Authenticated identity propagation and translation within a multiple computing unit environment
First Claim
1. An authenticated identity propagation and translation method implemented via one or more computer programs executing at one or more computing components of a multi-component transaction processing environment, the method comprising:
- establishing an authenticated client-user identity at a distributed component of a multi-component transaction processing environment, the multi-component transaction processing environment further comprising at least one mainframe component, the distributed component and the at least one mainframe component employing security services with disparate user registries and different user identities for the client-user, and wherein the security services of the distributed component and the at least one mainframe component have a security trust relationship established therebetween and are coupled together via a secure networking function;
responsive to an initiated transaction request by the authenticated client-user at the distributed component requiring processing of a further transaction request at the at least one mainframe component, constructing a distributed security information message at the distributed component, the distributed security information message comprising an identity of the distributed component as known at the at least one mainframe component, and the authenticated client-user identity as known at the distributed component, and appending the distributed security information message to the further transaction request for forwarding from the distributed component to the at least one mainframe component;
validating the distributed security information message at the at least one mainframe component, and once validated, mapping at the at least one mainframe component the authenticated client-user identity of the client-user at the distributed component to a local mainframe identity employing the distributed security information message, and creating a local authenticated runtime security context representative of the local mainframe identity and the authenticated client-user identity for execution of the further transaction request at the at least one mainframe component; and
further employing the distributed security message information at the at least one mainframe component when creating an audit record representative of execution of the further transaction request at the at least one mainframe component to associate the authenticated client-user identity at the distributed component therewith, wherein audit records of the at least one mainframe component can be employed in tracking execution of the further transaction request at the at least one mainframe component, and hence, tracking processing of the initiated transaction request of the client-user within the multi-component transaction processing environment.
1 Assignment
0 Petitions
Accused Products
Abstract
An authenticated identity propagation and translation technique is provided based on a trust relationship between multiple user identification and authentication services resident on different computing components of a multi-component transaction processing computing environment including distributed and mainframe computing components. The technique includes, in one embodiment, forwarding, in association with transaction requests, identified and authenticated user identification and authentication information from a distributed component to a mainframe component, facilitating the selection of the appropriate mainframe user identity with which to execute the mainframe portion of the transaction, and creating the appropriate run-time security context.
-
Citations
20 Claims
-
1. An authenticated identity propagation and translation method implemented via one or more computer programs executing at one or more computing components of a multi-component transaction processing environment, the method comprising:
-
establishing an authenticated client-user identity at a distributed component of a multi-component transaction processing environment, the multi-component transaction processing environment further comprising at least one mainframe component, the distributed component and the at least one mainframe component employing security services with disparate user registries and different user identities for the client-user, and wherein the security services of the distributed component and the at least one mainframe component have a security trust relationship established therebetween and are coupled together via a secure networking function; responsive to an initiated transaction request by the authenticated client-user at the distributed component requiring processing of a further transaction request at the at least one mainframe component, constructing a distributed security information message at the distributed component, the distributed security information message comprising an identity of the distributed component as known at the at least one mainframe component, and the authenticated client-user identity as known at the distributed component, and appending the distributed security information message to the further transaction request for forwarding from the distributed component to the at least one mainframe component; validating the distributed security information message at the at least one mainframe component, and once validated, mapping at the at least one mainframe component the authenticated client-user identity of the client-user at the distributed component to a local mainframe identity employing the distributed security information message, and creating a local authenticated runtime security context representative of the local mainframe identity and the authenticated client-user identity for execution of the further transaction request at the at least one mainframe component; and further employing the distributed security message information at the at least one mainframe component when creating an audit record representative of execution of the further transaction request at the at least one mainframe component to associate the authenticated client-user identity at the distributed component therewith, wherein audit records of the at least one mainframe component can be employed in tracking execution of the further transaction request at the at least one mainframe component, and hence, tracking processing of the initiated transaction request of the client-user within the multi-component transaction processing environment. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. An authenticated identity propagation and translation system for a multi-component transaction processing environment, the system comprising:
-
means for establishing an authenticated client-user identity at a distributed component of a multi-component transaction processing environment, the multi-component transaction processing environment further comprising at least one mainframe component, the distributed component and the at least one mainframe component employing security services with disparate user registries and different user identities for the client-user, and wherein the security services of the distributed component and the at least one mainframe component have a security trust relationship established therebetween and are coupled together via a secure networking function; means for constructing a distributed security information message at the distributed component responsive to an initiated transaction request by the authenticated client-user at the distributed component requiring processing of a further transaction request at the at least one mainframe component, the distributed security information message comprising an identity of the distributed component as known at the at least one mainframe component, and the authenticated client-user identity as known at the distributed component, and for appending the distributed security information message to the further transaction request for forwarding from the distributed component to the at least one mainframe component; means for validating the distributed security information message at the at least one mainframe component, and once validated, for mapping at the at least one mainframe component the authenticated client-user identity of the client-user at the distributed component to a local mainframe identity employing the distributed security information message, and for creating a local authenticated runtime security context representative of the local mainframe identity and the authenticated client-user identity for execution of the further transaction request at the at least one mainframe component; and means for further employing the distributed security message information at the at least one mainframe component when creating an audit record representative of execution of the further transaction request at the at least one mainframe component to associate the authenticated client-user identity at the distributed component therewith, wherein audit records of the at least one mainframe component can be employed in tracking execution of the further transaction request at the at least one mainframe component, and hence, tracking processing of the initiated transaction request of the client-user within the multi-component transaction processing environment. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
-
-
20. At least one program storage device readable by a machine, tangibly embodying at least one program of instructions executable by the machine to perform an authenticated identity propagation and translation method for a multi-component transaction processing environment, the method comprising:
-
establishing an authenticated client-user identity at a distributed component of a multi-component transaction processing environment, the multi-component transaction processing environment further comprising at least one mainframe component, the distributed component and the at least one mainframe component employing security services with disparate user registries and different user identities for the client-user, and wherein the security services of the distributed component and the at least one mainframe component have a security trust relationship established therebetween and are coupled together via a secure networking function; responsive to an initiated transaction request by the authenticated client-user at the distributed component requiring processing of a further transaction request at the at least one mainframe component, constructing a distributed security information message at the distributed component, the distributed security information message comprising an identity of the distributed component as known at the at least one mainframe component, and the authenticated client-user identity as known at the distributed component, and appending the distributed security information message to the further transaction request for forwarding from the distributed component to the at least one mainframe component; validating the distributed security information message at the at least one mainframe component, and once validated, mapping at the at least one mainframe component the authenticated client-user identity of the client-user at the distributed component to a local mainframe identity employing the distributed security information message, and creating a local authenticated runtime security context representative of the local mainframe identity and the authenticated client-user identity for execution of the further transaction request at the at least one mainframe component; and further employing the distributed security message information at the at least one mainframe component when creating an audit record representative of execution of the further transaction request at the at least one mainframe component to associate the authenticated client-user identity at the distributed component therewith, wherein audit records of the at least one mainframe component can be employed in tracking execution of the further transaction request at the at least one mainframe component, and hence, tracking processing of the initiated transaction request of the client-user within the multi-component transaction processing environment.
-
Specification