1. Field of the Invention
The present invention relates to computer systems, and deals more particularly with methods, systems, computer program products, and methods of doing business wherein legacy application/data access is integrated with single sign-on in a modern distributed computing environment (such as the public Internet).
2. Description of the Related Art
One of the challenges that continues to confront information services (“IS”) professionals is the difficulty of integrating legacy mainframe host applications and data with modern computing environments and their modern user interfaces. In particular, it is necessary to extend the reach of many legacy applications such that they can be accessed through the Internet and in World Wide Web-enabled environments (for example, for business-to-business or “B2B” use and/or for business-to-consumer or “B2C” use). (The term “Web” is used hereinafter to refer to the World Wide Web as well as the Internet, for ease of reference.)
As is known in the art, most legacy host applications present their data through text-based user interfaces designed for use on specific, obsolete character-based terminals, whereas modern end-user devices almost universally support graphical user interfaces. The legacy applications were typically written with this character-based terminal presentation space as the only interface format in which the host data output is created, and in which host data input is expected. (“Presentation space” is a term used abstractly to refer to the collection of information that together comprises the information to be displayed on a user interface screen, as well as the control data that conveys how and where that information is to be presented.).
Typical character-based terminals are those from the IBM® Model 327x family (such as a Model 3277, 3279, etc.). (“IBM” is a registered trademark of International Business Machines Corporation.) The Model 3277 terminal, for example, was designed to display information in a matrix of characters, where the matrix consisted of 24 rows each having 80 columns. When programs were written expecting this display format, programmers would specify placement of information on the screen using specific row and column locations. Information formatted for this display is sent as a “data stream” to the mechanism in the display hardware that is responsible for actually displaying the screen contents. The phrase “data stream” refers to the fact that the data is sent as a linear string, or stream, of characters. This stream of characters contains both the actual textual information to be displayed on the screen, as well as information specifying where and how the text is to be displayed. “Where” consists of the row and column where the text is to begin, and “how” comprises a limited number of presentation attributes such as what color to use when displaying that text, the color of the background, etc.
Data processing systems, methods, and computer program products that use the 3270 data stream architecture have been widely used for decades. The 3270 data stream architecture has been so widely used that it has become a de facto standard format, and consequently, systems and applications using the 3270 data stream architecture are often referred to as “legacy” systems and “legacy” applications (or equivalently, “legacy host systems” and “legacy host applications”).
An example of a legacy host application is IBM's CICS® transaction server. An example of a legacy host system is a legacy database system, such as IBM's IMS® database system. (“CICS” and “IMS” are registered trademarks of IBM.) Hereinafter, the phrases “legacy host application”, “legacy application”, and “host application” are used interchangeably, are intended to refer equivalently to legacy host systems (or the data accessed through such applications or systems).
The IBM Model 525x family includes different types of character-based terminals. These terminals display data in a slightly different manner from the IBM 327x models, and consequently use a different data stream format. The “5250 data stream” also became a de facto standard format for displays having similar characteristics.
A third type of data stream format commonly used by legacy host applications is referred to simply as an “ASCII data stream” (or equivalently as a Virtual Terminal, or “VT”, data stream). While an ASCII data stream is not formatted for a specific model of display screen, a data stream in this format has certain predefined characteristics (for example, the manner in which a control character indicates the line spacing to be used).
The displays used with modern computer devices (including personal computers, handheld computing devices, network computers, and other types of computers, referred to hereinafter as “workstations” for ease of reference) support graphics and video, in addition to text characters, as is well known. These displays do not use a character-based row and column matrix approach to screen layout. Instead, an application program in this environment has access to thousands of tiny display elements, allowing the various types of information to be placed virtually anywhere on the display screen.
When a modern computer workstation is used to access a legacy host application running on a mainframe or a server, the output data created by that host application is often still formatted as one of the character-based data stream formats. It is therefore necessary to convert between the character-based data stream format sent from, and expected by, the legacy application (using the presentation space for transferring data) and a format that is usable by the modern user interface.
