We are looking into Kerberos as a way of authenticating users accessing CICS 3270 legacy transactions. These users...
will be coming into CICS through WebMethods from a browser via TN3270E. We do not want to use RACF user IDs and passwords since they will be exposed along the way.
We cannot tell from what we have read if this will be transparent to CICS -- handled by RACF -- and CICS will get whatever it needs to satisfy the sign-on. Is this something that you can answer or at least point me to an explicit document that addresses Kerberos and CICS?
There is rather more to this question than meets the eye -- which is why I've been slightly tardy in replying to it. There is a lot more I could say on this topic, but I've limited my reply to what is most relevant.
My initial observation is that you appear to be wanting to run TN3270 sessions outside of your firewall. I deduce this because a concern about sensitive information like a logon ID/password flowing over IP would not apply inside a firewall as your own organization would have enough controls in place to stop worrying about this. Afterall, Logonid+Password are only SOME of the sensitive things that will be wizzing around, and you probably don't worry too much about these other items inside a firewall.
So, you are probably worried about evesdroping over an external network and so want to protect -- at least -- some part of your flows. The only way you are going to get a TN3270 session protected over a potentially insecure network is by using SSL connections from the client to the host. This comes in two parts depending on whether you only need encryption (so securing the flows) or need authentication as well (that the user of the client is authorized).
I think that you are only really interested in the encryption part -- as there does not seem to be any significant benefit to getting authorization to use the TN3270 server on the host when you are going to sign-on to CICS once you have arrived in MVS.
Thus, you need SSL certificates all round. You will configure your host TCP/IP stack to accept SSL traffic upon a given port, and then use this port on the 3270 emulator installed on the clients. The emulator will be set to contact this port with SSL protocols flowing. The initial handshake will check the certificates and establish the encrytion regime between the TN3270 client on the workstation and the TN3270 server on the host. Flows are then secure from prying. You then session manager route to the APPLID of the relevant CICS region and signon there with the usual LOGONID+PASSWORD.
There does not seem to be any way to use Kerberos facilities to communicate with a host CICS. You could try using a TxSeries CICS on an AIX/UNIX box as an intermediary -- but that does not seem very appealing.
I also had a look at the possibility of getting a passticket down to a workstation and then using that as a paassword to avoid using a SSL communication -- but that turns out to be very tedious. You would have to use a CICS Transaction Gateway to route a request to MVS which would issue the passticket. Once this had returned to the workstation, you then have the problem of how to get this returned temporary-use-once-in-an-interval password inserted onto the emulated screen. I guess you would have to write a macro or Java script to do this operation of getting the passticket and inserting it onto the screen. Again, this is does not fill me with an huge ammount of glee. You also have an exposed user ID in addition to all the screens being visible.
A better possibility might be to use CICS/Windows on the workstation or even restructure the applications so that the CTG can do the work via the equivalent of a routed XC LINK.
However you arrange things, unless you use SSL you are always going to be open to the potential of evesdroping using IP over a public network -- the degree of risk depends upon what architectural arrangements (firewalls, etc.) you adopt along with the code and functions implemented.
Dig Deeper on IBM system z and mainframe systems
Related Q&A from Robert Crawford
For better mainframe capacity planning, how do I convert CPU hours to MIPS? And is there a way to calculate the relationship between MIPS and MSUs? Continue Reading
I have two years of experience in mainframe technology, currently working as a mainframe developer. I want to change to Java technology. Continue Reading
I want to replicate DB2 from the mainframe to an AIX box since it's cheaper and the copy can be used for testing. Is this possible? Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.