CICS as an HTTP server: authentication and identification

For CICS® as an HTTP server, authentication schemes are specified by the AUTHENTICATE attribute of the TCPIPSERVICE definition. Identification is obtained in connection with the authentication process, or can be supplied by CICS if authentication is not needed.

Obtaining authentication and identification from Web clients is a key step in protecting your CICS system from access by unauthorized users.

Note: When CICS document templates and HFS files are delivered directly from a URIMAP definition, as a static response, basic authentication does not operate. If you need to implement access controls based on a user ID, use an application to provide the resources as a dynamic response.

Authentication

Two authentication schemes are supported by CICS for use with the HTTP protocol:
  • Basic authentication is an HTTP facility that enables a client to both authenticate and identify itself to a server by providing a user ID and password. This information is encoded using base-64 encoding, which is simple to decode. Because of this, using basic authentication as the sole means of authentication is only appropriate when there is no possibility of a password being intercepted. In most environments, basic authentication should be used in combination with SSL, so that SSL encryption is used to protect the user ID and password information. HTTP basic authentication explains basic authentication in more detail.
  • SSL client certificate authentication is a more secure method of authenticating a client, using a client certificate which is issued by a trusted third party (or Certificate Authority), and sent using SSL encryption. The CICS RACF® Security Guide explains how this works. A client certificate does not contain a user ID that can be used for identification within CICS. To achieve identification, the client certificate can be associated with a user ID in RACF or an equivalent security manager, either before the certificate is used, or automatically (using basic authentication) when the client makes its request. The RACF user ID becomes the client's user ID each time the certificate is used. The CICS RACF Security Guide explains how to set this up.
Creating TCPIPSERVICE resource definitions for CICS Web support tells you how to set up a TCPIPSERVICE definition for CICS Web support which specifies one of these authentication schemes.

When you use basic authentication or client certificate authentication, CICS handles the process of requesting authentication from the user, decoding the authentication information if necessary, checking the supplied authentication against the security manager's database, and rejecting the request if the authentication is not acceptable. An analyzer program or user-written application program is only called after the authentication has been verified and accepted.

For basic authentication, if the password supplied by the user is found to have expired, CICS prompts the user for a new password and helps them to re-submit their request. The CICS-supplied utility program DFHWBPW is used to do this. You can customize the text on the Web pages that CICS displays to the user during this process. Password expiry management for HTTP basic authentication has the information you need to do this.

For client certificate authentication, CICS verifies the supplied certificate by checking it against the security manager's database, and (optionally) against any certificate revocation list that you have set up. A user-written application can examine information obtained by this process, if this is useful for determining how to process the request. Use the EXTRACT CERTIFICATE command to retrieve:
  • Components of the issuer's or the subject's distinguished name. The CICS RACF Security Guide explains distinguished names.
  • The RACF user ID associated with the certificate.

Identification

Identification takes place when you obtain a user ID for the Web client. The ID can be obtained from the Web client:
  • During basic authentication.
  • By the association of a user ID with a client certificate.
It is also possible for CICS to supply a user ID on behalf of the Web client:
  • In the URIMAP definition for a request.
  • In an analyzer program that is used in the processing path for an application-generated request.
  • As the CICS default user ID, if no other can be determined.
It is important to note that if you supply a user ID on behalf of the Web client, there is no authentication of the client's identity. You should only do this when communicating with your own client system, which has already authenticated its users, and communicates with the server in a secure environment. The CICS RACF Security Guide explains in more detail how the user ID is determined, depending on the settings for the TCPIPSERVICE definition.
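The following Python model, added here as an illustration and not part of the CICS product or this documentation, walks through the two topics above together: it decodes an HTTP basic credential the way a server must (showing how little protection base-64 gives), applies the page's advice to accept basic credentials only on an SSL-enabled service, models the expired-password outcome that DFHWBPW handles, and returns the user ID together with whether the client actually proved its identity or CICS merely supplied one. The TcpipService and Request classes, the CONSTRUCTED_USERS table, the user IDs and the status strings are all constructed assumptions, not CICS or RACF interfaces.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional, Tuple
# Constructed stand-in for the security manager's database: userid -> (password, expired)
CONSTRUCTED_USERS = {"WEBUSER1": ("s3cret", False), "WEBUSER2": ("old-pw", True)}

@dataclass
class TcpipService:          # model of the TCPIPSERVICE attributes discussed on this page
    authenticate: str        # "NO", "BASIC" or "CERTIFICATE"
    ssl: bool                # whether the service is defined to use SSL
    default_userid: str = "CICSUSER"  # placeholder for the CICS default user ID

@dataclass
class Request:
    headers: dict
    cert_userid: Optional[str] = None    # RACF user ID associated with the client certificate
    urimap_userid: Optional[str] = None  # user ID supplied by the URIMAP definition
def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64>' to (userid, password); None if absent or malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:  # base-64 is an encoding, not encryption: anyone on the path can do this
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    userid, sep, password = raw.partition(":")
    return (userid.upper(), password) if sep else None

def identify(req: Request, svc: TcpipService) -> Tuple[Optional[str], str]:
    """Return (userid, status). Only status 'OK' means the client proved its identity."""
    if svc.authenticate == "BASIC":
        if not svc.ssl:
            return None, "CLEARTEXT_REJECTED"   # page's advice: basic auth only with SSL
        creds = decode_basic(req.headers.get("Authorization", ""))
        if creds is None:
            return None, "CHALLENGE"           # answer 401 with WWW-Authenticate: Basic
        userid, password = creds
        stored = CONSTRUCTED_USERS.get(userid)
        if stored is None or stored[0] != password:
            return None, "REJECTED"
        if stored[1]:
            return userid, "EXPIRED"           # CICS would run DFHWBPW to collect a new one
        return userid, "OK"
    if svc.authenticate == "CERTIFICATE":      # certificate already verified before we run
        return (req.cert_userid, "OK") if req.cert_userid else (None, "NO_USERID")
    # No authentication: CICS supplies an ID, but the client's identity is never verified
    return req.urimap_userid or svc.default_userid, "UNAUTHENTICATED"
```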

When the client has been identified, the client's user ID can be authorized for access to CICS services like any other user ID, using RACF or an equivalent security manager. For an application-generated response, the user ID applies to the processing performed by the alias transaction, so it needs to have certain authorities in connection with that transaction. CICS system and resource security for CICS Web support explains what these are.