Design example: Securing the JCICSX server using basic authentication

In this example, CICS® transaction security is used to authorize access to run JCICSX commands in CICS. The supplied URIMAP DFHJXSU, which matches the JCICSX HTTP requests, ensures that all such requests run under the CJXA transaction ID. CJXA is protected so that the authenticated client user ID must be authorized to run it.

For more information about how to configure security for this scenario, see Configuration example: Securing the JCICSX server using basic authentication.

Note: This example uses only CICS transaction security, because JCICSX remote development is used for testing and because command security and resource security are disabled for CJXA by default. If you also want to test command and resource security, set the SIT parameters CMDSEC=ALWAYS and RESSEC=ALWAYS. Be aware that these settings affect the security checking of every other transaction in the region too. For more information, see Designing security for JCICSX applications.
Figure 1 shows an overview of the scenario.
Figure 1. Securing JCICSX with basic authentication
A diagram showing the scenario of securing JCICSX with basic authentication. Each step is explained in the following text.
  1. The JCICSX client sends an HTTPS request with the clientUserid and password in the HTTP Authorization header to the Liberty JVM server.
    Important: Use HTTPS to protect the request. Otherwise the basic authentication credentials flow across the network in cleartext: the Authorization header carries only a base64 encoding of clientUserid:password, which is not encryption and can be read by anyone who observes the connection.
  2. To authenticate the request, the Liberty JVM server validates the clientUserid and password against the configured SAF user registry (RACF®). More specifically, authentication is delegated to Liberty's authentication process, which in turn uses the Liberty angel process to perform the authorized SAF services. If authentication succeeds, the Java security subject, and subsequently the CICS task user ID, are set to the clientUserid; if it fails, the request is rejected before any CICS transaction is attached.
  3. CICS transaction security is used to authorize the request. The URIMAP DFHJXSU matches the request URL and determines that it runs under the CJXA transaction. CICS checks that the clientUserid is authorized to run the transaction by calling RACF to verify that the clientUserid has READ authority to the CJXA transaction in RACF. As shown in the diagram, the clientUserid is connected to a group that has READ authority to a member list (memberListA) containing CJXA in the GCICSTRN class.
  4. The JCICSX HTTP requests run using the CJXA transaction under the security context of the clientUserid. Any JCICSX calls to CICS resources, such as a LINK to a CICS program, run with the clientUserid as the CICS task user ID, so that is the identity any further resource or command security checks would be made against.
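The following is an added illustration of the four steps above as one decision flow; it is not CICS, Liberty or JCICSX code. The client side builds the Authorization header and refuses to send it over anything but HTTPS (the caveat in step 1). The server side is a model of the checks only: the user registry, group connections, GCICSTRN member list and access list are constructed stand-ins for RACF definitions, and the host name cics.example.com and the path prefix /jcicsx/ are assumptions, since the page does not state the URL that DFHJXSU matches.

```python
"""Model of the JCICSX basic-authentication flow (added example, not CICS code)."""
import base64
import hmac
from typing import Optional, Tuple
from urllib.parse import urlsplit

# ---- step 1: client side ---------------------------------------------------

def basic_auth_header(userid: str, password: str) -> str:
    """Build the HTTP Basic Authorization header value the JCICSX client sends."""
    token = base64.b64encode(f"{userid}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

def build_request(url: str, userid: str, password: str) -> dict:
    """Refuse to attach Basic credentials unless the URL is HTTPS (base64 is not encryption)."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("Basic credentials must not be sent over cleartext HTTP")
    return {"url": url, "headers": {"Authorization": basic_auth_header(userid, password)}}

# ---- steps 2-4: server-side model; all data below is constructed, not real RACF -----

REGISTRY = {"JXDEV1": "secret1", "JXDEV2": "secret2"}          # stands in for the SAF registry
GROUPS = {"JXDEV1": {"JXDEVGRP"}, "JXDEV2": {"OTHERGRP"}}       # userid -> connected RACF groups
GCICSTRN_MEMBERS = {"memberListA": {"CJXA"}}                   # GCICSTRN profile -> transactions
ACCESS_LIST = {("GCICSTRN", "memberListA"): {"JXDEVGRP": "READ"}}  # profile access list
URIMAPS = {"/jcicsx/": "CJXA"}                                  # assumed path prefix, as DFHJXSU would
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Step 2: validate the Basic credentials; return the user ID or None on failure."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    userid, sep, password = decoded.partition(":")
    expected = REGISTRY.get(userid)
    if not sep or expected is None:
        return None
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return userid

def match_urimap(path: str) -> Optional[str]:
    """Step 3a: the URIMAP decides which transaction the request runs under."""
    for prefix, tranid in URIMAPS.items():
        if path.startswith(prefix):
            return tranid
    return None

def transaction_permitted(userid: str, tranid: str, required: str = "READ") -> bool:
    """Step 3b: does the user, directly or via a group, hold READ on a GCICSTRN profile covering tranid?"""
    identities = {userid} | GROUPS.get(userid, set())
    for profile, members in GCICSTRN_MEMBERS.items():
        if tranid not in members:
            continue
        acl = ACCESS_LIST.get(("GCICSTRN", profile), {})
        for who in identities:
            if ACCESS_RANK.get(acl.get(who, "NONE"), 0) >= ACCESS_RANK[required]:
                return True
    return False

def handle_request(url: str, headers: dict) -> Tuple[int, dict]:
    """Run the whole flow and return an HTTP status plus a summary of the outcome."""
    userid = authenticate(headers.get("Authorization"))
    if userid is None:
        return 401, {"error": "authentication failed"}
    tranid = match_urimap(urlsplit(url).path)
    if tranid is None:
        return 404, {"error": "no URIMAP matches the request"}
    if not transaction_permitted(userid, tranid):
        return 403, {"error": f"{userid} is not authorized to run transaction {tranid}"}
    # Step 4: the request runs under tranid with the client user ID as the CICS task user ID.
    return 200, {"transaction": tranid, "task_userid": userid}

if __name__ == "__main__":
    url = "https://cics.example.com/jcicsx/resources"   # assumed host and path
    for user, pw in (("JXDEV1", "secret1"), ("JXDEV1", "wrong"), ("JXDEV2", "secret2")):
        req = build_request(url, user, pw)
        print(user, handle_request(req["url"], req["headers"]))
```

JXDEV1 passes all three checks because it is connected to JXDEVGRP, which holds READ on memberListA; JXDEV2 authenticates but gets 403 because none of its groups appear on the access list, which is the distinction between a registry failure (401) and a transaction security failure (403) that you should expect to see when testing this scenario.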