Currently it seems the only way to sign on to NDV from SPoD is to use Natural Security ID and password. Our other mainframe Natural nuclei use RACF (USERID=YES parm in the nucleus assembly). Is there a way to get the NDV nucleus to honor the same security? It is a hassle to maintain our users in two separate security systems.
On another security front, the PC client talking to the mainframe NDV does not encrypt or secure the logon data. Is it possible to get SSL working between SPoD and NDV?
I am not asking for it to check everything in RACF, only the ID and password as they sign on. The rest of the SPoD session would still be governed by NSC. This is how it works with every other Natural nucleus, even the Shared one (and CICS also a multi-user environment).
Natural currently does a call to NSC to authorize each SPoD user at sign-on time. Why not (optionally) also do RACROUTE call to check the individual ID/Password? I am just asking for the same functionality that is provided by Natural everywhere else.
What about the possibility of SSL between the client and NDV?
This is something that was requested back when NDV first came out, it has been indicated that the functionality IS going to be built into NDV.
The first document indicating this was from the ServLine24 knowledge base document # 47643, which originally indicated that the next release of NDV whould have this functionality. When NDV v2.1.1 did not support external security packages the referenced document was updated to read that it is “planned for future releases”.
NATURAL doesn’t “check the password” using RACROUTE, I assume what you are referring to is AUTO=ON processing where NATURAL assumes your identity / password are already verified.
With NDV214 (Mainframe) external security and client impersonation is supported.
The Client is authenticated by the external security system and all operations performed on the NDV server are performed under the client account instead under the anonymous NDV account.
Natural Security definitions are still in effect. And additionally the rules of the external security system, defined for each particular client, are apply.
How about one further request for the future of SPoD? When a person signs on to their PC, they currently use a domain ID known to our (Microsoft) AD server. Could we propogate this same ID as the NDV ID and have it validated via AD (perhaps using ADFS)? Just some thought for the future of a PC based product… single signon is extremely high in demand these days and we are moving that direction on all of our platforms. It would help us greatly if SAG has similar ideas for the future.
It might work without AD dependency. For me/us a simple “Remember user and password” checkbox on the Map Environment logon dialog box would be sufficient. In addition we should have an option for “Auto Map at startup”, so that Natural Studio maps to (a) selected environment(s) immediately after startup.
The option to auto-map certain environments would be fairly simple to do yourself using plugins, the only tough part would be storing the password someplace. I think one would want to use a good encrypt/decrypt method for storing it locally (registry?? encrypted file for mapping/password pairs??)
If one could assume that logging into a machine on the network is enough then the auto-map becomes quite simple, as long as the logon userid is the same for both environments.