How it works: Authentication in CICS

CICS® handles the authentication process. It requests credentials from a user, decodes the authentication information if necessary, calls RACF® or a third-party authentication server to authenticate the supplied credentials, and rejects the request if the authentication fails. It supports different forms of authentication. Your options for authentication depend on the way that you access CICS; see Which authentication method can I use with which access method? for details.

CICS authenticates users in the following ways:
Basic authentication
This form of authentication uses credentials in the form of a user ID and password, a passphrase, or a PassTicket.
Figure 1. Basic authentication

For more information, see How it works: Passwords and passphrases.

Multi-factor authentication (MFA)
This form of authentication uses credentials in the form of a user ID and an MFA token that is generated by an external device.
Figure 2. Multi-factor authentication

For more information, see How it works: Multi-factor authentication (MFA).

Client authentication
This form of authentication uses a TLS certificate to identify the client. CICS Liberty, CICS TLS support, or Application Transparent Transport Layer Security (AT-TLS) can be used.
Figure 3. Client authentication

For more information, see How it works: X.509 certificates.

Third-party authentication
This form of authentication is an architecture that enables a user to authenticate with an authentication server to obtain a token. The authentication token is sent to CICS and CICS validates the token. The identity in the token can also be mapped to a RACF user ID. In some cases, this form can be used for Single Sign-on (SSO) solutions, which allow the client to have access to several servers. CICS supports the following third-party tokens and architectures:
Figure 4. Third-party authentication

The information about users that CICS needs for authentication is stored in a user registry. See User registries for the options that CICS supports.
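The third-party flow described above (an authentication server issues a token, the receiving server validates it and maps the identity to a local user ID) can be modelled as follows. This is an added example, not IBM or CICS code: the HMAC shared key, the token layout, `REGISTRY_MAP` and the function names are assumptions made for illustration and do not represent the token formats CICS supports.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values: a demo key and a stand-in user registry mapping.
SHARED_KEY = b"demo-key-not-for-production"
REGISTRY_MAP = {"alice@example.com": "USRALICE"}  # token identity -> local user ID


def b64url(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_token(subject, ttl=300, now=None):
    """Authentication-server side: sign the identity and an expiry time."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "exp": int(now) + ttl}).encode()
    sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(sig)


def validate_and_map(token, now=None):
    """Receiving side: check signature, then expiry, then map the identity.

    Raises PermissionError on any failure so that the request is rejected.
    """
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison; claims are parsed only after the signature holds.
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    user_id = REGISTRY_MAP.get(claims["sub"])
    if user_id is None:
        raise PermissionError("no mapping for identity")
    return user_id
```

A token that is validly signed but whose identity has no registry mapping is still rejected, which keeps authentication by the third party separate from the decision about which local user ID the request runs under.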