Kerberos

Kerberos is a network authentication protocol that is designed to provide strong authentication for client/server applications by using secret-key cryptography. The protocol assumes that services and workstations communicate over an insecure network, so it never sends a password across that network. A user authenticates once to an authentication server and can then request service tickets, each of which lets that user authenticate to one specific application on a server.

To see which CICS access methods support Kerberos, see Which authentication method can I use with which access method?

Why use Kerberos?

Kerberos avoids the need for a password to flow over the network each time a user authenticates to a server: the password is used only to derive a key on the user's workstation, and tickets carry the proof of identity to each server. This reduces the number of passwords that must be managed and removes password traffic from the network. Kerberos supports either one-way authentication (the server authenticates the client) or two-way (mutual) authentication, in which the client also authenticates the server.

How Kerberos works

The Kerberos system consists of three components: a client, a server, and a trusted third party known as the Key Distribution Center (KDC). The KDC interacts with the client to accept its request, authenticate its identity, and issue the tickets that the client then presents to the server; the server trusts those tickets because they are encrypted under a key that only it and the KDC hold. The domain that is served by a single KDC is referred to as a realm. Each client and server in a realm is identified by a principal. Principal names are assigned uniquely by the Kerberos administrator, and every principal, together with its long-term key, must be known to the KDC.

Figure 1. How Kerberos works (Kerberos message flow)
  1. The first-phase exchange takes place between the client and the authentication server (AS). The AS authenticates the user, for example by validating the user ID and password; in protocol terms the client proves that it holds the key derived from the user's password, typically by sending a timestamp encrypted under that key as pre-authentication data. After a successful login, the AS looks up the user's long-term key in its database and returns a ticket-granting ticket (TGT), encrypted under the KDC's own key, together with a session key encrypted under the user's key. Only a client that holds the user's key can recover that session key, so the TGT cannot be used without it.
  2. On receiving the TGT, the client sends a request for a service ticket to the ticket-granting server (TGS). The request contains the TGT and an authenticator (the client's name and a timestamp) encrypted under the TGT session key. The TGS decrypts the TGT, checks the authenticator against it, and returns a service ticket encrypted under the target service's key, together with a new session key for use between the client and that service.
  3. The service ticket allows the client to communicate with the server that provides the service the client wants to use. The client sends the ticket with a fresh authenticator; the server decrypts the ticket with its own long-term key and checks the authenticator, so it can verify the client without contacting the KDC. The timestamps in authenticators limit replay, which is why Kerberos requires loosely synchronized clocks (commonly within five minutes). An extension to the protocol is mutual authentication: when it is configured, the server returns the authenticator's timestamp encrypted under the session key in this step, which proves to the client that the server holds the key the ticket was issued for.
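The three exchanges above, as an added example that is not part of the original page and not IBM code: a Python model of one realm with an AS/TGS (the KDC), a client and a service, using a toy HMAC-based authenticated encryption in place of a real Kerberos encryption type. The realm EXAMPLE.COM, the principals alice and cics/lpar1, the password strings and all class and function names are this example's own assumptions, and the message formats are JSON rather than the ASN.1 of RFC 4120.

```python
import hashlib, hmac, json, os, time

SKEW = 300  # acceptable clock skew in seconds (commonly five minutes in Kerberos deployments)
# Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag) standing in for a real
# Kerberos encryption type such as aes256-cts-hmac-sha1-96; the message flow is the point.
def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string_to_key(password, salt):  # real enctypes use PBKDF2 plus a key-derivation step
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def rejected(fn, *args):  # True if the call is refused with ValueError (exercises the failure modes)
    try: fn(*args)
    except ValueError: return True
    return False

class KDC:
    """Authentication server (AS) and ticket-granting server (TGS) of one realm."""
    def __init__(self, realm):
        self.realm, self.keys, self.tgs_key = realm, {}, os.urandom(32)  # keys: principal -> long-term key
        self.keys["krbtgt/" + realm] = self.tgs_key

    def add_principal(self, name, password):
        self.keys[name] = string_to_key(password, self.realm + name)

    def as_exchange(self, cname, preauth):
        """Step 1: AS-REQ carrying an encrypted timestamp -> AS-REP (TGT + session key)."""
        ckey = self.keys[cname]
        if abs(time.time() - decrypt(ckey, preauth)["timestamp"]) > SKEW:  # wrong password fails here
            raise ValueError("pre-authentication timestamp outside clock skew")
        session = os.urandom(32).hex()
        tgt = encrypt(self.tgs_key, {"cname": cname, "key": session, "expires": time.time() + 36000})
        return tgt, encrypt(ckey, {"key": session, "sname": "krbtgt/" + self.realm})

    def tgs_exchange(self, tgt, authenticator, sname):
        """Step 2: TGS-REQ (TGT + authenticator) -> TGS-REP (service ticket + session key)."""
        t = decrypt(self.tgs_key, tgt)  # only the KDC holds the krbtgt key
        auth = decrypt(bytes.fromhex(t["key"]), authenticator)
        if t["expires"] < time.time() or auth["cname"] != t["cname"]:
            raise ValueError("TGT expired or authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = encrypt(self.keys[sname], {"cname": t["cname"], "key": svc_session, "expires": time.time() + 36000})
        return ticket, encrypt(bytes.fromhex(t["key"]), {"key": svc_session, "sname": sname})

class Client:
    def __init__(self, kdc, name, password):
        self.kdc, self.name, self.key = kdc, name, string_to_key(password, kdc.realm + name)

    def login(self):
        self.tgt, enc = self.kdc.as_exchange(self.name, encrypt(self.key, {"timestamp": time.time()}))
        self.tgt_session = bytes.fromhex(decrypt(self.key, enc)["key"])
        del self.key  # the password-derived key is not needed again

    def ap_req(self, sname):
        """Step 3 (client side): get a service ticket, then AP-REQ = ticket + fresh authenticator."""
        auth = encrypt(self.tgt_session, {"cname": self.name, "timestamp": time.time()})
        ticket, enc = self.kdc.tgs_exchange(self.tgt, auth, sname)
        skey, ts = bytes.fromhex(decrypt(self.tgt_session, enc)["key"]), time.time()
        return {"ticket": ticket, "authenticator": encrypt(skey, {"cname": self.name, "timestamp": ts})}, skey, ts

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()  # seen: replay cache of authenticators

    def accept(self, ap_req, mutual=False):
        """Step 3 (server side): verify AP-REQ with the service key alone, no KDC round trip."""
        t = decrypt(self.key, ap_req["ticket"])
        skey = bytes.fromhex(t["key"])
        auth = decrypt(skey, ap_req["authenticator"])
        if t["expires"] < time.time() or auth["cname"] != t["cname"] or abs(time.time() - auth["timestamp"]) > SKEW:
            raise ValueError("expired ticket or bad authenticator")
        if ap_req["authenticator"] in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add(ap_req["authenticator"])
        # Mutual authentication: AP-REP echoes the authenticator timestamp under the session key
        return t["cname"], (encrypt(skey, {"timestamp": auth["timestamp"]}) if mutual else None)

def demo():
    """Full flow for constructed realm EXAMPLE.COM, user alice and service cics/lpar1."""
    kdc = KDC("EXAMPLE.COM")
    kdc.add_principal("alice", "correct horse battery")
    kdc.add_principal("cics/lpar1", "service-keytab-secret")
    service = Service("cics/lpar1", kdc.keys["cics/lpar1"])  # keytab shared out of band with the KDC
    alice = Client(kdc, "alice", "correct horse battery"); alice.login()
    req, skey, ts = alice.ap_req("cics/lpar1")
    who, ap_rep = service.accept(req, mutual=True)
    return who, decrypt(skey, ap_rep)["timestamp"] == ts  # ('alice', True): client verified the server too
```

The model makes the security properties of the flow visible: the pre-authentication step stops the AS from handing an encrypted AS-REP to anyone who merely names a principal (without it the reply could be attacked offline against the password); the service's replay cache refuses a re-sent authenticator; a ticket issued for one service cannot be verified with another service's key; and mutual authentication lets the client detect a server that does not hold the service key.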

Support in CICS for Kerberos

CICS supports Kerberos through RACF. Support is based on Kerberos Version 5 as defined in RFC 4120, The Kerberos Network Authentication Service (V5), and on the Generic Security Services API (GSS-API), whose Kerberos V5 mechanism (RFC 4121) wraps Kerberos messages in GSS tokens. To use Kerberos with RACF, use the Network Authentication Service component of the z/OS Integrated Security Services base element. For more information, see z/OS Integrated Security Services Network Authentication Service Administration in the z/OS product documentation.

CICS can verify a Kerberos token in either of two ways: by configuring a web service provider pipeline, or by using the CICS API command VERIFY TOKEN. In both cases the verification is done through RACF.
Stabilized feature: CICS web services support for pipeline configuration for WS-Security infrastructure is stabilized. See also Stabilization notices.
Figure 2. CICS support for Kerberos (Kerberos verification by using a web service provider pipeline or by using the CICS API command VERIFY TOKEN)
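The Kerberos token that a client presents to a GSS-based service is an AP-REQ wrapped in two layers of framing: the RFC 2743 InitialContextToken header carrying the mechanism OID, and the two-byte TOK_ID of RFC 4121. The following added example (not CICS or RACF code, and not the page's own) checks that framing on a base64-encoded token, the form in which such tokens travel in HTTP Negotiate headers and WS-Security binary security tokens, and rejects the mistakes a verifier most often sees: a SPNEGO wrapper instead of a raw Kerberos token, an unknown TOK_ID, an inner message that does not match the TOK_ID, and a truncated token. This page does not say which of these checks VERIFY TOKEN performs itself. The sample AP-REQ is constructed filler with the correct outer tag only, and build_token, parse_token and classify are this example's own names.

```python
import base64

# DER-encoded OIDs as they appear in the token (tag 0x06, length, contents).
KRB5_OID    = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2, RFC 4121 Kerberos V5 mechanism
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2, legacy Microsoft Kerberos OID
SPNEGO_OID  = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2, SPNEGO negotiation wrapper
MECHS = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5", SPNEGO_OID: "spnego"}
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}  # RFC 4121 section 4.1
INNER_TAG = {"KRB_AP_REQ": 0x6E, "KRB_AP_REP": 0x6F, "KRB_ERROR": 0x7E}  # [APPLICATION 14], 15 and 30

def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_len(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of first content byte)."""
    if i >= len(buf):
        raise ValueError("truncated length")
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def build_token(tok_id, krb_message, mech=KRB5_OID):
    """Wrap a Kerberos message in the RFC 4121 TOK_ID framing and the RFC 2743 InitialContextToken."""
    body = mech + tok_id + krb_message
    return base64.b64encode(b"\x60" + der_len(len(body)) + body).decode()

def parse_token(b64):
    """Validate the GSS framing of a base64 Kerberos token; return mechanism, type and inner message."""
    buf = base64.b64decode(b64)
    if not buf or buf[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken ([APPLICATION 0])")
    n, i = read_len(buf, 1)
    if i + n != len(buf):
        raise ValueError("declared length %d does not match %d remaining bytes" % (n, len(buf) - i))
    if buf[i] != 0x06:
        raise ValueError("expected mechanism OID after token header")
    oid_len, j = read_len(buf, i + 1)
    oid = buf[i:j + oid_len]
    mech = MECHS.get(oid)
    if mech is None:
        raise ValueError("unknown mechanism OID " + oid.hex())
    if mech == "spnego":
        raise ValueError("SPNEGO token: unwrap NegTokenInit to reach the Kerberos mechToken first")
    rest = buf[j + oid_len:]
    kind = TOK_IDS.get(rest[:2])
    if kind is None:
        raise ValueError("unknown TOK_ID " + rest[:2].hex())
    inner = rest[2:]
    if not inner or inner[0] != INNER_TAG[kind]:
        raise ValueError("inner message tag 0x%02x does not match %s" % (inner[0] if inner else 0, kind))
    return {"mech": mech, "type": kind, "inner": inner}

def classify(b64):
    """parse_token, but report a rejection as a dict so callers can branch without exceptions."""
    try:
        return parse_token(b64)
    except ValueError as e:
        return {"error": str(e)}

# Constructed stand-in for a DER AP-REQ: the correct [APPLICATION 14] outer tag around filler bytes
# (a real AP-REQ carries pvno, msg-type, ap-options, the ticket and the encrypted authenticator).
SAMPLE_AP_REQ = b"\x6e" + der_len(200) + b"\x00" * 200
SAMPLE_TOKEN = build_token(b"\x01\x00", SAMPLE_AP_REQ)  # what a client would send in a Negotiate header
```

The parser deliberately stops at the framing: once the token is known to be a raw Kerberos AP-REQ, the inner bytes are handed to whatever holds the service key (RACF, in the CICS case) for decryption and authenticator checks. The SPNEGO case is the one to watch for in practice, because browsers and most HTTP clients send SPNEGO by default, and a verifier that expects a bare Kerberos token will reject those until the NegTokenInit is unwrapped.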