Architecture

The following figure shows the WEL architecture using DCAS and RACF® as the example host credential mapper.

Figure 1. WEL architecture
  1. The user submits a request to connect to a ZIETrans application through a Network Security Application (NSA).

    The NSA authenticates the user using either an X.509 certificate or a user ID and password. After authentication, the NSA authorizes access to the requested application based on the policy information associated with the user. The NSA then passes the user's network credentials (network ID) through the Web server to the WebSphere® Application Server.

    IBM® Tivoli® Access Manager is an example of an NSA.

  2. WebSphere Application Server routes the request to ZIETrans.
  3. The ZIETrans runtime starts a Telnet connection to the host.
  4. The ZIETrans macro handler runs the WEL logon macro. See How to create a WEL logon macro. WEL receives a Java™ function call from the macro requesting that host credentials (host user ID and password or passticket) be returned.
  5. WEL calls the appropriate Network Security plug-in to retrieve the user's network ID from where it was saved by the NSA.

    You must configure in ZIETrans the Network Security plug-in that corresponds to the NSA being used. See Network Security plug-in.

  6. The Network Security plug-in returns the user's network ID.
  7. WEL calls the appropriate Credential Mapper plug-in to convert the user's network ID and host application ID to host credentials (host user ID and password or passticket).

    You must configure in ZIETrans the Credential Mapper plug-ins that correspond to the credential mappers being used. See Credential Mapper plug-ins.

  8. The Credential Mapper plug-in looks up the mapping from the user's network ID (and host application ID) to a host user ID. In this case the lookup is a query against a JDBC-accessible database such as IBM DB2®.

    The Credential Mapper plug-ins provided with ZIETrans are designed to use a JDBC-accessible database. Another possibility is to use an LDAP directory. However, if you use LDAP, you must create your own custom plug-in. For more information see the chapter, Creating plug-ins for Web Express Logon.

  9. The Credential Mapper plug-in calls the back-end credential mapper (in this case DCAS and RACF) with the host user ID and host application ID and requests a passticket.
  10. RACF generates and returns a passticket.
  11. The Credential Mapper plug-in returns the host user ID and passticket to WEL.
  12. WEL returns the host user ID and passticket to the macro.
  13. The macro inserts the host user ID and passticket onto the host logon screen.
  14. The host application verifies the host user ID and passticket and allows the connection.
  15. The host application screen is presented to the user.
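The credential-mapping path (steps 5 through 12) as an added, runnable illustration. This is not ZIETrans or IBM code: the plug-in class names, the session attribute in which the NSA is assumed to have stored the network ID, the sqlite3 table standing in for the JDBC-accessible mapping database, and the DCAS stand-in that returns a short-lived token in place of a RACF-generated passticket are all assumptions made for this example. What it shows beyond the list above is that the mapping is keyed on the pair (network ID, host application ID), that the lookup is parameterized so an odd network ID cannot alter the query, that a missing mapping denies the logon rather than falling back to anything, and that the passticket is time-bound rather than a stored password.

```python
"""Simulated Web Express Logon credential-mapping path (steps 5 to 12).

Added illustration, not ZIETrans code. Class names, the session attribute,
the sqlite schema and the DCAS stand-in are assumptions for this example.
"""
import hashlib
import hmac
import sqlite3
import time
from dataclasses import dataclass
from typing import Optional


class CredentialMappingError(Exception):
    """Raised when WEL cannot produce host credentials for a request."""


class NetworkSecurityPlugin:
    """Steps 5 and 6: return the network ID the NSA saved for this session.

    Assumption: the NSA placed it in a session attribute of this name."""

    def __init__(self, attribute_name: str = "nsa.network_id"):
        self.attribute_name = attribute_name

    def get_network_id(self, session: dict) -> str:
        network_id = session.get(self.attribute_name)
        if not network_id:
            raise CredentialMappingError("no network ID in session: NSA did not authenticate")
        return network_id


class DcasStandIn:
    """Stand-in for DCAS/RACF (steps 9 and 10).

    A real passticket is generated by RACF from its secured signon key; this
    stand-in returns an 8-character token bound to a time window so the flow
    can run offline. It is not the RACF PassTicket algorithm."""

    def __init__(self, secret: bytes, window_seconds: int = 600):
        self._secret = secret
        self.window_seconds = window_seconds

    def passticket(self, host_user_id: str, host_app_id: str,
                   now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        window = int(now // self.window_seconds)
        msg = f"{host_user_id}:{host_app_id}:{window}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return digest[:8].upper()


@dataclass(frozen=True)
class HostCredentials:
    host_user_id: str
    passticket: str


class JdbcCredentialMapperPlugin:
    """Steps 7 to 11: map (network ID, host application ID) to a host user ID
    with a parameterized query, then request a passticket from DCAS.

    sqlite3 stands in for the JDBC-accessible database (DB2 in the text)."""

    def __init__(self, conn: sqlite3.Connection, dcas: DcasStandIn):
        self.conn = conn
        self.dcas = dcas

    def get_host_credentials(self, network_id: str, host_app_id: str) -> HostCredentials:
        # The network ID came from the NSA, not typed by the user, but it is
        # still external input: bind it as a parameter, never concatenate it.
        row = self.conn.execute(
            "SELECT host_user_id FROM wel_map WHERE network_id = ? AND host_app_id = ?",
            (network_id, host_app_id),
        ).fetchone()
        if row is None:
            # No mapping means no logon; there is no fallback credential.
            raise CredentialMappingError(
                f"no host user ID mapped for {network_id!r} on {host_app_id!r}")
        host_user_id = row[0]
        return HostCredentials(host_user_id, self.dcas.passticket(host_user_id, host_app_id))


def build_mapping_db() -> sqlite3.Connection:
    """Constructed sample mapping table (not real data): one network ID can
    map to different host user IDs on different host applications."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wel_map (network_id TEXT, host_app_id TEXT, host_user_id TEXT,"
        " PRIMARY KEY (network_id, host_app_id))"
    )
    conn.executemany("INSERT INTO wel_map VALUES (?, ?, ?)", [
        ("jdoe@example.com", "CICSPROD", "JDOE01"),
        ("jdoe@example.com", "IMSPROD", "JDOE02"),
    ])
    conn.commit()
    return conn


def wel_logon_credentials(session: dict, host_app_id: str,
                          nsa_plugin: NetworkSecurityPlugin,
                          cm_plugin: JdbcCredentialMapperPlugin) -> HostCredentials:
    """Step 12: what WEL hands back to the logon macro for one request."""
    network_id = nsa_plugin.get_network_id(session)
    return cm_plugin.get_host_credentials(network_id, host_app_id)


if __name__ == "__main__":
    nsa = NetworkSecurityPlugin()
    cm = JdbcCredentialMapperPlugin(build_mapping_db(), DcasStandIn(b"example-key"))
    creds = wel_logon_credentials({"nsa.network_id": "jdoe@example.com"}, "CICSPROD", nsa, cm)
    print(creds.host_user_id, creds.passticket)
```

The macro in step 13 receives only `host_user_id` and `passticket`; nothing in this path reads or returns a stored host password, which is the point of mapping to a passticket rather than to a credential store.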