CICS as an HTTP client: authentication and identification

When you make an HTTP client request through CICS®, a server or proxy might require you to perform basic authentication, proxy authentication, or SSL client certificate authentication.

You perform basic authentication with the AUTHENTICATE option of the WEB SEND or WEB CONVERSE command. CICS does not perform proxy authentication for you; if a proxy demands it, your user application must deal with the challenge itself. You supply a client certificate through a URIMAP definition, or directly on the WEB OPEN command.

Your client application might be asked to authenticate itself in the following ways:
  • Basic authentication lets you supply a user name and password for access to protected information. When you make a request to a server, the server might answer with a 401 status code and a WWW-Authenticate header. The header names the realm for which basic authentication is required. To obtain the information you requested, provide the user name and password, and CICS resends the request with an Authorization header carrying those credentials for that realm. CICS can also send an Authorization header directly to a server that is known to expect one, avoiding the initial 401 response. CICS converts the user name and password to ASCII and applies base64 encoding, as the basic authentication protocol requires, so you supply your credentials in normal characters through the WEB SEND or WEB CONVERSE command, or through the XWBAUTH user exit. Note that base64 is an encoding, not encryption: anyone who can read the connection can recover the password, so send basic authentication credentials only over HTTPS. See Providing credentials for basic authentication and HTTP basic authentication.
  • Proxy authentication is initiated by a proxy server. For proxy authentication, the status code for the response is 407, the challenge header from the proxy server is Proxy-Authenticate, and the response header is Proxy-Authorization. CICS does not support this protocol: the AUTHENTICATE option answers only a 401 challenge from a server, so a 407 response is not answered by CICS and is left to your application to handle.
  • SSL client certificate authentication uses a client certificate, which is issued by a trusted third party (a Certificate Authority). A server might require this authentication when you make an HTTPS request. Configuring CICS to use SSL tells you how to obtain a certificate and store it in a key ring in the RACF® database or equivalent external security manager. If a server requests a client certificate, CICS supplies the certificate whose label is specified in the URIMAP definition that was used on the WEB OPEN command for the connection. Alternatively, you can specify the certificate label directly as an option on the WEB OPEN command. If you use a URIMAP definition but do not specify a certificate label, the default certificate defined in the key ring for the CICS region user ID is used, so check that this default is the identity you intend to present to the server.

Some servers might ask you to provide other types of authentication or identification. If you cannot provide acceptable authentication or identification to a server, your request is rejected. For basic authentication or proxy authentication, the status code used when a server rejects your request is the same as the status code for the challenge (401 for a server or 407 for a proxy). If you respond to a challenge but then receive a further response with one of these status codes, the credentials you supplied were rejected; resending the same credentials will not change the outcome, so treat the repeated status code as an authentication failure rather than retrying.
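The exchange described above (401 challenge, Authorization header with the base64-encoded ASCII credentials, repeated 401 meaning rejected credentials, and an unanswered 407 from a proxy) is reproduced below as an added example. It is not CICS code and issues no EXEC CICS commands; it simulates in Python what the text says CICS does, so that the header values and the outcome classification can be inspected. The EBCDIC code page (cp037), the sample credentials, the realm names and the two toy servers are all constructed for the example.

```python
"""Simulation of the HTTP basic-authentication exchange described above.

Added example, not CICS code: it mimics what the text says CICS does for
AUTHENTICATE(BASICAUTH) and shows why a 407 proxy challenge is left unanswered.
"""
import base64
import re
from typing import Callable, Dict, Optional, Tuple

EBCDIC = "cp037"  # assumption: application storage uses EBCDIC code page 037

# Constructed sample credentials, held as EBCDIC bytes like a COBOL working-storage field.
SAMPLE_USER = "cicsuser".encode(EBCDIC)
SAMPLE_PASSWORD = "secret".encode(EBCDIC)

# status code -> (challenge header the server sends, header the client answers with)
CHALLENGES = {
    401: ("WWW-Authenticate", "Authorization"),          # origin server
    407: ("Proxy-Authenticate", "Proxy-Authorization"),  # proxy server; CICS does not answer it
}

Server = Callable[[Dict[str, str]], Tuple[int, Dict[str, str]]]


def build_basic_authorization(user_ebcdic: bytes, password_ebcdic: bytes) -> str:
    """EBCDIC -> ASCII, then base64 of 'user:password' (RFC 7617).

    base64 is reversible encoding, not encryption: anyone reading the connection
    recovers the password, which is why the request must travel over HTTPS.
    """
    user = user_ebcdic.decode(EBCDIC)
    password = password_ebcdic.decode(EBCDIC)
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{user}:{password}".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def parse_challenge(status: int, headers: Dict[str, str]) -> Optional[Tuple[str, str, str]]:
    """Return (challenge_header, response_header, realm) for a Basic challenge, else None."""
    if status not in CHALLENGES:
        return None
    challenge_hdr, response_hdr = CHALLENGES[status]
    value = next((v for k, v in headers.items() if k.lower() == challenge_hdr.lower()), None)
    if value is None:
        return None
    match = re.match(r'\s*Basic\s+realm="([^"]*)"', value, re.IGNORECASE)
    if match is None:
        return None  # a non-Basic scheme such as Digest; CICS cannot satisfy it
    return challenge_hdr, response_hdr, match.group(1)


def make_origin_server(realm: str, expected_authorization: str) -> Server:
    """Constructed origin server: 401 plus WWW-Authenticate until the right credentials arrive."""
    def handle(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        if request_headers.get("Authorization") == expected_authorization:
            return 200, {}
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}
    return handle


def make_proxy(realm: str) -> Server:
    """Constructed proxy that always demands proxy authentication."""
    def handle(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        return 407, {"Proxy-Authenticate": f'Basic realm="{realm}"'}
    return handle


def request_with_basic_auth(server: Server, user_ebcdic: bytes, password_ebcdic: bytes) -> tuple:
    """Send once, answer a single 401 Basic challenge, and classify the outcome.

    Returns (final_status, realm, outcome). Only one retry is made: a second 401
    means the credentials are wrong and resending them would not change the answer.
    """
    status, headers = server({})
    challenge = parse_challenge(status, headers)
    if challenge is None:
        return status, None, "no-challenge"
    _, response_hdr, realm = challenge
    if status == 407:
        return status, realm, "proxy-auth-unsupported"
    credentials = build_basic_authorization(user_ebcdic, password_ebcdic)
    status, headers = server({response_hdr: credentials})
    if status == 401:
        return status, realm, "credentials-rejected"
    return status, realm, "authenticated"


def demo() -> dict:
    """Run the three exchanges the text describes against the constructed servers."""
    good = build_basic_authorization(SAMPLE_USER, SAMPLE_PASSWORD)
    server = make_origin_server("Secure Area", good)
    return {
        "authorization": good,
        "valid": request_with_basic_auth(server, SAMPLE_USER, SAMPLE_PASSWORD),
        "wrong-password": request_with_basic_auth(server, SAMPLE_USER, "wrong".encode(EBCDIC)),
        "proxy": request_with_basic_auth(make_proxy("corp-proxy"), SAMPLE_USER, SAMPLE_PASSWORD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The single-retry rule in `request_with_basic_auth` is the practical reading of the last paragraph: once the same credentials have been refused with a second 401, the application should report an authentication failure instead of looping.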