

Security Configuration
Authentication Configuration
CICS provides two system transactions for authentication purposes: CESN (sign-on) and CESF (sign-off).
ARTTCP implements a similar authentication function by leveraging Tuxedo's security mechanisms. Two Tuxedo system services, CESN and CESF, are provided by CICS Runtime to emulate the CESN and CESF transactions in CICS.
When a terminal connects to ARTTCP, ARTTCP creates a 3270 session and the session joins Tuxedo with the default security profile. The user name defined in the default security profile plays a role similar to that of the CICS default user CICSUSER. The authentication process is then as follows:
1.
2.
3.
4.
5.
6.
Tuxedo Security Mechanisms
ARTTCP supports three types of Tuxedo security mechanisms: application password (APP_PW), user-level authentication (USER_AUTH), and access control list (ACL and MANDATORY_ACL).
The application password security mechanism requires that every client provide an application password as part of the process of joining the Tuxedo ATMI application. The administrator defines a single password for the entire Tuxedo ATMI application and gives the password only to authorized users. For more information on how to configure Tuxedo application password, please refer to Tuxedo documentation.
The user-level authentication security mechanism requires that in addition to the application password, each client must provide a valid username and password to join the Tuxedo ATMI application. The per-user password must match the password associated with the user name stored in a file named tpusr. Client name is not used. The checking of per-user password against the password and user name in tpusr is carried out by the Tuxedo authentication service AUTHSVC, which is provided by the Tuxedo authentication server AUTHSVR. For more information on how to configure Tuxedo user-level authentication, please refer to Tuxedo documentation.
When Tuxedo security is enabled, a default security profile, which includes the default USER_AUTH username and password and/or the APP_PW password, is required to allow users to join the Tuxedo domain before calling the CESN service. A security profile generator tool is provided to generate the default security profile. Please refer to Security Profile Generator for details.
In the case of APP_PW, the Tuxedo application password must be created in Tuxedo configuration.
In the case of USER_AUTH, the Tuxedo application password plus a Tuxedo username and password must be created in the Tuxedo configuration.
In both cases, the password (and username for USER_AUTH) must be specified in the default security profile file that is named by the command line option (-p profile-name) of the Tuxedo ARTTCPL server. The password (and username for USER_AUTH) are used as parameters of tpinit() when the ARTTCP server joins Tuxedo.
Integration with the External Security Manager
CICS Runtime offers a security framework which allows a customer to choose integration with an external security manager. The Tuxedo application key (appkey) is used as the credential passed to the external security manager. The appkey is 32 bits long: the Tuxedo user identifier is in the low-order 17 bits, the Tuxedo group identifier is in the next 14 bits, and the high-order bit is reserved for administrative keys. For more information, please refer to Tuxedo documentation.
The appkey is passed in AUTH-GROUPID.
An authorization function is available for customization by the integration team. CICS Runtime calls this function each time an authorization check is required for a given resource.
A default function that always returns an ok status is provided. The integration team can replace it with a project-specific version for projects where CICS resource authorization must be activated in addition to transaction authorization.
Listing 8‑1 COBOL CICS Resource Authorization Interface
WORKING-STORAGE SECTION.
01 ret-code usage int.
LINKAGE SECTION.
01 AUTH-USERID      PIC X(30).
01 AUTH-GROUPID     PIC X(256).
01 AUTH-RSRCE-TYPE  PIC X(256).
01 AUTH-RSRCE-NAME  PIC X(512).
01 AUTH-ACCESS-TYPE PIC X(6).
PROCEDURE DIVISION USING AUTH-USERID AUTH-GROUPID
                         AUTH-RSRCE-TYPE AUTH-RSRCE-NAME
                         AUTH-ACCESS-TYPE.
* Default version: every request is authorized (0 = ok).
    MOVE 0 TO ret-code.
    MOVE ret-code TO RETURN-CODE.
    GOBACK.
Accepting: AUTH-USERID, AUTH-GROUPID (the appkey), AUTH-RSRCE-TYPE, AUTH-RSRCE-NAME, AUTH-ACCESS-TYPE
Returning: ret-code (0 = access authorized)
Codification
The resources types are codified as in a native CICS/RACF environment: XTST for Temporary Storage resources, XFCT for files, …
See native CICS documentation for more information. The default version of this function provided with CICS Runtime always returns 0.
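As an added illustration (not code from CICS Runtime or Oracle), the following C program decodes the 32-bit appkey layout described above and sketches what a project-specific version of the resource authorization function could do instead of always returning 0: look the caller's Tuxedo group up in a policy table and deny anything that table does not grant. The policy entries, group numbers, user name and resource names are constructed for the example; the resource-type codes follow the CICS/RACF codification named above, and the function signature only mirrors the shape of the COBOL interface rather than being the product's own calling convention.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not CICS Runtime code. Appkey layout as described on
 * this page: uid in the low-order 17 bits, gid in the next 14 bits, high bit
 * reserved for administrative keys. */
#define APPKEY_UID_BITS  17u
#define APPKEY_GID_BITS  14u
#define APPKEY_UID_MASK  ((1u << APPKEY_UID_BITS) - 1u)                 /* 0x0001FFFF */
#define APPKEY_GID_MASK  ((1u << APPKEY_GID_BITS) - 1u)                 /* 0x00003FFF */
#define APPKEY_ADMIN_BIT (1u << (APPKEY_UID_BITS + APPKEY_GID_BITS))    /* 0x80000000 */

/* Tuxedo user identifier: low-order 17 bits. */
uint32_t appkey_uid(uint32_t key) { return key & APPKEY_UID_MASK; }

/* Tuxedo group identifier: the 14 bits above the uid. */
uint32_t appkey_gid(uint32_t key) { return (key >> APPKEY_UID_BITS) & APPKEY_GID_MASK; }

/* High-order bit: reserved for administrative keys. */
int appkey_is_admin(uint32_t key) { return (key & APPKEY_ADMIN_BIT) != 0; }

/* Inverse operation, used here to build keys for testing. */
uint32_t encode_appkey(uint32_t uid, uint32_t gid, int admin) {
    return (uid & APPKEY_UID_MASK)
         | ((gid & APPKEY_GID_MASK) << APPKEY_UID_BITS)
         | (admin ? APPKEY_ADMIN_BIT : 0u);
}

/* Constructed policy table (hypothetical values): which Tuxedo group may
 * perform which access on which resource. XFCT = files, XTST = temporary
 * storage, as in the CICS/RACF codification. */
struct acl_rule {
    uint32_t    gid;
    const char *rsrce_type;
    const char *rsrce_name;
    const char *access_type;
};

static const struct acl_rule policy[] = {
    { 100u, "XFCT", "ACCTFILE", "READ"   },
    { 100u, "XFCT", "ACCTFILE", "UPDATE" },
    { 200u, "XTST", "WORKQ1",   "READ"   },
};

/* Mirrors the COBOL interface, with the appkey carried in the group-id
 * parameter. Returns 0 when authorized, 1 when denied. Unlike the shipped
 * default, the fall-through is deny, so a resource nobody configured a rule
 * for is unreachable rather than open. */
int resource_auth(const char *userid, uint32_t appkey,
                  const char *rsrce_type, const char *rsrce_name,
                  const char *access_type)
{
    uint32_t gid = appkey_gid(appkey);
    size_t i;
    (void)userid;   /* available for audit logging; this policy is per group */
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (policy[i].gid == gid
            && strcmp(policy[i].rsrce_type, rsrce_type) == 0
            && strcmp(policy[i].rsrce_name, rsrce_name) == 0
            && strcmp(policy[i].access_type, access_type) == 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    uint32_t key = encode_appkey(42u, 100u, 0);   /* constructed uid/gid */
    printf("appkey 0x%08x -> uid %u gid %u admin %d\n",
           (unsigned)key, (unsigned)appkey_uid(key),
           (unsigned)appkey_gid(key), appkey_is_admin(key));
    printf("XFCT ACCTFILE READ  -> %d\n",
           resource_auth("USER1", key, "XFCT", "ACCTFILE", "READ"));
    printf("XFCT ACCTFILE ALTER -> %d\n",
           resource_auth("USER1", key, "XFCT", "ACCTFILE", "ALTER"));
    return 0;
}
```

The decode is the part worth keeping exact: a project-specific authorization function that reads the group from the wrong bits will silently grant or deny the wrong users, so check the masks against a known key before relying on the policy lookup.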
TDI_TRIGGER command
Synopsis
TDI_TRIGGER -t Transaction_Name [-p <profile>];
Parameters
Transaction_Name
The transaction to trigger; the triggered transaction should empty the queue.
profile
The name of the profile file to use for authentication; this file must have been created with genappprofile. When not provided it defaults to ~/.TDappProfile.
Security Profile Generator
When Tuxedo security is enabled, a default security profile, which includes the APP_PW password and the default USER_AUTH username and password, is required to allow the user to join the Tuxedo domain before calling the CESN service.
A security profile generator tool is provided to generate the default security profile for TCP.
genappprofile (1)
Name
genappprofile — Security Profile Generator
Synopsis
genappprofile [-f <output_file>]
Description
This utility generates the security profile for Tuxedo applications. When the utility is launched, you are prompted to enter the Tuxedo application password, user name and user password. The output is a security profile file which contains the user name and the encrypted passwords. The generated security profile file can be used by the CICS Runtime ARTTCPL server to log in to the Tuxedo domain.
Options
The command option is:
[-f <output_file>]
The location of the generated security profile file. If this option is not specified, the default value is ~/.tuxAppProfile.
 

Copyright © 1994, 2017, Oracle and/or its affiliates. All rights reserved.