In many systems, the user's authenticity is verified by checking a password
supplied by the user. In a system in which there is no possibility of a password
being intercepted, this level of authentication may be sufficient; however,
in an insecure network, it is possible that passwords can be intercepted
and used to impersonate legitimate users of the system.

In an environment where your applications may be accessed by users across
the internet, and by users who are outside the control of your organization,
a more secure method of authentication is required.

On the other hand, there are situations where a limited level of authentication
is sufficient. If you have a client system that authenticates its users, and
communicates with a server in a secure environment, you may not need to authenticate
end users at the server, but can rely entirely on the client's authentication
mechanisms.
CICS® supports the following authentication schemes:

- Basic authentication: The client's identity is authenticated by a password.
  This level of authentication is appropriate in an environment where passwords
  cannot be intercepted and used to impersonate an end user. You can use basic
  authentication with the HTTP and ECI application protocols.

- SSL client certificate authentication: The client's identity is authenticated
  with a client certificate issued by a trusted third party (or Certificate
  Authority). This level of authentication is appropriate in an environment
  where information flowing in the network could be intercepted and used to
  impersonate an end user. You can use SSL client certificate authentication
  with the HTTP and IIOP application protocols.

- Asserted identity authentication: Asserted identity authentication can be
  used when an IIOP client communicates with the target server through an
  intermediate server, and both servers use the same security manager:

  - The intermediate server's identity is authenticated by the target server
    using SSL client certificate authentication.
  - Through the security manager, the target server verifies that the
    intermediate server can be trusted to authenticate its clients.
  - When the intermediate server receives a request, it authenticates the
    client using whatever authentication protocol is appropriate. If the
    client is successfully authenticated, the intermediate server passes the
    request to the target server.
  - Because the target server trusts the intermediate server to authenticate
    the client, it makes no further checks of the client's authenticity before
    processing the client's request.

  You can use asserted identity authentication with the IIOP application
  protocol. In CICS, a CorbaServer can be configured as an intermediate or
  target server.
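The four asserted identity steps above, modelled as an added example (not CICS code) so that the target server's decision rule is explicit: an asserted user ID is accepted only when the sending server passes the SSL client certificate check and the security manager lists it as trusted to assert identities. The user, certificate and server names are constructed placeholders, and basic authentication stands in for whatever protocol the intermediate server actually uses.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data (placeholders, not CICS or security manager configuration):
CLIENT_PASSWORDS = {"ALICE": "s3cret"}                  # users known to the intermediate server
CERT_TO_SERVER = {"cert:inter1": "INTER1", "cert:srvX": "SRVX"}  # SSL certs the target accepts
TRUSTED_ASSERTERS = {"INTER1"}                          # servers trusted to assert identities


@dataclass
class IiopRequest:
    client_cert: Optional[str]    # certificate presented over SSL by the sending server
    asserted_user: Optional[str]  # identity asserted by the intermediate, None if not asserted
    payload: str


def intermediate_server(user: str, password: str, payload: str) -> Optional[IiopRequest]:
    """Step 3: authenticate the end user (basic auth here), then forward the request
    with the authenticated identity asserted. A failed logon is never forwarded."""
    if CLIENT_PASSWORDS.get(user) != password:
        return None
    return IiopRequest(client_cert="cert:inter1", asserted_user=user, payload=payload)


def target_server(req: IiopRequest, trusted=TRUSTED_ASSERTERS) -> Tuple[str, str]:
    """Steps 1, 2 and 4: decide which identity, if any, the request runs under."""
    sender = CERT_TO_SERVER.get(req.client_cert)
    if sender is None:                         # step 1: SSL client certificate check failed
        return ("reject", "sender certificate missing or not recognised")
    if req.asserted_user is None:              # plain SSL client cert auth, nothing asserted
        return ("accept", sender)
    if sender not in trusted:                  # step 2: security manager does not trust sender
        return ("reject", f"{sender} is not trusted to assert identities")
    return ("accept", req.asserted_user)       # step 4: no further check of the client


def run(user: str, password: str, payload: str = "ORDER") -> Tuple[str, str]:
    """End-to-end flow: client logs on to the intermediate, which forwards to the target."""
    req = intermediate_server(user, password, payload)
    return ("reject", "client logon failed") if req is None else target_server(req)
```

The last two checks in `target_server` are the ones that matter operationally: a valid certificate alone does not let a server assert identities, and an asserted identity from an untrusted server is rejected rather than silently downgraded.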