Security for Atom feeds

CICS® web support provides a suitable security protocol and authentication method to control web client access to Atom collections and, if required, to Atom feeds. You can use CICS resource and command security to protect the resources that you use to deliver the Atom feed or collection.

RFC 5023 recommends that you use authentication to protect Atom collections. When you make Atom feed data available as an editable collection, a web client can insert new entries, modify existing entries, or delete entries. You must therefore ensure that you verify the identity of web clients and permit only trusted clients to have access to the collection, especially if you have included business data in your collection. Ordinary Atom feeds, which web clients cannot edit, are typically made available to any subscribers without security restrictions, although you might need to restrict access to Atom feeds if they include confidential business data or are intended only for certain users.

RFCs 4287 and 5023 discuss the use of digital signatures and encryption for Atom documents. CICS does not provide support for digital signatures and encryption of Atom documents, but, in compliance with RFC 4287, CICS does not reject an Atom document that contains a signature.

CICS web support has the following security functions that you can use to protect Atom feeds or collections from unauthorized access or updates:

SSL or TLS security protocol
RFC 5023 recommends Transport Layer Security (TLS) 1.0 as the minimum security protocol for collections. For a list of security protocols supported by CICS, see Support for security protocols.
HTTP basic authentication
RFC 5023 recommends HTTP basic authentication as the minimum level of authentication for collections. For details of this mechanism, see HTTP basic authentication.
Client certificate authentication
Client certificate authentication is a more secure method of authenticating a client, using a client certificate that is issued by a trusted third party (a Certificate Authority) and sent over the SSL or TLS connection. For details of how this works, see SSL authentication.

When you set up these functions in CICS web support, you can apply them to an Atom feed or collection using attributes of the TCPIPSERVICE definition for the port where CICS receives web client requests for the Atom feed or collection. For information on setting up SSL support for CICS web support, see Configuring CICS to use SSL.
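As an added example (not from the CICS documentation), the following DFHCSDUP-style resource definitions apply the security functions above through the TCPIPSERVICE for each port: one port for a public, read-only feed and one for an editable collection that requires TLS with client certificate authentication, with the collection's URIMAP bound to the secured port only. The group name, port numbers, certificate label, and the URIMAP and ATOMSERVICE names are assumptions.

```text
* Port for a public, read-only Atom feed: no TLS, no authentication.
* (Constructed example; group name and port numbers are assumptions.)
DEFINE TCPIPSERVICE(ATOMPUB) GROUP(ATOMGRP)
       PORTNUMBER(8080) PROTOCOL(HTTP) TRANSACTION(CWXN)
       URM(DFHWBAAX) SSL(NO) AUTHENTICATE(NO) STATUS(OPEN)

* Port for an editable Atom collection: TLS with client certificate
* authentication, which exceeds the RFC 5023 minimum of TLS plus basic auth.
* CERTIFICATE names the server certificate label in the key ring (assumption).
DEFINE TCPIPSERVICE(ATOMSEC) GROUP(ATOMGRP)
       PORTNUMBER(8443) PROTOCOL(HTTP) TRANSACTION(CWXN)
       URM(DFHWBAAX) SSL(CLIENTAUTH) AUTHENTICATE(CERTIFICATE)
       CERTIFICATE(CICSATOM) STATUS(OPEN)

* Minimum alternative for the collection port: TLS plus HTTP basic
* authentication, where CICS challenges for a user ID and password
* in the named realm (realm name is an assumption):
*   SSL(YES) AUTHENTICATE(BASIC) REALM(ATOMCOLL)

* Bind the collection's URIMAP to the secured port only, so that the
* collection cannot be reached through the unsecured feed port.
DEFINE URIMAP(ORDRCOLL) GROUP(ATOMGRP) USAGE(ATOM)
       SCHEME(HTTPS) HOST(*) PATH(/atom/orders/*)
       TCPIPSERVICE(ATOMSEC) ATOMSERVICE(ORDRATOM) STATUS(ENABLED)
```

A URIMAP for the read-only feed would name the ATOMPUB port instead; a request for the collection path that arrives on port 8080 then finds no matching URIMAP and is rejected rather than served without authentication.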