

Signon Security Options

Installation Default

At CA IDMS installation, the security option for signon (the SGON resource in the SRTT) is 'OFF'.

This means that when the online user requests signon, or the first security check request is issued on behalf of the executing user in a local mode batch application, signon is unsecured and unvalidated. In an unvalidated signon, the user is successfully signed on whether or not the user ID and password have been defined.

Internal Signon Security

If you specify the internal security option for the SGON resource in an #SECRTT macro, signon is secured and password checking will be performed by the internal security system.

External Signon Security

If you specify the external security option for the SGON resource in a #SECRTT macro, signon is secured and password or PassTicket checking will be performed by the external security system.

If the external security system issues a failure or even a warning on user identification and validation, signon fails. This means that you cannot use internal security as a backup security system when you specify external security for signon.

Using PassTickets

The value of the password passed to the external security system and used for external signon authorization can be either a:

A PassTicket is a temporary substitute for a password that is used for authentication for a specific application. A PassTicket is generated from values associated with the userid and application to which the signon is targeted and is valid for only a short period of time. PassTickets are often used as an alternative to sending a clear text password over a network, thereby improving network security.

Note: For externally secured signons, PassTickets are treated in the same way as passwords in the remainder of the signon processing description.

To enhance performance, CA IDMS uses password caching in multi-signon CV environments. Caching is also applied to PassTickets, as PassTickets are implemented by an external security system.

Under certain circumstances, this means that PassTickets can be used more than once. For this reason, CA recommends the implementation of the following points to maximize security when you implement PassTickets:

When signing in to CA IDMS through IDMS Server, there are some cases where a PassTicket behaves like a password; that is, the PassTicket can be used multiple times.
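
The following added example is a simplified model, not CA IDMS code, of why a credential cache placed in front of an external security system can let a PassTicket be accepted more than once. All class and function names are hypothetical, and the one-time-use rule, the 600-second validity window, the 300-second cache lifetime and the sample user and ticket are assumptions made for illustration.

```python
import hashlib
import hmac

class ExternalSecuritySystem:
    """Stand-in for the external security system (assumed behaviour):
    a PassTicket is accepted once, and only inside its validity window."""
    def __init__(self, issued, validity_seconds=600):
        self.issued = dict(issued)          # (user, ticket) -> issue time
        self.validity = validity_seconds
        self.used = set()

    def validate(self, user, ticket, now):
        key = (user, ticket)
        issued_at = self.issued.get(key)
        if issued_at is None or now - issued_at > self.validity:
            return False                    # unknown or expired ticket
        if key in self.used:
            return False                    # second use is rejected here
        self.used.add(key)
        return True

class SignonFrontEnd:
    """Hypothetical signon layer with an optional credential cache."""
    def __init__(self, external, cache_enabled, cache_ttl=300):
        self.external = external
        self.cache_enabled = cache_enabled
        self.cache_ttl = cache_ttl
        self.cache = {}                     # user -> (digest, expiry time)

    def signon(self, user, credential, now):
        digest = hashlib.sha256(f"{user}:{credential}".encode()).hexdigest()
        entry = self.cache.get(user) if self.cache_enabled else None
        if entry and now < entry[1] and hmac.compare_digest(entry[0], digest):
            # Cache hit: the external system, and its one-time-use
            # check, is never consulted for this request.
            return "accepted (cache hit)"
        if not self.external.validate(user, credential, now):
            return "rejected"
        if self.cache_enabled:
            self.cache[user] = (digest, now + self.cache_ttl)
        return "accepted (external check)"

def replay_demo(cache_enabled):
    """Present the same constructed PassTicket twice, 10 seconds apart."""
    external = ExternalSecuritySystem({("USERA", "T1CKET01"): 0})
    front_end = SignonFrontEnd(external, cache_enabled)
    return [front_end.signon("USERA", "T1CKET01", now=t) for t in (10, 20)]

if __name__ == "__main__":
    print("cache on :", replay_demo(True))
    print("cache off:", replay_demo(False))
```

With the cache enabled the second presentation of the same ticket is accepted from the cache; with it disabled the external system rejects the reuse.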

Signon When Security Options are Mixed

The security option for some other resources can be different from the security option for signon. For example, signon security might be external while security for other resources is internal.

In the case of mixed security options, the user must be identified to both the external and internal security systems, and a request for signon invokes signon to both security systems. Password checking is performed by either the external system or the internal system, depending on the security option for the SGON resource in the SRTT.

If a DDS connection between two CVs exists and one system has internal security while the other has external security, the CV running with internal security must have the userid of its job defined to allow two-phase commit resynchronization processing to complete successfully across the connected CVs.