IMS Mobile - getting started
Uploaded by ibm-ims. Category: Technology.
Transcript of IMS Mobile - getting started
© 2015 IBM Corporation
IMS Mobile Solution
Getting Started
IBM Information Management System (IMS)
Outline
• A graphic view of the IMS mobile solution and the components involved
• Installation options:
  − Option 1. You already have WAS/z Liberty Profile V8.5.5.5 or later
  − Option 2. You do not have WAS/z Liberty Profile
• Two security configuration scenarios:
  − Scenario 1. Basic authentication for a quick installation verification
  − Scenario 2. RACF security
• Installation walkthroughs with the following scenarios:
  − Scenario 1. You already have WAS/z Liberty Profile
      1a. You want to use basic authentication for a quick installation verification
      1b. You want to use RACF security.
  − Scenario 2. You do not have WAS/z Liberty Profile
      2a. You want to use basic authentication for a quick installation verification
      2b. You want to use RACF security.

IMS Mobile Solution: A graphical view
[Diagram: mobile applications and a web browser / REST client send JSON over HTTP to WebSphere Application Server for z/OS Liberty Profile, which hosts z/OS Connect and the IMS Mobile Feature Pack; the feature pack reaches IMS Connect over TCP/IP, and IMS Connect passes requests through OTMA to IMS Transaction Manager and the IMS applications, which use IMS DB and DB2.]
• WebSphere Application Server for z/OS Liberty Profile (WAS/z Liberty): The application server
• z/OS Connect: A feature for WAS/z Liberty that serves as the gateway for discovering and invoking applications and data on z/OS from mobile, cloud, and web applications. In the context of IMS mobile solution, this is the IMS gateway.
• IMS Mobile Feature Pack: A service provider for WAS/z Liberty that handles:
  − Data transformation (XML <-> byte array)
  − Interaction with IMS Connect
  − Service management through IMS Explorer for Development, which provides the user interface for service creation, testing, and management

IMS Mobile Solution: Tooling for IMS mobile service creation, testing, and management
[Diagram: the architecture from the graphical view, with IMS Enterprise Suite Explorer for Development (IMS Explorer) added alongside the mobile applications and the web browser / REST client.]
• Eclipse-based tool on Windows for IMS mobile service creation, testing, and management
• A component in IMS Enterprise Suite V3.1 that you can download

Mobile service creation, testing, and deployment tool: IMS Explorer for Development installation
[Flowchart: the path branches on the question "Do you already have IBM Installation Manager installed?" (Yes / No). The two numbered sequences on the slide are listed below in slide order.]
1. Download IBM Explorer for z/OS and IBM Installation Manager from the IBM Explorer for z/OS website.
2. Extract and run the Launchpad.exe file to install both IBM Installation Manager and IBM Explorer for z/OS.
3. Add a repository to point to where the IMS Explorer .zip file is stored.
4. Select IMS Explorer from the Install Packages window.

1. Download IMS Explorer (a .zip file) from the IMS Enterprise Suite download website.
2. Launch IBM Installation Manager.
3. Click Check for Other Versions, Fixes, and Extension.
4. Click Install in the main window.

For installation information, see:
http://www.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.explorer31.doc/wb_installing_shellshare.htm

IMS Explorer: Getting started task launcher for IMS Mobile
• Click Start > All Programs > IBM Explorer for z/OS > IMS Enterprise Suite Explorer for Development to launch IMS Explorer
• Getting started tasks are provided in the Task Launcher
Server runtime component installation options
Installation option 1: You already have WAS/z Liberty Profile V8.5.5.5 or later
• Download from the WAS/z Liberty Profile repository the following required feature:
  − IMS Mobile Feature Pack
  Repository location: https://developer.ibm.com/wasdev/downloads/
  Installation instructions are provided on the repository page.
Installation option 2: You do not have WAS/z Liberty Profile
• Order IMS Enterprise Suite V3.1.1 (5655-TDA) from Shopz at https://www-304.ibm.com/software/shopzseries/ShopzSeries_public.wss.
  − The IMS Mobile Feature Pack in IMS Enterprise Suite contains WAS/z Liberty Profile and z/OS Connect as a supporting program.
  − For WAS/z Liberty Profile usage restrictions in this context, see the license information included in IMS Enterprise Suite for z/OS V3.1.1

Installation option 1: You already have WAS/z Liberty Profile V8.5.5.5 or later

Installation option 1: You already have WAS/z Liberty Profile V8.5.5.5 or later
1. Go to WAS/z Liberty Profile repository at https://developer.ibm.com/wasdev/downloads/
2. Search for the “IMS Mobile Feature Pack” feature. Follow the instructions on the screen to install.
3. Configure IMS Mobile Feature Pack. (more detail…)
[Diagram: WAS/z Liberty Profile containing z/OS Connect and IMS Mobile Feature Pack, configured through server.xml.]
See installation roadmap at:
http://www.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_installroadmap_option1.htm

Installation steps for option 1: You already have WAS/z Liberty Profile V8.5.5.5 or later
3. Configure IMS Mobile Feature Pack.
In server.xml, add the following entries:
• Registry home: Location for the IMS gateway server registry.
• Technical ID: The technical ID is passed to the IMS Mobile feature on the gateway server if authentication is turned off, or the authenticated user ID is greater than 8 bytes.
• Technical group: An 8-byte SAF group name for IMS transactions.

server.xml:
    . . .
    <imsmobile_imsServiceManager
        imsRegistryHome="./registry"
        imsTechnicalGroup="IMS_GROUP"
        imsTechnicalID="IMS_USER"/>
    . . .

See IMS Mobile Feature Pack security process flow at:
http://www-01.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_security.htm
See installation roadmap at:
http://www.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_installroadmap_option1.htm

Installation option 1: You already have WAS/z Liberty Profile V8.5.5.5 or later
3. Configure IMS Mobile Feature Pack.

server.xml:
    . . .
    <imsmobile_imsServiceManager
        imsRegistryHome="./registry"
        imsTechnicalGroup="IMS_GROUP"
        imsTechnicalID="IMS_USER"/>
    . . .

4. Configure IMS Mobile Feature Pack for security.

Security scenario 1. Basic authentication (for initial installation verification)
In server.xml:
a. Configure a basic registry with z/OS Connect access roles in server.xml.
b. If RACF is enabled in IMS Connect, specify the IMS technical password.
(more detail on next slide)

Security scenario 2. SAF security
a. Edit the BBGZANGL procedure as a started task to start the angel process.
b. Start the angel process by issuing: START BBGZANGL
c. If RACF is enabled in IMS Connect, specify the IMS technical password.
(go to slide #16, "Security scenario 2: SAF authentication and authorization")

See installation roadmap at:
http://www.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_installroadmap_option1.htm

Installation option 1: You already have WAS/z Liberty Profile V8.5.5.5 or later
Security scenario 1: Basic authentication
4. Configure IMS Mobile Feature Pack with basic authentication.
a. Configure a basic registry with z/OS Connect access roles in server.xml.

server.xml:
    . . .
    <!-- Certification Configuration -->
    <keyStore id="keystore_id" password="encrypted_pwd"/>
    <!-- Basic Registry Configuration -->
    <basicRegistry id="basic1" realm="zosConnect">
        <user name="your_userName" password="your_pwd" />
    </basicRegistry>
    <!-- User Authorization Configuration -->
    <authorization-roles id="zos.connect.access.roles">
        <security-role name="zosConnectAccess">
            <user name="user1"/>
            <user name="user2"/>
        </security-role>
    </authorization-roles>

See the WebSphere Liberty security configuration topics at:
http://www-01.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.zseries.doc/ae/twlp_zconnect_security.html
http://www-01.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp_sec_basic_registry.html

Installation option 1: You already have WAS/z Liberty Profile V8.5.5.5 or later
Security scenario 1: Basic authentication
4. Configure IMS Mobile Feature Pack with basic authentication.
a. Configure a basic registry with z/OS Connect access roles in server.xml.
b. If RACF is enabled in IMS Connect, specify the IMS technical password.

server.xml:
    . . .
    <imsmobile_imsServiceManager
        imsRegistryHome="./registry"
        imsTechnicalGroup="IMS_GROUP"
        imsTechnicalID="IMS_USER"
        imsTechnicalPassword="{xor}PjMzbiw7KjE="
    />
    . . .

This password is used for RACF authentication. Only one IMS technical password can be specified per IMS gateway server instance. This password must be set up in RACF for the user ID or IDs that are associated with the mobile service requests.

Technical ID and technical password
• Technical ID:
  If SAF authentication is turned off on WAS/z Liberty Profile, or if the authenticated user ID from the mobile client is greater than 8 bytes, this technical ID is passed to IMS Connect as the user ID. If the technical ID is left blank, the IMS Mobile feature uses the z/OS Connect started job user ID.
• Technical password:
  The password is used for RACF authentication if RACF is turned on in IMS Connect.
  Only one IMS technical password can be specified per IMS gateway server instance. This password must be set up in RACF for the user IDs (or the technical ID) that are associated with the mobile service requests.

server.xml:
    . . .
    <imsmobile_imsServiceManager
        imsRegistryHome="./registry"
        imsTechnicalGroup="IMS_GROUP"
        imsTechnicalID="IMS_USER"
        imsTechnicalPassword="{xor}PjMzbiw7KjE="
    />
    . . .

Installation option 1: You already have WAS/z Liberty Profile V8.5.5.5 or later
Security scenario 1: Basic authentication
4. Configure IMS Mobile Feature Pack with basic authentication.
a. Configure a basic registry with z/OS Connect access roles in server.xml.
b. If RACF is enabled in IMS Connect, specify the IMS technical password.
5. Start the server by issuing:
    START BBGZSRV

Messages issued at startup:
    GMOIG7777I: The IMS Mobile feature initialized successfully. (build_number): 201411181651.
    CWWKF0011I: The server imsmobile is ready to run a smarter planet.
    CWWKT0016I: Web application available (default_host): http://my.host.com:10443/

Installation option 1: You already have WAS/z Liberty Profile V8.5.5.5 or later
Security scenario 2: SAF authentication and authorization
4. Configure IMS Mobile Feature Pack with SAF security.
a. Edit the server.xml file to configure for SAF security if this is not yet configured.

server.xml:
    . . .
    <!-- SAF Registry Configuration -->
    <safRegistry id="saf_reg_id" realm="zosConnect"></safRegistry>
    <safAuthorization id="saf_id" />
    <safCredentials profilePrefix="saf_cred_prefix"/>
    <!-- Certification Configuration -->
    <keyStore id="keyStore_id" password="keystore_pwd"/>
    ...

See IMS Mobile Feature Pack security process flow at:
http://www-01.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_security.htm
For more information about security configuration for z/OS Connect, see:
http://www.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.zseries.doc/ae/twlp_zconnect_security.html

Installation option 1: You already have WAS/z Liberty Profile V8.5.5.5 or later
Security scenario 2: SAF authentication and authorization
4. Configure IMS Mobile Feature Pack with SAF security.
a. Edit the server.xml file to configure for SAF security if this is not yet configured.
b. Set up the angel process.
c. In the STARTED profile for the angel process and SERVER profile, create an authenticated user; add an unauthenticated user for READ access.

An angel process grants the Liberty profile server access to z/OS authorized services for System Authorization Facility (SAF) authorization, Workload Manager (WLM), resource recovery services (RRS), and SVCDUMP.

RACF registrations for angel process:
    RDEF SERVER BBG.ANGEL UACC(NONE)
    RDEF SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
    RDEF SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
    RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
    RDEF SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
    RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)

RACF registrations for SAF authorization:
    RDEFINE SERVER BBG.SECPFX.BBGZDFLT UACC(READ)
    RDEFINE APPL BBGZDFLT UACC(NONE)
    PERMIT BBGZDFLT ID(SGEN3) ACCESS(READ) CLASS(APPL)
    RDEFINE EJBROLE BBGZDFLT.zos.connect.access.roles.zosConnectAccess UACC(NONE)
    PERMIT BBGZDFLT.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(SGEN3) ACCESS(READ)

See the Liberty profile on z/OS server administration topic at:
http://www.ibm.com/support/knowledgecenter/SS7K4U_8.5.5/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_admin_zos.html
For more information about authorizing access to administrative roles, see:
http://www.ibm.com/support/knowledgecenter/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/tsec_tselugradro.html

Installation option 1: You already have WAS/z Liberty Profile V8.5.5.5 or later
Security scenario 2: SAF authentication and authorization
4. Configure IMS Mobile Feature Pack with SAF security.
a. Edit the server.xml file to configure for SAF security if this is not yet configured.
b. Set up the angel process.
c. In the STARTED profile for the angel process and SERVER profile, create an authenticated user; add an unauthenticated user for READ access.
d. START the angel process:
   a. Edit the BBGZANGL procedure to start the angel process if you have not done so already.
   b. Start the angel process by issuing:
      START BBGZANGL

See the Liberty profile on z/OS server administration topic at:
http://www.ibm.com/support/knowledgecenter/SS7K4U_8.5.5/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_admin_zos.html

Installation option 1: You already have WAS/z Liberty Profile V8.5.5.5 or later
Security scenario 2: SAF authentication and authorization
4. Configure IMS Mobile Feature Pack with SAF security.
5. Start the IMS gateway server by issuing:
    START BBGZSRV

Messages issued at startup:
    GMOIG7777I: The IMS Mobile feature initialized successfully. (build_number): 201411181651.
    CWWKF0011I: The server imsmobile is ready to run a smarter planet.
    CWWKT0016I: Web application available (default_host): http://my.host.com:10443/

Installation option 2: You do not have WAS/z Liberty Profile

Installation option 2: You do not have WAS/z Liberty Profile
Prerequisites:
1. Order IMS Enterprise Suite V3.1 (5655-TDA) from Shopz.
   You will receive the following FMIDs that you need for the IMS mobile solution:
   • Base Services (FMID HAHF310)
   • IMS Mobile Feature Pack (FMID JAHF31A)
   • IBM Installation Manager for z/OS (FMID HGIN140)
2. Install IBM Installation Manager for z/OS by following the steps in Program Directory for IBM Installation Manager for z/OS.
   • SMP/E process the FMID HGIN140.
   • Check for and apply the latest PTFs for Installation Manager for z/OS to upgrade to V1.5.3 or later.
   • Follow the “Activating IBM Installation Manager for z/OS” section in the IBM Installation Manager Program Directory and the instructions in the installation JCL jobs to complete the installation.

Installation option 2: You do not have WAS/z Liberty Profile
1. Follow the installation instructions in the Program Directory (GI10-8964) to install IMS Mobile Feature Pack.
a. Use SMP/E process to put all code onto the target system.
   Edit and submit GMORECV#, GMOALLOC, GMOZFS, GMODDEF4…. GMOAPPLY, GMOACCEP.
b. Edit GMOIMCFS to create and mount the file system.
   Create and mount the file system for installing the run-time code for IMS Mobile Feature Pack.

Installation option 2: You do not have WAS/z Liberty Profile
1. Follow the installation instructions in the Program Directory (GI10-8964).
a. Use SMP/E process to put all code onto the target system.
b. Edit GMOIMCFS to create and mount the file system.
c. Edit GMOIMINS to install IMS Mobile Feature Pack using IBM Installation Manager for z/OS.
   • Specify the installation directory and repository location for use by IBM Installation Manager.
   • Specify registry home, technical ID, and technical group for use by the IMS mobile solution.
   • Submit the job to install.

GMOIMINS:
• Registry home: Location for the IMS gateway server registry.
• Technical ID: The technical ID is passed to the IMS Mobile feature on the gateway server if the authenticated user ID is greater than 8 bytes.
• Technical group: An 8-byte SAF group name for IMS transactions.

server.xml:
    . . .
    <imsmobile_imsServiceManager
        imsRegistryHome="./registry"
        imsTechnicalGroup="IMS_GROUP"
        imsTechnicalID="IMS_USER"/>
    . . .

See installation roadmap at:
http://www.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_installroadmap_option2.htm

Installation option 2: You do not have WAS/z Liberty Profile
1. Follow the installation instructions in the Program Directory (GI10-8964).
a. Use SMP/E process to put all code onto the target system.
b. Edit GMOIMCFS to create and mount the file system.
c. Edit GMOIMINS to install IMS Mobile Feature Pack using IBM Installation Manager for z/OS.
   • Specify the installation directory and repository location for use by IBM Installation Manager.
   • Specify registry home, technical ID, and technical group for use by the IMS mobile solution.
   • Submit the job to install.
2. Modify server.xml to specify the server host name and port numbers.

server.xml:
    . . .
    <imsmobile_imsServiceManager
        imsRegistryHome="./registry"
        imsTechnicalGroup="IMS_GROUP"
        imsTechnicalID="IMS_USER"/>
    . . .
    <httpEndpoint host="*"
        httpPort="10443"
        httpsPort="9443"
        id="defaultHttpEndpoint"/>

See installation roadmap at:
http://www.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_installroadmap_option2.htm

Installation option 2: You do not have WAS/z Liberty Profile
2. Modify server.xml to specify the server host name and port numbers.

server.xml:
    . . .
    <imsmobile_imsServiceManager
        imsRegistryHome="./registry"
        imsTechnicalGroup="IMS_GROUP"
        imsTechnicalID="IMS_USER"/>
    . . .
    <httpEndpoint host="my.host.com"
        httpPort="10443"
        httpsPort="9443"
        id="defaultHttpEndpoint"/>

3. Edit the server.xml file to configure for security.

Security scenario 1. Basic authentication (for initial installation verification)
In server.xml:
a. Configure a basic registry with z/OS Connect access roles in server.xml.
b. If RACF is enabled in IMS Connect, specify the IMS technical password.
(more detail on next slide)

Security scenario 2. SAF security
a. In server.xml, configure SAF registry.
b. Set up the angel process by editing and running:
   • GMOEXTAT job
   • GMOZANGL procedure
c. Configure SAF for the IMS gateway server.
(go to slide #30, "Security scenario 2: SAF authentication and authorization")

See installation roadmap at:
http://www.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_installroadmap_option2.htm

Installation option 2: You do not have WAS/z Liberty Profile
Security scenario 1: Basic authentication
3. Edit the server.xml file to configure for basic authentication.
a. Configure a basic registry with z/OS Connect access roles.

server.xml:
    . . .
    <!-- Certification Configuration -->
    <keyStore id="keystore_id" password="encrypted_pwd"/>
    <!-- Basic Registry Configuration -->
    <basicRegistry id="basic1" realm="zosConnect">
        <user name="your_userName" password="your_pwd" />
    </basicRegistry>
    <!-- User Authorization Configuration -->
    <authorization-roles id="zos.connect.access.roles">
        <security-role name="zosConnectAccess">
            <user name="user1"/>
            <user name="user2"/>
        </security-role>
    </authorization-roles>

See the WebSphere Liberty security configuration topics at:
http://www.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.zseries.doc/ae/twlp_zconnect_security.html
http://www.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp_sec_basic_registry.html

Installation option 2: You do not have WAS/z Liberty Profile
Security scenario 1: Basic authentication
3. Edit the server.xml file to configure for basic authentication.
a. Configure a basic registry with z/OS Connect access roles.
b. If RACF security is enabled in IMS Connect, configure the IMS technical password.

server.xml:
    . . .
    <imsmobile_imsServiceManager
        imsRegistryHome="./registry"
        imsTechnicalGroup="IMS_GROUP"
        imsTechnicalID="IMS_USER"
        imsTechnicalPassword="{xor}PjMzbiw7KjE="
    />
    . . .

This password is used for RACF authentication. Only one IMS technical password can be specified per IMS gateway server instance. This password must be set up in RACF for the user ID or IDs that are associated with the mobile service requests.

See IMS Mobile Feature Pack security process flow at:
http://www-01.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_security.htm
See installation roadmap at:
http://www.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_installroadmap_option2.htm

Technical ID and technical password
• Technical ID:
  If SAF authentication is turned off on the IMS gateway server, or if the authenticated user ID is greater than 8 bytes, the technical ID is passed to IMS Connect as the user ID. If the technical ID is left blank, the user ID that started the IMS gateway server is used.
• Technical password:
  The password is used for RACF authentication if RACF is turned on in IMS Connect.
  Only one IMS technical password can be specified per IMS gateway server instance. This password must be set up in RACF for the user IDs (or the technical ID) that are associated with the mobile service requests.

server.xml:
    . . .
    <imsmobile_imsServiceManager
        imsRegistryHome="./registry"
        imsTechnicalGroup="IMS_GROUP"
        imsTechnicalID="IMS_USER"
        imsTechnicalPassword="{xor}PjMzbiw7KjE="
    />
    . . .
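
The `{xor}` prefix on imsTechnicalPassword marks Liberty's keyless XOR encoding rather than encryption, so read access to server.xml is enough to recover the technical password. The following is an added example, not part of the original slides or IBM's code: it audits a server.xml for plaintext or `{xor}` password attributes, a wildcard httpEndpoint host, and an open HTTP port next to a basic registry. The sample file (the slides' fragments under one root) and the finding labels are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: the slides' server.xml fragments under one <server> root,
# with straight quotes. All values are the slides' placeholders.
SAMPLE_SERVER_XML = """<server>
  <keyStore id="keystore_id" password="encrypted_pwd"/>
  <basicRegistry id="basic1" realm="zosConnect">
    <user name="your_userName" password="your_pwd"/>
  </basicRegistry>
  <imsmobile_imsServiceManager imsRegistryHome="./registry"
      imsTechnicalGroup="IMS_GROUP" imsTechnicalID="IMS_USER"
      imsTechnicalPassword="{xor}PjMzbiw7KjE="/>
  <httpEndpoint host="*" httpPort="10443" httpsPort="9443"
      id="defaultHttpEndpoint"/>
</server>"""

# Liberty marks an encoded password with a {scheme} prefix, e.g. {xor} or {aes}.
_SCHEME = re.compile(r"^\{(\w+)\}(.*)$", re.S)


def classify_password(value):
    """Return 'plaintext' or the lower-cased scheme name from the {scheme} prefix."""
    m = _SCHEME.match(value)
    return m.group(1).lower() if m else "plaintext"


def liberty_xor_decode(value):
    """Undo {xor}: base64-decode, then XOR every byte with 0x5F ('_').

    No key is involved, so this is obfuscation only: whoever can read
    server.xml can recover the password.
    """
    m = _SCHEME.match(value)
    if not m or m.group(1).lower() != "xor":
        raise ValueError("value does not carry the {xor} prefix")
    return bytes(b ^ 0x5F for b in base64.b64decode(m.group(2))).decode("utf-8")


def audit_server_xml(xml_text):
    """Return (element, attribute, finding) tuples for settings worth reviewing."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if attr.lower().endswith("password"):
                kind = classify_password(value)
                if kind in ("plaintext", "xor"):
                    findings.append((elem.tag, attr, kind + "-password"))
    has_basic_registry = root.find(".//basicRegistry") is not None
    for endpoint in root.iter("httpEndpoint"):
        if endpoint.get("host") == "*":
            findings.append(("httpEndpoint", "host", "listens-on-all-interfaces"))
        # httpPort="-1" disables the cleartext listener in Liberty.
        if has_basic_registry and endpoint.get("httpPort") != "-1":
            findings.append(
                ("httpEndpoint", "httpPort", "cleartext-http-with-basic-registry"))
    return findings


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(finding)
    # The slides' sample value decodes without any secret.
    print(liberty_xor_decode("{xor}PjMzbiw7KjE="))
```

Liberty's securityUtility can also emit `{aes}` and `{hash}` values; whether the IMS Mobile feature accepts them for imsTechnicalPassword is not stated in these slides, so restrictive file permissions on server.xml remain the baseline control.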
Installation option 2: You do not have WAS/z Liberty Profile
Security scenario 1: Basic authentication
3. Edit the server.xml file to configure for basic authentication.
4. Start the IMS gateway server by issuing:
    START GMOZSRV

See installation roadmap at:
http://www-01.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_installroadmap_option1.htm

SYSLOG:
NC0000000 TESTMVS 14365 22:18:40.31 SGEN3 00000290 S GMOZSRV
N 0200000 TESTMVS 14365 22:18:40.35 STC07567 00000291 $HASP100 GMOZSRV ON STCINRDR
N 0020000 TESTMVS 14365 22:18:40.39 STC07567 00000290 IEF695I START GMOZSRV WITH JOBNAME GMOZSRV IS ASSIGNED TO USER STC
S , GROUP SYSPROC
N 4000000 TESTMVS 14365 22:18:40.39 STC07567 00000090 $HASP373 GMOZSRV STARTED
N 0000000 TESTMVS 14365 22:18:40.39 STC07567 00000090 IEF403I GMOZSRV - STARTED - TIME=22.18.40
N 0020000 TESTMVS 14365 22:19:12.02 STC07567 00000090 GMOIG7777I: The IMS Mobile feature initialized successfully. (build_numb
S er): 201411181651.
N 4000000 TESTMVS 14365 22:19:13.28 STC07567 00000090 +CWWKF0011I: The server imsmobile is ready to run a smarter planet.

JOBLOG (STDOUT):
Launching imsmobile (WebSphere Application Server 8.5.5.2, WAS FOR Z/OS 8.5.5.2/wlp-1.0.5.cl50220140403-1858) on IBM J9 VM, version Launching pmz6470sr6fp1-20140108_01 (SR6 FP1) (en_US)
[AUDIT ] CWWKE0001I: The server imsmobile has been launched.
[AUDIT ] CWWKG0028A: Processing included configuration resource: /usr/lpp/ims/imses/V3R1/rest_gw/imsmobile/usr/servers/imsmobile/ims-services.xml
[AUDIT ] CWWKZ0058I: Monitoring dropins for applications.
[AUDIT ] GMOIG7777I: The IMS Mobile feature initialized successfully. (build_number): 201411181651.
[AUDIT ] CWWKF0015I: The server has the following interim fixes installed: PI16677,PI18279,PI16652.
[AUDIT ] CWWKF0011I: The server imsmobile is ready to run a smarter planet.
[AUDIT ] CWWKT0016I: Web application available (default_host): http://xxxxxx.xxxxxx.ibm.com:10443/

Installation option 2: You do not have WAS/z Liberty Profile
Security scenario 2: SAF authentication and authorization
3. Edit the server.xml file to configure for SAF security.

server.xml:
    . . .
    <!-- SAF Registry Configuration -->
    <safRegistry id="saf_reg_id" realm="zosConnect"></safRegistry>
    <safAuthorization id="saf_id" />
    <safCredentials profilePrefix="saf_cred_prefix"/>
    <!-- Certification Configuration -->
    <keyStore id="keyStore_id" password="keystore_pwd"/>
    ...

For more information about security configuration for z/OS Connect, see:
http://www.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.zseries.doc/ae/twlp_zconnect_security.html

4. Set up an angel process.
An angel process grants the Liberty profile server access to z/OS authorized services for System Authorization Facility (SAF) authorization, Workload Manager (WLM), resource recovery services (RRS), and SVCDUMP.
a. Create the STARTED profile for the angel process and SERVER profile with an authenticated user; add an unauthenticated user for READ access.
RACF registrations for SAF authorization
RDEFINE SERVER BBG.SECPFX.GMOZDFLT UACC(READ)
RDEFINE APPL GMOZDFLT UACC(NONE)
PERMIT GMOZDFLT ID(SGEN3) ACCESS(READ) CLASS(APPL)
RDEFINE EJBROLE GMOZDFLT.zos.connect.access.roles.zosConnectAccess UACC(NONE)
PERMIT GMOZDFLT.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(SGEN3) ACCESS(READ)
RACF registrations for angel process
RDEF SERVER BBG.ANGEL UACC(NONE)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
For a sample JCL to create the STARTED and SERVER profiles with an authenticated user for the angel process, see: http://www.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_saf_config.htm
For more background information about authorizing access to administrative roles, see: http://www.ibm.com/support/knowledgecenter/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/tsec_tselugradro.html
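A review check over the RACF commands above, as an added example (not IBM's code and not part of the original slides): it parses the RDEFINE and PERMIT commands and reports any profile whose UACC is not NONE, and any UACC(NONE) profile with no PERMIT in the listing. The function names are hypothetical; the commands are the slide's, joined one per line.

```python
import re

# RACF commands from the slide, one per line (SGEN3 is the user ID the page uses).
COMMANDS = """\
RDEFINE SERVER BBG.SECPFX.GMOZDFLT UACC(READ)
RDEFINE APPL GMOZDFLT UACC(NONE)
PERMIT GMOZDFLT ID(SGEN3) ACCESS(READ) CLASS(APPL)
RDEFINE EJBROLE GMOZDFLT.zos.connect.access.roles.zosConnectAccess UACC(NONE)
PERMIT GMOZDFLT.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(SGEN3) ACCESS(READ)
RDEF SERVER BBG.ANGEL UACC(NONE)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
"""


def operand(command, name):  # value of a NAME(value) operand, upper-cased, or None
    match = re.search(rf"\b{name}\(([^)]*)\)", command, re.IGNORECASE)
    return match.group(1).upper() if match else None


def parse(text):
    """Map (class, profile) to its UACC and the PERMITs issued against it."""
    profiles = {}
    for command in filter(None, map(str.strip, text.splitlines())):
        words = command.split()
        verb = words[0].upper()
        if verb not in ("RDEFINE", "RDEF", "PERMIT"):
            continue
        permit = verb == "PERMIT"
        key = (operand(command, "CLASS"), words[1]) if permit else (words[1].upper(), words[2])
        entry = profiles.setdefault(key, {"uacc": None, "permits": {}})
        if permit:
            entry["permits"][operand(command, "ID")] = operand(command, "ACCESS")
        else:
            entry["uacc"] = operand(command, "UACC")
    return profiles


def review(profiles):
    """List profiles that are open by default or that no user ID is permitted to."""
    findings = []
    for (cls, name), entry in profiles.items():
        if entry["uacc"] != "NONE":
            findings.append(f"{cls} {name}: UACC({entry['uacc']}) applies to any user not on the access list")
        elif not entry["permits"]:
            findings.append(f"{cls} {name}: UACC(NONE) with no PERMIT in this listing")
    return findings


if __name__ == "__main__":
    print("\n".join(review(parse(COMMANDS))))
```

On the slide's commands it reports the UACC(READ) on BBG.SECPFX.GMOZDFLT and the three angel-related SERVER profiles, for which the slide shows no PERMIT.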
For more information about SAF configuration for IMS mobile solution, see: http://www.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_saf_config.htm
For more information about extended attributes, see: http://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.bpxa500/xattr.htm
b. Edit and run the GMOEXTAT job to add the extended attribute (p) for files before starting the angel process.
//**************************************************************/
//* PROC NAME: GMOEXTAT */
//* GMOZSRV VERSION: 3.1.1.0 */
//* */
//* DESCRIPTION: THIS SAMPLE JCL ADDS THE ATTRIBUTE P TO */
//* FILES AS A REQUIREMENT TO BRING UP ANGEL */
//* SERVER */
//* */
//* NOTES: */
//* 1) CHANGE THE JOB CARD TO MEET YOUR SYSTEM'S REQUIREMENTS. */
//* 2) CHANGE -PathPrefix1- TO THE LOCATION WHERE IMS MOBILE */
//* IS INSTALLED(IT ENDS WITH rest_gw) */
//* 3) CHANGE -PathPrefix2- TO THE LOCATION WHERE JAVA IS */
//* INSTALLED(IT ENDS WITH SR7) */
//* 4) USER MUST HAVE AT LEAST READ ACCESS TO THE FOLLOWING */
//* CLASS FACILITY: */
//* BPX.FILEATTR.APF */
//* BPX.FILEATTR.PROGCTL */
//* 5) USER MUST HAVE WRITE PERMISSION TO THE DIRECTORY WHERE */
//* OUTPUT IS WRITTEN(IT IS /tmp IN THIS CASE) */
//* */
//**************************************************************/
For more information about enabling z/OS authorized services on Liberty profile on z/OS, see: http://www.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_config_security_zos.html
c. Edit the GMOZANGL procedure for the angel process.
//**************************************************************/
//* */
//* PROC NAME: GMOZANGL */
//* GMOZSRV VERSION: 3.1.1.0 */
//* */
//* DESCRIPTION: THIS PROC STARTS THE LIBERTY ANGEL PROCESS */
//* */
//* NOTE: */
//* */
//* CHANGE ROOT TO THE WLP DIRECTORY THAT IS LOCATED IN */
//* THE IMS MOBILE INSTALLATION DIRECTORY */
//* */
//* YOU NEED TO RUN THE SAMPLE JCL GMOEXTAT BEFORE STARTING */
//* THIS PROC */
//* */
//**************************************************************/
//GMOZANGL PROC PARMS='',COLD=N
//*------------------------------------------------------------------
// SET ROOT='/usr/lpp/ims/imses/V3R1/rest_gw/wlp'
//*------------------------------------------------------------------
//* Start the Liberty angel process
//*------------------------------------------------------------------
//STEP1 EXEC PGM=BPXBATA2,REGION=0M,
// PARM='PGM &ROOT./lib/native/zos/s390x/bbgzangl COLD=&COLD &PARMS'
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
//* ================================================================ */
For more background information about WAS/z security, see: http://www.ibm.com/support/knowledgecenter/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/welc_security.html
d. Start the angel process by issuing:
START GMOZANGL
5. Start the IMS gateway server by issuing:
START GMOZSRV
GMOIG7777I: The IMS Mobile feature initialized successfully. (build_number): 201411181651.
CWWKF0011I: The server imsmobile is ready to run a smarter planet.
CWWKT0016I: Web application available (default_host): http://my.host.com:10443/
For more information about SAF configuration for the IMS mobile solution, see: http://www.ibm.com/support/knowledgecenter/SS9NWR_3.1.0/com.ibm.ims.mobile31.doc/mobile_saf_config.htm
Verifying installation
Use the HTTP PUT method to invoke the IMSPingService service:
https://hostname:port/zosConnect/services/IMSPingService?action=invoke
{
message: "The ping request for the IMS gateway server was successful."
}
Communicating to IMS
To test the communication with IMS:
1. Turn off IMS Connect RACF security (RACF=N).
IMS Mobile is considered a trusted client to IMS Connect because authentication and authorization are handled by WAS/z Liberty Profile and z/OS Connect.
2. Use the HTTP PUT method to invoke the IMSPingService service and specify the host name, port number, and the IMS data store name:
https://hostname:port/zosConnect/services/IMSPingService?action=invoke&HOSTNAME=my.ims.host.com&PORT=9999&DATASTORE=IMS1
{
message: "The ping request for the IMS gateway server was successful."
pingTestResults: "Ping request for HOSTNAME: my.ims.host.com, PORT: 9999, DATASTORE: IMS1 was successful"
}
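One way to script the two ping checks above, as an added example (not part of the original slides and not IBM's tooling): it builds the IMSPingService URL, sends the PUT over TLS with certificate verification left on, and reads the result from the reply. Assumptions: the reply body is JSON with quoted keys, the request carries an empty JSON body, the server accepts basic authentication, and all function names are hypothetical.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlencode

SERVICE_PATH = "/zosConnect/services/IMSPingService"  # path shown on the page


def ping_url(gw_host, gw_port, ims_host=None, ims_port=None, datastore=None):
    """Build the IMSPingService URL; the IMS Connect parameters are optional."""
    params = {"action": "invoke"}
    if ims_host is not None:
        params.update(HOSTNAME=ims_host, PORT=ims_port, DATASTORE=datastore)
    return f"https://{gw_host}:{gw_port}{SERVICE_PATH}?{urlencode(params)}"


def evaluate(body):
    """Return (gateway_ok, ims_ok); ims_ok is None when IMS was not pinged."""
    reply = json.loads(body)
    gateway_ok = "was successful" in reply.get("message", "")
    ims = reply.get("pingTestResults")
    ims_ok = None if ims is None else ims.rstrip(". ").endswith("was successful")
    return gateway_ok, ims_ok


def ping(url, user, password, ca_file=None):
    """Send the PUT with certificate and host name verification enabled."""
    ctx = ssl.create_default_context(cafile=ca_file)  # no unverified context
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=b"{}", method="PUT",  # empty JSON body is an assumption
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return evaluate(resp.read().decode("utf-8"))


# Constructed sample reply, modelled on the response shown on the slide.
SAMPLE = json.dumps({
    "message": "The ping request for the IMS gateway server was successful.",
    "pingTestResults": "Ping request for HOSTNAME: my.ims.host.com, PORT: 9999, "
                       "DATASTORE: IMS1 was successful",
})

if __name__ == "__main__":
    print(ping_url("hostname", 10443, "my.ims.host.com", 9999, "IMS1"))
    print(evaluate(SAMPLE))
```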
What’s next?
• Creating, testing, and publishing IMS mobile services
  − Use IMS Explorer for Development
• Accessing and managing services
  − Use the supported HTTP actions to:
    • Start, stop, and invoke a service
    • Obtain service status, statistics, JSON schema, and configuration information
    • Check for available services
    • Obtain IMS mobile service provider statistics
For an end-to-end tutorial that turns the IMS phonebook application into a Contacts mobile
application, see IMS Exchange: http://ibm.co/1vuJHNH