Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 2 Operating the Service Gateway for IMS/DB : Implementing External Security

Implementing External Security
External security is used only if SECLEVEL=1, and it is applied in addition to any security checking that is already performed when SECLEVEL=0. The external security interface verifies, at the TIBCO Object Service Broker transaction level, that a TIBCO Object Service Broker authorization ID has access to specific IMS resources.
The Gateway issues SAF RACROUTE calls to a SAF-compliant external security package (CA-ACF2, RACF, or CA-Top Secret) to verify access to specific IMS resources. Refer to the IBM manual External Security Interface (RACROUTE) Macro Reference for z/OS and VM for more information. You must define the appropriate IMS resources and the allowable accesses (read, update, and so on) in the external security package you are using, and you must do so for every existing TIBCO Object Service Broker authorization ID that accesses IMS data through a Gateway running with SECLEVEL=1.
Security Levels
The external security interface provides six combinations of security levels for checking IMS resources. You can choose one of the following methods, each of which is described in its own section below:
Resource security
PSB security
Database security
Segment security
Resource and database security
Resource and segment security
The external security interface is invoked at the start of a TIBCO Object Service Broker transaction for the specified authorization ID. The EXTERNALUSERID and EXTERNALGROUP parameters determine whether the authorization ID is the TIBCO Object Service Broker session ID, the current security group, or a combination of the two.
The Gateway builds a profile in its buffers for each initial SAF request for a TIBCO Object Service Broker authorization ID. The next time an authorization ID requests access to an IMS resource, the Gateway checks its buffers to determine if a profile corresponding to this authorization ID exists. If there is a corresponding profile, the Gateway uses it instead of SAF to verify access to the specified IMS resource.
Information Logged in TIBCO Object Service Broker Authorization ID Profile
The information logged in the profile and stored in the Gateway buffers for each TIBCO Object Service Broker authorization ID depends upon the level of security requested as described in the table below:
Because the Gateway records only successful access checks in the profile, a permission that you later revoke in the external security package is still honored from the buffered profile until you recycle the Gateway. A newly granted permission needs no recycle: a failed check is not buffered, so the next request for that resource goes to SAF again and picks up the grant.
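To make the recycle rule concrete, the following is an added Python model of the profile buffering described above. It is not Gateway or TIBCO code: the stand-in security manager, the granularity of a buffered entry (SAF class, resource name, access), and the authorization IDs and resource names are all constructed assumptions. What it shows is the asymmetry the text states: a revocation in the external security package is invisible until recycle, while a grant takes effect on the next request.

```python
"""Model of the Gateway's authorization-profile buffering (added example).

This is not Gateway or TIBCO code. It models the behaviour the text
describes: a profile is built per authorization ID from successful SAF
checks only, later checks hit the buffer instead of SAF, and the buffer
lives until the Gateway is recycled. The granularity of a buffered entry
(class, resource, access) and the stand-in security manager are assumptions.
"""
from typing import Dict, Set, Tuple

Key = Tuple[str, str, str]   # (SAF class, resource name, access)


class StandInSecurityManager:
    """Stand-in for the SAF-compliant external security package (RACF and so on)."""

    def __init__(self) -> None:
        # (user, class, resource) -> set of permitted access levels
        self._permits: Dict[Tuple[str, str, str], Set[str]] = {}

    def permit(self, user: str, saf_class: str, resource: str, access: str) -> None:
        self._permits.setdefault((user, saf_class, resource), set()).add(access)

    def revoke(self, user: str, saf_class: str, resource: str) -> None:
        self._permits.pop((user, saf_class, resource), None)

    def racroute_auth(self, user: str, saf_class: str, resource: str, access: str) -> bool:
        """Models RACROUTE REQUEST=AUTH; in RACF, UPDATE access also satisfies READ."""
        allowed = self._permits.get((user, saf_class, resource), set())
        return access in allowed or (access == "READ" and "UPDATE" in allowed)


class GatewayProfileBuffer:
    """Per-authorization-ID profiles of successful SAF checks, kept until recycle."""

    def __init__(self, esm: StandInSecurityManager) -> None:
        self.esm = esm
        self.profiles: Dict[str, Set[Key]] = {}
        self.saf_calls = 0

    def check_access(self, auth_id: str, saf_class: str, resource: str, access: str) -> bool:
        profile = self.profiles.setdefault(auth_id, set())
        key: Key = (saf_class, resource, access)
        if key in profile:
            return True                        # answered from the buffer, no SAF call
        self.saf_calls += 1
        if self.esm.racroute_auth(auth_id, saf_class, resource, access):
            profile.add(key)                   # only successful checks are logged
            return True
        return False                           # failures are not buffered: re-asked next time

    def recycle(self) -> None:
        """Restarting the Gateway discards every buffered profile."""
        self.profiles.clear()


def demonstrate() -> Dict[str, object]:
    """Walk through revoke (needs recycle) and grant (no recycle) with constructed IDs."""
    esm = StandInSecurityManager()
    gw = GatewayProfileBuffer(esm)

    # Revocation: the first READ succeeds and is buffered ...
    esm.permit("OSBUSR1", "GWDBD", "CUSTDB", "READ")
    first = gw.check_access("OSBUSR1", "GWDBD", "CUSTDB", "READ")
    # ... so after the permit is removed in the ESM, access is still granted from the buffer.
    esm.revoke("OSBUSR1", "GWDBD", "CUSTDB")
    stale = gw.check_access("OSBUSR1", "GWDBD", "CUSTDB", "READ")
    gw.recycle()
    after_recycle = gw.check_access("OSBUSR1", "GWDBD", "CUSTDB", "READ")

    # Grant: a denied check is not buffered, so the new permit is seen without a recycle.
    denied = gw.check_access("OSBUSR2", "GWDBD", "CUSTDB", "UPDATE")
    esm.permit("OSBUSR2", "GWDBD", "CUSTDB", "UPDATE")
    granted = gw.check_access("OSBUSR2", "GWDBD", "CUSTDB", "UPDATE")

    return {
        "first": first, "stale_after_revoke": stale, "after_recycle": after_recycle,
        "denied_before_grant": denied, "granted_without_recycle": granted,
        "saf_calls": gw.saf_calls,
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The operational consequence is the one the text gives: treat a revocation in RACF, CA-ACF2 or CA-Top Secret as incomplete until the Gateway has been recycled, because the buffered profile, not the security package, answers every later check for that authorization ID.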
Authorizing the Gateway for SAF
The Gateway must run APF authorized in order to issue SAF calls. Therefore every library in the STEPLIB concatenation must be APF authorized; if any one of them is not, the whole concatenation is treated as unauthorized.
Establishing Resource Security
To establish resource-level security, specify the gateway parameters as described in the table below:
NO for any other security package. Review the SUBSYS and REQSTOR parameters and modify them as required.
The Gateway issues SAF calls to verify that the TIBCO Object Service Broker authorization ID has access to the IMS resource within the specified SAF class. Refer to Establishing the TIBCO Object Service Broker Authorization ID and Supplying Gateway Startup Parameters for more information.
The external security package must have the SAF interface activated and the following items defined:
Establishing PSB Security
To establish PSB-level security, specify the gateway parameters as described in the table below:
NO for any other security package. Review the SUBSYS and REQSTOR parameters and modify them as required.
The Gateway issues SAF calls to verify that the TIBCO Object Service Broker authorization ID has access to the IMS PSB within the specified SAF class. Refer to Establishing the TIBCO Object Service Broker Authorization ID and Supplying Gateway Startup Parameters for more information.
The external security package must have the SAF interface activated and the following items defined:
Establishing Database Security
To establish database-level security, specify the gateway parameters as described in the table below:
NO for any other security package. Review the SUBSYS and REQSTOR parameters and modify them as required.
The Gateway issues SAF calls to verify that the TIBCO Object Service Broker authorization ID has access to the database specified in the IMS table definition within the specified SAF DBDCLASS. Refer to Establishing the TIBCO Object Service Broker Authorization ID and Supplying Gateway Startup Parameters for more information.
The external security package must have the SAF interface activated and the following items defined:
Establishing Segment Security
To establish segment-level security, specify the gateway parameters as described in the table below:
NO for any other security package. Review the SUBSYS and REQSTOR parameters and modify them as required.
The Gateway issues SAF calls to verify that the TIBCO Object Service Broker authorization ID has access to the database and segments specified in the IMS table definition within the specified SAF SEGCLASS. Refer to Establishing the TIBCO Object Service Broker Authorization ID and Supplying Gateway Startup Parameters for more information.
The external security package must have the SAF interface activated and the following items defined:
Read and update access allowed on each resource (IMS segments within databases) for each TIBCO Object Service Broker authorization ID
Establishing Resource and Database Security
To establish resource- and database-level security, specify the gateway parameters as described in the table below:
NO for any other security package. Review the SUBSYS and REQSTOR parameters and modify them as required.
The Gateway issues SAF calls to verify that the TIBCO Object Service Broker authorization ID has access to the IMS resource in the specified SAF class. The Gateway issues another SAF call to verify that the authorization ID has access to the database specified in the IMS table definition in the specified SAF DBDCLASS. Refer to Establishing the TIBCO Object Service Broker Authorization ID and Supplying Gateway Startup Parameters for more information.
The external security package must have the SAF interface activated and the following items defined:
Establishing Resource and Segment Security
To establish resource- and segment-level security, specify the gateway parameters as described in the table below:
NO for any other security package. Review the SUBSYS and REQSTOR parameters and modify them as required.
The Gateway issues SAF calls to verify that the TIBCO Object Service Broker authorization ID has access to the IMS resource in the specified SAF class. The Gateway issues another SAF call to verify that the authorization ID has access to the database and segments specified in the IMS table definition within the specified SAF SEGCLASS. Refer to Establishing the TIBCO Object Service Broker Authorization ID and Supplying Gateway Startup Parameters for more information.
The external security package must have the SAF interface activated and the following items defined:
Read and update access allowed on each resource (all IMS database and segment combinations and all other IMS resources) for each authorization ID
Establishing the TIBCO Object Service Broker Authorization ID
The Gateway uses the EXTERNALUSERID and EXTERNALGROUP startup parameters to build the authorization ID. SAF uses this ID to verify access to IMS resources. The table below illustrates how TIBCO Object Service Broker evaluates the values you specify for these parameters:
Userid and Group ID Values

Depending on the combination of EXTERNALUSERID and EXTERNALGROUP you specify, the Gateway passes one of the following identities to SAF:
SAF user ID = TIBCO Object Service Broker session ID
SAF user ID = TIBCO Object Service Broker session ID, with SAF group ID = name of current security group. If the name is longer than 8 characters, the SAF group name is set to blank.
SAF user ID = name of current security group. If the current security group name is more than 8 characters, a SECURITYFAIL is signalled.
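The definitions that the six security methods above require must be repeated for every authorization ID, and the 8-character SAF name limit behind the table above is easy to trip over, so both are worth scripting. The following added Python example (not TIBCO's code and not part of the Gateway) generates the RACF command input that creates the resource profiles and grants each authorization ID read or update access, and rejects any ID that cannot be a SAF user ID. The class names GWDBD (standing in for a DBDCLASS) and GWSEG (standing in for a SEGCLASS), the DBDNAME.SEGNAME profile form, and the authorization IDs in the sample inventory are constructed assumptions; substitute the classes named in your Gateway startup parameters and defined in your RACF class descriptor table.

```python
"""Generate RACF command input for Gateway SAF resource definitions.

Added example, not code from TIBCO or the Gateway. The class names GWDBD
(a DBDCLASS) and GWSEG (a SEGCLASS), the DBDNAME.SEGNAME profile form
and every authorization ID below are constructed assumptions; substitute
the classes named in your Gateway startup parameters and defined in your
RACF class descriptor table. CA-ACF2 and CA-Top Secret use their own
command syntax, so only the RACF form is generated here.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAF_NAME_MAX = 8                   # SAF user IDs and group names are at most 8 characters
VALID_ACCESS = ("READ", "UPDATE")  # the access levels the Gateway checks for


@dataclass(frozen=True)
class Grant:
    auth_id: str   # TIBCO Object Service Broker authorization ID, used as the SAF user ID
    access: str    # "READ" or "UPDATE" (in RACF, UPDATE also permits READ)


@dataclass
class Resource:
    saf_class: str           # SAF general-resource class (e.g. the Gateway's DBDCLASS)
    profile: str             # resource profile name within that class
    grants: List[Grant] = field(default_factory=list)


def check_saf_name(name: str) -> Optional[str]:
    """Return None if `name` fits a SAF user ID or group name, else the reason.

    The same limit is behind the table above: a security group longer than
    8 characters becomes a blank SAF group, or a SECURITYFAIL when it is
    used as the user ID, so catch such names before enabling SECLEVEL=1.
    """
    if not name:
        return "empty name"
    if len(name) > SAF_NAME_MAX:
        return f"{name!r} is {len(name)} characters, SAF allows at most {SAF_NAME_MAX}"
    return None


def racf_commands(resources: List[Resource]) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Build the RDEFINE/PERMIT/SETROPTS deck; return (commands, rejected grants).

    Each profile is created with UACC(NONE) so that only explicitly permitted
    authorization IDs can reach the IMS resource.
    """
    commands: List[str] = []
    rejected: List[Tuple[str, str, str]] = []
    classes: List[str] = []
    for res in resources:
        if res.saf_class not in classes:
            classes.append(res.saf_class)
        commands.append(f"RDEFINE {res.saf_class} {res.profile} UACC(NONE)")
        for g in res.grants:
            if g.access not in VALID_ACCESS:
                raise ValueError(f"unsupported access {g.access!r} for {g.auth_id}")
            problem = check_saf_name(g.auth_id)
            if problem:
                rejected.append((res.profile, g.auth_id, problem))
                continue
            commands.append(
                f"PERMIT {res.profile} CLASS({res.saf_class}) ID({g.auth_id}) ACCESS({g.access})"
            )
    # Activate each class with in-storage (RACLISTed) profiles, then refresh so the
    # new definitions are picked up without waiting for the next RACLIST rebuild.
    for cls in classes:
        commands.append(f"SETROPTS CLASSACT({cls}) RACLIST({cls})")
        commands.append(f"SETROPTS RACLIST({cls}) REFRESH")
    return commands, rejected


# Constructed inventory: one database profile, one database.segment profile,
# and three authorization IDs, one of which is too long to be a SAF user ID.
SAMPLE_INVENTORY = [
    Resource("GWDBD", "CUSTDB", [Grant("OSBUSR1", "UPDATE"), Grant("OSBUSR2", "READ")]),
    Resource("GWSEG", "CUSTDB.ORDERS",
             [Grant("OSBUSR1", "UPDATE"), Grant("LONGAUTHORIZATIONID", "READ")]),
]


def main() -> None:
    commands, rejected = racf_commands(SAMPLE_INVENTORY)
    print("\n".join(commands))            # feed this to TSO, e.g. as IKJEFT01 SYSTSIN input
    for profile, auth_id, why in rejected:
        print(f"* skipped {auth_id} on {profile}: {why}")


if __name__ == "__main__":
    main()
```

Because RACF's access hierarchy makes UPDATE include READ, a single PERMIT at ACCESS(UPDATE) satisfies the "read and update access" requirement stated for each method; grant READ only where an authorization ID must not update. Rejected IDs are reported rather than silently dropped so that the inventory, not the generated deck, is what you fix.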
