We are looking into Kerberos as a way of authenticating users accessing
CICS 3270 legacy transactions. These users will be coming into CICS through
WebMethods from a browser via TN3270E. We do not want to use RACF user IDs
and passwords since they will be exposed along the way.

We cannot tell from what we have read if this will be transparent to CICS --
handled by RACF -- and CICS will get whatever it needs to satisfy the
sign-on. Is this something that you can answer or at least point me to an
explicit document that addresses Kerberos and CICS?

There is rather more to this question than meets the eye -- which is why
I've been slightly tardy in replying to it. There is a lot more I could say
on this topic, but I've limited my reply to what is most relevant.
My initial observation is that you appear to be wanting to run TN3270
sessions outside of your firewall. I deduce this because a concern about
sensitive information like a logon ID/password flowing over IP would not
apply inside a firewall as your own organization would have enough controls
in place to stop worrying about this. After all, Logonid+Password are only
SOME of the sensitive things that will be whizzing around, and you probably
don't worry too much about these other items inside a firewall.
So, you are probably worried about eavesdropping over an external network and
so want to protect -- at least -- some part of your flows. The only way you
are going to get a TN3270 session protected over a potentially insecure
network is by using SSL connections from the client to the host. This comes
in two parts depending on whether you only need encryption (so securing the
flows) or need authentication as well (that the user of the client is
authorized).
I think that you are only really interested in the encryption part -- as
there does not seem to be any significant benefit to getting authorization
to use the TN3270 server on the host when you are going to sign on to CICS
once you have arrived in MVS.
Thus, you need SSL certificates all round. You will configure your host
TCP/IP stack to accept SSL traffic upon a given port, and then use this
port on the 3270 emulator installed on the clients. The emulator will be
set to contact this port with SSL protocols flowing. The initial handshake
will check the certificates and establish the encryption regime between the
TN3270 client on the workstation and the TN3270 server on the host. Flows
are then secure from prying. You then use the session manager to route to
the APPLID of the relevant CICS region and sign on there with the usual
LOGONID+PASSWORD.

There does not seem to be any way to use Kerberos facilities to communicate
with a host CICS. You could try using a TxSeries CICS on an AIX/UNIX box
as an intermediary -- but that does not seem very appealing.
I also had a look at the possibility of getting a passticket down to a
workstation and then using that as a password to avoid using an SSL
communication -- but that turns out to be very tedious. You would have to
use a CICS Transaction Gateway to route a request to MVS which would issue
the passticket. Once this had returned to the workstation, you then have
the problem of how to get this returned temporary-use-once-in-an-interval
password inserted onto the emulated screen. I guess you would have to write
a macro or Java script to do this operation of getting the passticket and
inserting it onto the screen. Again, this does not fill me with a huge
amount of glee. You also have an exposed user ID in addition to all the
screens being visible.

A better possibility might be to use CICS/Windows on the workstation or
even restructure the applications so that the CTG can do the work via the
equivalent of a routed XC LINK.
However you arrange things, unless you use SSL you are always going to be
open to the potential of eavesdropping using IP over a public network -- the
degree of risk depends upon what architectural arrangements (firewalls,
etc.) you adopt along with the code and functions implemented.
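An added client-side check for the SSL arrangement described in the answer (example code, not part of the original exchange): it builds a TLS context that actually verifies the host's certificate during the handshake, and it tells a plaintext TN3270(E) port, where LOGONID+PASSWORD would cross the network in clear, apart from an SSL port by looking at the first bytes the server sends. The host name, port and CA bundle path are assumptions.

```python
import socket
import ssl

IAC, DO, WILL = 0xFF, 0xFD, 0xFB            # Telnet negotiation bytes
TN3270E_OPT, TERMINAL_TYPE_OPT = 0x28, 0x18  # options a TN3270(E) server offers
TLS_RECORD_TYPES = {0x15: "alert", 0x16: "handshake"}

def tn3270_tls_context(ca_bundle=None):
    """Client context with the checks the handshake relies on: TLS 1.2+, and
    the server certificate must chain to a trusted CA and match the host."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # ca_bundle: assumed path
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def classify_first_bytes(data):
    """Label the first bytes a server sends.  A plaintext TN3270(E) server
    opens with Telnet option negotiation (IAC DO/WILL TN3270E or
    TERMINAL-TYPE); a TLS port only answers our ClientHello with a TLS record."""
    if len(data) >= 3 and data[0] == IAC and data[1] in (DO, WILL):
        if data[2] == TN3270E_OPT:
            return "plaintext-tn3270e"
        if data[2] == TERMINAL_TYPE_OPT:
            return "plaintext-telnet"
        return "plaintext-telnet-other"
    if len(data) >= 3 and data[0] in TLS_RECORD_TYPES and data[1] == 0x03:
        return "tls-" + TLS_RECORD_TYPES[data[0]]
    return "unknown"

def probe(host, port=992, ca_bundle=None, timeout=3.0):
    """Connect to the emulator port (host/port assumed) and report whether the
    path is protected; raises ssl.SSLCertVerificationError on a bad cert."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        first = raw.recv(64)        # a plaintext Telnet server speaks first
    except socket.timeout:
        first = b""                 # a TLS server waits for our ClientHello
    if first:
        raw.close()
        return {"secure": False, "observed": classify_first_bytes(first)}
    ctx = tn3270_tls_context(ca_bundle)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        cert = tls.getpeercert()
        return {"secure": True, "version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(x[0] for x in cert.get("subject", ()))}
```

A result with `"secure": False` means the port is serving TN3270 without SSL and the sign-on described above should not be typed into it from outside the firewall.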