CICS as an HTTP server: authentication and identification

For CICS® as an HTTP server, you specify authentication schemes by the AUTHENTICATE attribute of the TCPIPSERVICE definition. Identification is obtained in connection with the authentication process, or it can be supplied by CICS if authentication is not needed.

Obtaining authentication and identification from web clients is a key step in protecting your CICS system from access by unauthorized users.

Use TCPIPSERVICE resource definitions to specify the security measures that are applied for CICS as an HTTP server. For each port that you use for CICS web support, the TCPIPSERVICE resource definition specifies these attributes:
  • Whether or not SSL is used for the port
  • The authentication scheme that is used for the port
  • The realm for basic authentication

Authentication

Two authentication schemes are supported by CICS for use with the HTTP protocol:
  • Basic authentication is part of HTTP that enables a client to authenticate and identify itself to a server by providing a user ID and password or password phrase. This information is encoded using base-64 encoding, which is a reversible encoding rather than encryption and is simple to decode. Therefore, using basic authentication as the sole means of authentication is appropriate only when the password cannot be intercepted. In most environments, use basic authentication with SSL, so that SSL encryption protects the user ID and password information.
  • SSL client certificate authentication is a more secure method of authenticating a client, using a client certificate that is issued by a trusted third party (or Certificate Authority), and sent using SSL encryption. Refer to SSL authentication. A client certificate does not contain a user ID that can be used for identification in CICS. To achieve identification, you can associate the client certificate with a user ID in RACF® or an equivalent security manager, either before the certificate is used, or automatically (using basic authentication) when the client makes its request. The RACF user ID becomes the client user ID each time the certificate is used, as described in Associating a RACF user ID with a certificate.

Creating TCPIPSERVICE resource definitions for CICS web support tells you how to set up a TCPIPSERVICE definition for CICS web support that specifies one of these authentication schemes.

When you use basic authentication or client certificate authentication, CICS handles the process of requesting authentication from the user, decoding the authentication information if necessary, checking the supplied authentication against the security manager database, and rejecting the request if the authentication is not acceptable. An analyzer program or user-written application program is called only after the authentication is verified and accepted.

All the user IDs used by web clients must have a user profile in RACF or your equivalent external security manager. Refer to RACF Profiles.

Note: CICS uses password verification to verify a user ID during the processes described here. CICS enforces a full verification request once a day for each user ID that is used to log on to the CICS region. The full verification request using the RACROUTE REQUEST=VERIFY macro makes RACF record the date and time of last access for the user ID, and write user statistics.

For basic authentication, if the password or password phrase supplied by the user has expired, CICS prompts the user for a new password or password phrase and helps the user to resubmit the request. The CICS-supplied utility program DFHWBPW is used. You can customize the text on the web pages that CICS displays to the user during this process, as described in Password expiry management for HTTP basic authentication.
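The following Python model is an added example, not IBM code and not part of this page: it walks through the server-side basic-authentication sequence described above (challenge with the realm, decode the header, check the credentials against the security manager, reject or accept, and divert an expired password to the password-change flow). The user database, the realm value, the user IDs and passwords, and the `outcome` labels are all constructed for the example; a real CICS region checks RACF and sends the DFHWBPW page rather than returning a `password_expired` result.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the external security manager's user database.
# RACF user IDs are uppercase; each value is (password, password_expired).
USER_DB = {
    "WEBUSR1": ("s3cret", False),
    "WEBUSR2": ("oldpass", True),
}

# Assumed realm string; in CICS it comes from the TCPIPSERVICE REALM attribute.
REALM = "CICSWEB"


@dataclass
class AuthResult:
    outcome: str                       # "authenticated", "password_expired" or "rejected"
    status: int                        # HTTP status the server answers with
    userid: Optional[str] = None       # identified user ID, if any
    challenge: Optional[str] = None    # WWW-Authenticate value sent on rejection
    reason: str = ""


def encode_basic_credentials(userid: str, password: str) -> str:
    """Build the Authorization header value a client sends for basic authentication."""
    token = base64.b64encode(f"{userid}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_credentials(header_value: str):
    """Recover (userid, password) from an Authorization: Basic header.
    base64 is reversible encoding, not encryption: anyone who captures the
    header can do exactly this, which is why basic authentication needs SSL.
    Returns None for anything that is not a well-formed Basic credential."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except ValueError:                  # covers binascii.Error and UnicodeDecodeError
        return None
    if ":" not in raw:
        return None
    userid, password = raw.split(":", 1)   # the user ID cannot contain ':'; the password may
    return userid, password


def authenticate(headers: dict, user_db=USER_DB, realm=REALM) -> AuthResult:
    """Server-side sequence: challenge when no credentials arrive, decode them,
    check against the security manager, reject bad ones, and divert an expired
    password to the password-change flow."""
    challenge = f'Basic realm="{realm}"'
    header = headers.get("Authorization")
    if header is None:
        return AuthResult("rejected", 401, challenge=challenge, reason="no credentials supplied")
    creds = decode_basic_credentials(header)
    if creds is None:
        return AuthResult("rejected", 401, challenge=challenge, reason="malformed Basic header")
    userid, password = creds
    userid = userid.upper()                  # RACF user IDs are uppercase
    entry = user_db.get(userid)
    # Compare against an empty value when the user is unknown, and use
    # hmac.compare_digest so the comparison does not leak how much matched.
    stored = entry[0] if entry is not None else ""
    if entry is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return AuthResult("rejected", 401, challenge=challenge, reason="user ID or password not accepted")
    if entry[1]:
        # CICS would send the DFHWBPW password-expiry page here instead of the application response
        return AuthResult("password_expired", 200, userid=userid, reason="new password required")
    return AuthResult("authenticated", 200, userid=userid, reason="credentials verified")
```

The `decode_basic_credentials` function is the whole point of the SSL recommendation: the same few lines that let the server read the credentials let anyone on the path read them, so the channel has to be encrypted before basic authentication is acceptable on its own.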

For client certificate authentication, CICS verifies the supplied certificate by checking it against the security manager database, and, optionally, against any certificate revocation list that you have set up. A user-written application can examine information obtained by this process, if this information is useful for determining how to process the request. Use the EXTRACT CERTIFICATE command to retrieve these items:
  • Components of the issuer's or the subject's distinguished name. SSL authentication explains distinguished names.
  • The RACF user ID associated with the certificate.

Identification

Identification takes place when you obtain a user ID for the web client. The ID is obtained from the web client:
  • During basic authentication
  • By the association of a user ID with a client certificate

For application-generated responses only, CICS can supply a user ID on behalf of the web client:
  • In an analyzer program that is used in the processing path for the application-generated response. (This ID can override a user ID obtained for the web client.)
  • In the URIMAP definition for the request. (This ID cannot override a user ID obtained for the web client.)
  • As the CICS default user ID, if no other can be determined.

Note that, if you supply a user ID on behalf of the web client, the identity of the client is not authenticated. Supply a user ID only when communicating with your own client system, which has already authenticated its users and communicates with the server in a secure environment. Identifying HTTP users explains in more detail how the user ID is determined, depending on the settings for the TCPIPSERVICE definition.
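The precedence rules above, written out as an added example (not IBM code and not from this page) so that the override behaviour and the authenticated-versus-supplied distinction are explicit. The `RequestContext` fields, the source labels, and the default user ID value are constructed for the example; the text does not rank a basic-authentication ID against a certificate-mapped ID, so checking basic authentication first is an assumption of this code.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed region default user ID; constructed for the example.
DEFAULT_USERID = "CICSUSER"


@dataclass
class RequestContext:
    """Candidate user IDs available while CICS processes one HTTP request."""
    basic_auth_userid: Optional[str] = None     # obtained from the client by basic authentication
    cert_mapped_userid: Optional[str] = None    # RACF user ID associated with the client certificate
    analyzer_userid: Optional[str] = None       # set by an analyzer program in the processing path
    urimap_userid: Optional[str] = None         # user ID taken from the matching URIMAP definition
    application_generated: bool = True          # CICS supplies IDs only for application-generated responses


def resolve_userid(ctx: RequestContext,
                   default_userid: str = DEFAULT_USERID) -> Tuple[Optional[str], str, bool]:
    """Return (userid, source, authenticated) following the precedence in the text.

    'authenticated' is True only when the ID came from the client itself. An ID
    supplied by CICS (analyzer, URIMAP or default) identifies the request but
    does not authenticate the client, which is the caveat attached to supplied IDs."""
    # IDs obtained from the web client. The text does not rank these two against
    # each other; basic authentication is checked first here by assumption.
    if ctx.basic_auth_userid:
        client_id, client_source = ctx.basic_auth_userid, "basic"
    elif ctx.cert_mapped_userid:
        client_id, client_source = ctx.cert_mapped_userid, "certificate"
    else:
        client_id, client_source = None, ""

    if not ctx.application_generated:
        # Supplied IDs apply to application-generated responses only; the text
        # defines no fallback for other responses, so none is invented here.
        return client_id, client_source, client_id is not None

    # An analyzer program may override an ID obtained from the client.
    if ctx.analyzer_userid:
        return ctx.analyzer_userid, "analyzer", False
    if client_id is not None:
        return client_id, client_source, True
    # A URIMAP user ID cannot override a client ID, so it is reached only when none exists.
    if ctx.urimap_userid:
        return ctx.urimap_userid, "urimap", False
    # Last resort: the region default user ID.
    return default_userid, "default", False
```

The third element of the result is the one to act on: any request whose ID was supplied rather than obtained should only be reaching resources you are content to expose to an unauthenticated caller, which is exactly the restriction the note above places on supplied IDs.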

When the client has been identified, the client user ID can be authorized for access to CICS resources like any other user ID, using RACF or an equivalent external security manager. You can choose to apply resource-level security to any or all of the individual resources that the web client is accessing in CICS, such as web pages stored as CICS document templates, or z/OS UNIX files, or CICS commands used by the application that provides the response. CICS system and resource security for CICS web support explains how to secure these resources and how to remove resource-level security if you do not want it.