6. Security

This subsection covers the following topics:

• Security Overview

• Where You Specify Security Parameters

• Setting Up Security in a Configured Application

Security Overview

In order for any security checking to occur, the BEA TUXEDO Local Domain and the Host System must have security mechanisms in place. For the Local Domain, this is the Authorization Server. For the Host System, this is the External Security Manager. Figure 6-1 shows these elements.

There are four sections in two BEA TUXEDO configuration files in which you specify parameters bearing on Local Domain security. The two configuration files are DMCONFIG and UBBCONFIG.

Userid and password mapping between the Local Domain and the Host System also bears on security. There are five DMADMIN subcommands which you use to enter userids and passwords, set up mappings, remove mappings, remove userids and passwords, and modify passwords.

Caution: Mixed environment security is more complex than depicted in Figure 6-1. A domain without an operational security mechanism in place accepts all transaction requests by treating userids as "trusted users." Refer to BEA TUXEDO documentation for more detailed information about domain security.

Figure 6-1 BEA eLink for Mainframe SNA Security Elements

Where You Specify Security Parameters

The configuration sections where security is specified are:

• RESOURCES section of the UBBCONFIG file

• DM_LOCAL_DOMAINS section of the DMCONFIG file

• DM_SNALINKS section of the DMCONFIG file

• DM_ACCESS_CONTROL section of the DMCONFIG file

UBBCONFIG File Security Parameters

The RESOURCES section in this file contains a SECURITY parameter which works in conjunction with the SECURITY parameter in the DMCONFIG file to establish how eLink SNA controls access to the BEA TUXEDO local domain. This parameter takes the form:

SECURITY = {value}

where value is:

NONE

No security is enforced (default)

APP_PW

Requires password authorization for BEA TUXEDO clients and administrative tools to connect to the local application.

USER_AUTH

Same as APP_PW, but additional authorization is required on a per-user basis.

ACL

Same as USER_AUTH, but additional access-control checks are done on service names, queue names, and event names. If no Access Control Lists (ACL) exists for a given name, access is granted.

MANDATORY_ACL

Same as ACL, but if no ACL exists for a given name, access is denied.

In most cases, the UBBCONFIG file has already been configured and you don't need to establish the SECURITY parameter settings, but examining this file enables you to ascertain how eLink SNA enforces security.

If this parameter is set to NONE, no security is enforced. If set to APP_PW, the local BEA TUXEDO domain's Authorization Server prompts for the application password. If set to USER_AUTH, ACL, or MANDATORY_ACL, the qualified security is enforced as specified.

DMCONFIG File Security Parameters

Three sections in the DMCONFIG file contain parameters affecting eLink SNA control of access to the BEA TUXEDO local domain:

• DM_LOCAL_DOMAINS section contains a SECURITY parameter which specifies the type of security enforced for the BEA TUXEDO local domain.

• DM_SNALINKS section contains a SECURITY parameter which records the security in effect for the host system.

• DM_ACCESS_CONTROL section contains local access control lists used by the BEA TUXEDO local domain to associate local resources with host systems permitted to have access to them.

  Caution: Do not delete the DMCONFIG binary file before running the dmlloadcf command. Tables of remote users, remote passwords, and remote mappings are stored in this file. If deleted, all security information must be re-entered.

DM_LOCAL_DOMAINS section

The SECURITY parameter settings in this section work in conjunction with the SECURITY parameter in the RESOURCES section of the BEA TUXEDO local domain's UBBCONFIG file to establish how eLink SNA controls access to the BEA TUXEDO local domain. The parameter takes the form:

SECURITY = {value}

where value is:

NONE

No security is enforced.

APP_PW

No security is enforced.

DM_USER_PW

User and password security is enforced.

If this parameter is set to NONE or APP_PW, the local domain takes no action with regard to security. If this parameter is set to DM_USR_PW, the local domain enforces security according to the setting in the UBBCONFIG file (refer to "UBBCONFIG File Security Parameters").

DM_SNALINKS section

This section of the DMCONFIG file is dedicated to eLink SNA parameters. It records the security in effect for the host system. It correlates to the values set for the ATTACHSEC parameter in the connection resource definition. In the following parameter definition, remote refers to the TUXEDO domain and local refers to the host system. The parameter takes the form:

SECURITY_TYPE = {value}

where value is:

LOCAL

Specifies that a user identifier is not to be supplied by the remote system. LOCAL is the default value.

IDENTIFY

Specifies that a user identifier is expected on every attach request. All remote users of a system must be identified to the remote external security manager.

VERIFY

Attaches a userid and valid password to the remote region. The userid and password are controlled by the region's external security manager.

