For the IIOP application protocol, you can authenticate
the user using SSL client certificate authentication or asserted identity
authentication.
The authentication scheme is specified by the AUTHENTICATE
and SSL attributes of each TCPIPSERVICE:
Authentication method                           | AUTHENTICATE | SSL        | Associated CORBASERVER attribute
IIOP with no authentication                     | NO           | NO         | UNAUTH
IIOP with SSL but no authentication             | NO           | YES        | SSLUNAUTH
IIOP with SSL client certificate authentication | CERTIFICATE  | CLIENTAUTH | CLIENTCERT
IIOP with asserted identity authentication      | ASSERTED     | CLIENTAUTH | ASSERTED
A CORBASERVER can support more than one authentication scheme:
- The UNAUTH attribute specifies the name of a TCPIPSERVICE that defines the characteristics of a port
which is used for inbound IIOP with no authentication.
Note: You must specify
a value for the UNAUTH attribute when you define a CORBASERVER, even if you
intend that all inbound requests to this CORBASERVER should be authenticated.
This is because the PORTNUMBER attribute of the TCPIPSERVICE is required in
order to construct IORs that are exported from this logical server.
- The SSLUNAUTH attribute specifies the name of a TCPIPSERVICE that defines
the characteristics of a port which is used for inbound IIOP with SSL but
no authentication.
- The CLIENTCERT attribute specifies the name of a TCPIPSERVICE that defines
the characteristics of the port which is used for inbound IIOP with SSL client
certificate authentication.
- The ASSERTED attribute specifies the name of a TCPIPSERVICE
that defines the characteristics of a port which is used for inbound IIOP
with asserted identity authentication.
The authentication protocols supported by an object
are made known to clients in the IOR for the object:
- When CICS is the server, the authentication protocols are specified in
CORBASERVER resources. When the Generic Factory Interoperable Object Reference
(GenFacIOR) of the CORBASERVER is published, the authentication protocols
supported by each object are made known to clients in the GenFacIOR.
- When CICS is the client, it examines the IOR of the server object to
determine which authentication protocols the object supports, and selects
the protocol to use. If more than one protocol is supported, CICS chooses
in this order of preference:
- Asserted identity authentication
- SSL client certificate authentication
If neither protocol is supported, no authentication is used.
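As an added worked example (not from the CICS documentation and not a CICS-supplied tool), the following Python script encodes the authentication table, the CORBASERVER attribute rules (including the mandatory UNAUTH), and the client-side order of preference described above. It checks a set of CEDA-style DEFINE lines for consistency and reports which protocol a CICS client would select from what each CORBASERVER advertises. The TCPIPSERVICE and CORBASERVER names, port numbers and group in the sample listing are constructed; only the attributes relevant to IIOP authentication are shown, and SSL(CLIENTAUTH) is the TCPIPSERVICE setting that requires a client certificate. The parser assumes one DEFINE statement per line with KEYWORD(value) attributes, which is a simplification of real CEDA output.

```python
import re

# Rows of the authentication table: a TCPIPSERVICE's (AUTHENTICATE, SSL) settings
# -> the CORBASERVER attribute that should name that service.
SCHEME_FOR_SETTINGS = {
    ("NO", "NO"): "UNAUTH",
    ("NO", "YES"): "SSLUNAUTH",
    ("CERTIFICATE", "CLIENTAUTH"): "CLIENTCERT",
    ("ASSERTED", "CLIENTAUTH"): "ASSERTED",
}
SCHEME_ATTRS = ("UNAUTH", "SSLUNAUTH", "CLIENTCERT", "ASSERTED")

# KEYWORD(value) pairs on a simplified, one-line-per-resource DEFINE statement.
_ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")

# Constructed sample listing: resource names, ports and the group are made up for
# this example, and only the attributes relevant to IIOP authentication are shown.
SAMPLE_LISTING = """
DEFINE TCPIPSERVICE(IIOPNOAU) GROUP(IIOPGRP) PROTOCOL(IIOP) PORTNUMBER(683) SSL(NO) AUTHENTICATE(NO)
DEFINE TCPIPSERVICE(IIOPSSL)  GROUP(IIOPGRP) PROTOCOL(IIOP) PORTNUMBER(684) SSL(YES) AUTHENTICATE(NO)
DEFINE TCPIPSERVICE(IIOPCERT) GROUP(IIOPGRP) PROTOCOL(IIOP) PORTNUMBER(685) SSL(CLIENTAUTH) AUTHENTICATE(CERTIFICATE)
DEFINE TCPIPSERVICE(IIOPASRT) GROUP(IIOPGRP) PROTOCOL(IIOP) PORTNUMBER(686) SSL(CLIENTAUTH) AUTHENTICATE(ASSERTED)
DEFINE TCPIPSERVICE(IIOPBAD)  GROUP(IIOPGRP) PROTOCOL(IIOP) PORTNUMBER(687) SSL(YES) AUTHENTICATE(ASSERTED)
DEFINE CORBASERVER(CORBA1) GROUP(IIOPGRP) UNAUTH(IIOPNOAU) SSLUNAUTH(IIOPSSL) CLIENTCERT(IIOPCERT) ASSERTED(IIOPASRT)
DEFINE CORBASERVER(CORBA2) GROUP(IIOPGRP) CLIENTCERT(IIOPCERT) ASSERTED(IIOPBAD)
"""


def parse_listing(listing):
    """Return ({TCPIPSERVICE name: attrs}, {CORBASERVER name: attrs}) from DEFINE lines."""
    services, corbaservers = {}, {}
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("DEFINE "):
            continue
        attrs = dict(_ATTR_RE.findall(line))
        if "TCPIPSERVICE" in attrs:
            services[attrs.pop("TCPIPSERVICE")] = attrs
        elif "CORBASERVER" in attrs:
            corbaservers[attrs.pop("CORBASERVER")] = attrs
    return services, corbaservers


def check_corbaserver(name, corbaservers, services):
    """Findings for one CORBASERVER's IIOP authentication set-up; an empty list means it is consistent."""
    cs = corbaservers[name]
    findings = []
    # UNAUTH is mandatory: its PORTNUMBER is used to build the IORs this logical server exports.
    if not cs.get("UNAUTH"):
        findings.append(f"{name}: UNAUTH is required even if every inbound request is to be authenticated")
    for scheme in SCHEME_ATTRS:
        svc_name = cs.get(scheme)
        if not svc_name:
            continue
        svc = services.get(svc_name)
        if svc is None:
            findings.append(f"{name}: {scheme}({svc_name}) names a TCPIPSERVICE that is not defined")
            continue
        if svc.get("PROTOCOL") != "IIOP":
            findings.append(f"{name}: {scheme}({svc_name}) is not PROTOCOL(IIOP)")
        # AUTHENTICATE and SSL both default to NO when omitted from the definition.
        settings = (svc.get("AUTHENTICATE", "NO"), svc.get("SSL", "NO"))
        expected = SCHEME_FOR_SETTINGS.get(settings)
        if expected != scheme:
            reason = f"belongs to the {expected} scheme" if expected else "is not a supported combination"
            findings.append(
                f"{name}: {scheme}({svc_name}) has AUTHENTICATE({settings[0]}) SSL({settings[1]}), which {reason}"
            )
    return findings


def advertised_protocols(name, corbaservers):
    """Schemes the server's IORs advertise: one for each CORBASERVER attribute that names a TCPIPSERVICE."""
    cs = corbaservers[name]
    return {scheme for scheme in SCHEME_ATTRS if cs.get(scheme)}


def select_client_protocol(advertised):
    """CICS as IIOP client: asserted identity first, then SSL client certificate, otherwise no authentication."""
    for preferred in ("ASSERTED", "CLIENTCERT"):
        if preferred in advertised:
            return preferred
    return "NONE"


if __name__ == "__main__":
    services, corbaservers = parse_listing(SAMPLE_LISTING)
    for name in corbaservers:
        for finding in check_corbaserver(name, corbaservers, services) or [f"{name}: consistent"]:
            print(finding)
        chosen = select_client_protocol(advertised_protocols(name, corbaservers))
        print(f"{name}: a CICS client would select {chosen}")
```

In the sample, CORBA1 passes every check, while CORBA2 produces two findings: it omits UNAUTH, and its ASSERTED service combines AUTHENTICATE(ASSERTED) with SSL(YES), which is not a row of the table (asserted identity requires a client certificate on the connection, hence SSL(CLIENTAUTH)). Because both servers name an ASSERTED service, a CICS client would prefer asserted identity authentication for either.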