EIS-Tier Security
In the EIS tier, an application component requests a connection to an EIS resource. As part of this connection, the EIS may require a sign-on to the resource. The application component provider has two choices for the design of the EIS sign-on:
- With the container-managed sign-on approach, the application component lets the container take the responsibility of configuring and managing the EIS sign-on. The container determines the user name and password for establishing a connection to an EIS instance.
- With the component-managed sign-on approach, the application component code manages EIS sign-on by including code that performs the sign-on process to an EIS.
The component provider can use deploytool to choose the type of sign-on.

Configuring Sign-On

Use the following procedure in deploytool to configure the type of sign-on.
- Select the component.
- Select the Resource Refs tab.
- Click Add.
- In the Authentication combo box, select either Container for container-managed sign-on or Application for component-managed sign-on.
Container-Managed Sign-On
With container-managed sign-on, an application component does not have to pass any security information for signing on to the resource to the getConnection() method. The security information is supplied by the container, as shown in the following example.

```java
// Business method in an application component
Context initctx = new InitialContext();

// perform JNDI lookup to obtain a connection factory
javax.resource.cci.ConnectionFactory cxf =
    (javax.resource.cci.ConnectionFactory)initctx.lookup(
        "java:comp/env/eis/MainframeCxFactory");

// Invoke factory to obtain a connection. The security
// information is not passed in the getConnection method
javax.resource.cci.Connection cx = cxf.getConnection();
...
```

Component-Managed Sign-On
With component-managed sign-on, an application component is responsible for passing the security information that is needed for signing on to the resource to the getConnection() method. Security information could be, for example, a user name and password, as shown in the following code.

```java
// Method in an application component
Context initctx = new InitialContext();

// perform JNDI lookup to obtain a connection factory
javax.resource.cci.ConnectionFactory cxf =
    (javax.resource.cci.ConnectionFactory)initctx.lookup(
        "java:comp/env/eis/MainframeCxFactory");

// Invoke factory to obtain a connection
com.myeis.ConnectionSpecImpl properties = //..

// get a new ConnectionSpec
properties.setUserName("...");
properties.setPassword("...");
javax.resource.cci.Connection cx =
    cxf.getConnection(properties);
...
```

Configuring Resource Adapter Security
In addition to configuring the sign-on, you must also configure the resource adapter security. To add security to a resource adapter, complete the following steps:
- Select the resource adapter RAR (Resource Adapter Archive).
- Select the Security tab. In the Authentication Mechanisms pane, select the authentication mechanisms that this resource adapter supports:
  - Password: A user name and password are required to connect to an EIS.
  - Kerberos Version 5.0: The resource adapter supports the Kerberos authentication mechanism. See RFC-1510, The Kerberos Network Authentication Service (V5), for details. This specification can be found at http://www.ietf.org/rfc/rfc1510.txt.

  You can select no mechanism, one mechanism, or multiple mechanisms. If you do not select a mechanism, no security authentication will be supported.
- Select Reauthentication Supported if the resource adapter supports performing reauthentication on an existing physical connection. Reauthentication will be performed when an application server calls the getConnection() method with a security context that is different from the one that was used to establish the connection.
- In the Security Permissions pane, click the Add button to add a security permission that your resource adapter needs to access system resources in your operational environment. Specify only permissions that are not included in the default set, which are listed in Table 2 of Section 11.2 in the J2EE Connector Architecture Specification 1.0.
- For each security permission, click the rightmost column labeled with a folded paper icon to enter a description for the permission.
To delete a security permission, select the permission in the table and click Delete.
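
The choices made in the two deploytool procedures above are recorded in deployment descriptors, which is where a reviewer can check them. The fragments below are an added example, not part of the original tutorial: they use the standard J2EE 1.3 and Connector 1.0 descriptor elements with the reference name from the code above, and the permission path and description are constructed for illustration.

```xml
<!-- Added example: descriptor fragments, not from the original tutorial. -->

<!-- 1. Component descriptor (ejb-jar.xml or web.xml): type of sign-on. -->
<resource-ref>
  <res-ref-name>eis/MainframeCxFactory</res-ref-name>
  <res-type>javax.resource.cci.ConnectionFactory</res-type>
  <!-- Container   = container-managed sign-on: no credentials in code.
       Application = component-managed sign-on: the component passes
                     them to getConnection(). -->
  <res-auth>Container</res-auth>
</resource-ref>

<!-- 2. Resource adapter descriptor (ra.xml), inside <resourceadapter>. -->

<!-- One entry per supported mechanism. With no entry at all, the
     adapter supports no security authentication. -->
<authentication-mechanism>
  <authentication-mechanism-type>BasicPassword</authentication-mechanism-type>
  <credential-interface>javax.resource.security.PasswordCredential</credential-interface>
</authentication-mechanism>
<authentication-mechanism>
  <authentication-mechanism-type>Kerbv5</authentication-mechanism-type>
  <credential-interface>javax.resource.security.GenericCredential</credential-interface>
</authentication-mechanism>

<!-- true only if the adapter can reauthenticate an existing physical
     connection under a different security context. -->
<reauthentication-support>false</reauthentication-support>

<!-- Extra permission beyond the default set, in policy file syntax.
     Keep the target and actions as narrow as the adapter allows.
     The path below is a constructed sample value. -->
<security-permission>
  <description>Constructed sample: read the adapter trace directory</description>
  <security-permission-spec>
    grant {
      permission java.io.FilePermission "/var/myeis/trace/-", "read";
    };
  </security-permission-spec>
</security-permission>
```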