COMTI: Allow Use Of Already Verified and Application Override (222947)



The information in this article applies to:

  • Microsoft COM Transaction Integrator for CICS and IMS 4.0 SP2
  • Microsoft SNA Server 4.0

This article was previously published under Q222947

SYMPTOMS

When you enable user or package-level security in the Remote Environment on the Security tab within the COM Transaction Integrator Manager, the following security options may be selected, but are not currently designed to function together:
  • Allow application to override selected authentication
  • Use Already Verified or Persistent Verification authentication
Because of a non-trusted domain architecture, a customer was unable to deploy the SNA Server Host Security Integration feature, and wanted their application to supply the host user ID and password credentials. This is possible by selecting the Allow application override option. But, if this option is selected along with Already Verified or Persistent Verification, the application-supplied credentials are ignored, and the user ID and password are sent to the host. It was requested that both options be allowed to work together. Prior to this update, the use of the COMTI Already Verified or Persistent Verification check box required that the SNA Server Host Security Integration feature had been deployed.

CAUSE

These security options were not designed to work together, because this would allow a user application to provide any arbitrary host user ID on a host request, which the host would accept if the CICS region is defined with Attachsec=Identify. By allowing "Identify" security, CICS will accept requests with only the host user ID being provided in the user request, without requiring host verification of the host password.

RESOLUTION

To resolve this problem, obtain the latest service pack for SNA Server version 4.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

215838 How to Obtain the Latest SNA Server Version 4.0 Service Pack


STATUS

Microsoft has confirmed that this is a problem in SNA Server 4.0, 4.0 SP1 and 4.0 SP2. This problem was first corrected in SNA Server version 4.0 Service Pack 3.

MORE INFORMATION

When COM Transaction Integrator is configured to support both of these security options and this update is applied, the following behavior occurs.

If the host is configured to accept "Already Verified" security:
  1. Within the CICS region, "Attachsec=Identify" allows CICS to accept requests with only the user ID provided by the application.
  2. The COM application provides a user ID when invoking the COM object associated with their host transaction.
  3. COMTI accepts the user ID, converts it to EBCDIC, and calls MC_ALLOCATE with the user ID and security=AP_SAME. The Wappc32.dll detects that the host BIND allows FMH-5 Attach requests with the "already verified" indicator set (within byte 23 of the BIND request), and formats the FMH-5 with the "already verified" indicator and the user ID security vector (but no password vector).
  4. The host accepts the user ID only, and executes the transaction.
If the host is configured to accept "Persistent Verification" security:
  • Within the CICS region, "Attachsec=Persistent" is configured. See the following article in the Microsoft Knowledge Base for other host configuration settings required to enable persistent verification:

    222565 SNA Server Caches User in PV Signed-On List if Attach Fails

  • The COM application provides a user ID and password when invoking the COM object associated with their host transaction.
  • COMTI accepts the user ID and password, converts them to EBCDIC, and calls MC_ALLOCATE with the user ID and password, with security=AP_SAME. The Wappc32.dll detects that the host BIND allows FMH-5 Attach requests with "persistent verification" (within byte 23 of the BIND request), and formats the FMH-5 with the "PV sign-on requested" bit along with both the user ID and password security vectors.
  • SNA Server accepts the FMH-5 Attach from the Wappc32.dll, and checks the SNA Server internal PV signed-on cache to determine if the user has previously signed on to the host using persistent verification. If not, the FMH-5 Attach is provided to the host, with the "PV sign-on requested" bit set, and the user is added to the SNA Server PV signed-on list. If the user has previously signed on using persistent verification, the password is removed from the FMH-5 Attach, and the "PV already signed-on" bit is set, then the FMH-5 is sent to the host.
  • The host accepts the FMH-5 Attach, containing the PV indicator and security credential.
NOTE: For more information about persistent verification, see the following article in the Microsoft Knowledge Base:

198179 Enabling an APPC/CPIC Program to Use Persistent Verification
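The two attach flows above, as a constructed model added here (not COMTI or SNA Server code): it shows which security vectors reach the host under Already Verified versus Persistent Verification, and how the PV signed-on list strips the password on a repeat attach. The BindCaps flag names, the pv_cache set and the mode strings are assumptions standing in for the byte-23 BIND indicators and the SNA Server internal cache.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class BindCaps:
    """Hypothetical stand-in for the byte-23 BIND indicators (names assumed)."""
    already_verified: bool = False
    persistent_verification: bool = False


@dataclass
class Fmh5Attach:
    """Security-relevant fields of the FMH-5 Attach that reaches the host."""
    user_id: bytes                 # user ID security vector, EBCDIC
    password: Optional[bytes]      # password security vector, None if omitted
    already_verified: bool = False
    pv_signon_requested: bool = False
    pv_already_signed_on: bool = False


def to_ebcdic(text: str) -> bytes:
    # COMTI converts the application-supplied credentials to EBCDIC before MC_ALLOCATE
    return text.encode("cp037")


def build_attach(caps: BindCaps, user_id: str, password: str, mode: str,
                 pv_cache: Set[str]) -> Fmh5Attach:
    """Return the attach the host sees; pv_cache models the SNA Server PV signed-on list."""
    uid = to_ebcdic(user_id)
    if mode == "already_verified":
        if not caps.already_verified:
            raise ValueError("BIND does not allow already-verified attaches")
        # Only the user ID vector is sent: with Attachsec=Identify the host accepts
        # the asserted identity without a password to verify
        return Fmh5Attach(uid, None, already_verified=True)
    if mode == "persistent_verification":
        if not caps.persistent_verification:
            raise ValueError("BIND does not allow persistent verification")
        if user_id in pv_cache:
            # Repeat attach: password removed, "PV already signed-on" bit set
            return Fmh5Attach(uid, None, pv_already_signed_on=True)
        # First attach: both vectors sent with "PV sign-on requested", user cached
        pv_cache.add(user_id)
        return Fmh5Attach(uid, to_ebcdic(password), pv_signon_requested=True)
    raise ValueError(f"unknown security mode: {mode}")


def host_verifies_password(attach: Fmh5Attach) -> bool:
    """True only when a password vector is present for the host to check."""
    return attach.password is not None
```

Running the persistent-verification path twice for the same user shows the second attach carrying no password, which is why the signed-on list itself becomes a security-relevant piece of state to monitor.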


Modification Type: Major
Last Reviewed: 11/10/2003
Keywords:kbbug kbfix kbQFE kbsna400sp3fix KB222947