Security System Checking Order

Administering › Managing User Authentication › LDAP Authentication › Security System Checking Order for Mainframe and LDAP Authentications

Security System Checking Order for Mainframe and LDAP Authentications

Depending on your installation settings, CA OM Web Viewer checks your LDAP or security credentials first. You normally configure this setting during installation on the LDAP Host Information panel.

Note: For more information about indicating LDAP user authentication, see the Installation Guide.

Regardless of the order of the security checks, if the user fails the first type of security check, the second type of security check is called.

For example, if the LDAP security is checked first and the user failed all of the LDAP Directory checks, CA OM Web Viewer attempts to check user credentials against mainframe security next.

Be aware that this setting might also affect your auto enrollment options.

With mainframe security checked first, if your user passes the mainframe security check, that user logs in to CA OM Web Viewer, and never checked against the LDAP system or enrolled into the Role using LDAP authentication.
With LDAP security checked first, the user is logged in to CA OM Web Viewer before they are given a chance to be automatically enrolled in the Default Role by mainframe security.

If your user has separate credentials for LDAP and mainframe security, this issue does not occur. It is only an issue when the user name and password are the same for both types of security.

External Security EXIT Authentication

External Security EXIT authentication refers to your existing Single-Sign-On security system external to Web Viewer. This authentication method is an extended Web Viewer LDAP security model via exit calls to determine the user access. This lets you bring large numbers of domain users to view report data without your having to define a mainframe profile and a LDAP directory system within Web Viewer.

A predefined profile object is called as EXIT with all profile fields set to EXTERNAL associated with a predefined Directory object named EXIT with all LDAP fields set to EXTERNAL. That means the user proxy profile and user LDAP directory systems are all external to Web Viewer and rely on External Security Service EXIT calls to authenticate web login users using external user directory system and obtain the mainframe user ID for the web user if validated.

Requirements

Except System Administrator, other user type roles can use External Security EXIT authentication
Note: The System Administrator must use the CA Output Management Web Viewer login form with mainframe credentials to log in to the System Administrator role.
Users that authenticated through External Security EXIT and assigned a shared mainframe profile can view data from CA View and CA Bundl repositories, but cannot access data from CA Dispatch repositories (CA Dispatch does not allow for shared credentials).

Profile

EXIT Profile presents a mainframe profile with credentials not stored in Web Viewer, but in customer SSO security system.
You can define a single mainframe user account as EXIT profile returned from exit calls to map your users to a mainframe profile so that many web users can use that single user mainframe account for mainframe report access.
Therefore, you can let your existing SSO security system authenticate the users who share the single set of credentials for the repositories and or for mainframe security.
We recommend that EXIT profile refers to a set of mainframe security credentials returned from exit calls rather than repository level internal security credentials. This practice simplifies administration and usage.
For example, it would be confusing to have the profile credentials expire at different times for different repositories.

Directory

EXIT Directory contains information which is all external to Web Viewer with all LDAP fields set to EXTERNAL.
A role has an assigned EXIT Directory object so that members of that role can be authenticated using authentication exit calls.

Auto Enrollment External Security EXIT Users

By default for the initial login, CA OM Web Viewer creates a user object with the web login user ID and places the authenticated user in the EXIT User Role automatically.

Any user validated via exit calls can log in to the product.
The EXIT User Role has been set up by System Administrator for Exit-authenticated users.
After the user logs in, the system places the user in EXIT User Role automatically. You can edit the options for this role, just as any other Role.
You can give the role access permissions that range from none to all repositories.