Figure 3‑1 depicts the process flow for security verifications from TMA TCP for CICS on UNIX to a mainframe.
1. When the TMA TCP gateway client program performs a tpinit(), the user’s Tuxedo identity is validated against the tpusr file.
2. When the client program issues a tpcall() or tpacall(), Tuxedo verifies (against the tpacl file) that the user is authorized to invoke the gateway service.
3. When the gateway establishes the initial connection, connection security information (specified as RMTNAME and PASSWORD in the GWICONFIG file) is passed from the TMA TCP gateway to the remote gateway. If the RMTNAME and PASSWORD values match the values configured on the remote gateway, the connection is established.
Note:
5.
Note: You may need to update your surrogate security definitions to allow the successful invocation of the CICS application program (EXEC CICS START TRANSID). See your mainframe security administrator if your site has this requirement.
Figure 3‑2 depicts the process flow for security verifications from a mainframe to TMA TCP gateway on UNIX.
Note:
5. The Tuxedo server performs access checks (based on the tpacl file) to verify that the user has access to the requested service.
The TMA TCP for CICS product supports enhanced security. This interface allows a requester from Oracle Tuxedo services to pass a User ID through the CICS server interface for authorization through your security package. For field definitions, refer to the “Configuring and Administering Oracle TMA TCP for CICS” section.
1. Specify SECURITY=Y in the Handler Configuration screen.
2. When SECURITY=Y, TMA TCP for CICS verifies that the ACCOUNT and PASSWORD values from the User Connection Account match the RMTACCT and PASSWORD values in the *FOREIGN section of the TMA TCP gateway GWICONFIG file. If these values do not match and SECURITY=Y, a security error occurs.
If SECURITY=N, the gateway allows a connection without any verification.
2. Specify SECURITY=Y in the Inbound Services screen for each service you want to secure. When SECURITY=Y, the gateway attempts to start user programs with the username that initiated the request as reported by the remote system.
If SECURITY=N, the gateway starts user programs using the gateway’s user ID (as controlled by the socket listener).
1. Specify SECURITY=Y on the appropriate Requester screen.
2. Verify that the parameter values for ACCOUNT and PASSWORD in the Requester screen match the RMTACCT and PASSWORD values in the *FOREIGN section of the TMA TCP gateway GWICONFIG file.
When SECURITY=Y, the requester program sends the ACCOUNT and PASSWORD to the remote UNIX system on connection initiation. When SECURITY=N, the gateway attempts to make a connection without any verification.
1. Specify SECURITY=Y on the appropriate Requester screen.
2. Verify that the parameter values for ACCOUNT and PASSWORD in the Requester screen match the ACCOUNT and PASSWORD values in the User Connection Account screen.
When SECURITY=Y, the requester program sends the ACCOUNT and PASSWORD to the remote CICS system on connection initiation. When SECURITY=N, the gateway attempts to make a connection without any verification.
1. Specify SECURITY=Y on the appropriate Requester screen.
2. Verify that the parameter values for ACCOUNT and PASSWORD in the Requester screen match the ACCOUNT and PASSWORD values in the GATEWAY TYPE=REMOTE statement.
When SECURITY=Y, the requester program sends the ACCOUNT and PASSWORD to the remote IMS system on connection initiation. When SECURITY=N, the gateway attempts to make a connection without any verification.
2. Specify SECURITY=Y on the appropriate Outbound Service screen.