Identifying IIOP users

For the IIOP application protocol, if the client sends a client certificate, you can identify the user by a user ID that you have previously associated with that certificate in the external security manager. IIOP users cannot register certificates automatically, so the association must be set up by an administrator before the client connects. For more information, see Associating a RACF user ID with a certificate.

In some situations, CICS can also supply a user ID on behalf of the client. The ID can be supplied by a user-replaceable program specified in the URM attribute of the TCPIPSERVICE resource definition. For more information about the user-replaceable program, see Java™ Applications in CICS®. Where a user-replaceable program could be used but none is specified, the user ID can default to the CICS default user ID, and the request then runs with whatever authority that default user ID has been given.

The method used to identify the user is determined by the AUTHENTICATE and SSL attributes of the TCPIPSERVICE definition:
Table 1. How the user of an IIOP client is identified

AUTHENTICATE(NO) with SSL(NO) or SSL(YES)
    The user ID can be provided by the user-replaceable program specified in the URM attribute of the TCPIPSERVICE resource definition. Alternatively, it can be allowed to default to the CICS default user ID.

AUTHENTICATE(NO) with SSL(CLIENTAUTH)
    If the client sends a certificate that is associated with a user ID, that user ID applies.
    If the client does not send a certificate, or sends a certificate that is not associated with a user ID, the user ID can be provided by the user-replaceable program or allowed to default to the CICS default user ID.

AUTHENTICATE(CERTIFICATE) with SSL(CLIENTAUTH)
    If the client sends a certificate that is associated with a user ID, that user ID applies.
    If the client does not send a certificate, or sends a certificate that is not associated with a user ID, the connection is rejected.
    The user-replaceable program cannot be used when the CERTIFICATE option is specified.

AUTHENTICATE(ASSERTED) with SSL(CLIENTAUTH)
    The client in this case is typically an intermediate server. If the client sends a certificate that is associated with a user ID, it is trusted to identify and authenticate its own clients, and the user ID sent in the IIOP request applies without further authentication by CICS.
    If the client does not send a certificate, or sends a certificate that is not associated with a user ID, the connection is rejected.
    The user-replaceable program cannot be used when the ASSERTED option is specified.

Note: This table does not list combinations of values for the AUTHENTICATE and SSL attributes that are invalid and cannot be specified in the TCPIPSERVICE definition.
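The following script is an added example; it is not from this page or from CICS. It parses DFHCSDUP-style DEFINE TCPIPSERVICE statements (constructed sample input; the service, group and program names such as IIOPGRP, MYIIOPUR and IIOPSRV are hypothetical), applies the AUTHENTICATE and SSL rules of Table 1 to an incoming request, and lists the IIOP services on which a request can end up running under the CICS default user ID. The DFLTUSER value CICSUSER, and the idea that the user-replaceable program returns a user ID which the caller passes in as urm_user, are assumptions of the example.

```python
"""Model the IIOP user-identification rules of a CICS TCPIPSERVICE definition.

Added example, not from the page or from CICS itself. It parses DFHCSDUP-style
DEFINE TCPIPSERVICE statements, applies the AUTHENTICATE/SSL rules from Table 1
to a request, and flags services on which a request can run under the CICS
default user ID.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed site value of the DFLTUSER system initialization parameter.
DEFAULT_USER = "CICSUSER"

# Constructed sample input in DFHCSDUP DEFINE syntax. Service, group and
# program names (IIOPGRP, MYIIOPUR, IIOPSRV, ...) are hypothetical.
SAMPLE_CSD = """\
DEFINE TCPIPSERVICE(IIOPOPEN) GROUP(IIOPGRP) DESCRIPTION('No TLS, no auth')
       PROTOCOL(IIOP) PORTNUMBER(683) TRANSACTION(CIRR)
       SSL(NO) AUTHENTICATE(NO) URM(NO)
DEFINE TCPIPSERVICE(IIOPURM) GROUP(IIOPGRP)
       PROTOCOL(IIOP) PORTNUMBER(684) TRANSACTION(CIRR)
       SSL(CLIENTAUTH) AUTHENTICATE(NO) URM(MYIIOPUR)
DEFINE TCPIPSERVICE(IIOPCERT) GROUP(IIOPGRP)
       PROTOCOL(IIOP) PORTNUMBER(685) TRANSACTION(CIRR)
       SSL(CLIENTAUTH) AUTHENTICATE(CERTIFICATE) CERTIFICATE(IIOPSRV)
DEFINE TCPIPSERVICE(IIOPASRT) GROUP(IIOPGRP)
       PROTOCOL(IIOP) PORTNUMBER(686) TRANSACTION(CIRR)
       SSL(CLIENTAUTH) AUTHENTICATE(ASSERTED) CERTIFICATE(IIOPSRV)
DEFINE TCPIPSERVICE(WEBSVC) GROUP(IIOPGRP)
       PROTOCOL(HTTP) PORTNUMBER(8080) TRANSACTION(CWXN)
"""


@dataclass
class IiopRequest:
    """What CICS can see when the request arrives."""
    cert_user: Optional[str] = None      # RACF user ID associated with the client
                                         # certificate; None if no certificate was
                                         # sent or it is not associated with one
    asserted_user: Optional[str] = None  # user ID carried in the IIOP request
                                         # (only honoured under ASSERTED)


def parse_tcpipservices(csd_text: str) -> dict:
    """Return {name: {ATTR: value}} for every DEFINE TCPIPSERVICE with PROTOCOL(IIOP)."""
    services = {}
    for stmt in re.split(r"(?m)^\s*DEFINE\s+", csd_text)[1:]:
        attrs = {k.upper(): v.strip("'")
                 for k, v in re.findall(r"(\w+)\(([^)]*)\)", stmt)}
        name = attrs.pop("TCPIPSERVICE", None)
        if name and attrs.get("PROTOCOL", "").upper() == "IIOP":
            services[name] = attrs
    return services


def identify_user(svc: dict, req: IiopRequest, urm_user: Optional[str] = None):
    """Apply Table 1. Returns (source, user_id); source 'rejected' means the
    connection is refused. urm_user is what the URM would supply, if any
    (assumption: the URM is modelled as simply returning a user ID)."""
    auth = svc.get("AUTHENTICATE", "NO").upper()   # CICS default is NO
    ssl = svc.get("SSL", "NO").upper()             # CICS default is NO
    urm = svc.get("URM", "NO").upper()
    if auth == "NO":
        # A certificate can only have been received under SSL(CLIENTAUTH).
        if ssl == "CLIENTAUTH" and req.cert_user:
            return ("certificate", req.cert_user)
        if urm != "NO" and urm_user:
            return ("urm", urm_user)
        return ("default", DEFAULT_USER)
    if ssl != "CLIENTAUTH":
        raise ValueError(f"AUTHENTICATE({auth}) is only listed with SSL(CLIENTAUTH)")
    if req.cert_user is None:
        # No certificate, or a certificate not associated with a user ID.
        return ("rejected", None)
    if auth == "CERTIFICATE":
        return ("certificate", req.cert_user)
    if auth == "ASSERTED":
        # The certificate identifies the intermediate server; the end user is
        # whatever that trusted intermediate asserted in the IIOP request.
        return ("asserted", req.asserted_user)
    raise ValueError(f"AUTHENTICATE({auth}) is not covered by Table 1")


def default_user_exposure(services: dict) -> list:
    """Names of IIOP services on which a request can run as the CICS default user."""
    return sorted(name for name, svc in services.items()
                  if svc.get("AUTHENTICATE", "NO").upper() == "NO")


if __name__ == "__main__":
    svcs = parse_tcpipservices(SAMPLE_CSD)
    for name, svc in svcs.items():
        for req in (IiopRequest(), IiopRequest(cert_user="ALICE", asserted_user="BOB")):
            print(name, req, "->", identify_user(svc, req, urm_user="URMUSR"))
    print("can fall back to", DEFAULT_USER + ":", default_user_exposure(svcs))
```

Run it against an EXTRACT or LIST of your own CSD instead of SAMPLE_CSD to see which IIOP services let an unauthenticated request fall through to the default user ID; only AUTHENTICATE(CERTIFICATE) and AUTHENTICATE(ASSERTED) reject a request that carries no usable certificate.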