In IMS 14 and IMS 15, to make it easier for you to improve the security of your IMS DB resources, weâ€™ve introduced RACF PassTicket support for TCP/IP connections that are made via IMS Connect to IMS DB. RACF PassTickets are cryptographically generated, single-use, short-lifespan alternatives to RACF passwords. RACF PassTickets are also more secure than RACF passwords because PassTickets remove the need to send passwords across the network in clear text. By using RACF PassTickets for TCP/IP connections to IMS DB, you reduce, without having to implement message encryption on TCP/IP sockets, the chances of authorized usersâ€™ credentials from being stolen.
This support is shipped for IMS 15 with APAR PI99040 and for IMS 14 with APAR PI99038 (you can search on APARs here).
How are RACF PassTickets generated for TCP/IP connections to IMS DB?
Weâ€™ve enhanced the IMS SQL Batch utility to generate RACF PassTickets for you. The SQL Batch utility enhancement to support the generation of RACF PassTickets is shipped for IMS 15 with APAR PH02135 and for IMS 14 with APAR PH01167. With this SQL Batch utility enhancement, you can use RACF PassTickets to secure SQL-based calls to IMS databases.
For connections to IMS DB from other IMS Connect clients, you can enable PassTicket generation by implementing existing services that use the RACF PassTicket generator algorithm, as described here.
What happens after the RACF PassTickets are generated?
After the RACF PassTicket is generated, youâ€™ll need to:
- Send to IMS Connect by using the
SECCHKcommand (X’106E’) both the RACF PassTicket and the ID of the user requiring access to IMS DB.
- Define the
APPL=parameter in the HWSCFGxx IMS PROCLIB member either directly in the member or by using the newly added
ODBMAPPLattribute on the IMS type-2 command
APPL= parameter is defined and after receiving the RACF PassTicket and user ID on the
SECCHK command (X’106E’), IMS Connect issues the
RACROUTE REQUEST=VERIFY call to RACF to authenticate the client connection. On this call, IMS Connect includes the RACF PassTicket and the user ID that you sent using the
SECCHK command (X’106E’) as well as the value of the
APPL= parameter. If the
APPL= parameter is not defined, IMS Connect will use instead the value of the ID= parameter of the HWS statement.
Let us know what you think by leaving a comment below. And for more detailed information on this enhancement, see IBM Knowledge Center.