Copyright © TIBCO Software Inc. All Rights Reserved
External security is used only if SECLEVEL=1. This security is in addition to any security done when SECLEVEL=0. The external security interface verifies that a TIBCO Object Service Broker authorization ID has access to specific IMS resources at the TIBCO Object Service Broker transaction level.

The Gateway issues SAF RACROUTE calls to a SAF-compliant external security package such as CA-ACF2, RACF, or CA-Top Secret to verify the access to specific IMS resources. Refer to the External Security Interface (RACROUTE) Macro Reference IBM manual for z/OS and VM for more information. You must define the appropriate IMS resources and the allowable accesses (read, update, and so on) in the external security package you are using. You must perform this for each existing TIBCO Object Service Broker authorization ID that accesses IMS data using a Gateway with SECLEVEL=1.

The external security interface provides six combinations of security levels to check IMS resources. You can choose one of the following methods:
•
•
•
•

The external security interface is invoked at the start of a TIBCO Object Service Broker transaction for the specified authorization ID. The EXTERNALUSERID and EXTERNALGROUP parameters determine whether the authorization ID is the TIBCO Object Service Broker session ID, the current security group, or a combination of the two.

The Gateway builds a profile in its buffers for each initial SAF request for a TIBCO Object Service Broker authorization ID. The next time an authorization ID requests access to an IMS resource, the Gateway checks its buffers to determine if a profile corresponding to this authorization ID exists. If there is a corresponding profile, the Gateway uses it instead of SAF to verify access to the specified IMS resource.

The information logged in the profile and stored in the Gateway buffers for each TIBCO Object Service Broker authorization ID depends upon the level of security requested as described in the table below:
Since the Gateway logs only successful accesses, you must recycle the Gateway to block access. You do not have to recycle the Gateway to grant access.

The Gateway must run APF authorized so that it can issue SAF calls. Therefore, the STEPLIB must be APF authorized.

To establish resource-level security, specify the gateway parameters as described in the table below:
NO for any other security package. Review the SUBSYS and REQSTOR parameters and modify them as required.

The Gateway issues SAF calls to verify that the TIBCO Object Service Broker authorization ID has access to the IMS resource within the specified SAF class. Refer to Establishing the TIBCO Object Service Broker Authorization ID and Supplying Gateway Startup Parameters for more information.

The external security package must have the SAF interface activated and the following items defined:
• Read and update access allowed on each resource for each TIBCO Object Service Broker authorization ID
NO for any other security package. Review the SUBSYS and REQSTOR parameters and modify them as required.

The Gateway issues SAF calls to verify that the TIBCO Object Service Broker authorization ID has access to the IMS PSB within the specified SAF class. Refer to Establishing the TIBCO Object Service Broker Authorization ID and Supplying Gateway Startup Parameters for more information.

The external security package must have the SAF interface activated and the following items defined:
• Read and update access allowed on each resource for each TIBCO Object Service Broker authorization ID.
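The buffering rule described earlier on this page (a profile is built on the first SAF request, reused on later requests, and only successful accesses are logged) is why revoking access needs a Gateway recycle while granting does not. The following is an added, simplified model of that behaviour, not TIBCO code; the class names and the sample values USERA and PSB1 are constructed for illustration.

```python
# Added model, not TIBCO code: a cache of successful checks only, placed in
# front of an external security manager (a stand-in for SAF RACROUTE).
class ExternalSecurity:
    """Constructed stand-in for the SAF-compliant package (RACF, CA-ACF2, ...)."""
    def __init__(self):
        self.permits = set()          # (auth_id, resource, access) tuples
        self.calls = 0                # how often the backend was consulted

    def permit(self, auth_id, resource, access):
        self.permits.add((auth_id, resource, access))

    def revoke(self, auth_id, resource, access):
        self.permits.discard((auth_id, resource, access))

    def check(self, auth_id, resource, access):
        self.calls += 1
        return (auth_id, resource, access) in self.permits

class Gateway:
    """Keeps a per-authorization-ID profile of successful accesses only."""
    def __init__(self, saf):
        self.saf = saf
        self.profiles = {}            # auth_id -> set of (resource, access)

    def authorize(self, auth_id, resource, access):
        if (resource, access) in self.profiles.get(auth_id, set()):
            return True               # answered from the buffer, SAF not asked
        ok = self.saf.check(auth_id, resource, access)
        if ok:                        # denials are never recorded
            self.profiles.setdefault(auth_id, set()).add((resource, access))
        return ok

    def recycle(self):
        self.profiles.clear()         # a restart drops every buffered profile

def demo():
    saf = ExternalSecurity()
    gw = Gateway(saf)
    results = []
    results.append(gw.authorize("USERA", "PSB1", "update"))  # denied, not cached
    saf.permit("USERA", "PSB1", "update")
    results.append(gw.authorize("USERA", "PSB1", "update"))  # grant seen at once
    saf.revoke("USERA", "PSB1", "update")
    results.append(gw.authorize("USERA", "PSB1", "update"))  # stale: still allowed
    gw.recycle()
    results.append(gw.authorize("USERA", "PSB1", "update"))  # denied after recycle
    return results, saf.calls
```

The third request is allowed without the backend being consulted, which is the window an administrator closes by recycling the Gateway after removing a permission.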
To establish database-level security, specify the gateway parameters as described in the table below:
NO for any other security package. Review the SUBSYS and REQSTOR parameters and modify them as required.

The Gateway issues SAF calls to verify that the TIBCO Object Service Broker authorization ID has access to the database specified in the IMS table definition within the specified SAF DBDCLASS. Refer to Establishing the TIBCO Object Service Broker Authorization ID and Supplying Gateway Startup Parameters for more information.

The external security package must have the SAF interface activated and the following items defined:
• Read and update access allowed on each resource (IMS databases) for each TIBCO Object Service Broker authorization ID

To establish segment-level security, specify the gateway parameters as described in the table below:
NO for any other security package. Review the SUBSYS and REQSTOR parameters and modify them as required.

The Gateway issues SAF calls to verify that the TIBCO Object Service Broker authorization ID has access to the database and segments specified in the IMS table definition within the specified SAF SEGCLASS. Refer to Establishing the TIBCO Object Service Broker Authorization ID and Supplying Gateway Startup Parameters for more information.

The external security package must have the SAF interface activated and the following items defined:
• Read and update access allowed on each resource (IMS segments within databases) for each TIBCO Object Service Broker authorization ID

To establish resource- and database-level security, specify the gateway parameters as described in the table below:
NO for any other security package. Review the SUBSYS and REQSTOR parameters and modify them as required.

The Gateway issues SAF calls to verify the TIBCO Object Service Broker authorization ID has access to the IMS resource in the specified SAF class. The Gateway issues another SAF call to verify the authorization ID has access to the database specified in the IMS table definition in the specified SAF DBDCLASS. Refer to Establishing the TIBCO Object Service Broker Authorization ID and Supplying Gateway Startup Parameters for more information.

The external security package must have the SAF interface activated and the following items defined:
• Read and update access allowed on each resource (IMS databases and all other IMS resources) for each authorization ID

To establish resource- and segment-level security, specify the gateway parameters as described in the table below:
NO for any other security package. Review the SUBSYS and REQSTOR parameters and modify them as required.

The Gateway issues SAF calls to verify the TIBCO Object Service Broker authorization ID has access to the IMS resource in the specified SAF class. The Gateway issues another SAF call to verify that the authorization ID has access to the database and segments specified in the IMS table definition within the specified SAF segment class. Refer to Establishing the TIBCO Object Service Broker Authorization ID and Supplying Gateway Startup Parameters for more information.

The external security package must have the SAF interface activated and the following items defined:
•
• Read and update access allowed on each resource (all IMS database and segment combinations and all other IMS resources) for each authorization ID

The Gateway uses the EXTERNALUSERID and EXTERNALGROUP startup parameters to build the authorization ID. SAF uses this ID to verify access to IMS resources. The table below illustrates how TIBCO Object Service Broker evaluates the values you specify for these parameters:
Gateway Parameter

SAF user ID = TIBCO Object Service Broker session ID

SAF user ID = TIBCO Object Service Broker session ID

SAF user ID = TIBCO Object Service Broker session ID
SAF group ID = name of current security group. If the name is longer than 8 characters, the SAF group name is set to blank.

SAF user ID = name of current security group. If current security group name is more than 8 characters, a SECURITYFAIL is signalled.