CA Gen client/server applications support for Kerberos authentication

Article Id: 130289
Status: Published
Updated On: 09-04-2020 14:16
Products:
CA Gen , CA Gen - Run Time Distributed
Issue/Introduction:

Can CA Gen client/server applications support Kerberos authentication?

Environment:

CA Gen 8.5, 8.6 client/server applications

Resolution:

CA Gen client/server applications have no direct support for Kerberos authentication but can indirectly support Kerberos by customisation of the security user exits to use Enhanced Security with security token as follows:
1. The Enhanced Security and token parameters should be set in the client side user exit.
For example for Gen Windows GUI clients the user exit source WREXITN.C contains function WRSECTOKEN. In that function a return code of SecurityUsedEnhanced needs to be set and token parameters token & tokenLen need to be set. ONLY if using a Gen Client Manager or a Communications Bridge does the parameter bClntMgrSecurity need to be changed from default of FALSE to TRUE.
More details can be found in the user exit comments and documented here:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-gen/8-6/reference/user-exits/windows-c-user-exits/windows-gui-client-user-exits/wrsectoken-client-security-token-user-exit-windows.html

2. The security token would then be authenticated by adding required code to the corresponding server side exit e.g. for Gen CICS servers the user source is TIRSECVX and more details can be found in the user exit comments and documented here::
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-gen/8-6/reference/user-exits/z-os-user-exits/z-os-server-user-exits-cics/tirsecvx-server-client-security-validation-exit.html

Additional Information:

For security user exits for other types of clients and servers please see:
CA GEN 8.6 > Distributed Processing > User Exits in Distributed Processing > Working With Distributed Processing

Additional useful references:
Gen 8.6 > Developing > Designing > Designing Client-Server Applications > Security in Client Server Applications > User Identification:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-gen/8-6/developing/designing/designing-client-server-applications/security-in-client-server-applications/user-identification.html

Distributed Processing > Working With Distributed Processing > Security in Distributed Processing > Security Data > Enhanced Security:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-gen/8-6/distributed-processing/working-with-distributed-processing/security-in-distributed-processing/security-data.html#concept.dita_8493ff7f2fbf49e2151bc06b90dc5bcaf4bc4548_EnhancedSecurity

Gen 8.6 > Distributed Processing > Working With Distributed Processing > Security in Distributed Processing > Client Security Processing:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-gen/8-6/distributed-processing/working-with-distributed-processing/security-in-distributed-processing/client-security-processing.html

Gen 8.6 > Distributed Processing > Working With Distributed Processing > Security in Distributed Processing > Server Security Processing:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-gen/8-6/distributed-processing/working-with-distributed-processing/security-in-distributed-processing/server-security-processing.html