Chapter 8. IMS Connect security 113
8.2.2 User verification
After IMS Connect has successfully joined the XCF group and connected as an OTMA client
to IMS, you have the option to let IMS Connect do RACF user ID and password verification of
each client on a per-message basis. This facility is driven by the RACF=Y | N parameter, as
specified in the HWSCFG configuration file. See 4.3.4, “Creating the IMS Connect
configuration member” on page 47 for an example.
You can modify the RACF status by using the IMS Connect command SETRACF=ON |
OFF. See 5.1.6, “SETRACF” on page 66 for an example. The user ID and password can
be set up in one of two places:
1. The originating client builds the security data into the message that it sends to IMS Connect through TCP/IP.
2. The user message exit, which is driven after IMS Connect has received the complete message from the TCP/IP client, supplies the security data.
After IMS Connect receives control back from the user message exit, and the RACF= option is
set to Y, IMS Connect issues the RACF call to verify the user ID and password. If verification
fails, the message is rejected and an error response is returned to the originating client.
8.2.3 User exit security
The last IMS Connect security option is implemented in the user exit that IMS Connect drives
after the complete message has been received from the TCP/IP client. This option is open
ended: the user exit can perform any data manipulation or checking that its author chooses,
including RACF verification or any other security check the author wants to implement and
execute. It is entirely separate from the optional user ID and password verification that IMS
Connect itself performs, as discussed previously in this chapter.
8.2.4 Local option security
To configure security for the local option using RACF, you must define a profile named
HWS.IMSConnect_name in the SAF FACILITY class (regardless of whether you turned IMS Connect
security on with the RACF= parameter in the IMS Connect configuration member or with the
SETRACF command). IMSConnect_name is the value of the ID parameter on the HWS statement in
the IMS Connect configuration member. The requester that must be permitted to this profile is
the user ID under which WebSphere Application Server runs, and it requires UPDATE access to
the profile.
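As an added example, not taken from this Redbook or from the IMS Connect product materials, the following batch job issues the RACF commands that define the FACILITY class profile described above and permit the WebSphere Application Server user ID to it. The IMS Connect ID HWS1 (and therefore the profile name HWS.HWS1), the WAS user ID WASUSR, and the job card values are assumed names for illustration.

```jcl
//HWSRACF  JOB (ACCT),'HWS LOCAL OPT',CLASS=A,MSGCLASS=X
//* Added example, not from the Redbook. Assumed names:
//*   HWS1   - the ID= value on the HWS statement in HWSCFG,
//*            for example HWS (ID=HWS1,RACF=Y,...), which makes
//*            the local option profile name HWS.HWS1.
//*   WASUSR - the user ID WebSphere Application Server runs under.
//* Submit as a RACF administrator.
//*
//* RDEFINE creates the profile with no default access (UACC(NONE)),
//* PERMIT gives only the WAS user ID the UPDATE access the local
//* option needs, SETROPTS REFRESH makes the change effective when
//* FACILITY is RACLISTed, and RLIST displays the profile and its
//* access list so the result can be checked before WAS connects.
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY HWS.HWS1 UACC(NONE) DATA('IMS CONNECT LOCAL OPTION')
  PERMIT HWS.HWS1 CLASS(FACILITY) ID(WASUSR) ACCESS(UPDATE)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST FACILITY HWS.HWS1 AUTHUSER
/*
```

Check the RLIST output in SYSTSPRT: the profile should show UACC NONE and an access list containing only WASUSR with UPDATE. If the FACILITY class is not RACLISTed on your system, the SETROPTS REFRESH step is unnecessary but harmless.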
8.3 OTMA security
OTMA provides various levels of security checking that can be implemented, independent of the
optional RACF verification that IMS Connect can perform. OTMA verifies security at two points:
1. When a client bids to connect
2. When an input message from a client is processed
Note: IMS Connect Extensions provides RACF identification and authorization caching, which
can dramatically improve IMS Connect performance. See Chapter 11, “IMS Connect Extensions” on
page 155 for details.