For the IIOP application protocol, if the client sends a client certificate, you can identify the user by a user ID that you have previously associated with the certificate. IIOP users cannot register certificates automatically. For more information, see Associating a RACF user ID with a certificate.
In some situations, it is also possible for CICS to supply a user ID on behalf of the client. The ID can be supplied by a user-replaceable program specified in the URM attribute of the TCPIPSERVICE resource definition. For more information about the user-replaceable program, see Java™ Applications in CICS®. Where a user-replaceable program could be used but none has been specified, the user ID can default to the CICS default user ID.
AUTHENTICATE | SSL | How the user is identified |
---|---|---|
NO | NO or YES | The user ID can be provided by the user-replaceable program specified in the URM attribute of the TCPIPSERVICE resource definition. Alternatively, it can be allowed to default to the CICS default user ID. |
NO | CLIENTAUTH | If the client sends a certificate that is associated with a user ID, then that user ID applies. If the client does not send a certificate, or sends a certificate that is not associated with a user ID, then the user ID can be provided by the user-replaceable program or allowed to default to the CICS default user ID. |
CERTIFICATE | CLIENTAUTH | If the client sends a certificate that is associated with a user ID, then that user ID applies. If the client does not send a certificate, or sends a certificate that is not associated with a user ID, then the connection is rejected. The user-replaceable program cannot be used when the CERTIFICATE option is specified. |
ASSERTED | CLIENTAUTH | The client in this case is typically an intermediate server. If the client sends a certificate that is associated with a user ID, then it is trusted to identify and authenticate its own clients, and the user ID sent in the IIOP request applies. If the client does not send a certificate, or sends a certificate that is not associated with a user ID, then the connection is rejected. The user-replaceable program cannot be used when the ASSERTED option is specified. |
Note: This table does not list combinations of values for the AUTHENTICATE and SSL attributes which are invalid, and cannot be specified in the TCPIPSERVICE definition.
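The table above, worked through as a decision function (an added example, not CICS code or documentation): given the AUTHENTICATE and SSL attributes and what the client presents, it returns the user ID the request runs under or raises where the table says the connection is rejected. The `TcpipService` and `IiopClient` models, the `CICSUSER` default user ID and the `urm_user` field are assumptions for illustration; the second function flags definitions that can fall back to the default user ID, which is the case an auditor usually wants to find.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_USER = "CICSUSER"  # constructed placeholder for the region's CICS default user ID

class ConnectionRejected(Exception):
    """Raised where the table says the connection is rejected."""

@dataclass
class TcpipService:
    """The TCPIPSERVICE attributes the table keys on (hypothetical model)."""
    authenticate: str               # NO, CERTIFICATE or ASSERTED
    ssl: str                        # NO, YES or CLIENTAUTH
    urm_user: Optional[str] = None  # ID a URM program would supply; None = no URM

@dataclass
class IiopClient:
    """What the client presents on the connection (hypothetical model)."""
    cert_sent: bool = False
    cert_user: Optional[str] = None      # RACF user ID associated with the certificate
    asserted_user: Optional[str] = None  # user ID carried in the IIOP request

def identify_user(svc: TcpipService, client: IiopClient) -> str:
    """Return the user ID the request runs under, following the table row by row."""
    auth, ssl = svc.authenticate.upper(), svc.ssl.upper()
    # A certificate is only requested under CLIENTAUTH, so a mapping can apply only then.
    mapped = ssl == "CLIENTAUTH" and client.cert_sent and client.cert_user is not None
    if auth == "NO" and ssl in ("NO", "YES", "CLIENTAUTH"):
        if mapped:
            return client.cert_user
        # Absent or unmapped certificate: the URM supplies an ID, else the default user.
        return svc.urm_user or DEFAULT_USER
    if auth in ("CERTIFICATE", "ASSERTED") and ssl == "CLIENTAUTH":
        # The URM cannot be used with these options, so svc.urm_user is ignored.
        if not mapped:
            raise ConnectionRejected(f"AUTHENTICATE({auth}): no certificate mapped to a user ID")
        if auth == "CERTIFICATE":
            return client.cert_user
        if client.asserted_user is None:  # assumption: an assertion without an ID is unusable
            raise ValueError("ASSERTED request carries no user ID")
        return client.asserted_user
    # The table omits invalid combinations; treat anything else as a definition error.
    raise ValueError(f"AUTHENTICATE({auth}) SSL({ssl}) is not a listed combination")

def can_run_as_default_user(svc: TcpipService) -> bool:
    """True if unidentified IIOP clients could run under the CICS default user ID."""
    return svc.authenticate.upper() == "NO" and svc.urm_user is None
```

Note that with AUTHENTICATE(NO) and SSL(CLIENTAUTH) a certificate that is sent but not associated with a user ID still falls through to the URM or default user, whereas CERTIFICATE and ASSERTED reject it.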