We’re entertaining setting up EntireX RPC server on mainframe with Natural backend applications. What would be the security options available to control, provide appropriate access permission for our RPC clients?
There are a number of options for security with EntireX and Natural RPC. I’m assuming you are using Natural RPC Server to access the backend applications as EntireX RPC supports Cobol, C and other non-Natural backend applications.
EntireX Security provides the SAF Gateway that lets you identify and authenticate users based on RACF, ACF2 or Top Secret. Depending on the applications, you can either provide a role-based userid (“generic userid”) and password (commonly used approach for public, internet applications) or you can prompt your end-user for their SAF userid and password in your front-end application, passing those credentials to EntireX for authentication with the SAF Security product.
Next, EntireX Security allows you to define resource profiles (which are structured in a similar manner to dataset names). Permission can be granted to allow a user to register the class/server/service (RPC/server/CALLNAT), allowing you to determine who is authorized to start the server and prevent rogue / trojan servers from being started. Permission is granted to authorize users (or user groups, as defined by the SAF product) to use the service (again, at the RPC/server/CALLNAT level).
Once into the service in Natural, users can execute client application subprograms that have had Wrappers generated for them. You can either set the Natural RPC Server’s logon option (LOGONRQ) to OFF, allowing any Broker client to access the RPC Server’s library’s subprograms (the initial library can be set via the Natural RPC Server’s STACK command at server startup), or you can start the RPC Server with LOGONRQ=ON, requiring that the client application logon to Natural Security also (the syntax for this varies a bit according to client application tools, but is “setNaturalLogon(true)” or “obj.NaturalLogon = true” or something similar). The RPCUserID and RPCPassword must be set to the Natural Security Userid and Password. You can then apply Natural Security requirements to the Natural Security userid (RPCUserID) - control access to the library, allow or disallow access to modules, etc. *USER will contain the logged-on Natural Security userid.
Use of Natural Security does not require the use of EntireX Security. If both are available to you, and your SAF userids are the same as your Natural Security userids, you can use the LOGON OPTION as of Natural 3.1.6 and above. When set to “S”, the RPCUserID must match the EntireX userid and the RPCPassword does not have to be given. This makes sense when EntireX Security authenticates the EntireX userid.
If you have Natural SAF installed, you can use SAF profiles to protect RPC calls down to the subprogram level, rather than just at the service level.
Hope this helps.
Douglas Kelly,
Principal Consultant
Software AG, Inc
Sacramento, California
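
The layered checks described in the answer above, as an added example that is not part of the original post and is not EntireX or Natural code: a simplified Python model of which layer refuses a call under each setting. `Config`, `Request`, `check` and the sample users are hypothetical names; only LOGONRQ, LOGON OPTION “S”, RPCUserID, RPCPassword and the RPC/server/CALLNAT profile come from the post.

```python
from dataclasses import dataclass

@dataclass
class Config:
    entirex_security: bool   # EntireX Security (SAF Gateway) active at the Broker
    saf_users: dict          # userid -> password; stands in for RACF/ACF2/Top Secret
    service_acl: dict        # "RPC/<server>/CALLNAT" -> userids permitted to use it
    logonrq: bool            # Natural RPC Server started with LOGONRQ=ON
    logon_option_s: bool     # Natural Security LOGON OPTION set to 'S'
    nsc_users: dict          # Natural Security userid -> password
    nsc_libraries: dict      # Natural Security userid -> libraries it may use

@dataclass
class Request:
    broker_user: str
    broker_password: str
    service: str
    library: str
    natural_logon: bool = False   # client-side setNaturalLogon(true)
    rpc_user: str = ""            # RPCUserID
    rpc_password: str = ""        # RPCPassword

def check(cfg, req):
    """Return 'ALLOW' or 'DENY: <layer that refused the call>'."""
    if cfg.entirex_security:
        if cfg.saf_users.get(req.broker_user) != req.broker_password:
            return "DENY: SAF authentication"
        if req.broker_user not in cfg.service_acl.get(req.service, set()):
            return "DENY: resource profile"
    if not cfg.logonrq:
        return "ALLOW"  # any Broker client that got this far may call the library
    if not req.natural_logon:
        return "DENY: Natural logon required"
    if cfg.logon_option_s:
        # RPCUserID must match the EntireX userid; RPCPassword is not needed
        if req.rpc_user != req.broker_user:
            return "DENY: RPCUserID mismatch"
    elif cfg.nsc_users.get(req.rpc_user) != req.rpc_password:
        return "DENY: Natural Security logon"
    if req.library not in cfg.nsc_libraries.get(req.rpc_user, set()):
        return "DENY: library access"
    return "ALLOW"

# Constructed sample data (not from the original post)
BASE = dict(saf_users={"APPUSR": "s3cret"},
            service_acl={"RPC/SRV1/CALLNAT": {"APPUSR"}},
            nsc_users={"APPUSR": "nscpw"}, nsc_libraries={"APPUSR": {"ORDERS"}})
```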