
System and Method for mapping and auditing a distributed Identity in an Enterprise System

IP.com Disclosure Number: IPCOM000207639D
Publication Date: 2011-Jun-07
Document File: 2 page(s) / 257K

Publishing Venue

The IP.com Prior Art Database

Abstract

A business challenge today is how to flow the end user identity into the z/OS environment so that all changes made during the life of a given transaction can be audited and tracked. Corporations want to be able to track the end user's activity throughout the various subsystems in z/OS. This information can be used to identify who accessed what, for reasons that include problem determination and the investigation of security breaches.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 01 of 2


Businesses that are running their applications written in Java* on WebSphere**

powerful built-in auditing capability, which keeps track of all resource access, for users that are defined in a corporate LDAP server rather than in z/OS. The z/OS auditing capabilities are built into the System Management Facility (SMF), which has the ability to audit resource access for users defined on z/OS. The challenge arises when a user running in WebSphere does not have a z/OS identity but instead has a corporate LDAP identity. Businesses want the ability to audit in z/OS*** not only the users that run under a z/OS identity, but also the users that run on WebSphere Application Server under their corporate identity.

For example, CN=Bob, O=myCompany is a user ID defined in the corporate LDAP server. Bob accesses an application running on WebSphere Application Server for z/OS and logs into the application with his CN=Bob ID. Bob then clicks on a link in the application to update his personal information, and the business application calls DB2**** to update a row in a table. When accessing DB2, the executing thread must have a valid z/OS identity, and a single z/OS identity is shared by all authenticated users. For example, all authenticated users may run under the z/OS ID DB2WEB.

After the row in DB2 is updated, DB2 and the z/OS SMF auditing subsystem record that DB2WEB updated the row, losing the fact that it was the request from CN=Bob that caused the update. What should be captured is that DB2WEB, acting for CN=Bob, updated the row.

To address this business challenge, WebSphere Application Server v8 implements and extends the authenticated identity propagation technique described in [1]. WebSphere provides a configuration option that enables the corporate LDAP client identity to be audited in the z/OS auditing facility, SMF.

The core idea of this invention is to expand on the authenticated identity propagation technique in [1] so that both the client identity and the z/OS identity acting on behalf of that client are recorded in the z/OS SMF auditing subsystem. When the client logs on, the client is authentica...
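The following is an added illustration of the attribution problem and of the record the disclosure wants instead; it is not code from the disclosure, from WebSphere Application Server, DB2 or SMF. It simulates, in memory, a thread that switches to the shared z/OS service identity (DB2WEB, from the text) before calling back-end subsystems, and compares the audit trail produced when only that identity is recorded with the trail produced when the authenticated client identity travels with the request. The record fields, the registry name, the second subsystem, and every function and class name are assumptions made for the example.

```python
"""Simulated audit trail for the DB2WEB / CN=Bob scenario.

Added example, not code from the disclosure, WebSphere, DB2 or SMF.
Field names, subsystem names, the registry name and all functions are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

SERVICE_ID = "DB2WEB"   # shared z/OS identity used for all authenticated users (from the text)


@dataclass
class ClientIdentity:
    dn: str            # distinguished name from the corporate LDAP registry
    registry: str      # registry that issued it (assumed field)


@dataclass
class ThreadContext:
    zos_user: str                       # what the subsystem (and SMF) sees as the caller
    client: Optional[ClientIdentity]    # propagated client identity, or None if dropped


@dataclass
class AuditRecord:
    subsystem: str
    zos_user: str
    resource: str
    action: str
    client_dn: Optional[str] = None
    client_registry: Optional[str] = None

    def actor(self) -> str:
        """Best attribution the record allows: the service ID alone, or 'X acting for Y'."""
        if self.client_dn is None:
            return self.zos_user
        return f"{self.zos_user} acting for {self.client_dn} ({self.client_registry})"


class AuditLog:
    """Stand-in for the subsystem audit feed (SMF in the real system)."""

    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def write(self, ctx: ThreadContext, subsystem: str, resource: str, action: str) -> None:
        client = ctx.client
        self.records.append(AuditRecord(
            subsystem, ctx.zos_user, resource, action,
            client.dn if client else None,
            client.registry if client else None))

    def actors_for(self, resource: str) -> List[str]:
        """Who touched a resource, as far as the records can tell."""
        return [r.actor() for r in self.records if r.resource == resource]

    def activity_of(self, client_dn: str) -> List[str]:
        """Follow one end user across subsystems; empty if the identity was never propagated."""
        return [f"{r.subsystem}:{r.action}:{r.resource}"
                for r in self.records if r.client_dn == client_dn]


def run_transaction(log: AuditLog, ctx: ThreadContext, row_key: str) -> None:
    """Bob's click: a DB2 row update, then an assumed follow-on call to a second subsystem."""
    log.write(ctx, "DB2", f"PERSONAL_INFO/{row_key}", "UPDATE")
    log.write(ctx, "MQ", "PROFILE.CHANGED", "PUT")      # assumed second subsystem


def without_propagation(clients: List[ClientIdentity]) -> AuditLog:
    """The problem: the thread runs as DB2WEB and the client identity is dropped."""
    log = AuditLog()
    for c in clients:
        run_transaction(log, ThreadContext(SERVICE_ID, None), row_key=c.dn.split(",")[0])
    return log


def with_propagation(clients: List[ClientIdentity]) -> AuditLog:
    """The desired behaviour: the thread still runs as DB2WEB, but the client rides along."""
    log = AuditLog()
    for c in clients:
        run_transaction(log, ThreadContext(SERVICE_ID, c), row_key=c.dn.split(",")[0])
    return log


# Constructed sample clients, both defined only in the corporate LDAP (assumed registry name).
CLIENTS = [ClientIdentity("CN=Bob, O=myCompany", "ldap://corp.example"),
           ClientIdentity("CN=Alice, O=myCompany", "ldap://corp.example")]

if __name__ == "__main__":
    for title, log in (("without", without_propagation(CLIENTS)),
                       ("with", with_propagation(CLIENTS))):
        print(f"{title} propagation:")
        for r in log.records:
            print("  ", r.subsystem, r.resource, r.action, "->", r.actor())
```

Without propagation, every record on the shared resource reads DB2WEB and `activity_of("CN=Bob, O=myCompany")` is empty: the trail cannot distinguish Bob from Alice. With propagation, each record names both the z/OS identity that did the work and the client it acted for, so a single end user can be followed across subsystems, which is the property the abstract asks for.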