1. Field of the Invention
The present invention relates to a computer system, and deals more particularly with a method, system, and computer program product for providing end-to-end user authentication using digital certificates for accessing host applications and data without requiring modification of existing host applications.
2. Description of the Related Art
One of the challenges facing information services ("IS") professionals today is providing secure access to legacy mainframe host data and applications from modern personal computer-based ("PC-based") applications. As more large companies move to provide business integration and self-service on the World Wide Web (hereinafter, "Web"), the data that is crucial to this movement is most often based on (and accessible only through) legacy mainframe host applications. These host applications and their data have, from their origin, typically been protected by the program product commonly referred to as "RACF" (Resource Access Control Facility) or other similar mainframe-based security systems. ("RACF" is a registered trademark of the IBM Corporation.) These mainframe-based security systems typically require a user identification and password in order to gain access to the protected applications and data. Therefore, when a user tries to access data or legacy applications on a host mainframe from a client workstation over a network connection, the user normally must provide a separate user identification and password to the host application to satisfy the host security system, in addition to the user identification and password used to access the modern environment (e.g. the Internet or Web). This double entry of identifying information is not only redundant but tedious for the user as well.
With the widespread use of SSL (Secure Sockets Layer) and certifiable digital certificates for providing security in today's PC-based computing environments, there is a desire to use a client certificate as the basis for a "single system log on" to all of a user's Internet-based applications. This includes applications that provide access to legacy host applications and/or data, such as IBM's Host On-Demand, Personal Communications, and Host Publisher products. Digital certificates are used to authenticate entities, as is well known in the art. U.S. Pat. No. 6,129,738 (Ser. No. 09/064,632, filed Dec. 10, 1998), which is titled "Certificate Based Security in SNA Data Flows", teaches a technique whereby digital certificates are transported in appropriate Systems Network Architecture ("SNA") data flows between a client and a host for identifying the user to the host application. That existing technique, however, requires the host programs which authenticate the user to RACF (or another host access control facility) to be modified to use the certificate instead of the traditional userid and password, so an enterprise must upgrade each of its application subsystems in order to obtain the benefits. For some enterprises, the previous approach may therefore be impractical and unacceptable.
Accordingly, what is needed is a technique that provides a single system log on, allowing a host-based legacy security system to authenticate a client from the newer PC-based, distributed computing environments without requiring the client to supply an additional user name (or other user identifier) and password. This technique must allow current legacy applications to function without any modification thereof.
An object of the present invention is to provide a technique for using a single system log on to access legacy host applications and data in a distributed networking environment.
Another object of the present invention is to provide this technique without requiring any modification to the existing legacy host applications.
Yet another object of the present invention is to provide this technique by using digital certificates to authenticate clients.
Other objects and advantages of the present invention will be set forth in part in the description and in the drawings which follow and, in part, will be obvious from the description or may be learned by practice of the invention.
To achieve the foregoing objects, and in accordance with the purpose of the invention as broadly described herein, the present invention provides a computer program product, system, and method for providing end-to-end user authentication for legacy host application access in a computing environment. This technique comprises: establishing a secure session from a client machine to a server machine using a digital certificate representing the client machine or a user thereof; storing the digital certificate at the server machine; establishing a session from the server machine to a host system using a legacy host communication protocol; passing the stored digital certificate from the server machine to a host access security system; using, by the host access security system, the passed digital certificate to locate access credentials for the user; accessing a stored password or a generated password substitute (such as a passticket) representing the located credentials; and using the stored password or the generated password substitute to transparently log the user on to a secure legacy host application executing at the host system. The certificate presented at the secure session is thus the only credential the user supplies; the host-side password or password substitute never leaves the server and host.
The digital certificate may be an X.509 certificate. The communication protocol may be a 3270 emulation protocol. Or, it may be a 5250 emulation protocol or a Virtual Terminal protocol. The host access security system may be a Resource Access Control Facility (RACF) system.
The technique may further comprise: requesting by the legacy host application, responsive to establishing the session, log on information for the user, responding to the request for log on information by sending a log on message with placeholders from the client machine to the server machine, these placeholders representing a user identification and a password of the user; and substituting a user identifier associated with the located access credentials and the stored password or the generated passticket for the placeholders in the log on message.
In one aspect, the server machine may be a Web application server machine. In this case, the technique may further comprise: requesting by the legacy host application, responsive to establishing the session, log on information for the user; and responding to the request for log on information by supplying a user identifier associated with the located access credentials and the stored password or the generated passticket at the server machine.
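The following is an added example, written for this page and not code from the patent or from IBM's Host On-Demand, Personal Communications, or Host Publisher products, that simulates the flow described above end to end on one machine: the server locates the user's host credentials from the stored certificate, obtains a generated password substitute in place of a stored password, and substitutes userid and substitute for the placeholders in the client's log on message. Everything concrete here is an assumption: the certificate is looked up by its SHA-256 fingerprint (a real RACF installation maps certificates differently), the password substitute is an HMAC-SHA256 token that stands in for a RACF PassTicket rather than implementing the PassTicket algorithm, the placeholder syntax `$USERID$`/`$PASSWORD$` is invented, and the certificate bytes, userids and keys are constructed.

```python
"""Simulated certificate-to-legacy-logon flow (illustrative; not the RACF algorithm)."""
import hashlib
import hmac
import time
from typing import Optional

# --- Constructed data (made up for this example) -----------------------------
# A "client certificate" is treated as an opaque DER blob; it is only hashed.
CLIENT_CERT_DER = b"-- constructed DER bytes for the user JSMITH --"

# Certificate fingerprint -> host userid.  Stands in for the certificate-to-user
# mapping held by the host access security system.
CERT_TO_USERID = {
    hashlib.sha256(CLIENT_CERT_DER).hexdigest(): "JSMITH",
}

# Per-application secured signon key (hypothetical).  A real PassTicket is keyed
# per application on the host; the HMAC below is a stand-in, not the RACF algorithm.
APPL_KEYS = {"TSO": b"constructed-secured-signon-key-for-TSO"}

WINDOW_SECS = 600            # assumed validity window for a password substitute
USERID_PLACEHOLDER = "$USERID$"      # hypothetical placeholder syntax
PASSWORD_PLACEHOLDER = "$PASSWORD$"  # hypothetical placeholder syntax

_used_tickets: set = set()   # (userid, appl, ticket) already redeemed


def lookup_userid(cert_der: bytes) -> Optional[str]:
    """Use the passed certificate to locate the user's host access credentials."""
    return CERT_TO_USERID.get(hashlib.sha256(cert_der).hexdigest())


def _window(now: float) -> int:
    return int(now) // WINDOW_SECS


def _ticket_for(userid: str, appl: str, window: int) -> str:
    msg = f"{userid}:{appl}:{window}".encode()
    digest = hmac.new(APPL_KEYS[appl], msg, hashlib.sha256).hexdigest()
    return digest[:8].upper()    # 8 characters, the size of a host password field


def generate_passticket(userid: str, appl: str, now: Optional[float] = None) -> str:
    """Generated password substitute: bound to userid, application and time window."""
    now = time.time() if now is None else now
    return _ticket_for(userid, appl, _window(now))


def validate_passticket(userid: str, appl: str, ticket: str,
                        now: Optional[float] = None) -> bool:
    """Host-side check: correct for the current or previous window, and single-use."""
    now = time.time() if now is None else now
    key = (userid, appl, ticket)
    if key in _used_tickets:
        return False             # replay of an already redeemed substitute
    for w in (_window(now), _window(now) - 1):   # tolerate clock skew across a boundary
        if hmac.compare_digest(_ticket_for(userid, appl, w), ticket):
            _used_tickets.add(key)
            return True
    return False


def substitute_logon(message: str, userid: str, ticket: str) -> str:
    """Replace the client's placeholders with the located userid and the substitute."""
    if USERID_PLACEHOLDER not in message or PASSWORD_PLACEHOLDER not in message:
        raise ValueError("log on message lacks the expected placeholders")
    return message.replace(USERID_PLACEHOLDER, userid).replace(PASSWORD_PLACEHOLDER, ticket)


def transparent_logon(cert_der: bytes, appl: str, client_message: str,
                      now: Optional[float] = None) -> Optional[str]:
    """Server-side flow: certificate -> credentials -> substitute -> completed log on."""
    userid = lookup_userid(cert_der)
    if userid is None:
        return None              # unknown certificate: do not fabricate a logon
    ticket = generate_passticket(userid, appl, now)
    return substitute_logon(client_message, userid, ticket)


if __name__ == "__main__":
    print(transparent_logon(CLIENT_CERT_DER, "TSO",
                            "LOGON $USERID$ PASSWORD($PASSWORD$)"))
```

The point of the generated substitute over a stored password is visible in `validate_passticket`: the token is worthless outside its time window and cannot be redeemed twice, so a copy captured from the host session or from server memory does not become a reusable credential. The client never sees the userid or the substitute; it only ever sends the placeholder message, and the unmodified host application receives an ordinary userid and password.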
The present invention will now be described with reference to the following drawings, in which like reference numbers denote the same element throughout.