EIS-Tier Security

In the EIS tier, an application component requests a connection to an EIS resource. As part of this connection, the EIS may require a sign-on for the requester to access the resource. The application component provider has two choices for the design of the EIS sign-on:

Container-Managed Sign-On


In container-managed sign-on, an application component does not have to pass any sign-on security information to the getConnection() method. The security information is supplied by the container, as shown in the following example.

// Business method in an application component
Context initctx = new InitialContext(); 
// Perform JNDI lookup to obtain a connection factory
javax.resource.cci.ConnectionFactory cxf =
     (javax.resource.cci.ConnectionFactory)initctx.lookup(
      "java:comp/env/eis/MainframeCxFactory"); 
// Invoke factory to obtain a connection. The security
// information is not passed in the getConnection method
javax.resource.cci.Connection cx = cxf.getConnection();
... 

Component-Managed Sign-On

In component-managed sign-on, an application component is responsible for passing the sign-on security information that the resource needs to the getConnection() method. For example, the security information might be a user name and password, as shown here:

// Method in an application component
Context initctx = new InitialContext(); 
// Perform JNDI lookup to obtain a connection factory
javax.resource.cci.ConnectionFactory cxf =
     (javax.resource.cci.ConnectionFactory)initctx.lookup(
       "java:comp/env/eis/MainframeCxFactory"); 
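// Get a new ConnectionSpec
com.myeis.ConnectionSpecImpl properties = //.. 
// Set the sign-on security information on the ConnectionSpec
properties.setUserName("...");
properties.setPassword("...");
// Invoke factory to obtain a connection, passing the
// security information in the getConnection method
javax.resource.cci.Connection cx = 
  cxf.getConnection(properties);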
... 

Configuring Resource Adapter Security

In addition to configuring the sign-on, you can configure the following security settings for the resource adapter: authentication mechanisms, reauthentication support, and security permissions.

To configure these settings using deploytool, do the following:

  1. Select the resource adapter file.
  2. Select the Security tabbed pane.
  3. In the Authentication Mechanisms pane, specify the authentication mechanisms that are supported by this resource adapter:
    1. Select Password to require a user name and password to connect to an EIS.
    2. Select Kerberos Version 5.0 to require the resource adapter to support the Kerberos authentication mechanism.
    3. You can select more than one mechanism or no mechanism. If you do not select one, no standard security authentication is supported as part of the security contract.

  4. Select Reauthentication Supported if the resource adapter implementation supports performing reauthentication on an existing physical connection. Reauthentication is performed when an application server calls the getConnection method with a security context that is different from the one used to establish the connection. This information is for the resource adapter implementation and not for the underlying EIS instance.
  5. In the Security Permissions pane, click Add to enter a security permission that the resource adapter needs to access system resources in the operational environment. You specify only those permissions that are not included in the default set (see section 11.2 of the Connector specification). For example, to allow the resource to look up the name of any remote host, add the following security permission:

    permission java.net.SocketPermission "*", "resolve";

    For each security permission you add, click the column to the far right (labeled with a folded paper) to enter a description for the permission. To delete a security permission, select the permission in the table and click Delete.