Configuring Oracle TMA TCP Security

The Oracle TMA TCP product supports a security feature that allows a requester from Oracle Tuxedo services to pass a user ID through the CICS server interfaces for verification through a third-party security package. The following topics explain the how to set up security:

•	Service Request Processing with Security

•	Security Checking from UNIX to Mainframe

•	Security Checking from Mainframe to UNIX

•	Setting Up Security for TMA TCP for CICS

•	Securing User Connections

•	Securing Inbound Services

•	Securing Outbound Connections from CICS to UNIX

•	Securing Outbound Connections from CICS to CICS

•	Securing Outbound Connections from CICS to IMS

•	Securing Outbound Services

Service Request Processing with Security

The following sections describe the process flow for security verification of a service request.

Security Checking from UNIX to Mainframe

Figure 3‑1 depicts the process flow for security verifications from TMA TCP for CICS on UNIX to a mainframe.

Figure 3‑1 Security Checking for UNIX to Mainframe Transactions

1.	When the TMA TCP gateway client program performs a tpinit(), the user’s Tuxedo identity is validated against the tpusr file.

2.	When the client program issues a tpcall() or tpacall(), Tuxedo verifies (against the tpacl file) the user is authorized to invoke the gateway service.

3.

When the gateway establishes the initial connection, connection security information (specified as RMTNAME and PASSWORD in the GWICONFIG file) is passed from the TMA TCP gateway to the remote gateway. If the RMTNAME and PASSWORD values match the values configured on the remote gateway, the connection is established.

With each request, the TMA TCP gateway passes the user’s Tuxedo identity to the remote TMA TCP for CICS gateway (to the Handler).

Note:

To pass authority checking, the user’s Tuxedo identity must match the mainframe user ID exactly.

4.	The remote TMA TCP for CICS gateway Handler initiates an Application Handler to act on behalf of the specified user ID.

5.	The Application Handler calls the specified service using system security to check authorization.

Note:

You may need to update your surrogate security definitions to allow the successful invocation of the CICS application program (EXEC CICS START TRANSID). See your mainframe security administrator if your site has this requirement.

Security Checking from Mainframe to UNIX

Figure 3‑2 depicts the process flow for security verifications from a mainframe to TMA TCP gateway on UNIX.

Figure 3‑2 Security Checking for Mainframe to UNIX Transactions

1.	The user ID, established at mainframe log in, is checked by system security to verify that the user has permission to start a client transaction.

2.	The user ID is checked by system security to verify that the user has permission to send a request to the gateway.

3.	With each request, the gateway passes the user ID to the Tuxedo gateway.

Note:

To pass authority checking, the user’s Tuxedo identity must match the mainframe user ID exactly.

4.	The TMA TCP gateway maps the mainframe user ID to a Tuxedo user ID and issues the service request on behalf of that user.

5.	The Tuxedo server performs access checks (based on the tpacl file) to verify that the user has access to the requested service.

Setting Up Security for TMA TCP for CICS

The TMA TCP for CICS product supports enhanced security. This interface allows a requester from Oracle Tuxedo services to pass a User ID through the CICS server interface for authorization through your security package. For field definitions, refer to the “Configuring and Administering Oracle TMA TCP for CICS” section.

Securing User Connections

Complete the following tasks to enable the security feature for each connection.

1.	Specify SECURITY=Y in the Handler Configuration screen.

2.	Enter values for the ACCOUNT and PASSWORD fields in the User Connection Account screen.

When SECURITY=Y, TMA TCP for CICS verifies the ACCOUNT and PASSWORD values from the User Connection Account match the RMTACCT and PASSWORD values in the TMA TCP gateway GWICONFIG file *FOREIGN section. If these values do not match and SECURITY=Y, a security error occurs.

If SECURITY=N, the gateway allows a connection without any verification.

Securing Inbound Services

Complete the following tasks to enable the security feature for each inbound service.

1.	Set up transaction security through the mainframe with the security administrator.

2.	Specify SECURITY=Y in the Inbound Services screen for each service you want to secure. When SECURITY=Y, the gateway attempts to start user programs with the username that initiated the request as reported by the remote system.

If SECURITY=N, the gateway starts user programs using the gateway’s user ID (as controlled by the socket listener).

Securing Outbound Connections from CICS to UNIX

Complete the following tasks to enable the security feature for each outbound connection.

1.	Specify SECURITY=Y on the appropriate Requester screen.

2.	Enter ACCOUNT and PASSWORD values on the appropriate Requester screen.

Verify that the parameter values for ACCOUNT and PASSWORD in the Requester screen match the RMTACCT and PASSWORD values in the *FOREIGN section of the TMA TCP gateway GWICONFIG file.

When SECURITY=Y, the requester program sends the ACCOUNT and PASSWORD to the remote UNIX system on connection initiation. When SECURITY=N, the gateway attempts to make a connection without any verification.

Securing Outbound Connections from CICS to CICS

Complete the following tasks to enable the security feature for each outbound connection.

1.	Specify SECURITY=Y on the appropriate Requester screen.

2.	Enter ACCOUNT and PASSWORD values on the appropriate Requester screen.

Verify that the parameter values for ACCOUNT and PASSWORD in the Requester screen match the ACCOUNT and PASSWORD values in the User Connection Account screen.

When SECURITY=Y, the requester program sends the ACCOUNT and PASSWORD to the remote CICS system on connection initiation. When SECURITY=N, the gateway attempts to make a connection without any verification.

Securing Outbound Connections from CICS to IMS

Complete the following tasks to enable the security feature for each outbound connection.

1.	Specify SECURITY=Y on the appropriate Requester screen.

2.	Enter ACCOUNT and PASSWORD values on the appropriate Requester screen.

Verify that the parameter values for ACCOUNT and PASSWORD in the Requester screen match the ACCOUNT and PASSWORD values in the GATEWAY TYPE=REMOTE statement.

When SECURITY=Y, the requester program sends the ACCOUNT and PASSWORD to the remote IMS system on connection initiation. When SECURITY=N, the gateway attempts to make a connection without any verification.

Securing Outbound Services

Complete the following tasks to enable the security feature for each outbound service.

1.	Enable security for the corresponding outbound connection.

2.	Specify SECURITY=Y on the appropriate Outbound Service screen.

3.	Set up security for the appropriate users on the target system.