PERSISTENT

Not fully supported. Functions the same as VERIFY.

MIXIDPE

Not fully supported. Functions the same as VERIFY.

The values LOCAL and IDENTIFY are roughly equivalent to NONE and APP_PW for the SECURITY parameter in the DMCONFIG file.

DM_ACCESS_CONTROL section

This section contains local Access Control Lists (ACL) used by the BEA TUXEDO local domain to restrict access by remote regions to local resources. (Refer to "Security Administration" in the BEA TUXEDO Administrator's Guide.) Each entry consists of an ACL_NAME resource identifier along with a list of required parameters designating remote domains permitted to access the resource. If no entry exists for a local service, the service is accessible to all remote domains.

Security Setting Summary

The domain administrator can add or delete users from the domain security table in two ways: first, through data entry panels in the TUXEDO System administration Graphical Administrative Interface; second, by using the dmadmin command.

The combined settings of the SECURITY parameters in the UBBCONFIG and the DMCONFIG files have the following effects:

• When the DM_LOCAL_DOMAINS Security parameter is set to NONE or APP_PW, no action is taken by the eLink SNA gateway with regard to security.

• However, when the UBBCONFIG file Security parameter is set to APP_PW, the application password is validated by an AUTHSVC when clients join the application. The AUTHSVC is provided by the user application.

If security is to be enforced by both the local domain and the host system for each request inbound from the host system to the local domain, the following settings must be made:

• The UBBCONFIG file SECURITY parameter must be set to one of USER_AUTH, ACL, or MANDATORY_ACL;

• The DMCONFIG file DM_LOCAL_DOMAINS section SECURITY parameter must be set to DM_USER_PW

• The DM_SNALINKS SECURITY parameter must be set to IDENTIFY or VERIFY.

(Refer to Table 6-1 for a summary of the file settings required to achieve different security combinations for inbound requests from the host system.)

If security is to be enforced by both the local domain and the host system for each request outbound from the local domain, the following settings must be made:

• UBBCONFIG file SECURITY parameter must be set to one of USER_AUTH, ACL, or MANDATORY_ACL

• the DMCONFIG file DM_LOCAL_DOMAINS section SECURITY parameter must be set to DM_USER_PW

• and the DM_SNALINKS SECURITY parameter must be set to IDENTIFY or VERIFY

(Refer to Table 6-2 for a summary of the file settings required to achieve different security combinations for outbound requests from the local domain.)

For a request sent to the host system, the local principal userid is located in the domain security table and the associated remote userid, or userid and password, are put into the conversation start-up request before being sent over the LU6.2 conversation. (This occurs if SECURITY is set to IDENTIFY or VERIFY in the DM_SNALINKS section of the DMCONFIG file.)

For requests sent from the host system, the local domain extracts the remote userid, or userid and password, from the conversation start-up request and checks the domain security table. That table contains pairs of local principal userids and remote userids, maintained on a service-by-service basis. The remote userid is mapped to the local principal userid. The local principal userid and password are used for further Access Control List (ACL) checking, as specified in the UBBCONFIG file.

When a request is received from the host system, the local domain checks the DMCONFIG file ACL for the local service to see if requests from the remote domain are permitted. If the DMCONFIG file does not contain an ACL for the local service, the service is accessible to all requests.

Therefore, if the ATTACHSEC level for the connection definition in the host system is Identify or Verify, the DMCONFIG SECURITY parameter must be set to DM_USER_PW so that a userid and a password are sent on the conversation start-up requests.

Security Setting Summary Tables

Table 6-1 shows settings for the SECURITY parameters in the UBBCONFIG and DMCONFIG files required to achieve local domain and host system security combinations for inbound requests.

Note: Security setting combinations other than those shown in the tables will have unpredictable results.

Table 6-1 Security Setting Summary (Inbound Requests from Host System)

SECURITY COMBINATION		SETTINGS IN UBBCONFIG FILE	SETTINGS IN DM_LOCAL_DOMAINS SECTION of DMCONFIG FILE	SETTINGS IN DM_SNALINKS SECTION of DMCONFIG FILE	OUTBOUND USERID and PASSWORD ACTIVITY (UID/PW)
LOCAL DOMAIN	HOST SYSTEM
NO	NO	SECURITY = NONE or APP_PW	SECURITY = NONE or APP_W	SECURITY= LOCAL	Not Applicable
YES	NO	SECURITY = USER_AUTH, ACL, or MANDATORY_ACL	SECURITY = NONE or APP_PW	SECURITY = LOCAL	Not Applicable
NO	YES	SECURITY = NONE or APP_PW	SECURITY = DM_USER_PW	SECURITY = IDENTIFY or VERIFY	INVALID
YES	YES	SECURITY = USER_AUTH, ACL, or MANDATORY_ACL	SECURITY = DM_USER_PW	SECURITY = IDENTIFY or VERIFY	UID or UID+PW checked by Host System

Table 6-2 shows settings for the SECURITY parameters in the UBBCONFIG and DMCONFIG files required to achieve local domain and host system security combinations for outbound requests.

