- Authentication is the process by which a service accurately establishes
the authenticity of a user making a request.
- Identification is the process by which the identity of a user is
established. Typically, the term user ID is used to denote the user's
identity; in Java™ parlance, the term principal is used.
The two processes are related because, in many cases, the information
used to authenticate a user is also used for identification. For example,
in a scheme that uses a user ID and password, the user ID alone identifies
the user, while the combination of user ID and password authenticates the
user.
Authentication is provided by one of the following
mechanisms:
- Basic authentication
- SSL client certificate authentication
- Asserted identity authentication
See the
CICS® RACF® Security
Guide for more information.
For IIOP requests, you can identify
the user in the following ways:
The authentication and identification schemes are specified in the CORBASERVER
and TCPIPSERVICE resource definitions. Each CORBASERVER is associated with
one or more TCPIPSERVICE definitions; each TCPIPSERVICE supports a different
mechanism for authentication and identification:
- The ASSERTED attribute of the CORBASERVER names a TCPIPSERVICE
that supports inbound IIOP with asserted identity authentication.
- The BASIC attribute of the CORBASERVER names a TCPIPSERVICE that supports
inbound IIOP with basic authentication.
- The CLIENTCERT attribute of the CORBASERVER names a TCPIPSERVICE that
supports inbound IIOP with SSL client certificate authentication.
- The SSLUNAUTH attribute names a TCPIPSERVICE that supports inbound IIOP
with SSL encryption and no client authentication.
- The UNAUTH attribute names a TCPIPSERVICE that supports inbound IIOP with
no authentication.
Note:
- To change the association between an installed CORBASERVER definition
and its TCPIPSERVICE definitions, you must discard and reinstall the
CORBASERVER definition.
- If you use SSL encryption or SSL client certificate authentication, you
must configure your CICS system to support SSL. See the CICS RACF Security
Guide.
An enterprise bean can use the getCallerPrincipal() method to obtain
information about the client that is contained in the certificate. See
Deriving distinguished names for more details.
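The following is an added illustration, not code from the CICS documentation, of how a session bean reads the caller identity that the container establishes once the IIOP request has been authenticated. It assumes an EJB 1.1/2.x style stateless session bean (the SessionBean callbacks are shown; the home and remote interfaces and the deployment descriptor are omitted), and the bean class name CallerInfoBean and the role name "auditor" are hypothetical. The point it makes is that the bean trusts the container's Principal and role mapping rather than parsing credentials itself.

```java
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/**
 * Hypothetical stateless session bean (added example, not part of the
 * CICS documentation). It never sees the password or certificate: the
 * TCPIPSERVICE mechanism authenticates the request, CICS derives the
 * user ID, and the container exposes the result as a Principal.
 */
public class CallerInfoBean implements SessionBean {

    // Hypothetical role name; it must match a security-role declared in
    // the deployment descriptor for isCallerInRole() to be meaningful.
    private static final String ROLE_AUDITOR = "auditor";

    private SessionContext ctx;

    // Container callback: the bean receives its context at creation time.
    public void setSessionContext(SessionContext ctx) {
        this.ctx = ctx;
    }

    // Remaining SessionBean lifecycle callbacks (no state to manage here).
    public void ejbCreate() throws CreateException { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }

    /**
     * Business method: returns the name of the authenticated caller as
     * established by whichever authentication mechanism the request's
     * TCPIPSERVICE was defined with.
     */
    public String callerName() {
        Principal caller = ctx.getCallerPrincipal();
        if (caller == null) {
            // Defensive: the EJB specification says the container always
            // supplies a Principal, but fail closed rather than open.
            throw new EJBException("No caller principal available");
        }
        return caller.getName();
    }

    /**
     * Business method that gates a sensitive operation on a declared role.
     * Using the container's role mapping avoids hard-coding user IDs in
     * the bean and keeps the decision consistent with the descriptor.
     */
    public String auditReport() {
        if (!ctx.isCallerInRole(ROLE_AUDITOR)) {
            throw new EJBException("Caller " + callerName()
                    + " is not in role " + ROLE_AUDITOR);
        }
        return "audit report requested by " + callerName();
    }
}
```

Because the Principal is whatever the chosen TCPIPSERVICE mechanism produced, a bean deployed behind a TCPIPSERVICE named by the UNAUTH attribute gets an identity that no credential has backed; the bean code above cannot tell the difference, which is why the CORBASERVER to TCPIPSERVICE association, not the bean, is where the authentication strength is decided.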
The derived USERID is passed with the IIOP request to the request
processor, for authentication of the request execution. If the request processor
is executing in a different CICS region, the transmission of the USERID follows
CICS rules for CONNECTION authentication.