Developing Kerberos applications

You can write a custom security handler to verify a Kerberos token, or you can write your own application to verify the token.

Before you begin

In the following steps, you can extract the RACF® user ID of the Kerberos principal by using the ISUSERID option of the EXEC CICS VERIFY TOKEN command. To do this, you must first define an association between the user ID and the principal. Use the RACF RACLINK command to set up the association. For more information, see Defining User ID Associations in z/OS Security Server RACF Security Administrator's Guide.

Procedure

Use one of the following techniques, according to your requirements:

  • Write a security handler that uses the VERIFY TOKEN command, as described in Writing a custom security handler. If you want to run under the user ID of the Kerberos principal that is associated with the token, use the ISUSERID option of the VERIFY TOKEN command.
  • Write your own front-end security program. Such a program might extract the Kerberos token from an HTTP header or an IBM® MQ message and then issue the VERIFY TOKEN command. If you want to run under the user ID of the Kerberos principal that is associated with the token, use the ISUSERID option of the VERIFY TOKEN command to obtain the user ID. The new request can then be started with that user ID.
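The header-extraction step of a front-end security program, as an added example (not IBM code). It assumes the token arrives as the value of an HTTP Authorization header in the form "Negotiate <base64>", which is the usual SPNEGO convention and is not stated on this page, and that the program wants the token in binary; the function name extract_negotiate_token is hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Alphabet lookup via strchr avoids assuming contiguous letters (EBCDIC-safe). */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

static int b64val(char c)
{
    const char *p = c ? strchr(B64, c) : NULL;
    return p ? (int)(p - B64) : -1;
}

/* Decode the token from an Authorization header value into out[0..cap).
 * Returns the token length in bytes, or -1 if the scheme is not Negotiate,
 * the base64 is malformed, or the token does not fit. Nothing is written
 * beyond cap, so an oversized header cannot overrun the caller's buffer. */
long extract_negotiate_token(const char *hdr, unsigned char *out, size_t cap)
{
    static const char scheme[] = "Negotiate ";
    size_t n, i, k, o = 0, pad = 0;

    if (hdr == NULL || strncmp(hdr, scheme, sizeof scheme - 1) != 0) return -1;
    hdr += sizeof scheme - 1;
    n = strlen(hdr);
    if (n == 0 || n % 4 != 0) return -1;
    if (hdr[n - 1] == '=') { pad = 1; if (hdr[n - 2] == '=') pad = 2; }
    if ((n / 4) * 3 - pad > cap) return -1;

    for (i = 0; i < n; i += 4) {
        unsigned long v = 0;
        for (k = 0; k < 4; k++) {
            int d = b64val(hdr[i + k]);
            if (d < 0) {
                /* '=' is valid only in the trailing pad positions. */
                if (hdr[i + k] != '=' || i + k < n - pad) return -1;
                d = 0;
            }
            v = (v << 6) | (unsigned long)d;
        }
        out[o++] = (unsigned char)(v >> 16);
        if (i + 4 < n || pad < 2) out[o++] = (unsigned char)(v >> 8);
        if (i + 4 < n || pad < 1) out[o++] = (unsigned char)v;
    }
    /* The caller passes out[0..o) to VERIFY TOKEN, with ISUSERID if the
     * RACF user ID of the principal is wanted; reject the request on -1. */
    return (long)o;
}
```

Treat a return of -1 as an authentication failure; do not fall back to another identity.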