EntireX Security and Natural RPC’s use of Natural Security are separate, but can work together.
You can use EntireX Security to authenticate the user to SAF (RACF) and authorize them to use the class/server/service. This has no relationship to any security arrangements internal to that server, including Natural Security (with one useful exception which I will get to). This simply determines whether or not Broker will send messages from the client to the server. The SAF (RACF) userid is supplied in the Broker constructor:
broker = new Broker(brokerId, userId); EntireX Security is connected with the setSecurity method:
broker.setSecurity(new EntireXSecurity(), false); and the SAF password is supplied on the logon method:
broker.logon(password);
To pass Natural Security logon values to the Natural RPC Server, the client must supply these properties to the RPC Wrapper object:
- NaturalLogon=true
- Library = (Natural Security Library to execute in, can use default from IDL)
- RPCUserid = (Natural Security userid)
- RPCPassword = (password for the RPCUserid in Natural Security) For example:
myTest.setLibraryName(“MYLIB”);
myTest.setRPCUserId(“SAF01”);
myTest.setRPCPassword(“SECRET”);
myTest.setNaturalLogon(true);
These values are independent of whether EntireX Security is being used or not. The Natural RPC server can require that all clients do a Natural Security Logon by specifying LOGONRQ=ON. If LOGONRQ=OFF, clients that do not use NaturalLogon=true will execute in the default library that the RPC server is started in, but the clients can still specify NaturalLogon=true and log on to a different library.
If the Natural Security logon is done, *USER is set to the RPCUserID.
Note that the Natural Security RPCUserId does not have to be the same as the EntireX Security userid. However, there are some options when both are used (which I always recommend to my customers). If the Natural Security userid is the same as the SAF userid, there is a Natural Security Library “logon” option (set by library in Natural Security administration) that can be N, A, S or E:
- N - none - Library, RPCUserId and RPCPassword are evaluated by Natural Security
- A - (Auto) RPCPassword not required
- E - EntireX UserId must be the same as Natural Security userid. RPCPassword is required
- S - EntireX UserId must be the same as Natural Security userid. RPCPassword is NOT required
Option “S” is what I recommend when EntireX Security is used - the userid is authenticated by EntireX Security and Natural Security accepts that authentication (similar to AUTO=ON).
Hope this helps,
Douglas Kelly,
Principal Consultant,
SoftwareAG, Inc
-----Original Message-----
Sent: Friday, October 01, 2004 9:07 AM
To: entirex-l
Subject: [entirex-l] EntireX RPC Security
Can someone explain to me how Authentication and Authorization security works with EntireX using RPC not ACI?
My scenario is simple, Java client requests info from Natural/DB2 program running on OS/390, demographic info for instance. Client needs to first be authenticated against RACF and then authorized to access the target RPC service.
I assumed that with EntireX Security when a client issues a typical RPC send command the target program has access to that user-id and can assign it to *user in Natural.
I have scoured the manual and the Java Docs specify a method:
public final void setRPCUserId(java.lang.String