Integration_Connection_Security - IMS UG Phoenix 12-2013

Published in Technology
Transcript

  • 1. IMS, SVL. IMS Connect/OTMA updates and IMS TCP/IP Security. Shyh-Mei F. Ho, IBM Distinguished Engineer, IMS SOA Chief Architect, shyhmei@us.ibm.com. © 2013 IBM Corporation
  • 2. IMS 13 Connect Updates
    Support for ISC over TCP/IP
    XML Converter Enhancements
      – Query support for XML Converters
      – Ability to increase the number of Converters that can be loaded
    Auto-restart of the Language Environment (LE)
    Expanded Recorder Trace Records
    Use of RACF Event Notification Facility (ENF)
    Support for cached RACF UserIDs (UID)
    Reporting of overall health to Workload Manager (WLM)
    Configurable TCP/IP backlog (queue) size
  • 3. InterSystem Communication (ISC) Over TCP/IP
    New option that supports TCP/IP network connectivity for Intersystem Communication (ISC) connections
      – IMS TM - CICS
      – Supports both static and dynamic terminals
      – Leverages IMS Connect
      – Uses Structured Call Interface (SCI) to communicate between IMS and IMS Connect
      – Requires CICS Transaction Server for z/OS 5.1
        • Available December 14, 2012
    Benefits
      – Provides a strategic protocol alternative to SNA/VTAM
        • Allows an all-inclusive TCP/IP solution for networks
  • 4. IMS Connect Enhancements for SOAP Gateway
    Enhancements specifically for IMS SOAP Gateway users
      – Query support for XML Converters to see when the converters were last used and how many times they have been used
      – Ability to increase the number of Converters that can be loaded: the maximum number of converters is increased to 2000
      – Automatic restart of the Language Environment when an XML converter ABENDs
      – Automatic refresh of the BPE User Exit for the XML Adapters after the ABEND limit (ABLIM) has been reached
    Benefits
      – Provide better resiliency
      – Improved efficiencies during error conditions
        • Eliminates IMS Connect restart and user interactions
  • 5. IMS 13 OTMA Updates
    Early Termination Notification
      – Enhancement to allow OTMA to leave the XCF group earlier in the termination process
    Reduced TCO Enhancements
      – More efficient hashing technique for control blocks
        • Impact to an environment depends on volume of activity
      – Code changes for efficiency
    Enhancements to OTMA Destination Descriptors for asynchronous callout
      – Support for WebSphere MQ
      – Simpler override for Exit Routines
    ICAL Enhancements
      – Enhanced ICAL support for Truncated Messages
      – New AIB field: AIBUTKN
        • Ability to send a name to a remote ICAL destination that can be used for message formatting or service identification purposes
    Support for Synchronous Program Switch
      – New ICAL destination
  • 6. IMS Synchronous Callout: DL/I ICAL
    CALL 'AIBTDLI' USING ICAL, AIB, REQ-AREA, RESP-AREA.
    where:
      • ICAL is the new call verb (available on AIBTDLI only) and SENDRECV is the new sub-function code
      • REQ-AREA is the Request data area for sync callout
      • RESP-AREA is the Response data area for returned data
    Note: REQ-AREA and RESP-AREA do not specify LLZZ; data can be > 32K
    IMS V13: Enhanced ICAL support for Truncated Messages
      – Allow a subsequent ICAL to receive the response message when partial data was returned because the specified response area was not large enough
    CALL 'AIBTDLI' USING ICAL, AIB, RESP-AREA.
    where:
      • RECEIVE would be a new sub-function code
      • RESP-AREA is the Response data area for returned data
  • 7. OTMA Destination Routing Descriptor
    IMS 10 OTMA Destination Routing Descriptors externalize the routing definitions and specifications for callout messages without IMS user exits. They are read and initialized at IMS startup.
    D destname keywords
    Where:
      destname is the destination name and can be masked by ending in an *
      keywords are: TYPE=IMSCON TMEMBER=name TPIPE=name SMEM=YES|NO ADAPTER=adapname CONVERTR=convname SYNTIMER=timeout (if both ICAL and Descriptor specify a timeout, the lower value is used)
    IMS 13 provides Synchronous Program Switch with TYPE=IMSTRAN
    IMS 13 provides Asynchronous Callout to WebSphere MQ via MQBridge with TYPE=MQSERIES
    D destname keywords
    Where:
      destname is the destination name and can be masked by ending in an *
      keywords are: TYPE=IMSTRAN or MQSERIES
  • 8. Synchronous Program Switch
    Extend IMS Synchronous Callout to allow DL/I ICAL to invoke another IMS Application
      – DL/I ISRT continues to be used for asynchronous program switch
    OTMA Descriptor enhanced to recognize an IMS transaction destination
    Java programs can use the Java Message Service (JMS) API for synchronous program switch
    Benefits
      – Provides a single DL/I call to request a synchronous service regardless of where that service resides
      – Simplifies integration and improves usability
    [Diagram labels: WebSphere, WebSphere DataPower, IMS TMRA, IMS SOAP Gateway, RYO appl; TCP/IP; IMS Connect; OTMA; IMS CTL Region 1; Applications can issue multiple ICALs to different destination TYPEs: Synchronous callout (IMSCON) via Destination Descriptor TYPE(IMSCON), Synchronous program switch (IMSTRAN) via Destination Descriptor TYPE(IMSTRAN); TRANA: GU IOPCB, ICAL DEST1, ICAL TRANB; MSG-Q; TRANB: GU IOPCB, ISRT IOPCB]
  • 9. Asynchronous Callout to WebSphere MQ via MQ Bridge
    OTMA Descriptor enhancements
      – New TYPE=MQSERIES to define a WebSphere MQ destination
        • Provides asynchronous callout and messaging support (DL/I ISRT ALTPCB)
      – New option to allow exits to be called to override the descriptor
        • Applies to all destination descriptors
    Benefits
      – Eliminates the need to write an OTMA user exit to recognize an MQ destination
      – Simplifies integration and improves usability
    [Diagram labels: IMS Application, IMS OTMA, WebSphere MQ]
  • 10. Increase Number of Concurrent Application Threads
    Increase the limit of concurrent application threads to 4095
    Limit applies to the total number of combined:
      – Dependent Regions
      – CICS/DBCTL threads
      – Open Database Access (ODBA) threads
    Change to MAXPST parameter on IMS control region
      – MAXPST increased from 999 to 4095
    Benefits
      – Increased capacity and scalability for IMS systems
      – Allows vertical growth
      – More dependent regions for use with synchronous callout and program switch
    4 Times More Applications!
  • 11. IMS TM Connectivity via IMS Connect
    [Diagram labels: WebSphere Application Server (EJB/MDB, IMS TM Resource Adapter); Web Services consumer; IMS SOAP Gateway; WebSphere DataPower; User Written Application; IMS Connect; IMS OTMA; IMS Application]
  • 12. IMS DB Connectivity via IMS Connect
    [Diagram labels: WebSphere Application Server (EJB/MDB, IMS Universal DB Resource Adapter); WebSphere DataPower with IMS Universal Resource Adapter (New); User Written Application; IMS Connect; IMS ODBM; IMS DB]
  • 13. IMS Synchronous Callout via IMS Connect
    [Diagram labels: WebSphere Application Server (EJB/MDB, IMS TM Resource Adapter); Web Services provider; IMS SOAP Gateway; WebSphere DataPower (New); User Written Application; IMS Connect; IMS Application issuing Synch Callout (ICAL) through OTMA Descriptor and OTMA]
  • 14. IMS TCP/IP Security Overview
    Multiple levels of security
      – OTMA
        • Validates whether an OTMA member (IMS Connect) can communicate with IMS
        • Implements transaction and command security: the userid that flows in on a message is checked against the IMS resource
        • Supports callout to web services
      – ODBM
        • Passes security information to IMS for database access
      – IMS Connect
        • Supports the authentication of userids, groups and passwords, and passes the utoken to IMS with the message
        • Additionally extends the security authentication: PassTicket support, Trusted User support
      – Network: connection security and encryption
        • SSL
        • TLS
        • AT-TLS
  • 15. Security scenarios
    IMS as a provider
      – Transactions
        • Synchronous and asynchronous
      – Commands
      – Database
        • Open DB support and the universal drivers
    IMS as a consumer
      – Transactions
        • Synchronous callout
        • Asynchronous callout, including Business Event processing
  • 16. IMS Security
    Continues to be based on userid access to the IMS resource
      – Transaction, command, PSB, DB, etc.
    OTMA to IMS TM
      – OTMA Client Bid security
        • Determines whether an OTMA client, e.g., IMS Connect or MQ, can connect to IMS
      – OTMA Message security
        • OTMA setting to determine the level of checking for each message
    ODBM to IMS DB
      – APSB security and/or IMS RAS (Resource Access Security) security
  • 17. IMS Connect Security
    Accessing IMS transactions from a remote client
      – Remote TCP/IP Client
        • Provides Userid, Password, Groupid in the message header
      – IMS Connect authenticates the userid/password
        • Configuration values for IMS Connect (HWSCFGxx): RACF=Y|N and RACFID=userid (default)
        • Issues RACROUTE calls to authenticate the user if RACF=Y
        • Message exits can also call a user-written routine; these are called before any SAF/RACF calls:
          – IMSLSECX: security exit routine for transactions and commands
          – HWSAUTH0: security exit routine for DB requests
        • Default RACFID
          – Useful if the inbound request does not carry a userid value and a value needs to be passed into IMS for authorizing access to the resource
            » Does not provide an override for requests that carry a blank userid from the IMS TM resource adapter (e.g., WAS environment)
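As an added illustration of the authentication flow on slide 17 (not IMS Connect code), the following Python models how the HWSCFGxx settings RACF=Y|N and RACFID= interact with a message that carries a userid, no userid at all, or a blank userid, and where a security exit sits relative to the SAF call. The RACF stand-in, the config object, the message shape and the sample userids are all constructed; the ordering (exit first, then RACROUTE when RACF=Y) and the blank-userid caveat are the slide's.

```python
"""Constructed model of IMS Connect inbound userid handling (slide 17).

Not IMS Connect code. Models HWSCFGxx RACF=Y|N and RACFID=, the
"security exit runs before any SAF call" ordering, and the caveat that a
default RACFID fills in a *missing* userid but does not replace a *blank* one
(the IMS TM resource adapter case called out on the slide).
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class HwsConfig:
    racf: bool = True              # HWSCFGxx RACF=Y|N
    racfid: Optional[str] = None   # HWSCFGxx RACFID=userid (default userid)


@dataclass
class InboundMessage:
    # userid=None: the header carries no userid field at all.
    # userid="":   the field is present but blank.
    userid: Optional[str]
    password: Optional[str] = None
    groupid: Optional[str] = None


@dataclass
class AuthResult:
    accepted: bool
    effective_userid: str   # what would flow to IMS/OTMA with the message
    reason: str


# Constructed stand-in for the SAF/RACF user database: userid -> password.
# A None password marks an id this stand-in accepts without a password
# (used for the RACFID default, which arrives with no credentials).
_RACF_USERS = {"IMSUSER1": "pw-for-user1", "HWSDFLT": None}


def racroute_verify(userid: str, password: Optional[str]) -> bool:
    """Stand-in for RACROUTE REQUEST=VERIFY: True when the id validates."""
    if userid not in _RACF_USERS:
        return False
    expected = _RACF_USERS[userid]
    return expected is None or expected == password


def resolve_userid(cfg: HwsConfig, msg: InboundMessage):
    """Choose the userid that will flow to IMS. The RACFID default applies only
    when the message carries no userid field; a present-but-blank userid stays
    blank, exactly the case slide 17 warns about."""
    if msg.userid is None:
        if cfg.racfid:
            return cfg.racfid, "no userid in message; RACFID default applied"
        return "", "no userid in message and no RACFID configured"
    if msg.userid == "":
        return "", "blank userid present in message; RACFID does not override it"
    return msg.userid, "userid taken from message header"


def authenticate(cfg: HwsConfig, msg: InboundMessage,
                 exit_routine: Optional[Callable[[InboundMessage], Optional[bool]]] = None
                 ) -> AuthResult:
    """Exit first, then SAF/RACF if RACF=Y. exit_routine returns False to
    reject; any other value lets RACF (or RACF=N) decide."""
    userid, note = resolve_userid(cfg, msg)
    if exit_routine is not None and exit_routine(msg) is False:
        return AuthResult(False, userid, "rejected by security exit before any SAF call")
    if not cfg.racf:
        # RACF=N: nothing is verified; whatever userid resolved flows to IMS.
        return AuthResult(True, userid, f"RACF=N, no authentication ({note})")
    if not userid:
        return AuthResult(False, userid, f"RACF=Y but no userid to verify ({note})")
    if racroute_verify(userid, msg.password):
        return AuthResult(True, userid, f"RACROUTE verify succeeded ({note})")
    return AuthResult(False, userid, f"RACROUTE verify failed ({note})")
```

The two results worth comparing are `InboundMessage(userid=None)` versus `InboundMessage(userid="")` under the same `HwsConfig(racf=True, racfid="HWSDFLT")`: the first flows as the default userid, the second is not rescued by RACFID. Running with `racf=False` shows the other hazard: any userid in the header reaches IMS unverified.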
  • 18. SSL, TLS and AT-TLS
    Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
      – SSL provides security for your interactions by securing the TCP/IP connection between SOAP Gateway and IMS Connect.
    System SSL
      – System SSL, a feature of the Cryptographic Services base element of z/OS, provides a complete SSL/TLS implementation and a full set of APIs that allow z/OS client and server applications to enable SSL/TLS protection for their TCP network traffic.
    Security support through z/OS Communications Server Application Transparent Transport Layer Security (AT-TLS)
      – Participation in AT-TLS is transparent to IMS Connect
        • IMS Connect can therefore be invoked by a remote client using TLS, and
        • rely on the z/OS TCP/IP stack to perform the handshake protocol to negotiate, as well as perform all the required authentication and encryption
      – Supports multiple ports
        • SSL support in IMS Connect is limited to a single port for the IMS Connect instance
      – No additional configuration specifications in IMS Connect
  • 19. IMS SOAP Gateway Security
    [Diagram labels: SAF/RACF secure environment; RACF=Y|N; OTMASE=; Msg-level; HTTPS (HTTP over SSL/TLS); Transport level; Authentication: Client, Server, Basic (callout); WS-Security; IMS SOAP Gateway; SSL (Userid/PW/group: per web service via connection bundle, per web message via WS-Security); Exit routines; GU,IOP; Access to IMS/OTMA; Access to TXN; AT-TLS; IMS security: User validation to access IMS resources; Connection bundle: Resume TPIPE for synch callout; Resume TPIPE security; Connection bundle: Resume TPIPE for business event processing (OTMA); Userid/PW Authentication; ICAL can pass userid outbound; ISRT,ALT; IMS Connect; IMS]
  • 20. IMS SOAP Gateway Security
    SOAP Gateway supports HTTPS communication with its clients, and SSL communication with its host, IMS Connect.
    You can configure SOAP Gateway with standards that are specified by the US Department of Commerce National Institute of Standards and Technology (NIST) to define security requirements for encryption.
      – Federal Information Processing Standards (FIPS) 140-2 requires that the Transport Layer Security (TLS) protocol and the cryptographic modules are certified.
      – SP800-131a requires stronger cryptographic algorithms and key lengths that are used in FIPS 140-2 cryptographic modules.
  • 21. IMS SOAP Gateway Security Notes
    Server authentication is the provision of server authentication information (digital certificate), from the server to the client, that binds the server identity to subsequent communications.
    Client authentication is the provision of authentication information from the client to the server.
      – Client authentication is also referred to as mutual authentication, because server authentication is required in order to support client authentication.
    Consumer scenarios only: Basic authentication, where the server that hosts the web service requires SOAP Gateway, the client (i.e. IMS), to have appropriate basic authentication credentials in order to call a service.
    SOAP Gateway supports authentication of users on a per-web-service or per-message basis.
      – When the user ID and password information is provided by the connection bundle, the authentication is performed on a per-web-service basis. All requests use the same user ID to access IMS. Security certificates can be sent at the transport level for server authentication and client authentication.
      – When users are authenticated on a per-message basis, user ID and password information is enclosed as tokens in the WS-Security header in each message. Requests might come from different user IDs. This feature is known as web service security or WS-Security.
  • 22. IMS SOAP Gateway Security Notes
    WS-Security (Web Services Security or WSS) is a published SOAP extension standard (XML-based) that allows security (authentication and authorization) information to be exchanged in support of web services. Its goal is to protect the integrity and confidentiality of a message as well as the ability to authenticate the sender.
    The protocol specifies how to enforce integrity and confidentiality on messages and supports a variety of security token formats, e.g., UNTP, SAML, X.509 certificates, Kerberos tickets, etc. Of the various security token formats supported, IMS SOAP Gateway allows UNTP and SAML.
    Use of WS-Security supports a custom authentication module (CAM) that can perform additional checking by using a Java Authentication and Authorization Service (JAAS) module. Therefore, when WS-Security is enabled, you can provide your own custom authentication module to perform additional checking by using a JAAS module.
  • 23. Summary: IMS SOAP Gateway Security Support, Provider
      – Key type
        • Java keystore (JKS)
        • System Authorization Facility (SAF)
          – SAF is for the z/OS platform only. Use of SAF requires the AT-TLS feature in IBM z/OS Communications Server
      – Authentication type
        • Server authentication
        • Client authentication
      – WS-Security
        • UsernameToken Profile 1.0 tokens (UNTP)
          – Use of server or client authentication is recommended.
            » Without server or client authentication, user name and password are transmitted in clear text.
          – Custom authentication module (CAM) for WS-Security
            » Server authentication or client authentication is required.
        • SAML 1.1 unsigned and signed tokens
          – Custom authentication module (CAM) for WS-Security
            » Client authentication is required.
        • SAML 2.0 unsigned and signed tokens
          – Custom authentication module (CAM) for WS-Security
            » Client authentication is required.
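The per-message UNTP token that slides 21 to 23 describe, as an added example that is not IMS SOAP Gateway code: a client-side builder and a server-side verifier for a WS-Security UsernameToken. The credential store, the sample user and the injectable clock are constructed. The verifier recomputes the UNTP 1.0 PasswordDigest, enforces a Created freshness window, rejects replayed nonces, and refuses a PasswordText token unless the caller states the transport is TLS-protected, which is the clear-text caveat on slide 23 expressed as policy.

```python
"""Added example: verifying a WS-Security UsernameToken (UNTP 1.0) before
mapping the user to an IMS userid. Not IMS SOAP Gateway code; the credential
store, sample user and clock are constructed for the illustration."""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UNTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST = UNTP + "#PasswordDigest"
PASSWORD_TEXT = UNTP + "#PasswordText"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed credential store; a real gateway checks SAF/RACF or a JAAS module.
USERS = {"IMSUSER1": "s3cret-pass"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UNTP 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username, password, created=None, nonce=None, digest=True):
    """Client side: emit the wsse:UsernameToken element as a string."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    if digest:
        pw = (f'<wsse:Password Type="{PASSWORD_DIGEST}">'
              f'{password_digest(nonce, created, password)}</wsse:Password>')
    else:  # PasswordText: the password itself travels inside the XML
        pw = f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{escape(username)}</wsse:Username>{pw}'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')


class UsernameTokenVerifier:
    """Server side: digest check, freshness window and nonce replay cache."""

    def __init__(self, users, max_age=timedelta(minutes=5),
                 allow_password_text=False, now=None):
        self.users = users
        self.max_age = max_age
        # Set True only when the transport is TLS with server authentication;
        # otherwise a PasswordText token exposes the clear-text password.
        self.allow_password_text = allow_password_text
        self.seen_nonces = set()
        self.now = now  # TS_FMT string for testing; None means wall clock

    def _now(self):
        if self.now:
            return datetime.strptime(self.now, TS_FMT).replace(tzinfo=timezone.utc)
        return datetime.now(timezone.utc)

    def verify(self, token_xml: str):
        """Return (True, username) or (False, reason)."""
        ns = {"wsse": WSSE, "wsu": WSU}
        root = ET.fromstring(token_xml)
        username = root.findtext("wsse:Username", namespaces=ns)
        pw = root.find("wsse:Password", ns)
        if pw is None or username not in self.users:
            return False, "unknown user or missing password"
        pw_type = pw.get("Type", PASSWORD_TEXT)
        presented = (pw.text or "").strip()
        stored = self.users[username]
        if pw_type == PASSWORD_TEXT:
            if not self.allow_password_text:
                return False, "PasswordText refused: not on a TLS-protected transport"
            if hmac.compare_digest(presented.encode(), stored.encode()):
                return True, username
            return False, "bad password"
        if pw_type != PASSWORD_DIGEST:
            return False, "unsupported password type"
        nonce_b64 = root.findtext("wsse:Nonce", namespaces=ns)
        created = root.findtext("wsu:Created", namespaces=ns)
        if not nonce_b64 or not created:
            return False, "digest token without Nonce/Created"
        created_dt = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
        if abs(self._now() - created_dt) > self.max_age:
            return False, "Created outside freshness window"
        if nonce_b64 in self.seen_nonces:
            return False, "nonce replayed"
        expected = password_digest(base64.b64decode(nonce_b64), created, stored)
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False, "bad password digest"
        self.seen_nonces.add(nonce_b64)
        return True, username
```

A digest token only proves knowledge of the password for the (nonce, Created) pair it was built with, so the replay cache and the freshness window are what make the check meaningful; the cache here is in-memory and per-process, which is enough for the illustration but not for a multi-instance gateway.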
  • 24. Summary: IMS SOAP Gateway Security Support, Consumer
      – Key type
        • Java keystore (JKS)
      – Authentication type
        • Basic authentication
        • Server authentication
        • Client authentication
      – WS-Security for Synchronous Callout
        • SAML 1.1 unsigned tokens
          – Custom authentication module (CAM) for WS-Security
            » Client authentication is required.
        • SAML 2.0 unsigned tokens
          – Custom authentication module (CAM) for WS-Security
            » Client authentication is required.
  • 25. IMS TM Resource Adapter (IMS TMRA)
    [Diagram labels: SAF/RACF secure environment; Client-Bid; RACF=Y|N; JEE, e.g., WAS (Userid/PW/group): EIS signon can be container-managed or component-managed; Userid/PW Authentication, PassTicket, Trusted user, Default User; Message retrieval security (userid), Resume TPIPE; WS-Security; Authentication and access to Application, EJB, service; SSL; IMS universal drivers; OTMA; GU,IOP; Access to IMS/OTMA; Access to TXN; IMS security: User validation to access IMS resources; Exit routines; JCA Security architecture; IMS TMRA; Transport level Authentication; Msg-level; OTMASE=; ICAL; AT-TLS; Can pass userid outbound; Resume TPIPE security; ISRT,ALT; Userid/PW; Access to PSB; IMS Connect; ODBM; Access to DB; IMS]
  • 26. JEE Environment & WAS
    A Java platform based on a standard architecture for developing and running mainframe-scale software, including network and web services, and other large-scale, multi-tiered, scalable, reliable, and secure network applications
      – IBM WebSphere Application Server (WAS) implements this framework
        • Supports transport-level (connection) security: HTTPS, SSL, etc.
          » Client, Server, and Basic authentication
        • Hosts applications: EJBs, MDBs, servlets, JSPs, ...
        • Provides the ability to authenticate credentials and ensure that access to hosted components is authorized
        • Provides secure connections from WAS applications to EIS systems, e.g., IMS
          – Secure connections using SSL, AT-TLS
          – Propagation of secure credentials to the EIS for each message
            » IMS TM Resource Adapter can be deployed in WAS
    The JCA security architecture extends the end-to-end security model for JEE-based applications to include integration with EISs (e.g., IMS)
    Note: a more comprehensive environment than the IMS SOAP Gateway
  • 27. WAS – IMS TM Resource Adapter
    IMS TM resource adapter (TM RA)
      – Follows the Java EE Connector Architecture (JCA) security architecture, and works with the WebSphere Application Server (WAS) security manager
    Connectivity between IMS TMRA and IMS Connect
      – Transport level: the recommendation is to use AT-TLS with IMS Connect
      – Message level: supports passing the userid/password/groupid authentication credentials that are supported by IMS Connect
        • Supplied either by
          – The WAS application component (component-managed signon)
          – Or by the application server (container-managed signon)
  • 28. WAS – IMS TM RA: IMS as a provider scenario
    Container-managed signon:
      – Relies on the security manager in the application server to provide and manage the security information
        • Uses the directive <res-auth>Container</res-auth> specified in the deployment descriptor of the application to provide the userid, password, groupid
    Component-managed signon:
      – Relies on the application (the component) in WAS to provide and manage the security information to be used for signing on to IMS Connect
        • Uses the <res-auth> element in the resource reference of the deployment descriptor of the application
        • Provides the security information (user ID, password, and optional group name) in the IMSConnectionSpec object and passes it to IMS TMRA
      – IMS TMRA passes this security information to IMS Connect for use in signing on (authentication and authorization)
  • 29. WAS - IMS TMRA: IMS as a consumer scenario
      – IMS callout requests (synchronous ICAL or asynchronous) are retrieved from IMS Connect by using the Resume TPIPE call
        • Resume TPIPE security ensures that the userid associated with the Resume TPIPE is authorized against the TPIPE
        • If security is enabled and the tpipe does not exist at the time the RESUME TPIPE call is issued, the call is rejected.
      – For message-driven beans (MDBs)
        • SSL authentication is supported for communication with IMS
        • Security information is specified in the J2C activation specification (IMSActivationSpec) that is configured in WAS
      – For non-MDB applications
        • The userid must be specified in the connection specification of the WAS application or in the connection factory that is used by the application
  • 30. Open DB Security
    [Diagram: the same labels as the slide 25 IMS TMRA security diagram, repeated under the Open DB Security title]
  • 31. Open Database Security
    IMS Connect can use the IMS Connect DB Security user exit routine (HWSAUTH0), a security product such as RACF, or both to authenticate a user.
    IMS does the authorization:
      – APSB security. A security check is performed to determine if the user is authorized to use the PSB. IMS checks the authority of a user to allocate a PSB by using APSB. APSB security is enabled by specifying the ODBASE parameter.
      – Or, Resource access security (RAS). A security check is performed by RACF to determine if the user is authorized to use the PSB. RACF determines authorization by looking at the RACF security class profile defined for the dependent region. IMS checks the authority of a user to access IMS resources by using RAS. RAS security is specified by the ISIS parameter.
    ODBM does not perform any user authentication or authorization. ODBM assumes the end-client userid associated with an allocate PSB request has been authenticated, or uses the userid associated with the ODBM address space.
  • 32. IMS, SVL. IMS Connectivity and Security Consideration. © 2013 IBM Corporation
  • 33. Propagation of identity for improved auditability
    Today's distributed model: the end user signs on to a distributed application, e.g. WAS, with a distributed User ID
    [Diagram labels: System z; z/OS; DB2; WebSphere Application Server; IMS; CICS; LDAP; IBM Directory Server; RACF; MQ]
      • Distributed applications often use a common RACF user ID when invoking IMS, CICS, DB2 to process the request.
      • This distributed User ID is not passed to IMS, etc. and on to RACF, making end-user accountability difficult to determine.
      • Do you have a requirement of propagating the original Network Identity?
  • 34. IMS Synchronous Callout Security
    IMS synchronous callout uses the enhanced IMS Resume TPIPE and Send Only protocols to retrieve synchronous callout requests and send responses
    Resume TPIPE authorization
      – Supports both the asynchronous callout and synchronous (ICAL) callout
      – Authorization is performed by IMS OTMA when the message is retrieved from the hold queue
      – RACF
        • Authorization is performed for each Resume TPIPE request.
      – OTMA Resume TPIPE Security exit (DFSYRTUX)
        • Authorization is performed for each Resume TPIPE request.
        • Can accept RACF results, override RACF results, or enforce more restrictive rules.
    [Diagram labels: External Application Server; IMS Connect; IMS Applications]
  • 35. Security Consideration for IMS Callout
    Propagating security information from IMS Synch Callout
      – The IMS user ID is included in the correlator token of the ICAL. However, it may not flow to the external applications or servers. And there is no password associated with the ICAL.
    Is there a requirement for passing security credentials with the Callout request to the external server?
      – What should be used for the identity passed?
        • User id & password?
        • A digital certificate?
        • SAML token?
        • The original network identity that invoked the IMS application, which in turn goes outbound to the external server?
      – Which format(s) of credential would be required?
      – Would credentials be used just for authorization, or for authentication as well?
  • 36. IMS Synchronous Callout Security
    Propagating security information from IMS
      – The IMS application user ID (PSTUSID) is included in the correlator token (CORTKN) of the ICAL. However, it may not flow to the external application servers
        • When IMS calls out to WAS, an EJB can retrieve the user ID via the getter method, but the correlator token is not exposed to an MDB, thus the MDB does not have a way to retrieve the user ID
        • Requirements: IMS TMRA needs to support JCA 1.6 to propagate security/transaction context inflow to WAS from IMS via ICAL
          – Generic Work Context: a generic mechanism for a Resource Adapter to propagate useful contextual information from the EIS to the end point during message delivery
          – Security Inflow enables an end-to-end security model for Java EE application and EIS integration; provides a protocol to allow an MDB to pick up security inflow
        • IMS SOAP Gateway extracts the user ID and constructs a security token, e.g. a SAML token, to pass to the external server via the SOAP header
        • DataPower FSH passes the correlator token in the header to DataPower to allow the user ID to be extracted and a token constructed.
    Requirements: Propagate the original network identity
  • 37. Securing IMS Callout Request Flow (Current solution)
    [Flow diagram labels: IMS application issues ICAL (synchronous) and generates a correlation token (incl. user ID); IMS Connect / OTMA; request with correlation token; credential: User ID; DataPower path: IMS Callout FSH, MPG policy configuration, extract ID from correlation token, generate security token (LTPA, SAML, pass ticket, etc.), request with security token to application services, authenticated user, response; SOAP Gateway path: extract ID from correlation token, generate SAML token, WS policy configuration, custom module with additional security (optional), request with SAML token to application services, response; credential: security token]
  • 38. Think BIG with IMS Transactional Messages
    IMS Transactions with Large Messages and Large Attachments
      – Do you foresee a need to drive IMS transactions with large messages?
      – Do you foresee a need to invoke an external application server with large IMS transactional messages?
      – Do you foresee a need to drive IMS transactions with large attachments for both structured and non-structured data, e.g. XML documents, medical records (X-Ray or MRI images), and picture files, etc.?
      – Do you have the need to propagate the original network identity?
      – Do you have the need to propagate the original network identity when going outbound from IMS to an external application server?
  • 39. IMS Transactions and Large Attachments: Requirements
    [Diagram labels: z/OS; IMS; WebSphere (e.g. WAS, DataPower), IMS SOAP Gateway, RYO Application, etc.; TCP/IP; XCF; IMS Connect; OTMA; Application; Network Identity; or images, picture files, etc.]
  • 40. IMS, SVL. Thank You. © 2013 IBM Corporation