Sunday, October 5, 2014

CICS External Authentication Module (EAM)


To enable EAM

  • Set the EAMLoad attribute to yes in the /var/cics_regions/region_name/RD/RD.stanza file. 
  • Set the EAMModule attribute in the same RD.stanza file to the full path and file name of the compiled EAM module. 


To enable the LDAP connection through EAM, set the following values in the CICS® region's environment file:

  • CICS_LDAP_HOST specifies the name of the host where the LDAP server is configured and running, for example: CICS_LDAP_HOST=myldap.aetna.com 
  • CICS_LDAP_PORT specifies the port on which the LDAP server is listening for client connections, for example: CICS_LDAP_PORT=4000. If CICS_LDAP_PORT is not specified in the region's environment file, the EAM uses 389, the standard LDAP port, as the default. 

Because the EAM forwards each user's ID and password to that host for validation, make sure the network path between the region and the LDAP server is a trusted or protected one.


The EAM module is called whenever:

  • A user ID and password combination needs to be authenticated 
  • A password needs to be changed in the external user ID and password repository 
  • The user who is trying to log on has no user definition in UD.stanza 
  • An EAM user's password has been validated successfully; the EAM is then called again to install that user's definition in the running CICS region 


By default, CICS uses internal authentication based on the UD stanza. To use an External Authentication Module (EAM) instead of internal CICS authentication, you must:

  • Install the EAM module 
  • Change the Region Definitions (RD) EAMLoad attribute to yes 
  • Use the RD EAMModule attribute to specify the EAM program path and name 

When the CICS region comes up, the EAMModule that the CICS administrator specified is loaded into each cicsas process. When a CICS user tries to log in with a user ID and password, CICS checks whether the EAM is loaded. If it is, CICS passes that user ID and password to the EAM program for authentication.
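Before restarting a region it is worth checking that the three settings above actually line up: EAMLoad is yes, EAMModule points at a readable file, and the environment file names an LDAP host (with the port defaulting to 389 when CICS_LDAP_PORT is absent). The script below is an added example, not IBM's or this post's code. It assumes the TXSeries conventions that RD.stanza attributes are written as Name="value" and that the region environment file lives at /var/cics_regions/region_name/environment; the demo region it builds under a temporary directory, and the sample values in it, are constructed for the illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of a TXSeries region's EAM/LDAP settings.
# Assumptions: RD.stanza uses Name="value" lines; the region environment file
# is <region_dir>/environment with KEY=VALUE lines. Sample files are constructed.

# Read a stanza attribute, e.g. EAMLoad="yes" -> yes (last definition wins).
stanza_attr() {  # $1=stanza file  $2=attribute name
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Read KEY=VALUE from the region environment file; prints nothing if unset.
env_attr() {  # $1=environment file  $2=variable name
    sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | tail -n 1
}

# Port the EAM will connect to: CICS_LDAP_PORT if set, otherwise 389.
effective_ldap_port() {  # $1=environment file
    p=$(env_attr "$1" CICS_LDAP_PORT)
    if [ -n "$p" ]; then echo "$p"; else echo 389; fi
}

# Returns 0 when the region is set up to authenticate through the EAM,
# 1 otherwise, printing one line per problem found.
check_eam_config() {  # $1=region directory (e.g. /var/cics_regions/REGION1)
    rd="$1/RD/RD.stanza"
    envf="$1/environment"
    rc=0
    load=$(stanza_attr "$rd" EAMLoad)
    module=$(stanza_attr "$rd" EAMModule)
    if [ "$load" != "yes" ]; then
        echo "EAMLoad is '${load:-unset}': region will fall back to UD.stanza (internal) authentication"
        rc=1
    fi
    if [ -z "$module" ]; then
        echo "EAMModule is not set in $rd"
        rc=1
    elif [ ! -r "$module" ]; then
        echo "EAMModule '$module' is not readable; cicsas processes cannot load it"
        rc=1
    fi
    host=$(env_attr "$envf" CICS_LDAP_HOST)
    if [ -z "$host" ]; then
        echo "CICS_LDAP_HOST is not set in $envf"
        rc=1
    fi
    echo "LDAP target: ${host:-?}:$(effective_ldap_port "$envf")"
    return $rc
}

# Build a constructed demo region: EAM enabled, module present, no port set.
make_demo_region() {  # $1=directory to create
    mkdir -p "$1/RD" "$1/bin"
    printf 'ShortName="DEMOREG"\nEAMLoad="yes"\nEAMModule="%s/bin/eam"\n' "$1" > "$1/RD/RD.stanza"
    printf 'CICS_LDAP_HOST=myldap.aetna.com\n' > "$1/environment"   # CICS_LDAP_PORT deliberately omitted
    : > "$1/bin/eam"   # stand-in for the compiled EAM module
}

demo=$(mktemp -d)
make_demo_region "$demo"
check_eam_config "$demo"   # prints "LDAP target: myldap.aetna.com:389" and returns 0
rm -rf "$demo"
```

Run it with the region directory substituted for the demo path; a non-zero exit means the next region start would silently use UD.stanza authentication or fail to load the module, which is exactly the condition you want to catch before users notice.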
