Design example: Asserting an identity to the CICS web service provider
In this scenario, a client authenticates with an intermediate server, which then asserts the client’s identity to the CICS® web service provider.
- The client sends a request to the web service requester application.
- The web service requester application authenticates the client with a third-party authentication server.
- The web service requester application sends a SOAP/HTTPS request to CICS containing a UsernameToken in a SOAP header. The UsernameToken contains the RACF® ID of the client. Note that this scenario requires either that the client authenticates with a RACF ID, or that the third-party authentication server maps the client’s distributed identity to a RACF user ID.
- CICS responds with its TLS server certificate and asks for the client’s certificate. The web service requester application then validates the CICS server certificate and sends its TLS client certificate. The request is sent over HTTPS. Therefore, encryption and integrity are enabled at the transport level.
- CICS validates the client certificate and maps the client certificate to a RACF user ID (authenticatedUserid).
- The web attach transaction runs with the user ID mapped from the TLS client certificate (authenticatedUserid).
- The web service provider pipeline includes the CICS-supplied security handler that is configured for identity assertion with blind trust and an authentication mode of basic. CICS puts the asserted user ID in the DFHWS-USERID container.
- The pipeline alias transaction runs under the asserted user ID (assertedUserid) and all further resource security checks for this request (for example, program and database security) are then performed against the asserted user ID.
Use TLS client authentication to establish trust for an identity assertion scenario like the one described here. Additional trust can be configured by using surrogate security, where the user ID mapped from the TLS client certificate must have the correct authority to start work on behalf of the asserted identity.
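The following is an added example, not code from the CICS documentation: it builds the SOAP request with the UsernameToken header that the web service requester sends, and models the provider-side decision of which user ID the pipeline alias transaction runs under, first with blind trust alone (any TLS-authenticated requester's assertion is accepted) and then with a surrogate check layered on top. The user IDs and the SURROGATE_ALLOW table are constructed sample values standing in for RACF definitions.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def build_request(asserted_userid, body_xml):
    """SOAP body the web service requester sends over HTTPS. Identity assertion
    carries only the Username element of the UsernameToken (no password)."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}">'
        f'<soapenv:Header><wsse:Security xmlns:wsse="{WSSE}">'
        f'<wsse:UsernameToken><wsse:Username>{asserted_userid}</wsse:Username>'
        f'</wsse:UsernameToken></wsse:Security></soapenv:Header>'
        f'<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>'
    )

def extract_asserted_userid(soap_xml):
    """What the security handler reads from the header (the value that would be
    placed in the DFHWS-USERID container). Namespace-qualified lookup only."""
    root = ET.fromstring(soap_xml)
    path = (f"{{{SOAP}}}Header/{{{WSSE}}}Security/"
            f"{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")
    el = root.find(path)
    if el is None or not el.text or not el.text.strip():
        raise ValueError("no UsernameToken/Username in the SOAP header")
    return el.text.strip()

# Constructed sample surrogate table (hypothetical, stands in for RACF surrogate
# definitions): TLS-mapped requester ID -> asserted IDs it may start work for.
SURROGATE_ALLOW = {"WSREQ01": {"ALICE", "BOB"}}

def provider_decision(authenticated_userid, soap_xml, surrogate_check=True):
    """Return the user ID the pipeline alias transaction runs under.
    authenticated_userid is the RACF ID mapped from the TLS client certificate
    (None means the TLS handshake produced no client certificate)."""
    if authenticated_userid is None:
        raise PermissionError("TLS client authentication is required for identity assertion")
    asserted = extract_asserted_userid(soap_xml)
    # Blind trust: with no surrogate check, the assertion is accepted as-is.
    if surrogate_check:
        allowed = SURROGATE_ALLOW.get(authenticated_userid, set())
        if asserted not in allowed:
            raise PermissionError(f"{authenticated_userid} lacks surrogate authority for {asserted}")
    return asserted
```

Comparing the two modes on the same request shows what surrogate security adds: with blind trust alone, the only thing standing between a compromised requester certificate and any RACF identity is the certificate itself.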