Note: Security setting combinations other than those shown in the tables will have unpredictable results.

Table 6-2 Security Setting Summary (Outbound Requests from Local Domain)

SECURITY COMBINATION		SETTINGS IN UBBCONFIG FILE	SETTINGS IN DM_LOCAL_DOMAINS SECTION of DMCONFIG FILE	SETTINGS IN DM_SNALINKS SECTION of DMCONFIG FILE	INBOUND USERID and PASSWORD ACTIVITY (UID/PW)
LOCAL DOMAIN	HOST SYSTEM
NO	NO	SECURITY = NONE or APP_PW	SECURITY = NONE or APP_W	SECURITY= LOCAL	Not Applicable
YES	NO	SECURITY = USER_AUTH, ACL, or MANDATORY_ACL	SECURITY = NONE or APP_PW	SECURITY = LOCAL	INVALID
NO	YES	SECURITY = NONE or APP_PW	SECURITY = DM_USER_PW	SECURITY = IDENTIFY or VERIFY	UID or UID+PW from Host System ignored
YES	YES	SECURITY = USER_AUTH, ACL, or MANDATORY_ACL	SECURITY = DM_USER_PW	SECURITY = IDENTIFY or VERIFY	UID or UID+PW checked by Local Domain

Setting Up Security in a Configured Application

This subsection gives step-by-step instructions for setting up security in an application that has already been configured.

Configuring Security in the TUXEDO Domain

1. Edit the UBBCONFIG file.

   1. In the RESOURCES section, add SECURITY USER_AUTH.

   2. In the RESOURCES section, add the following value to the AUTHSVC parameter:

      AUTHSVC

   3. In the SERVERS section, add AUTHSVR server.

      Note: SECURITY USER_AUTH level implies that application passwords, user IDs, and user passwords are required to join the application. AUTHSVR is the TUXEDO-supplied authentication server. It advertises the service AUTHSVC.

2. Enter the tmloadcf command to load the TUXEDO configuration, for example:

   tmloadcf -y ubbconfig.sna

3. Set the application password. (The tmloadcf command prompts for the application password.)

4. Add users to the TUXEDO domain by using the tpusradd command. The command prompts for each password, for example:

   tpusradd me 

   (Enter password for me.)

   Note: Do not use the command tpaddusr.

5. Modify the TUXEDO client to specify security parameters in the tpinit call. Listing 6-1 is an example of the code to do this.

   Listing 6-1 Security Parameters Added to tpinit Call

   ---

       TPINIT *tpinitbuf;
       char passwd[30];
       int security_level;

   /* Initialize security parameters */

       if ((tpinitbuf = (TPINIT *) tpalloc("TPINIT", NULL,
       TPINITNEED(sizeof(passwd)))) == NULL)

       {
   	userlog("tpalloc tpinit failed %s \n", tpstrerror(tperrno));
   	exit(1);
       }
       strcpy(tpinitbuf->usrname,"");
       strcpy(tpinitbuf->cltname,"");
       strcpy(tpinitbuf->passwd,"");
       strcpy(tpinitbuf->grpname,"");
   

   /* Determine level of enforced security */
       security_level = tpchkauth();
   
       if ((security_level == TPSYSAUTH) || (security_level ==
       TPAPPAUTH))

       {
   	fprintf(stdout,"\nApplication passwd required.");
   	fprintf(stdout,"\nApplication passwd:");
   	gets(tpinitbuf->passwd);
       }

       if (security_level == TPAPPAUTH)

       {
   	fprintf(stdout,"\nUser Name required.");
   	fprintf(stdout,"\nUser Name:");
   	gets(tpinitbuf->usrname);
   
   	fprintf(stdout,"\nUser Password required.");
   	fprintf(stdout,"\nUser Password:");
   	gets(passwd);
   	strcpy(&tpinitbuf->data,passwd);
   	tpinitbuf->datalen=strlen(passwd);
       }

       if (tpinit(tpinitbuf) == -1) 
       {
           userlog("TPINIT %s \n", tpstrerror(tperrno));
           exit(1);
       }

