IMS Connect security for clients of IMS DB

For clients that connect to IMS DB through ODBM, such as the IMS Universal drivers and clients using the Distributed Relational Database Architecture (DRDA), IMS Connect authenticates the user, but does not check the authority of the user to perform any actions.

To authenticate a user ID for an IMS DB client, IMS Connect can use the IMS Connect DB Security user exit routine (HWSAUTH0), a security product such as RACF®, or both. For IMS DB clients, IMS Connect also provides support for RACF PassTickets.

IMS Connect always calls the HWSAUTH0 user exit, regardless of whether RACF or another security product is enabled. If RACF support is included in your IMS Connect configuration, IMS Connect calls the HWSAUTH0 user exit before invoking RACF.

If IMS Connect is configured to call RACF, you can enable RACF security statistics to be recorded when IMS Connect issues the RACF call RACROUTE REQUEST=VERIFY to authenticate ODBM client connections to IMS DB. You can enable RACF statistics either by specifying ODRACFST=Y in the ODACCESS statement or by issuing the online IMS Connect command UPDATE IMSCON TYPE(CONFIG). After you enable RACF statistics, RACF records the statistics no more than once per day to a system management facility (SMF) data set or log stream. The SMF data set or log stream that is used to record the RACF statistics is specified in the RACF configuration.

The HWSAUTH0 user exit routine can override the input user ID with a different user ID and can provide a RACF group ID to be authenticated further by IMS Connect.

The HWSAUTH0 user exit routine is a BPE type-1 user exit routine and is refreshable.

IMS Connect does not support Secure Sockets Layer (SSL) directly for clients that connect to IMS DB. To secure connections to IMS DB with SSL, use the Application Transparent Transport Layer Security (AT-TLS) feature of IBM® z/OS® Communications Server. The use of AT-TLS is transparent to IMS Connect.
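
The following z/OS Communications Server Policy Agent fragment shows the kind of AT-TLS rule that covers inbound IMS DB client connections. It is an added example, not taken from the IMS or z/OS product documentation. The port number 8899, the job name HWS1, the key ring name HWSRING, and the rule and action names are assumptions to be replaced with site values.

```text
# AT-TLS policy fragment (constructed example).
# Assumed values: port 8899 is the port on which IMS Connect accepts
# IMS DB (DRDA) clients, HWS1 is the IMS Connect job name, and HWSRING
# is a key ring owned by the IMS Connect user ID that holds the server
# certificate.

TTLSRule                       IMSConnDRDAInbound
{
  LocalPortRange               8899        # assumed IMS DB client port
  Direction                    Inbound
  Jobname                      HWS1        # assumed IMS Connect job name
  TTLSGroupActionRef           grpEnableTTLS
  TTLSEnvironmentActionRef     envIMSConnServer
}

TTLSGroupAction                grpEnableTTLS
{
  TTLSEnabled                  On
}

TTLSEnvironmentAction          envIMSConnServer
{
  HandshakeRole                Server      # IMS Connect is the TLS server side
  TTLSKeyringParms
  {
    Keyring                    HWSRING     # assumed key ring name
  }
  TTLSEnvironmentAdvancedParms
  {
    TLSv1                      Off
    TLSv1.1                    Off
    TLSv1.2                    On
  }
}
```

Because the TCP/IP stack performs the handshake, the IMS Connect configuration does not change. The rule must match the port and job name exactly, because a connection that matches no rule is not protected by AT-TLS.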