How To Configure a Host Security Domain for Single Sign-On When Using COMTI in TCP/IP (299729)

SUMMARY

This article describes how to configure a Host Security Domain (HSD) for Single Sign-on (SSO) when using COM Transaction Integrator (COMTI) in a TCP/IP-only environment.

This article assumes that the following steps have been completed:

SNA Server or Host Integration Server, COMTI and the Host Security components are installed.
A COMTI remote environment (RE) has been configured.
The COMTI CedarBank sample program that is included with SNA Server or Host Integration Server works going to your mainframe.

NOTE: Although any COM-aware language program that uses COMTI can take advantage of the host account cache (HAC) for SSO look-ups, the CedarBank sample might provide a better test because the correct files are already included. For more information about how to set up the CedarBank sample program, see the application's Help documentation.

MORE INFORMATION

This section describes the four steps that must be completed to configure a Host Security Domain for COMTI:

Create a "dummy" connection in SNA Manager.
Create a host security domain.
Enable security on the remote environment.
Populate the host account cache.

Before COMTI can perform a look-up using the host account cache, a "dummy" connection must first be configured in SNA Manager. Although the dummy connection is not used, you must have it to configure a Host Security Domain.

Step 1: Create a Dummy Connection

Open SNA Manager.
Add a Demo SDLC Link Service: right-click the Link Service folder, and then click New/Link Service.
Create a connection: right-click the Connections folder, and then click New/SDLC.
On the Connection Properties page, name the connection (COMTI), select the link service that you created in step 2 (SnaDemo1), and leave all other default settings.

Step 2: Create a Host Security Domain

To start the Host Security Domain Wizard, right-click the Host Security Domain folder, and then click New/Host Security Domain.
When prompted, name your Host Security Domain as COMTIHSD.
Select the SNA Connection using the drop-down menu. For this example, it looks similar to COMTI on Server_Name.

Accept all the other default settings while you continue through the wizard.

Step 3: Enable Security on the Remote Environment

Open COMTI Manager.
Right-click the CedarBank remote environment, click Properties, and then click the Security tab.
To enable security, click the Set security on check box and then select the appropriate authentication (package or user credentials).

NOTE: Enabling Allow application to override selected authentication (also known as Explicit Security) prevents look-ups to the host account cache. Using Explicit Security means the program that calls the COMTI method supplies the userid and password that is sent to the host.
In the Host Security Domain list, type the Host Security Domain name that you created earlier (that is, COMTIHSD) because it does not appear in the list.

Step 3: Populate the Host Account Cache

To take advantage of SSO, the user account that you will be using must be populated in the HAC. To populate the HAC, use one of the following methods:

For an existing user account, force a password change on the user account in question. The next time the user changes his/her password, the HAC will be populated.
For an existing user account, use Host Account Manager (UDCONFIG), select the user account in question, type the user's password, and then select Update Cache.
If you are setting up a new user account for the first time, after you create a UserID and password, this user is automatically entered into the HAC.

To verify a user in the HAC database, you can type the following command from either the SNA Server or the Host Integrations Server command prompt:

snacfg hsmapping *\* /print