Support and requirements for identity propagation

CICS® provides support for identity propagation between a range of products. Make sure that you meet these requirements to allow participation in identity propagation.

Summary of identity propagation participation

Identity propagation is a form of asserted identity: the receiving system trusts the sender's claim about who the user is. As a result, participation requires the following:
  • All parties involved must be able to process distributed identities.
  • All external parties must be joined by a trusted connection.
If a system does not participate in identity propagation, distributed identity information is ignored and the user ID information is used as before.

For propagation, the outbound request must be made from a participating task, that is, a task whose user ID has an associated distributed identity.

Support for identity propagation

CICS provides support for identity propagation in the following situations:
  • Inbound requests to CICS from WebSphere® Application Server using the CICS ECI resource adapters over an IPIC connection.
  • Using a WS-Security Header element in a web service request. Routed inbound web service requests do not support identity propagation.
  • Using IPIC and MRO connections between CICS systems. The distributed identity is used by CICS only if it is passed to the MRO or IPIC connection from a participating task.
  • Transactions issuing local or function-shipped START commands. Exceptions to this support are the following situations, where the distributed identity is not propagated:
    • If a START command specifies a USERID or TERMID.
    • If a START command is shipped to a remote region across a LU61 or LU62 connection.
    • If a dynamically routed START command is delayed.
  • Using Liberty. For information on identity propagation mapping in Liberty, see Configuring security for a Liberty JVM server by using distributed identity mapping.

Sample network topologies for using identity propagation provides diagrams and examples to explain how user security information is passed using the supported requests and connections.

RACF requirements for identity propagation

Before you update clients and CICS configuration definitions for identity propagation, you must define the distributed identity mappings in RACF® with the RACMAP command and activate the IDIDMAP class with SETROPTS RACLIST(IDIDMAP) (abbreviated SETR RACLIST(IDIDMAP)). Mapping changes do not take effect until the class is refreshed with SETROPTS RACLIST(IDIDMAP) REFRESH.

CICS requirements for identity propagation

CICS has a number of requirements to allow distributed identities to flow:
  • Security must be enabled, by specifying the SEC=YES system initialization parameter.
  • The external security manager, for example, RACF, must be configured to accept distributed identities.
  • All partner systems must be able to process distributed identities.
  • CICS supports distinguished names up to 246 bytes in length, and realm names up to 252 bytes in length.
  • IPIC connections are limited to supporting identity contexts (ICRX identity tokens), the total size of which must not exceed 2000 bytes.
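The following Python script is an added example, not code from the CICS documentation or from IBM. It serves both the RACF requirements above (building the RACMAP and SETROPTS commands that map a distributed identity to a RACF user ID) and the CICS length limits in this section (246 bytes for a distinguished name, 252 bytes for a realm name, measured in bytes rather than characters). The user IDs, distinguished names, registry names and labels are constructed sample data; the 32-character WITHLABEL limit and the treatment of a partial DN as a filter for a subtree are assumptions taken from general RACF usage, not from this page. The 2000-byte IPIC limit applies to the encoded identity context as a whole and cannot be derived from the DN and realm alone, so it is not checked here.

```python
"""Validate distributed identities against the CICS limits on this page and
generate the RACF commands that map them to RACF user IDs.

Added example, not IBM's code. All identities below are constructed samples.
"""

DN_MAX_BYTES = 246        # CICS limit for a distinguished name (this page)
REALM_MAX_BYTES = 252     # CICS limit for a realm name (this page)
LABEL_MAX_CHARS = 32      # RACMAP WITHLABEL limit: assumption, not from this page


def _utf8_len(text):
    """CICS states its limits in bytes; a non-ASCII DN is longer in UTF-8 than
    its character count suggests, so measure the encoded length."""
    return len(text.encode("utf-8"))


def check_identity(dn, realm, label=None):
    """Return a list of problems; an empty list means the identity fits the
    documented CICS limits. Messages are stable strings for callers to match."""
    problems = []
    if not dn:
        problems.append("distinguished name is empty")
    elif _utf8_len(dn) > DN_MAX_BYTES:
        problems.append(f"distinguished name is {_utf8_len(dn)} bytes, "
                        f"CICS limit is {DN_MAX_BYTES}")
    if not realm:
        problems.append("realm name is empty")
    elif _utf8_len(realm) > REALM_MAX_BYTES:
        problems.append(f"realm name is {_utf8_len(realm)} bytes, "
                        f"CICS limit is {REALM_MAX_BYTES}")
    if label is not None and len(label) > LABEL_MAX_CHARS:
        problems.append(f"label is {len(label)} characters, "
                        f"RACMAP limit is {LABEL_MAX_CHARS}")
    return problems


def _tso_quote(text):
    """TSO command syntax: an apostrophe inside a quoted string is doubled."""
    return "'" + text.replace("'", "''") + "'"


def racmap_command(userid, dn_filter, realm, label=None):
    """Build one RACMAP MAP command. RACF user IDs are 1 to 8 characters and
    are conventionally upper case. dn_filter may be a full DN or, by RACF
    filter rules (assumption here), a partial DN that matches a subtree."""
    userid = userid.upper()
    if not 1 <= len(userid) <= 8:
        raise ValueError(f"RACF user ID {userid!r} must be 1 to 8 characters")
    cmd = (f"RACMAP ID({userid}) MAP "
           f"USERDIDFILTER(NAME({_tso_quote(dn_filter)})) "
           f"REGISTRY(NAME({_tso_quote(realm)}))")
    if label:
        cmd += f" WITHLABEL({_tso_quote(label)})"
    return cmd


def build_mapping_script(mappings):
    """mappings: iterable of (userid, dn_filter, realm, label).

    Returns the TSO commands in the order to run them: activate and RACLIST
    the IDIDMAP class, define each mapping, then refresh so the mappings take
    effect. Raises ValueError for the first identity that breaks a limit, so
    an oversized DN is caught before it reaches RACF or CICS."""
    lines = ["SETROPTS CLASSACT(IDIDMAP) RACLIST(IDIDMAP)"]
    for userid, dn_filter, realm, label in mappings:
        problems = check_identity(dn_filter, realm, label)
        if problems:
            raise ValueError(f"{userid}: " + "; ".join(problems))
        lines.append(racmap_command(userid, dn_filter, realm, label))
    lines.append("SETROPTS RACLIST(IDIDMAP) REFRESH")
    return lines


if __name__ == "__main__":
    # Constructed sample mappings: one user, one subtree filter (assumption on
    # filter semantics), one name containing an apostrophe to show TSO quoting.
    SAMPLE = [
        ("CICSUSR1", "CN=Tom Smith,OU=Sales,O=ACME",
         "ldaps://ldap.example.com:636", "Tom Smith"),
        ("CICSSALE", "OU=Sales,O=ACME",
         "ldaps://ldap.example.com:636", "All of Sales"),
        ("CICSUSR2", "CN=Pat O'Brien,OU=Dev,O=ACME",
         "ldaps://ldap.example.com:636", "Pat O'Brien"),
    ]
    for line in build_mapping_script(SAMPLE):
        print(line)
```

Run the script and paste the printed commands into a TSO session with RACF SPECIAL authority; `RACMAP ID(userid) LISTMAP` then shows the mappings that RACF holds for a user. Because the limits are measured in UTF-8 bytes, a DN of 125 accented characters already exceeds the 246-byte limit even though it is well under 246 characters.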