Figure 3-2 Security Checking for Mainframe to UNIX Transactions


 

  1. The user ID, established at mainframe log in, is checked by system security to verify that the user has permission to start a client transaction.

  2. The user ID is checked by system security to verify that the user has permission to send a request to the gateway.

  3. With each request, the gateway passes the user ID to the Tuxedo gateway.

    Note: To pass authority checking, the user's Tuxedo identity must match the mainframe user ID exactly.

  4. The eLink for Tuxedo gateway maps the mainframe user ID to a Tuxedo user ID and issues the service request on behalf of that user.

  5. The Tuxedo server performs access checks (based on the tpacl file) to verify that the user has access to the requested service.

 


Setting Up Security for eLink TCP for CICS

The eLink TCP for CICS product supports enhanced security. This interface allows a requester from BEA Tuxedo services to pass a User ID through the CICS server interface for authorization through your security package. For field definitions, refer to the Configuring and Administering BEA eLink TCP for CICS section.

Securing User Connections

Complete the following tasks to enable the security feature for each connection.

  1. Specify SECURITY=Y in the Handler Configuration screen.

  2. Enter values for the ACCOUNT and PASSWORD fields in the User Connection Account screen.

    When SECURITY=Y, eLink TCP for CICS verifies the ACCOUNT and PASSWORD values from the User Connection Account match the RMTACCT and PASSWORD values in the eLink TCP for Tuxedo GWICONFIG file *FOREIGN section. If these values do not match and SECURITY=Y, a security error occurs.

    If SECURITY=N, the gateway allows a connection without any verification.

Securing Inbound Services

Complete the following tasks to enable the security feature for each inbound service.

  1. Set up transaction security through the mainframe with the security administrator.

  2. Specify SECURITY=Y in the Inbound Services screen for each service you want to secure. When SECURITY=Y, the gateway attempts to start user programs with the username that initiated the request as reported by the remote system.

    If SECURITY=N, the gateway starts user programs using the gateway's user ID (as controlled by the socket listener).

Securing Outbound Connections from CICS to UNIX

Complete the following tasks to enable the security feature for each outbound connection.

  1. Specify SECURITY=Y on the appropriate Requester screen.

  2. Enter ACCOUNT and PASSWORD values on the appropriate Requester screen.

    Verify that the parameter values for ACCOUNT and PASSWORD in the Requester screen match the RMTACCT and PASSWORD values in the *FOREIGN section of the eLink TCP for Tuxedo GWICONFIG file.

    When SECURITY=Y, the requester program sends the ACCOUNT and PASSWORD to the remote UNIX system on connection initiation. When SECURITY=N, the gateway attempts to make a connection without any verification.

Securing Outbound Connections from CICS to CICS

Complete the following tasks to enable the security feature for each outbound connection.

  1. Specify SECURITY=Y on the appropriate Requester screen.

  2. Enter ACCOUNT and PASSWORD values on the appropriate Requester screen.

    Verify that the parameter values for ACCOUNT and PASSWORD in the Requester screen match the ACCOUNT and PASSWORD values in the User Connection Account screen.

    When SECURITY=Y, the requester program sends the ACCOUNT and PASSWORD to the remote CICS system on connection initiation. When SECURITY=N, the gateway attempts to make a connection without any verification.

Securing Outbound Connections from CICS to IMS

Complete the following tasks to enable the security feature for each outbound connection.

  1. Specify SECURITY=Y on the appropriate Requester screen.

  2. Enter ACCOUNT and PASSWORD values on the appropriate Requester screen.

    Verify that the parameter values for ACCOUNT and PASSWORD in the Requester screen match the ACCOUNT and PASSWORD values in the GATEWAY TYPE=REMOTE statement.

    When SECURITY=Y, the requester program sends the ACCOUNT and PASSWORD to the remote IMS system on connection initiation. When SECURITY=N, the gateway attempts to make a connection without any verification.

Securing Outbound Services

Complete the following tasks to enable the security feature for each outbound service.

  1. Enable security for the corresponding outbound connection.

  2. Specify SECURITY=Y on the appropriate Outbound Service screen.

  3. Set up security for the appropriate users on the target system.
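The following is an added example, not BEA's code, that models the connection rule from Securing User Connections (ACCOUNT/PASSWORD must match RMTACCT/PASSWORD unless SECURITY=N) and the user-ID rule from Securing Inbound Services (programs run as the requester only when SECURITY=Y and the identity matches a mainframe user ID exactly) so a planned configuration can be audited for unverified connections and services that would run under the gateway's own user ID. The dict layouts, the GATEWAY_USER value and the mainframe_ids set are constructed assumptions, not the product's file or screen formats.

```python
# Added example, not BEA's code: a model of the eLink TCP connection and
# inbound-service security rules so a planned configuration can be audited.
# The dicts stand in for the Handler Configuration / User Connection Account
# screens and the GWICONFIG *FOREIGN entry; they are not the product's formats.
import hmac

GATEWAY_USER = "ELNKGW"  # constructed: ID the socket listener runs the gateway as


def connection_accepted(handler: dict, foreign: dict) -> tuple[bool, str]:
    """SECURITY=Y: ACCOUNT/PASSWORD must equal RMTACCT/PASSWORD in *FOREIGN,
    else a security error. SECURITY=N: connection accepted unverified."""
    if handler["SECURITY"] == "N":
        return True, "accepted without verification (SECURITY=N)"
    # constant-time compare; the product's own comparison is not documented
    acct_ok = hmac.compare_digest(handler["ACCOUNT"], foreign["RMTACCT"])
    pw_ok = hmac.compare_digest(handler["PASSWORD"], foreign["PASSWORD"])
    if acct_ok and pw_ok:
        return True, "accepted: ACCOUNT/PASSWORD match RMTACCT/PASSWORD"
    return False, "security error: ACCOUNT/PASSWORD do not match *FOREIGN entry"


def effective_user(service: dict, tuxedo_identity: str, mainframe_ids: set) -> tuple[str, str]:
    """SECURITY=Y: the program runs under the Tuxedo identity sent with the
    request, which must match a mainframe user ID exactly (case included).
    SECURITY=N: every program runs under the gateway's own user ID."""
    if service["SECURITY"] == "N":
        return GATEWAY_USER, "runs as gateway user: no per-request authority check"
    if tuxedo_identity in mainframe_ids:
        return tuxedo_identity, "runs as requester; system security applies"
    hint = ""
    if tuxedo_identity.upper() in {m.upper() for m in mainframe_ids}:
        hint = " (differs only in case; IDs must match exactly)"
    return "", f"rejected: {tuxedo_identity!r} is not a mainframe user ID{hint}"


def audit(connections: list, services: list) -> list:
    """Findings a reviewer wants before enabling the gateway: unverified or
    failing connections, and services whose programs run as the gateway."""
    findings = []
    for name, handler, foreign in connections:
        ok, why = connection_accepted(handler, foreign)
        if handler["SECURITY"] == "N" or not ok:
            findings.append(f"connection {name}: {why}")
    for svc in services:
        if svc["SECURITY"] == "N":
            findings.append(f"service {svc['NAME']}: programs start as {GATEWAY_USER}")
    return findings
```

Run audit() over the connection and service entries planned for a gateway; an empty result means every connection verifies its credentials and every inbound service runs under the requester's own mainframe user ID.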

 
