The following terms are used throughout this chapter:
Enhanced Security is a term used to indicate that a client cooperative flow request Common Format Buffer (CFB) contains the optional security offset section. The security offset section will contain the CA Gen CLIENT_USERID and CLIENT_PASSWORD system attribute values as defined by the generated GUI applications. Additionally, the security offset can contain an optional security token. Enhanced security is enabled using the WRSECTOKEN GUI runtime user exit.
Standard security is a term used to indicate that a client cooperative flow request CFB does not contain the optional security offset section. The CLIENT_USERID and CLIENT_PASSWORD attribute values are included in the CFB header area. Standard security is enabled using the WRSECTOKEN GUI runtime user exit.
No Security:
Neither the CLIENT_USERID nor CLIENT_PASSWORD attribute values are inserted into any portion of the CFB. No Security is the default configuration set by the WRSECTOKEN GUI runtime user exit.
Security Offset:
An optional data area located in the CA Gen CFB that contains security data consisting of the values assigned to the CLIENT_USERID and CLIENT_PASSWORD attributes. Additionally, the Security Offset section of the CFB can contain an optional security token that can be set within the WRSECTOKEN GUI runtime user exit.
If present in the CFB, the security offset section is part of the data area that can be encrypted. Encryption is performed within the WRSECENCRYPT GUI runtime user exit.
The term Client User ID has various usages within a discussion of the Client Manager. Client User ID can be used in reference to the following topics:
The use of the CLIENT_USERID attribute during a cooperative flow is optional and depends on the application designer causing the cooperative flow to contain Enhanced Security data. The request to make use of Enhanced Security data for a given cooperative flow is controlled by the WRSECTOKEN GUI runtime user exit.
Assuming Enhanced security is being used, the values assigned to the CLIENT_USERID attribute can be used to identify the user id context associated with the user that initiates a cooperative flow request. In some cases, the specified value can be used to establish the user id context under which the DPS will be executed. The specified value is carried in the cooperative flow request as data and processed by the TIRSECV server side user exit.
Client Manager can process either Standard or Enhanced cooperative flow requests. The basic difference is whether the CFB being processed contains a security offset area. Only those CFBs that contain a security offset area support the use of Enhanced Security; those that do not support only Standard Security.
A default Client User ID value can be specified as part of the Client Manager configuration. Additionally, each individual target server can have its own User ID value specified in the Client Manager configuration file as part of its unique configuration definition.
Similar to Client User ID, the term Client Password has multiple usages within a discussion of the Client Manager. Client Password can be used in reference to the following topics:
The use of the CLIENT_PASSWORD attribute during a cooperative flow is optional and depends on the application designer causing the cooperative flow to contain Enhanced Security data. The request to make use of Enhanced Security data for a given cooperative flow is controlled by the WRSECTOKEN GUI runtime user exit.
Assuming Enhanced security is being used, the values assigned to the CLIENT_PASSWORD attribute can be used during the validation processing performed by the server execution environment. In some cases, the specified value can be used when validating the user id associated with the cooperative flow request. The specified value is carried in the cooperative flow request as data and processed by the TIRSECV server side user exit.
A default Client Password value can be specified as part of the Client Manager configuration. Additionally, each individual target server can have its own password value specified in the Client Manager configuration file as part of its unique configuration definition.
Every target server defined to a Client Manager has its own Security Level attribute. The Security Level of a given target server indicates whether the Client Manager should attempt to make use of security data when processing flows to that target server environment. A server Security Level can be set to one of the following:
Remote:
Indicates that the Client Manager should attempt to provide security data and perform security processing on all cooperative flows targeting the associated server. The Client Manager performs whatever security processing is appropriate for the target server based on its defined configuration (for example, CPI/C (LU 6.2) as compared to Sockets (TCP/IP)).
When the Security Level of a target server is determined to be Remote, the process of obtaining the security data to use for a given flow depends on the type of CFB received from the DPC application.
Standard CFB:
The security data is obtained from the Client Manager configuration data, if defined. Otherwise, it may be necessary to prompt the application user for security data using a logon dialog.
Note: For details of the processing to obtain the security data from the Client Manager configuration, see the Derived Security Level Details.
Enhanced CFB:
When processing an Enhanced CFB, the choice of which security data the Client Manager will use depends on the setting of the CFB CMUseSecure flag byte. If the flag is set, the Client Manager uses the data specified in the security offset of the CFB; otherwise, the Client Manager uses the data provided by its configuration data, the same as if the CFB received were a Standard CFB. The setting of the CFB CMUseSecure flag is influenced by the GUI runtime WRSECTOKEN user exit.
Regardless of which type of CFB is received by a Client Manager, the security data (user id and password) that is selected for use will be populated into the CFB header of the CFB.
None:
Indicates that the Client Manager will not attempt to provide any security data, or perform any additional security processing, for flows that target the associated server.
Defer:
The Security Level of the server is obtained from the Client Manager's Default Security Parameters setting. If the Client Manager's Default Security Level is set to None, the security level associated with the target server is None; if the default setting is Remote, the security level associated with the target server is Remote.
Derived Security Level:
A derived security level is determined by taking into account the configured security level of the current target server and the default security level of the Client Manager. The hierarchical combination of these configurations is what is called the derived security level. The Client Manager attempts to derive the security level of a given server if its specified security level is set to Defer. A derived security level can be either Remote or None.
If the WRSECTOKEN user exit indicates that the CFB contains a security offset, the Client Manager uses the provided security data as part of its processing of the cooperative flow request. Refer to the WRSECTOKEN GUI runtime user exit for details on how this is accomplished.
Note: You can find a description of the WRSECTOKEN user exit in the Distributed Processing – Overview Guide.
If the target server has a derived security level of Remote, the Client Manager uses the value of the CMUseSecure CFB flag to determine whether the security data located in the CFB offset should be used. If the flag is set, the data in the CFB security offset is used. If not set, the Client Manager uses the security data located in its configuration file or prompts the user with a logon dialog.
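The decision logic described above (Defer resolving to the Client Manager default, and Remote servers choosing between the CFB security offset, the configuration data and a logon dialog) is modelled below. This is an illustrative model written for this page, not CA Gen or Client Manager code: the class and function names are assumptions chosen to mirror the documentation's terms, and the ordering of per-server configuration data before the Client Manager default is an assumption, since the page defers those details to the Derived Security Level Details.

```python
"""Illustrative model of Client Manager security-level derivation and
security-data selection. Not CA Gen code; names are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple


class SecurityLevel(Enum):
    REMOTE = "Remote"
    NONE = "None"
    DEFER = "Defer"


@dataclass
class SecurityData:
    user_id: str
    password: str


@dataclass
class CFB:
    """Constructed stand-in for a Common Format Buffer request."""
    cm_use_secure: bool = False                       # CMUseSecure flag byte
    security_offset: Optional[SecurityData] = None    # present only in Enhanced CFBs
    header_user_id: Optional[str] = None              # CFB header, filled in by selection
    header_password: Optional[str] = None

    @property
    def is_enhanced(self) -> bool:
        # An Enhanced CFB is one that carries the optional security offset section
        return self.security_offset is not None


@dataclass
class ServerConfig:
    """One target server's entry in the Client Manager configuration (assumed shape)."""
    security_level: SecurityLevel
    security_data: Optional[SecurityData] = None      # per-server user id/password, if any


def derive_security_level(server: ServerConfig, default_level: SecurityLevel) -> SecurityLevel:
    """Defer inherits the Client Manager default; Remote and None stand as configured."""
    if server.security_level is not SecurityLevel.DEFER:
        return server.security_level
    if default_level is SecurityLevel.DEFER:
        # The default must itself resolve to Remote or None
        raise ValueError("Default Security Level must be Remote or None")
    return default_level


def select_security_data(cfb: CFB, server: ServerConfig, default_level: SecurityLevel,
                         default_data: Optional[SecurityData],
                         logon_prompt: Callable[[], SecurityData]
                         ) -> Tuple[str, Optional[SecurityData]]:
    """Pick the security data for one flow and populate the CFB header with it.

    Returns (source, data); source is one of 'none', 'cfb-offset', 'server-config',
    'default-config' or 'logon-dialog'.
    """
    if derive_security_level(server, default_level) is SecurityLevel.NONE:
        return ("none", None)            # no security data supplied or processed

    if cfb.is_enhanced and cfb.cm_use_secure:
        source, data = "cfb-offset", cfb.security_offset
    elif server.security_data is not None:   # assumed to take precedence over the default
        source, data = "server-config", server.security_data
    elif default_data is not None:
        source, data = "default-config", default_data
    else:
        source, data = "logon-dialog", logon_prompt()

    # Whichever data was selected ends up in the CFB header area
    cfb.header_user_id = data.user_id
    cfb.header_password = data.password
    return (source, data)


if __name__ == "__main__":
    # Constructed sample: an Enhanced CFB with CMUseSecure unset falls back to configuration
    cfb = CFB(cm_use_secure=False, security_offset=SecurityData("guiuser", "guipw"))
    server = ServerConfig(SecurityLevel.DEFER, SecurityData("svcuser", "svcpw"))
    print(select_security_data(cfb, server, SecurityLevel.REMOTE, None,
                               lambda: SecurityData("typed", "typed")))
```

The `logon_prompt` callable stands in for the logon dialog; in the model it is only invoked when no other source yields data, which mirrors the page's "otherwise, it may be necessary to prompt" wording.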
CFB Encryption Flag:
This CFB flag can be set for either a request CFB or a response CFB. Both the DPC and DPS runtime code support the use of an encryption user exit. The CFB encryption flag is set by the DPC or DPS runtime if the return from its respective encryption user exit indicates that the CFB has been encrypted.
The Client Manager is only concerned that a CFB request has been encrypted when:
The selected target server has a derived security level of Remote.
Copyright © 2013 CA.
All rights reserved.