(ZOS) Security considerations using optimized local adapters with IMS
This topic reviews the security considerations for using optimized local adapters with IMS™.
Optimized local adapters APIs can be used in the following IMS dependent region environments:
- Message Processing Regions (MPRs), which run message processing programs (MPPs)
- Fast Path regions, which run IMS Fast Path programs (IFPs)
- Batch Message Processing regions (BMPs)
- Batch DL/I regions
The registration process requires that the user ID on the current thread (the TCB in the dependent region) is authorized, with at least READ access, to the System Authorization Facility (SAF) CBIND class profile for the target WebSphere Application Server server. Registration must succeed before any other optimized local adapters request can be sent to WAS.
There are several ways that a user identity becomes associated with the current IMS task and its TCB. For BMPs, the job user ID is the identity that requires access to the CBIND class. For IFPs and MPPs, the user identity on the TCB can be set in a different way. If the SECURITY macro for the IMS environment specifies SECLVL=(TRANAUTH,SIGNON), the user ID provided at sign-on must exist in the local SAF database and SAF authentication occurs. In addition, transaction access is checked with SAF.
When running with these options, the Build Security Environment exit (DFSBSEX0) passes return code 4 back to IMS. IMS then ensures that the TCB under which the transaction is dispatched is synchronized with the SAF user ID that was authenticated at sign-on.
The user ID of the application user requires READ access to the WAS CBIND SAF class for a successful optimized local adapters Register API call. For IMS transactions initiated by callers using the Open Transaction Manager Access (OTMA) protocol, the OTMASE parameter determines whether the security context of the current thread/TCB is updated. Setting OTMASE=FULL means that the identity passed in by the OTMA client call becomes the identity on the thread of the MPP or IFP. In this scenario, it is the client ID that requires READ access to the CBIND class.
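The following REXX exec is an added example, not part of the original page or of the product documentation, that sets up the CBIND authorization described above using standard RACF commands. The profile name CB.BIND.WOLACL01, the group WOLAUSRS, the BMP job user ID BMPUSER and the OTMA client ID OTMACLNT are assumed names; take the actual CBIND profile name for the target server from the topic System Authorization Facility classes and profiles. The profile is defined with UACC(NONE) so that only explicitly permitted identities can register.

```rexx
/* REXX - added example (not from the original page).                      */
/* Assumptions: CBIND profile CB.BIND.WOLACL01 is the profile for the      */
/* target WAS server; WOLAUSRS, BMPUSER and OTMACLNT are hypothetical      */
/* RACF group and user IDs.                                                */
ADDRESS TSO

/* Deny by default: no universal access to the bind profile.              */
"RDEFINE CBIND CB.BIND.WOLACL01 UACC(NONE)"

/* One group holds every identity that is allowed to call Register.       */
/* BMPs: the job user ID. MPPs/IFPs over OTMA with OTMASE=FULL: the       */
/* OTMA client ID that ends up on the TCB.                                */
"ADDGROUP WOLAUSRS"
"CONNECT BMPUSER  GROUP(WOLAUSRS)"
"CONNECT OTMACLNT GROUP(WOLAUSRS)"

/* READ is the minimum the Register API needs; do not grant more.         */
"PERMIT CB.BIND.WOLACL01 CLASS(CBIND) ID(WOLAUSRS) ACCESS(READ)"

/* CBIND is RACLISTed, so refresh before the change takes effect.         */
"SETROPTS RACLIST(CBIND) REFRESH"

/* Check: the access list should show only WOLAUSRS with READ.            */
"RLIST CBIND CB.BIND.WOLACL01 AUTHUSER"
```

Run the exec from a TSO session or a batch IKJEFT01 step under a RACF administrator ID. If a Register call still fails after the refresh, check the ICH408I message in the job log to confirm which user ID was actually on the TCB at the time; for MPPs and IFPs it may not be the ID you expected if OTMASE or DFSBSEX0 are not configured as described above.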
When transaction work passes from IMS to WAS for z/OS, the user ID on the IMS thread is propagated into the WAS EJB container and asserted there.
When using the optimized local adapters to call existing, unchanged IMS transactions over OTMA, the identity of the current WAS client can be propagated to IMS transactions running in Message Processing (MPR) and Fast Path (IFP) dependent regions, where it is asserted. To do this, ensure that the WebSphere server is configured to run with the SyncToOSThread option enabled. To read more about activating the SyncToOSThread option, see the topic z/OS security options. Once SyncToOSThread is enabled, ensure that the OTMASE parameter for the target IMS environment is set to F (FULL). With both options configured this way, the identity of the user in the WAS environment is propagated to an IMS MPP or IFP and asserted. This does not apply to Batch Message Processing (BMP) dependent regions.
If we are using SAF, configure a BBO.SYNC profile. Refer to the topic System Authorization Facility classes and profiles for a description of how to configure a BBO.SYNC profile.
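The following REXX exec is an added example, not part of the original page, showing the SAF side of enabling SyncToOSThread for the outbound case: a BBO.SYNC profile in the FACILITY class that the server's identity must be permitted to. The profile name BBO.SYNC.WOLACL01 and the servant region user ID WASSRV are assumed names, and the exact profile naming convention and required access level should be taken from the topic System Authorization Facility classes and profiles. The OTMASE=FULL setting on the IMS side is not a SAF change and is only noted in a comment.

```rexx
/* REXX - added example (not from the original page).                      */
/* Assumptions: BBO.SYNC.WOLACL01 is the BBO.SYNC profile for the WAS      */
/* server whose threads may be synchronized to the OS thread identity;    */
/* WASSRV is the hypothetical user ID the server's servant region runs    */
/* under. CONTROL access is assumed to be the level SyncToOSThread needs. */
ADDRESS TSO

/* Deny by default; only the server identity may sync its threads.        */
"RDEFINE FACILITY BBO.SYNC.WOLACL01 UACC(NONE)"

/* Permit the servant region user ID, not end users: it is the server     */
/* that performs the thread identity switch, not the propagated client.   */
"PERMIT BBO.SYNC.WOLACL01 CLASS(FACILITY) ID(WASSRV) ACCESS(CONTROL)"

/* FACILITY is normally RACLISTed; refresh so the profile is live.        */
"SETROPTS RACLIST(FACILITY) REFRESH"

/* Check: only WASSRV should appear in the access list.                   */
"RLIST FACILITY BBO.SYNC.WOLACL01 AUTHUSER"

/* Reminder (IMS side, not RACF): the target IMS environment must run      */
/* with OTMASE=F (FULL) so the propagated WAS identity is placed on the   */
/* MPP or IFP thread. BMP regions are not covered by this path.           */
```

Keeping UACC(NONE) and a single permitted server ID matters here: a too-broad BBO.SYNC profile would let any server in scope switch its OS thread identity to an arbitrary propagated user, which is exactly the capability this profile is meant to gate.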
Related:
- System Authorization Facility classes and profiles
- Enable the server environment to use optimized local adapters
- Enable optimized local adapters over OTMA/IMS support
- Secure optimized local adapters for inbound support
- Secure optimized local adapters for outbound support
- Security states with thread identity support
- z/OS security options