CA Gen client/server applications support for Kerberos authentication

Article ID: 130289

Products

CA Gen, CA Gen - Run Time Distributed

Issue/Introduction

Can CA Gen client/server applications support Kerberos authentication?

Environment

CA Gen 8.5, 8.6 client/server applications

Resolution

CA Gen client/server applications have no direct support for Kerberos authentication. They can support Kerberos indirectly by customising the security user exits to use Enhanced Security with a security token, as follows:
1. Set the Enhanced Security and token parameters in the client-side user exit.
For example, for Gen Windows GUI clients the user exit source WREXITN.C contains the function WRSECTOKEN. In that function, set a return code of SecurityUsedEnhanced and set the token parameters token and tokenLen. The parameter bClntMgrSecurity needs to be changed from its default of FALSE to TRUE ONLY if a Gen Client Manager or a Communications Bridge is used.
More details can be found in the user exit comments and are documented here:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-gen/8-6/reference/user-exits/windows-c-user-exits/windows-gui-client-user-exits/wrsectoken-client-security-token-user-exit-windows.html

2. The security token is then authenticated by adding the required code to the corresponding server-side exit. For example, for Gen CICS servers the user exit source is TIRSECVX. More details can be found in the user exit comments and are documented here:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-gen/8-6/reference/user-exits/z-os-user-exits/z-os-server-user-exits-cics/tirsecvx-server-client-security-validation-exit.html

Additional Information

For the security user exits for other types of clients and servers, please see:
CA GEN 8.6 > Distributed Processing > User Exits in Distributed Processing > Working With Distributed Processing

Additional useful references:
Gen 8.6 > Developing > Designing > Designing Client-Server Applications > Security in Client Server Applications > User Identification:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-gen/8-6/developing/designing/designing-client-server-applications/security-in-client-server-applications/user-identification.html

Distributed Processing > Working With Distributed Processing > Security in Distributed Processing > Security Data > Enhanced Security:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-gen/8-6/distributed-processing/working-with-distributed-processing/security-in-distributed-processing/security-data.html#concept.dita_8493ff7f2fbf49e2151bc06b90dc5bcaf4bc4548_EnhancedSecurity

Gen 8.6 > Distributed Processing > Working With Distributed Processing > Security in Distributed Processing > Client Security Processing:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-gen/8-6/distributed-processing/working-with-distributed-processing/security-in-distributed-processing/client-security-processing.html

Gen 8.6 > Distributed Processing > Working With Distributed Processing > Security in Distributed Processing > Server Security Processing:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/devops/ca-gen/8-6/distributed-processing/working-with-distributed-processing/security-in-distributed-processing/server-security-processing.html