Security Overview

By default, Host Integrator security is disabled. When security is enabled, an administrative login is required for Host Integrator administrative tools. You can also configure security on servers or domains, which forces an encrypted channel with clients (connectors) and requires userID and password parameters in connection method calls.

Host Integrator security includes authentication, access control, and encryption. This overview of Host Integrator security covers the following concepts:

The procedures for configuring security between the Host Integrator Server and other Host Integrator components are described in Configuring Host Integrator Security.

Note: You can also use SSL to ensure security between the Host Integrator Server and an IBM 3270 or AS/400 host. Your model must be configured to use Telnet SSL or Extended Telnet SSL as a transport.

Authentication and Access Control

Host Integrator access control and authentication are provided by Authentication Authorization and Directory Services (AADS). When you install the Host Integrator, the authentication component of AADS is disabled and you do not need a password to access the Administrative WebStation or any Host Integrator Servers or domains.

Configuring Host Integrator security is a three-step process:

  1. Associate Host Integrator security profiles with security groups on the operating system of the currently selected directory server.

  2. Enable security, which establishes access control to the currently selected directory server. Since the Administrative WebStation is the only way to configure Host Integrator Servers and Domains, enabling security controls access to Servers and Domains for configuration purposes.

  3. Enable security on Domains and Servers, which establishes access control for data objects and client programs.

It is recommended that the first time system administrators run the Administrative WebStation, they add themselves to the Host Integrator Administrator profile, enable security, and then save their configuration. Doing this enables access control for the currently selected directory server and the Servers and Domains associated with it.

The Host Integrator provides three different security profiles:

The type of access allowed on the server is determined by the security profile the user ID belongs to. This access control is separate from and in addition to the access control provided by the host. There are scenarios in which host user IDs and passwords are sufficient for controlling access; in these cases you may decide not to enable authentication on your servers and domains.

Security Configuration Concepts

As explained above, the only security profile that allows you to configure Host Integrator Servers, security, and domains is the administrator profile. When you log on to the Administrative WebStation using the administrator profile, you can configure servers and domains. Users belonging to the developer and user profiles are never able to modify Host Integrator configurations, even on servers they are able to log on to.

Configuring Domain and Server Authentication

There are three places where security can be enabled in the Host Integrator:

When security is enabled on the Administrative WebStation, access to servers and domains to view or modify configurations is controlled. This setting also limits access to the Session Monitor and Log Viewer. Security on the Administrative WebStation does not, however, control access to domains and servers by data objects and client programs. This access control is established when security is enabled on individual domains and servers. When security is enabled on a domain, security is enabled on all servers in that domain. You can also configure security on individual servers that do not belong to a domain.

Note: Find out how enabling security on your servers and domains can affect performance by reading About Security and Server Performance.

When security is disabled on the Administrative WebStation, security on all Host Integrator Servers and domains associated with the currently selected directory server is also disabled. If you then re-enable security, however, security is not re-enabled on your domains and servers.

Note: Disabling security on Host Integrator Servers and domains affects encryption, which is described next.

Encryption

Enabling security on a Host Integrator Server or domain also secures the channel between the server or domain and the clients that connect to it. When security is enabled, a server or domain forces encryption over SSL with every client that connects to it.

When security is disabled on a server or domain, the channel between it and its clients is encrypted only if the clients use the RequireSecureConnection API call. RequireSecureConnection is a state flag. Once it is set, all communication between the client and server is encrypted, regardless of the authentication setting on the server. This scenario is appropriate for environments in which it is not necessary to have access control to the Host Integrator Server, but you still want to encrypt information such as host user IDs and passwords. For more information about working with Host Integrator APIs, see the Development Kit online help.

Note: If RequireSecureConnection is not used or is set to No, the channel between the client and server will still be encrypted if authentication is enabled on the server it connects to. Setting this flag to No does not disable encryption.
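An added example, not part of the product or its API: a small Python model of the rules stated under Configuring Domain and Server Authentication and under Encryption. It lists the servers whose channel encryption depends on each client setting RequireSecureConnection, including after Administrative WebStation security is disabled and re-enabled. All class, field, domain and server names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Server:
    name: str
    domain: Optional[str] = None   # None: server does not belong to a domain
    security: bool = False         # used only for servers outside a domain

@dataclass
class Directory:
    """Model (assumed names) of the security state under one directory server."""
    webstation_security: bool = False
    domain_security: Dict[str, bool] = field(default_factory=dict)
    servers: List[Server] = field(default_factory=list)

    def set_webstation_security(self, enabled: bool) -> None:
        self.webstation_security = enabled
        if not enabled:
            # Disabling here also disables security on every domain and server.
            self.domain_security = {d: False for d in self.domain_security}
            for s in self.servers:
                s.security = False
        # Re-enabling does not restore domain or server security.

    def server_secured(self, s: Server) -> bool:
        # Domain security applies to all servers in that domain.
        if s.domain is not None:
            return self.domain_security.get(s.domain, False)
        return s.security

    def channel_encrypted(self, s: Server, require_secure_connection: bool = False) -> bool:
        # Forced by server/domain security, or requested by the client flag.
        return self.server_secured(s) or require_secure_connection

    def client_dependent(self) -> List[str]:
        """Servers whose encryption depends on each client setting the flag."""
        return sorted(s.name for s in self.servers if not self.server_secured(s))

def disable_reenable_demo() -> Dict[str, List[str]]:
    # Constructed inventory: one domain member, one standalone server.
    d = Directory(servers=[Server("hostA", domain="prod"), Server("hostB")])
    d.set_webstation_security(True)
    d.domain_security["prod"] = True
    d.servers[1].security = True
    before = d.client_dependent()
    d.set_webstation_security(False)
    d.set_webstation_security(True)
    return {"before": before, "after": d.client_dependent()}
```

After the disable and re-enable cycle both servers appear in the result, so security has to be enabled again on each domain and server before encryption is forced for every client.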

Securing the Connection Between the Administrative WebStation and a Browser

The Administrative WebStation can be accessed from any browser that has network access to it. To secure the connection between the Administrative WebStation and a browser running on another machine, you should enable HTTPS on your web server. See the documentation for your web server for instructions on enabling SSL.