
In today’s distributed computing environment, the ability to preserve a user’s identity from one security realm to another can significantly enhance accountability and reduce vulnerabilities. The IMS™ service provider in IBM® z/OS® Connect Enterprise Edition (z/OS Connect EE) was recently enhanced to support distributed identity propagation to IMS 15 for subsequent auditing and tracing purposes.

Network security credential propagation is a new feature in the recently announced IMS 15 (see the announcement letter). The network security credential consists of a network user ID and a network session ID, also referred to as the security realm.

When the IMS service provider in z/OS Connect EE detects that the IMS Connect it is connecting to is at V15, it sends the authenticated user ID and the security realm to IMS Connect, which adds them to the IMS log records. IMS does not use this distributed user ID for authentication or authorization; it is recorded for auditing and tracing only. The IMS service provider obtains the security realm from the Liberty user registry, so the user ID must be defined in an LDAP user registry, a basic registry, or a SAF registry. In the following basic registry example, the realm for user "Fred" is "zosConnect":

<!-- Basic user registry definition -->
<basicRegistry id="basic1" realm="zosConnect">
    <user name="Fred" password="{xor}PjMzbiw7KjE=" />
</basicRegistry>
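As an added illustration (not IBM's code, and not how the service provider is implemented internally), the following Python models the rules described above against the basic registry fragment: a credential can only be built if the user is defined in a registry that has a realm, the target IMS Connect is at V15 or later, and the interaction profile has not turned the feature off. It also shows a caveat a practitioner should keep in mind about the password in that fragment: Liberty's `{xor}` encoding is reversible obfuscation (XOR with a fixed key, then base64), not encryption, so server.xml needs the same protection as any other credential store. The second user, the `network_security_credential` function, and the parsing of server.xml directly are assumptions made for the example; the real service provider uses the Liberty registry API.

```python
# Added example, not IBM's code. Models the credential-building rules from the
# article on a constructed server.xml fragment and shows that the {xor} password
# in a basicRegistry is recoverable by anyone who can read the file.
import base64
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the article's basicRegistry plus a
# hypothetical second user so the lookup has more than one entry to search.
SERVER_XML = """
<server>
  <basicRegistry id="basic1" realm="zosConnect">
    <user name="Fred" password="{xor}PjMzbiw7KjE=" />
    <user name="Alice" password="{xor}Pg==" />
  </basicRegistry>
</server>
"""

XOR_KEY = 0x5F  # the fixed key used by Liberty's {xor} encoding


def decode_xor(value):
    """Reverse Liberty's {xor} obfuscation: base64-decode, then XOR each byte with 0x5F."""
    if not value.startswith("{xor}"):
        raise ValueError("not a {xor}-encoded value")
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("ascii")


def encode_xor(plain):
    """Produce the same {xor} form that the securityUtility encode command emits."""
    raw = bytes(ord(c) ^ XOR_KEY for c in plain)
    return "{xor}" + base64.b64encode(raw).decode("ascii")


def network_security_credential(server_xml, user_id, ims_connect_version, send_credential=True):
    """Return the (user ID, realm) pair that would be propagated, or None.

    Hypothetical helper mirroring the article's rules: the IMS Connect must be
    V15 or later, the interaction profile must still allow sending the
    credential, and the user must be defined in a registry that has a realm.
    Parsing server.xml here is a simplification; Liberty resolves the realm
    through its registry API. Registries without an explicit realm attribute
    are skipped in this simplified model.
    """
    if ims_connect_version < 15 or not send_credential:
        return None
    root = ET.fromstring(server_xml)
    for registry in root.iter("basicRegistry"):
        realm = registry.get("realm")
        if realm is None:
            continue
        for user in registry.iter("user"):
            if user.get("name") == user_id:
                return (user_id, realm)
    return None  # user not defined in any registry: no realm, so no credential


if __name__ == "__main__":
    print(network_security_credential(SERVER_XML, "Fred", 15))  # ('Fred', 'zosConnect')
    print(network_security_credential(SERVER_XML, "Fred", 14))  # None: V14 or earlier
    print(network_security_credential(SERVER_XML, "Bob", 15))   # None: not in the registry
    # The password in the article's fragment is recoverable from server.xml alone.
    print(decode_xor("{xor}PjMzbiw7KjE="))
```

The round trip `encode_xor(decode_xor(v)) == v` holds for any `{xor}` value, which is the point of the caveat: the encoding protects against shoulder-surfing, not against anyone with read access to the configuration.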

You can also configure the IMS interaction profile in z/OS Connect EE to stop sending the network security credential to IMS Connect V15 (the default is to send it). The IMS service provider never passes the network security credential when the IMS Connect it is connecting to is at V14 or earlier.

For more information, see Configuring distributed identity propagation to IMS in the z/OS Connect EE documentation.
