CMCI security features: How CMCI authenticates clients

When an HTTP system management client such as CICS Explorer® attempts to sign on, the CMCI verifies the user credentials. The user credentials can be a user ID and password, a PassTicket, an MFA token or a certificate. If the CMCI JVM server is enabled, it handles the authentication process. Authentication through a PassTicket or an MFA token is only available with the CMCI JVM server.

How the CMCI JVM server authenticates clients

Figure 1 illustrates the client authentication workflow, using CICS Explorer as the client.

Figure 1. CMCI HTTP client authentication workflow
This figure shows the authentication process to verify a user who performs a log-in from CICS Explorer. The process is explained in the following paragraphs.
  1. When a user logs on from CICS Explorer, CICS Explorer passes the user credentials to the CMCI JVM server. The user credentials can be a user ID and password, a PassTicket, an MFA token or a certificate.
  2. The CMCI JVM server validates the user credentials by using SAF interfaces to the external security manager (ESM) and generates an LTPA token.
  3. The CMCI JVM server replies to CICS Explorer with the response and the LTPA token.

In subsequent requests, CICS Explorer uses the LTPA token, rather than the original credentials, to authenticate the user.

Note:
  • The LTPA token is a cookie; therefore, the HTTP client must accept cookies.
  • Although a JVM server is used for the transport and authentication of the CMCI, most of the processing still occurs in the CICS core; therefore, do not expect increased specialty engine offload from the CMCI JVM server.

LTPA timeout

An LTPA token has a fixed lifetime. It cannot be extended or renewed, even if a user is active in a session. Upon timeout, the user is logged out and must provide login credentials again to get a new token. The expiration time of the LTPA token is configurable. For instructions, see Configuring LTPA in Liberty.
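The sign-on exchange from the workflow above and the re-authentication forced by the LTPA timeout, as an added Python example that is not part of the IBM documentation, CICS Explorer or the CMCI: a minimal client keeps the LTPA cookie and signs on again when it expires, exercised against a constructed stand-in for the CMCI JVM server. The cookie name LtpaToken2 (Liberty's default) and the basic-authentication sign-on are assumptions; the token values and URL paths are constructed.

```python
import base64
from http.cookies import SimpleCookie

LTPA_COOKIE = "LtpaToken2"  # Liberty's default LTPA cookie name (assumed unchanged in server.xml)

class CmciSession:
    """Client side of the CMCI JVM server flow: sign on once, then present the LTPA cookie."""

    def __init__(self, send, user, password):
        self.send = send  # transport: callable(path, headers) -> (status, response_headers)
        self.basic = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.ltpa = None

    def request(self, path):
        # The first request carries credentials; later requests carry only the LTPA cookie.
        headers = {"Cookie": f"{LTPA_COOKIE}={self.ltpa}"} if self.ltpa else {"Authorization": self.basic}
        status, resp = self.send(path, headers)
        if status == 401 and self.ltpa:
            # The token lifetime is fixed and cannot be renewed: discard it and sign on again.
            self.ltpa = None
            return self.request(path)
        if "Set-Cookie" in resp:
            jar = SimpleCookie()
            jar.load(resp["Set-Cookie"])
            if LTPA_COOKIE in jar:
                self.ltpa = jar[LTPA_COOKIE].value
        return status

class FakeCmciServer:
    """Constructed stand-in for the CMCI JVM server (not the real one): checks basic
    credentials and issues a fixed-lifetime token. A request counter stands in for the clock."""

    def __init__(self, users, lifetime):
        self.users, self.lifetime, self.clock, self.tokens = users, lifetime, 0, {}

    def handle(self, path, headers):
        self.clock += 1
        cookie = headers.get("Cookie", "")
        if cookie.startswith(LTPA_COOKIE + "="):
            expires = self.tokens.get(cookie.split("=", 1)[1])
            return (200, {}) if expires is not None and self.clock <= expires else (401, {})
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            if self.users.get(user) == password:  # in CICS this is the SAF/ESM check
                token = f"tok{self.clock}"
                self.tokens[token] = self.clock + self.lifetime
                return 200, {"Set-Cookie": f"{LTPA_COOKIE}={token}; Path=/; HttpOnly; Secure"}
        return 401, {}
```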

Sharing LTPA tokens

With the single sign-on (SSO) configuration support in Liberty, you can set up Liberty to allow the sharing of LTPA tokens among multiple regions. HTTP client users can authenticate once and have access to other regions that share the same LTPA keys. For more information, see Customizing SSO configuration using LTPA cookies in Liberty.

How CMCI without the CMCI JVM server authenticates clients

If the CMCI JVM server is not used with the CMCI, the user is authenticated using a client certificate or HTTP basic authentication credentials carried in the request header.

One-time-use tokens (such as MFA tokens and PassTickets) are not supported.

Find out more

Authentication overview gives you an overview of the authentication process in Liberty and describes LTPA and SSO in detail.

Setting up CMCI gives you configuration instructions.