   ---

6. Verify security in TUXEDO domain by running the client.

7. Enter the dmload command to load the domain configuration, for example:

   dmloadcf -y dmconfig.sna

8. Enter the tmboot command to boot the TUXEDO domain, for example:

   tmboot -y

9. Configure security for SNA domain by editing the DMCONFIG file.

   1. In the DM_LOCAL_DOMAINS section, add the parameter:

      SECURITY=DM_USER_PW

   2. In the DM_SNALINKS section, add the parameter for the remote link:

      SECURITY=VERIFY

10. Add the user name mapping for remote domain by invoking dmadmin and using the addumap command to map local user IDs to remote user IDs, for example:

    dmadmin
    	addumap -d mylocaldomain -R myremotedomain -p localme -u REMOTEME

11. Add password for remote user ID(s) of the remote domain by invoking dmadmin and using the addusr command to provide remote password(s), for example:

    dmadmin
    addusr -d mylocaldomain -R myremotedomain -u REMOTEME

    (The system responds with the following prompts:

    ERROR: Enter Remote User's Password:
ERROR: Re-enter Remote User's Password:)

12. Change the security of connection definition(s) on the mainframe host by doing the following:

    1. Expand the group that contains the connection definition(s) by entering the command:

       CEDA EX GR(MYCONNGRP)

    2. Alter security of each connection definition by entering the command:

       Set ATtachsec = VERIFY

    3. Put each connection out of service by entering the command:

              CEMT I CONN(MYCN)

    and tabbing to the connection, then changing the INS entry to OUT.

13. Install the modified connection definition(s) by entering the command:

    CEDA I GR(MYCONNGRP)

14. The security definition is complete. Run the application.

If you want to set the security level to IDENTIFY, then change the SECURITY parameter in the DMCONFIG to IDENTIFY and change the ATtachsec parameter on the connection to IDENTIFY. Change the remote user password by using the addusr -w option so that no password is specified, for example:

addusr -d mylocaldomain -R myremotedomain -u REMOTEME -w)

Once the user security information in both domains is mapped, you can perform administration on the affected security files in each domain. To do this, use the addumap, dmadmin, delumap, modusr, and delusr subcommands.

The following paragraphs discuss how you enter these commands. Refer to Appendix A, "Reference Pages," for detailed information about each subcommand.

Adding a Userid and Password

Use the addusr subcommand to add a BEA TUXEDO local domain's userid and password to the remote CICS/ESA domain's user and password file. Enter the following command:

addusr {-d} local_domain_id {-R} remote_domain_id {-u} remote_userid

where:

-d

Specifies the name of the local domain with which the userid and password are associated.

-R

Specifies the name of the remote domain to which the userid and password are to be added.

-u

Specifies the user name to be added. Enter the user's password when prompted.

Use the addumap subcommand to map a local domain principal userid number to a remote domain user name. The userid must be added before it can be mapped (refer to "Adding a Userid and Password"). Enter the following command:

addumap {-d} local_domain_id {-R} remote_domain_id
{-p}  local_principal_userid {-u} remote_userid

where:

-d

Specifies the name of the local domain with which the userid is associated.

-R

Specifies the name of the remote domain to which the userid is mapped.

-p

Specifies the local principal userid number defined in the ACL.

-u

Specifies the remote user name as defined in the security application of the remote domain.

Use the delumap subcommand to remove the mapping for a local domain principal userid to a remote domain user name. Enter the following command:

delumap {-d} local_domain_id {-R} remote_domain_id
{-p}  local_principal_userid {-u} remote_userid

where:

-d

Specifies the name of the local domain with which the userid is associated.

-R

Specifies the name of the remote domain to which the userid is mapped.

-p

Specifies the local principal userid number defined in the ACL.

-u

Specifies the remote user name as defined in the security application of the remote domain.

Use the delusr subcommand to remove a local BEA TUXEDO domain's user ID and password from the CICS/ESA remote domain's user and password file. The mapping for a userid must be removed before the userid can be removed (refer to "Removing a Userid's Mapping"). Enter the following command:

delusr {-d} local_domain_id {-R} remote_domain_id {-u} remote_userid

where:

-d

Specifies the name of the local domain with which the userid and password are associated.

-R

Specifies the name of the remote domain from which the userid and password are to be deleted.

-u

Specifies the user name to be deleted. Enter the user's password when prompted.

Use the modusr subcommand to modify a local BEA TUXEDO domain user's password recorded in a CICS/ESA remote domain's user and password file. Enter the following command:

modusr {-d} local_domain_id {-R} remote_domain_id {-u} remote_userid

where:

-d

Specifies the name of the local domain with which the userid and password are associated.

-R

Specifies the name of the remote domain in which the userid and password are to be modified.

-u

Specifies the user name to be modified. Enter the user's password when prompted.