Identity propagation is a new identity assertion capability provided by z/OS V1R11 and CICS Transaction Server (CICS TS) V4.1. Together with new functions in WebSphere DataPower or the CICS Transaction Gateway (CICS TG), it supports a cross-platform, end-to-end security solution, providing for identity assertion, control, and auditing.
Modern enterprise information processing systems typically consist of multiple software components, each of which performs a distinct service. Over time, these services tend to be reused in different topologies, which raises the question of how to provide secure access between middleware components that use disparate security technologies. On IBM z/OS, any application that requires access to data will usually need to present a valid credential for authentication and subsequent authorization by the IBM RACF security manager. That strength becomes an obstacle when requests originate from a remote security registry that RACF knows nothing about. The usual answer has been some form of identity assertion, where a RACF identity is asserted without a password check; this relies on a level of predefined trust between the two systems. With IBM CICS TS, various techniques are possible, including:
- Use of a predefined link user ID
- Dynamic mapping of Secure Sockets Layer (SSL) client certificate identities to RACF user IDs
- Delegation via third-party identity management products such as IBM Tivoli Federated Identity Manager.
No matter what solution is used for identity assertion, the process of mapping distributed user identities to a RACF identity has, until now, been a one-way function, resulting in the loss of the original distributed identity once the mapping occurs. Although effective, such mapping solutions have several issues, including lack of end-to-end accountability, inflexibility, and loss of control. Identity propagation addresses these issues by allowing the z/OS security administrator to create a set of flexible rules, stored in the RACF database, ensuring the distributed identity persists after the mapping stage and remains visible for operational support and further auditing if required (see Figure 1).
The identity propagation function provided with RACF in z/OS V1R11 can be exploited when using CICS TS V4.1 with a set of enabling APARs: PK83741, PK95579, and PM01622, along with an additional APAR PK98426 for IBM CICSPlex SM. If Web service requests are being sent to CICS, then an IBM WebSphere DataPower appliance can be used to propagate the distributed identity to CICS so it can be mapped to a RACF user ID. Alternatively, if Java EE (JEE) components are using the CICS JEE Connector Architecture (JCA) resource adapter to call CICS applications, then CICS TG V8 can be used to propagate the distributed identity.
Distributed Identities and LDAP
A distributed identity is the user security context that originates from a security registry in the distributed system. It consists of the Distinguished Name (DN), which identifies the user, and the realm, which names the security registry the DN comes from. The distributed user is expected to be represented in the X.500 naming standard used by Lightweight Directory Access Protocol (LDAP) directories, the security registry commonly used for WebSphere Application Server (WAS) on distributed platforms. Each distinguished name is a sequence of relative distinguished names (RDNs), each of which is an attribute-value pair written in the string form defined by RFC 4514 (the RFC also allows one RDN to carry several pairs joined by "+", although this is rare in practice). For example, consider the mythical user, Alice, working in the sales organization of IBM U.K. She could be described using the following distinguished name:
Here, the distinguished name is built from four attribute types (CN, OU, O, and C), which are abbreviations for Common Name (CN), Organizational Unit (OU), Organization (O), and Country (C). RFC 4514 defines five further short names that every implementation must also recognize, namely localityName (L), stateOrProvinceName (ST), streetAddress (STREET), domainComponent (DC), and userId (UID). Other attribute types can be used as required, but because they fall outside this required set, a mapping rule that depends on them only works if the directory and the software performing the mapping agree on their names and meaning.
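The two technical points above, the RFC 4514 string form of a distinguished name and the rule-based mapping that keeps the distributed identity visible after a RACF user ID has been chosen, as one added example. This is illustrative Python written for this page, not code from the article, from RACF or from any IBM product: RACF's actual rule syntax is not reproduced, the `MappingRule` shape, the matching policy (a filter matches a DN that ends in the filter's RDNs, the most specific matching filter wins), the realm name `ldap.example.com`, Alice's DN and the RACF user IDs are all constructed assumptions. The parser handles backslash and hex escapes, multi-valued RDNs and unescaped whitespace, rejects malformed or empty DNs rather than mapping them, and `unknown_attribute_types` reports any attribute type outside the nine RFC 4514 short names listed above.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
# The nine attribute type short names every RFC 4514 implementation must recognise.
RFC4514_ATTRIBUTE_TYPES = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
RDN = List[Tuple[str, str]]  # one RDN may hold several attribute=value pairs joined by '+'

def parse_dn(dn: str) -> List[RDN]:
    """RDNs most specific first; handles '\\,' and '\\2C' escapes and '+' multi-valued RDNs."""
    rdns, rdn = [], []  # type: List[RDN], RDN
    attr, val, pending, in_type, i = "", bytearray(), bytearray(), True, 0
    while i < len(dn):
        ch = dn[i]
        if in_type:  # reading the attribute type up to '='; an empty type is malformed
            if ch == "=" and attr.strip():
                in_type = False
            elif ch in "=,+":
                raise ValueError(f"malformed RDN at offset {i}")
            else:
                attr += ch
            i += 1
            continue
        chunk, i = ch.encode("utf-8"), i + 1  # plain value character unless overridden below
        if ch == "\\":  # escape: '\<char>' or a '\XX' hex byte of the UTF-8 encoded value
            pair = dn[i:i + 2]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                chunk, i = bytes.fromhex(pair), i + 2
            elif i < len(dn):
                chunk, i = dn[i].encode("utf-8"), i + 1
            else:
                raise ValueError("dangling backslash at end of DN")
        elif ch in ",+":  # end of this attribute=value pair
            rdn.append((attr.strip().upper(), val.decode("utf-8")))
            attr, val, pending, in_type = "", bytearray(), bytearray(), True
            if ch == ",":
                rdns.append(rdn)
                rdn = []
            continue
        elif ch == " ":  # unescaped space: kept only if more value text follows
            pending += b" "
            continue
        if val:  # unescaped leading spaces are not part of the value
            val += pending
        pending = bytearray()
        val += chunk
    if in_type:  # covers '', a trailing separator and a type with no '=': none names a user
        raise ValueError("DN ends without a value")
    rdn.append((attr.strip().upper(), val.decode("utf-8")))
    rdns.append(rdn)
    return rdns

def unknown_attribute_types(dn: str) -> Set[str]:
    """Attribute types outside the nine RFC 4514 short names (directory-specific ones)."""
    return {t for rdn in parse_dn(dn) for t, _ in rdn if t not in RFC4514_ATTRIBUTE_TYPES}

def normalize(dn: str) -> List[RDN]:
    """Comparison form: case-fold values, order the pairs inside each multi-valued RDN."""
    return [sorted((t, v.lower()) for t, v in rdn) for rdn in parse_dn(dn)]

def filter_matches(dn_filter: str, dn: str) -> bool:
    """True when the filter equals the user's DN or its rightmost (least specific) RDNs."""
    f, d = normalize(dn_filter), normalize(dn)
    return 0 < len(f) <= len(d) and d[len(d) - len(f):] == f

@dataclass(frozen=True)
class DistributedIdentity:
    dn: str
    realm: str  # name of the originating security registry

@dataclass(frozen=True)
class MappingRule:  # hypothetical rule shape; RACF's own rule syntax is not reproduced here
    dn_filter: str
    realm: str
    racf_userid: str

@dataclass(frozen=True)
class MappedIdentity:
    racf_userid: str
    distributed: DistributedIdentity  # retained after mapping, so auditing can still see it

    def audit_line(self) -> str:
        return f"RACF user {self.racf_userid} acting for {self.distributed.dn} (realm {self.distributed.realm})"

def map_identity(ident: DistributedIdentity, rules: List[MappingRule]) -> Optional[MappedIdentity]:
    """Most specific rule for the identity's realm wins; None means no mapping (fail closed)."""
    best: Optional[MappingRule] = None
    for rule in rules:
        if rule.realm.lower() != ident.realm.lower() or not filter_matches(rule.dn_filter, ident.dn):
            continue
        if best is None or len(normalize(rule.dn_filter)) > len(normalize(best.dn_filter)):
            best = rule
    return None if best is None else MappedIdentity(best.racf_userid, ident)

# Constructed sample rules: an exact rule for Alice and a coarse rule for the rest of Sales.
SAMPLE_RULES = [
    MappingRule("OU=Sales,O=IBM,C=UK", "ldap.example.com", "SALESUSR"),
    MappingRule("CN=Alice,OU=Sales,O=IBM,C=UK", "ldap.example.com", "ALICE"),
]
```

Two design choices matter for the security property the article describes. `map_identity` returns `None` rather than a default user when no rule matches the realm and DN, so an unexpected registry or an unexpected part of the directory tree is refused instead of silently sharing a generic ID. And the `MappedIdentity` carries the original `DistributedIdentity` alongside the chosen RACF user ID, which is exactly the end-to-end accountability a one-way mapping loses: `audit_line()` can name both the RACF user that ran the transaction and the distributed user on whose behalf it ran.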