IBM Support

An alternative approach to Basic Authentication for CICS TS Web Services Security

Troubleshooting


Problem

You are using the CICS Transaction Server for z/OS (CICS TS) V3.1, or later, Web Services (WS) Security support for a basic authentication scenario, but the performance does not reach an acceptable level. This document offers an alternative approach to implementing basic authentication that performs closer to Secure Sockets Layer (SSL) performance levels.

Diagnosing The Problem

You have applied APAR PK22736 to a CICS TS V3.1 region (or are running a later release of CICS) with the intention of using the WS-Security support for basic authentication. However, when the solution was implemented, it was found that the performance was not acceptable. A typical performance figure when using WS-Security for basic authentication is likely to be about 8 times worse than when SSL is used for point-to-point security.

Resolving The Problem

Add a handler to the pipeline to provide basic authentication support.

If all that is required is basic authentication, then an alternative to using the full WS-Security functionality exists that will offer better performance.

Basic authentication, as the name implies, is the simplest form of security authentication. What is usually meant by this term is that an end user is required to present proof of identity by providing a userid and password that can then be verified with an external security manager, such as RACF. It is possible to implement this support by writing a header handler for a CICS pipeline.

A pipeline is implemented as a series of programs, known as handlers, that are invoked in a predefined sequence. If basic authentication is required, then it is possible to add a handler to the pipeline to provide this support. For information on how to configure a pipeline to have extra handlers, refer to the Supplying your own message handlers section in the CICS TS information center.

Such a handler needs to perform the following:

  1. Retrieve the DFHFUNCTION container; return if the function is not "RECEIVE-REQUEST".

  2. Retrieve the DFHHEADER container with an EXEC CICS GET CONTAINER command.

  3. Extract the values for Username and Password from the XML.

  4. Issue an EXEC CICS VERIFY PASSWORD command.

  5. If successful, update the DFHWS-USERID container with an EXEC CICS PUT CONTAINER command.

  6. Otherwise issue an EXEC CICS SOAPFAULT CREATE command.

  7. Return.
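The XML extraction of step 3, and the reject-or-continue decision that feeds steps 4 and 6, written in C as an added example that is not IBM's code and not part of this technote. It assumes the DFHHEADER content is a WS-Security UsernameToken whose Password is of type PasswordText (so the password is in clear inside the SOAP header, which is why the technote pairs this handler with SSL on the TCPIPSERVICE), assumes 8-character RACF user IDs and passwords, and leaves the EXEC CICS commands themselves to the handler; the sample header is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USERID 8   /* RACF user IDs are 1-8 characters */
#define MAX_PASSWD 8   /* assumption: 8-byte password for VERIFY PASSWORD, no phrases */

/* Copy the text between <[prefix:]tag ...> and the next closing tag into out.
   Returns 1 on success, 0 if the element is missing, self-closing, or the
   value does not fit in outsz-1 bytes (over-long values are rejected, not cut). */
static int xml_text(const char *xml, const char *tag, char *out, size_t outsz)
{
    size_t tlen = strlen(tag);
    const char *p = xml;
    while ((p = strchr(p, '<')) != NULL) {
        const char *name = p + 1, *end, *colon;
        if (*name == '/') { p = name; continue; }          /* closing tag */
        end = name + strcspn(name, " >/\t\r\n");           /* end of element name */
        colon = memchr(name, ':', (size_t)(end - name));   /* drop namespace prefix */
        if (colon) name = colon + 1;
        if ((size_t)(end - name) == tlen && memcmp(name, tag, tlen) == 0) {
            const char *close = strchr(end, '>'), *stop;
            if (!close || close[-1] == '/') return 0;
            stop = strstr(close + 1, "</");
            if (!stop || (size_t)(stop - close - 1) >= outsz) return 0;
            memcpy(out, close + 1, (size_t)(stop - close - 1));
            out[stop - close - 1] = '\0';
            return 1;
        }
        p = end;
    }
    return 0;
}

/* Step 3: pull Username and Password from the DFHHEADER content. Returns 1 when
   both are present and within limits, so the handler can go on to EXEC CICS
   VERIFY PASSWORD (step 4); 0 means it should build a SOAP fault (step 6)
   instead of calling VERIFY PASSWORD with missing or over-long input. */
int extract_credentials(const char *header_xml, char *userid, char *passwd)
{
    if (!xml_text(header_xml, "Username", userid, MAX_USERID + 1)) return 0;
    if (!xml_text(header_xml, "Password", passwd, MAX_PASSWD + 1)) return 0;
    return userid[0] != '\0' && passwd[0] != '\0';
}

/* Constructed sample of the SOAP header (assumption: a WS-Security UsernameToken). */
const char SAMPLE_HEADER[] =
    "<SOAP-ENV:Header><wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">"
    "<wsse:UsernameToken><wsse:Username>CICSUSR1</wsse:Username>"
    "<wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">SECRET01</wsse:Password>"
    "</wsse:UsernameToken></wsse:Security></SOAP-ENV:Header>";
```

A request whose header lacks the token, or carries a value longer than the buffers allow, makes extract_credentials return 0 so the handler never reaches VERIFY PASSWORD for it.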

The security handler should be the first handler in the pipeline, so that the security checks are performed as early as possible in the pipeline processing. If the security check fails, then the request is rejected and a failure message can be sent to the client.

The security between the client and the CICS region can be SSL, configured in the usual way using the TCPIPSERVICE definition. By using this configuration, a basic authentication protocol can be implemented that will perform almost as quickly as the pure SSL solution.


Product Synonym

CICS/TS CICS TS CICS Transaction Server

Document Information

Modified date:
15 June 2018

UID

swg21239021