This problem has been recognized for a number of years, and consequently, a number of products and techniques have been developed. It became clear early on that rewriting the legacy applications was not a viable approach in many situations, for a number of reasons (including lack of the required programming skills, the considerable time and expense that would be involved, lack of access to the legacy source code, etc.). Thus, most modern workstations communicate with legacy host applications by relying on other products to perform transformations of the data streams.
In particular, one of the more common ways for integrating legacy host applications with modern computing environments is to use software emulation or an emulator product to allow communication between the distributed computing environment and the host application. Emulators perform transformations on data streams so that communication can occur; these techniques are well known in the art, and will not be described in detail herein. For purposes of discussion herein, is it assumed that an emulator product implementing the Telnet 3270 (“TN3270”) emulation protocol may be used. The TN3270 protocol is used to provide emulation of the 3270 data stream, as is well known to those familiar with the art. (Note that the TN3270 protocol is used by way of illustration only: the novel techniques of the present invention are not limited to scenarios using the TN3270 protocol or to use of TN3270 emulators.)
Many host applications and their data have, from their origin, been protected through the use of a host access control facility or host access agent, or other similar mainframe-based security systems (referred to generally herein as “host access agents”). A widely-used host access agent is the program product commonly referred to as “Resource Access Control Facility”, or “RACF®”. (“RACF” is a registered trademark of IBM.) These mainframe-based host access agents typically require users to provide a user identifier (“user ID”) and password in order to gain access to the protected host applications and data. The user ID and password are normally used to authenticate the user and determine what access privileges are authorized for that user; this process is sometimes referred to as determining the user's “credentials”.
When a user wants to access data or legacy applications on a host mainframe from a client workstation over a network connection in a modern computing environment, the user normally must provide a separate user ID and password to the host application to satisfy the security requirements of the host access agent, in addition to the user ID and password the user supplies for accessing the modern environments (e.g., to access the Internet or Web). This double entry of identifying information causes user frustration, and is time-consuming and inefficient. Storing multiple sets of user ID and password information for users, and making sure that changes are synchronized and propagated to each set when necessary, also places a heavy administrative burden on an enterprise.
It is preferable to provide users (whether human or programmatic) with seamless authentication and authorization for using multiple applications within a single user session, where this seamless user identification requires the user to identify himself only once per user session. This is commonly referred to as “single sign-on”. In addition to eliminating the need for users to provide identifying information multiple times, single sign-on will enable minimizing the number of different user IDs and passwords a user must create and remember, and will reduce the administrative burden of maintaining security (e.g., by reducing the number of requests for an administrator to reset a forgotten password) for password-protected applications and data.
Ideally, single sign-on should allow a user to access all of his Internet-based applications, as well as applications that provide access to legacy host applications and/or data. Examples of applications that allow the user to access legacy host applications include IBM's Host-On-Demand, Personal Communications, and Host Publisher products; the way in which users identify themselves to these products should be consistent with how they do so with other Web applications. Enterprises have recently started providing host access through products such as these, whereby emulators are accessible from a Web location (rather than requiring each workstation user to install emulator software on his own workstation). Enterprises are also deploying technology that provides single sign-on capability for Web-based applications, whereby a user identifies himself when signing on to a Web site, and this identification seamlessly carries through to other Web-based applications using a session-based security token created during an initial secure sign-on. For example, the Secure Sockets Layer protocol, or “SSL”, may be used when the client workstation establishes a secure connection to a Web server. The user's identifying information may be obtained from a security token created during this exchange, and may then be used to seamlessly and transparently identify the user to other Web-based applications. This technology is found in commercially-available products such as Tivoli® Access Manager, from IBM, and Netegrity SiteMinder®, a product of Netegrity, Inc. (“Tivoli” is a registered trademark of Tivoli Systems, Inc., and “SiteMinder” is a registered trademark of Netegrity, Inc.)
It is desirable to use this same session-based security token to grant secure access to legacy host applications, thereby realizing advantages of single sign-on for all applications a user might access within a single session. However, host access agents such as RACF do not understand Web security tokens. Accordingly, what is needed are techniques for integrating legacy host application access with single sign-on in distributed computing environments, and in particular, in environments where the initial sign-on uses a Web security token.