sebastia (Grand Master; Joined: 07 Oct 2004; Posts: 1003)
Posted: Wed May 16, 2007 5:17 am    Post subject: LTPA and RACF
We have an environment where a (web browser) application
enters the system through a WAS,
then, using an MQ Client,
reaches z/OS using MQ.
[appl] <---> [AIX + WAS + MQ Client] <---> [z/OS + MQ Server]
We have used "user+password" as session credentials until now,
but are considering using LTPA tokens.
We have some doubts ...
1) Do/can the LTPA tokens travel in the MQ headers?
2) Does RACF accept LTPA tokens to validate the message?
Any bibliography is welcome.
S.
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Wed May 16, 2007 5:30 am    Post subject:
You are rather assuming that MQ on z/OS "validates" the message.
It doesn't. Unless you code a message exit, messages are not validated. QM connection authority is checked, and queue open access is checked (by RACF).
Validation of messages can be performed by the receiving application - we have a sort of CICS trigger monitor which does this (and more).
The userid from the client connection is normally used for the RACF check, but this depends on the configuration of MQ (e.g. MCAUSER).
If you want end-to-end message integrity then Tivoli Access Manager for e-business is your (expensive on z/OS) friend.
There is a Redbook on MQ Security:
http://www.redbooks.ibm.com/abstracts/sg246814.html?Open
Last edited by zpat on Wed May 16, 2007 5:38 am; edited 1 time in total
sebastia (Grand Master; Joined: 07 Oct 2004; Posts: 1003)
Posted: Wed May 16, 2007 5:36 am    Post subject:
*) MQ Security = SC34-6588-01
*) We want to access z/OS from a WAS.
I do not want MQ to "validate" the message.
I want MQ to "transport" the token. I hoped the MQ header is used.
*) Our problem is we have heard that RACF does NOT like LTPA,
but cannot find the sentence in any paper.
Thanks a lot. S.
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Wed May 16, 2007 5:42 am    Post subject:
You can place the token in an RFH2 header yourself. Or use a "spare" MQMD field like AccountingInfo, or place it in the message data.
I am not sure why you think there is built-in support for LTPA in MQ.
Assuming RACF supports LTPA (and I think it does), I presume that you would have to pass the LTPA token as a parameter on a RACROUTE VERIFY call, the result of which would be acted upon accordingly to accept or reject the message.
This RACROUTE call could be coded in an MQ exit or your application - it's not going to happen any other way AFAIK!
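The "place the token in an RFH2 header yourself" option from the reply above, as an added example that is not code from this thread or from IBM MQ: it builds an MQRFH2 with the token in the usr folder and parses it back with length checks, assuming big-endian integers (encoding 273, as on z/OS), UTF-8 (CCSID 1208) name/value data, and a constructed placeholder in place of a real LTPA token. The header only transports the token; the receiver still has to validate it (for instance on the RACROUTE path described above).

```python
import struct
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Fixed part of an MQRFH2, big-endian integers (assumed: MQENC 273 as on z/OS).
# Fields: StrucId, Version, StrucLength, Encoding, CodedCharSetId, Format, Flags, NameValueCCSID
RFH2_FIXED = ">4siiii8sii"
RFH2_FIXED_LEN = struct.calcsize(RFH2_FIXED)  # 36 bytes

def build_rfh2(token, body_format=b"MQSTR   "):
    """Return an RFH2 carrying `token` in a usr/ltpa folder; message body follows it."""
    folder = f"<usr><ltpa>{escape(token)}</ltpa></usr>".encode("utf-8")
    folder += b" " * ((-len(folder)) % 4)          # NameValueData is space-padded to a multiple of 4
    variable = struct.pack(">i", len(folder)) + folder   # NameValueLength + NameValueData
    fixed = struct.pack(RFH2_FIXED, b"RFH ", 2, RFH2_FIXED_LEN + len(variable),
                        273, 1208, body_format, 0, 1208)
    return fixed + variable

def parse_rfh2(buf):
    """Split a buffer into ({folder name: Element}, body). Rejects malformed headers."""
    if len(buf) < RFH2_FIXED_LEN:
        raise ValueError("shorter than fixed RFH2 part")
    struc_id, version, struc_len, _enc, _ccsid, _fmt, _flags, _nvccsid = struct.unpack(
        RFH2_FIXED, buf[:RFH2_FIXED_LEN])
    if struc_id != b"RFH " or version != 2:
        raise ValueError("not an MQRFH2")
    # StrucLength must cover the fixed part, fit the buffer, and stay 4-byte aligned.
    if struc_len < RFH2_FIXED_LEN or struc_len > len(buf) or struc_len % 4:
        raise ValueError("bad StrucLength")
    folders, pos = {}, RFH2_FIXED_LEN
    while pos < struc_len:
        (nv_len,) = struct.unpack(">i", buf[pos:pos + 4])
        pos += 4
        if nv_len <= 0 or nv_len % 4 or pos + nv_len > struc_len:
            raise ValueError("bad NameValueLength")
        elem = ET.fromstring(buf[pos:pos + nv_len].decode("utf-8").strip())
        folders[elem.tag] = elem                   # e.g. "usr", "mcd", "jms"
        pos += nv_len
    return folders, buf[struc_len:]

def token_from_message(buf):
    """Return the LTPA token string, or None when no usr/ltpa element is present."""
    folders, _body = parse_rfh2(buf)
    usr = folders.get("usr")
    node = usr.find("ltpa") if usr is not None else None
    return node.text if node is not None else None

if __name__ == "__main__":
    msg = build_rfh2("LTPA-TOKEN-PLACEHOLDER") + b"order data"   # constructed sample
    print(token_from_message(msg), parse_rfh2(msg)[1])
```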
sebastia (Grand Master; Joined: 07 Oct 2004; Posts: 1003)
Posted: Wed May 16, 2007 5:49 am    Post subject:
Thanks, ZPAT.
Using our "own" part of the header is not our purpose.
I had the dummy intuition that the support was included in MQ ...
LTPA is "ibm", WAS is "ibm", RACF is "ibm" .... looks logical to me.
Can you provide any pointer to any place I can find written
"RACF does support LTPA" (or not)???
S.
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Wed May 16, 2007 10:42 am    Post subject:
sebastia (Grand Master; Joined: 07 Oct 2004; Posts: 1003)
Posted: Wed May 16, 2007 12:13 pm    Post subject:
Mr ZPAT: those 4 pointers will have me busy and happy
for a few days. Thanks a lot. S.