Authentication modes


XCICS/TS supports four authentication modes to verify the credentials of users performing a SIGNON:

basic
passwd
ldap
user

The mode is set using the "set auth_mode" directive in the XCICS/TS configuration file.

BASIC mode

In BASIC mode, users are defined in the configuration file with the "define user" directive and/or with the "snt_loader" exit_program.

Each user's password is stored directly in the configuration file as clear text.

Users cannot change their password.

PASSWD mode

In PASSWD mode, users are defined in the configuration file with the "define user" directive and/or with the "snt_loader" exit_program.

The encrypted passwords are stored in an external file. By default XCICS/TS uses the file name $HOME/etc/xpasswd; to provide an alternative path the "set passwd_file" directive may be used.

In PASSWD mode, users may change their password online (with CESN or EXEC CICS SIGNON NEWPASSWORD): when this happens, XCICS/TS updates the passwd file with the new encrypted password.

Additionally, in PASSWD mode, XCICS/TS allows administrators to improve security handling by providing:

minimum and maximum password length constraints: new passwords that violate the specified constraints are automatically rejected
password expiration period: users are obliged to renew their password after a certain period of time
password expiration warning: XCICS/TS warns users when the expiration date of their password is approaching
login failures handling: after a certain number of login failures, the user account is disabled
password reset: administrators may reset a user's password, obliging the user to renew it
password management logging: password changes, login failures and configuration changes are tracked in a log file

The "xpasswd" command line utility may be used to activate and configure all the security settings above (using its "configuration options") as well as to manage the user account status (enable and disable) and password (reset or definition).
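As an added illustration (not XCICS/TS code, and not the real xpasswd file format or option names), the following Python sketch models the checks an administrator enables through these settings: length constraints on new passwords, expiration with an approaching-expiry warning, disabling the account after repeated login failures, and forced renewal after an administrative reset. The account record, the hashing scheme and the status strings are assumptions made for the example.

```python
import hashlib, hmac, os
from collections import namedtuple
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy values; the names are not xpasswd's real configuration options.
Policy = namedtuple("Policy", "min_len max_len expire_days warn_days max_failures",
                    defaults=(8, 16, 90, 7, 3))

@dataclass
class Account:           # one in-memory record standing in for an xpasswd entry
    changed_on: date
    salt: bytes = b""
    pw_hash: bytes = b""
    failures: int = 0
    disabled: bool = False
    must_change: bool = False

def _hash(password, salt):  # illustrative hashing; the real file format is not shown here
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(acct, new_pw, policy, today):
    # Length constraints are checked first; a violating password is rejected outright.
    if not policy.min_len <= len(new_pw) <= policy.max_len:
        raise ValueError("password length outside policy constraints")
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_pw, acct.salt)
    acct.changed_on = today
    acct.must_change = False

def reset_password(acct):
    acct.must_change = True  # administrator reset: renewal forced at the next SIGNON

def signon(acct, password, policy, today):
    if acct.disabled:
        return "DISABLED"
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failures += 1  # login failures handling: disable after max_failures
        if acct.failures >= policy.max_failures:
            acct.disabled = True
            return "DISABLED"
        return "DENIED"
    acct.failures = 0  # a successful SIGNON clears the failure counter (model choice)
    expires_on = acct.changed_on + timedelta(days=policy.expire_days)
    if acct.must_change or today >= expires_on:
        return "CHANGE_REQUIRED"  # expired or reset: the user must renew the password
    days_left = (expires_on - today).days
    if days_left <= policy.warn_days:
        return f"OK_WARN:{days_left}"  # expiration warning
    return "OK"
```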

The passwd file must contain the password of every declared user: when a user is declared in the configuration file but not found in the passwd file, the SIGNON is denied. Therefore, whenever a user is added to the configuration file, the administrators must also add the user's credentials to the passwd file (with xpasswd).

The same xpasswd file may be used by more than one region: in this case all the regions share the same security settings and the users' passwords are the same on all regions. Note: all regions must have read and write permissions on the file.

LDAP mode

In LDAP mode, users may be defined in the configuration file with the "define user" directive or taken from an LDAP server.

The authentication of user credentials is delegated to the LDAP server: when a user requests a SIGNON, XCICS/TS binds to the LDAP server with the user's DN (LDAP Distinguished Name) and password; if the LDAP server authenticates the user, XCICS/TS completes the SIGNON successfully.

Users may change their password according to the LDAP server settings and definitions.

For further information on XCICS/TS and LDAP cooperation, please refer to the "LDAP integration" section.

USER mode

In USER mode, users are defined in the configuration file with the "define user" directive and/or with the "snt_loader" exit_program.

The SIGNON is verified by an exit program of type "user_signon". This is a user-written program that tells XCICS/TS whether the credentials provided by the operator are authorized.

In this scenario, password changes may be allowed by providing a "user_chpasswd" exit program.