What Does 'Impersonation' Actually Do?

John_Fowler · October 14, 2011, 8:31pm

We have been struggling to get a grasp on Impersonation under CICS. We have an RPC Server running, but the actual implications of what ‘impersonation’ still seem to ellude us.

From the documentation:

If impersonation is active for the Natural RPC server, a client request that uses the Logon Option is from the perspective of CICS executed under the user ID that the client passes in the LOGON data (called Natural RPC user ID). Impersonation under CICS uses the CICS option to start a CICS task under a given user ID. After a client request has arrived the Natural RPC server front-end starts a new CICS task using the USERID() option of the EXEC CICS START TRANSID() command, where USERID is the Natural RPC user ID. The User authentication (verification of the Natural RPC user ID) is performed by CICS, typically by using the underlying external security system. After successful authentication, the user’s identity is established for the CICS task. Any subsequent authorization checks will be performed based on this identity. This means that all accesses to resources that are controlled by CICS are authorized for this identity. This applies especially to accesses to CICS resources and to data bases.

What are the implications? What value should be in some of the system variables when executing a Natural object through a CICS RPC Server with Impersonation? e.g. What will be the values for:

*APPLIC-ID/*APPLIC-NAME:
*DEVICE:
*INIT-PROGRAM:
*INIT-USER:
*LIBRARY-ID:
*NET-USER:
*TP:
*TPSYS:
*USER:

Our specific issue appears to be that when the RPC Server task is started under CICS, the user (or owner) associated with that task is the user-id that is loaded into *INIT-USER as well as in the ‘control block’ that is utilized or referenced by CICS as well as by RACF in our case. Thus, even though we pass a user-id through the web service, we are not able to truly verify authority with RACF as the user-id that is passed is not the user-id that gets loaded into *INIT-USER or the ‘control block’. We were hoping to be able to leverage our existing security infrastructure as we modernize our system.

Just looking to get a discussion going on Impersonation, what it ‘truly’ is or will do, who is using, how, etc.

Thanks.

Versions of Stuff:
Natural 4.2.6
Natural CICS Interface 4.2.6
Natural for DB2 4.3.1
z/OS 1.10.00
Natural nucleus version : 4.2.6
Natural system file version : 4.2.6 service pack 5
Natural RPC version : 6.3.3 update level 3
Natural RPC front-end version : 6.3.2

anon66457657 · October 15, 2011, 6:59pm

John,
I don’t know to which ‘control block’ that is utilized or referenced by CICS as well as by RACF you are referring. If you access the ACEE in the impersonated CICS task using EXEC CICS ADDRESS ACEE() you get the ACEE for the impersonated user ID (which is the client user ID in the LOGON data).
*INIT-USER contains indeed always the user ID of the user who has started the RPC server front-end.
Best regards

John_Fowler · October 17, 2011, 6:17pm

I believe RACF is accessing data in the ACEE.

Can you give a specific example of

What is LOGON data? What user ID do you expect to be in there?

Example:

CICS RPC Server with Impersonation is started as a task under owner TXU.

A web service is called with following in SOAP Header:
User = RACF-USER-ID
PW = RACF-USER-ID-PW
RPC-User = Natural-User-ID <---- This is the user ID we are trying to impersonate
RPC PW = Natural-User-ID-PW

The web service returns system variables, and shows the following values:

*INIT-USER = TXU <-------- The owner that started the task
*USER = Natural-User-ID

I am 99.99% certain that the ACEE block contains ‘TXU’ as a user ID. This is the result of TXU being the ‘user’ that created/initiated the CICS connection. The ACEE does not get overlaid/updated through Impersonation.

Is that what you would expect?

Douglas_Kelly · October 21, 2011, 10:41pm

are your RPC User IDs the same as the RACF User IDs? If so, use the Natural Security Logon Option to ensure that the user id is authenticated by EntireX Security and the two id’s are the same. Then *USER will be your ACEE user id.