Configurations that support identity propagation
A range of products and network topologies support identity propagation.
Products that support identity propagation
The following IBM® products support identity propagation:
- All versions of CICS Transaction Server that are supported by CICS Transaction Gateway. For more information, see the CICS Transaction Server for IBM z/OS information center.
- All IBM z/OS versions that are supported by CICS Transaction Gateway.
- IBM RACF® Security Server for IBM z/OS. For more information, see Introduction to CICS Security with RACF in the CICS Transaction Server for IBM z/OS documentation.
Network topology for using identity propagation
Identity propagation is supported when connecting to CICS® using an IPIC connection. A client-authenticated SSL connection is required unless CICS Transaction Gateway and CICS Transaction Server are on IBM z/OS® and in the same sysplex.
For more information about the topologies that are supported by CICS Transaction Gateway, see Deployment topologies.
The following example shows identity propagation in a remote mode topology:

The user security information consists of a distinguished name and a realm name. The distinguished name uniquely identifies an entry within a user registry. The realm name represents a named collection of users and groups that can be used in a specific security context.
When the user has been authenticated in IBM WebSphere® Application Server, the security information is passed unchanged as a distributed identity to CICS. The distributed identity is mapped to a RACF® user ID, which is used for authorization by CICS.
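The mapping step described above, as an added example that is not IBM code and not RACF's implementation: it models the mapping as filter rules that match either a full distinguished name or its trailing components within one realm, with the most specific rule winning and an unmapped identity rejected. The rule format, function names, user IDs and sample identities are assumptions constructed for illustration.

```python
"""Simplified model of mapping a distributed identity to a local user ID.
Constructed example: rule format, names and sample data are assumptions."""
from typing import NamedTuple, Optional


class DistributedIdentity(NamedTuple):
    distinguished_name: str  # uniquely identifies an entry in the user registry
    realm: str               # named collection of users and groups


class MappingRule(NamedTuple):
    dn_filter: str  # full DN, or only its trailing RDNs (e.g. "OU=Sales,O=Example")
    realm: str      # compared exactly in this model
    user_id: str    # local user ID used for authorization


def split_rdns(dn):
    """Split a DN into trimmed, lower-cased RDNs.
    Simplification: escaped commas inside attribute values are not handled."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def map_identity(identity, rules) -> Optional[str]:
    """Return the user ID of the most specific matching rule, or None.
    Matching is on whole RDNs, so "OU=Sales" never matches "OU=PreSales"."""
    dn = split_rdns(identity.distinguished_name)
    best, best_len = None, 0
    for rule in rules:
        if rule.realm != identity.realm:
            continue  # same DN from a different realm is a different identity
        flt = split_rdns(rule.dn_filter)
        if flt and len(flt) <= len(dn) and dn[-len(flt):] == flt and len(flt) > best_len:
            best, best_len = rule.user_id, len(flt)
    return best  # None means no mapping: reject, do not fall back to a default ID


# Constructed sample rules (hypothetical user IDs and realm).
RULES = [
    MappingRule("CN=Ana Ruiz,OU=Sales,O=Example,C=US", "ldap.example.com", "ARUIZ"),
    MappingRule("OU=Sales,O=Example,C=US", "ldap.example.com", "SALESGRP"),
]

if __name__ == "__main__":
    who = DistributedIdentity("cn=Bob Lee, ou=Sales, o=Example, c=US", "ldap.example.com")
    print(map_identity(who, RULES))
```

Because the realm is part of the identity, a distinguished name that matches a rule but arrives from another realm stays unmapped.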