Configuring IPIC connections for identity propagation

You define an IPCONN resource in a receiving CICS® region to enable processing of incoming distributed identity information, and you define an IPCONN resource in a sending region to specify whether a distributed identity is transmitted outside a sysplex.

Before you begin

You must configure your RACF® RACMAP settings before you configure your IPIC connections, even if you have IDPROP(OPTIONAL) set in your IPCONN resource definition. Otherwise, you receive the RACF ICH408I message for every unmapped request that is sent to RACF.

About this task

Identity propagation over an IPIC connection relies on trusted connections between CICS regions or between CICS and CICS Transaction Gateway; for example, if CICS and CICS Transaction Gateway are not in the same sysplex, the connection must use SSL. Identity propagation over an IPIC connection also needs a security manager that supports identity propagation. An ICRX identity token identifies the distributed identity of a user and can be sent to CICS as part of a message.

If CICS receives an ICRX in a message that is sent over an IPIC connection, USERAUTH(IDENTIFY) must be defined for the IPCONN resource in the receiving CICS region to allow processing of the ICRX. If USERAUTH(IDENTIFY) is defined, CICS attempts to map the ICRX to an external security manager (ESM) user ID, for example, a RACF user ID. If the mapping is successful, the ESM user ID is used as the security context for the task that is attached to process the incoming message. If the ICRX cannot be mapped to an ESM user ID, because it is not defined to the external security manager, the message is processed as if it did not contain an ICRX. Local and remote START commands over an IPIC connection do not support identity propagation.

Procedure

  1. Specify USERAUTH(IDENTIFY) in the IPCONN resource definition of the receiving CICS system.
    The IDENTIFY attribute specifies that incoming requests must include a user identifier, which can be provided in the form of an ICRX, but that client authentication is being managed by the security manager that is sending the request. If you are using CICS Transaction Gateway, you must specify USERAUTH(IDENTIFY) to allow CICS Transaction Gateway to pass the distributed identity to CICS. For more information about identity propagation with CICS Transaction Gateway, see the CICS Transaction Gateway information center.
  2. Specify IDPROP(REQUIRED) in the IPCONN resource definition of the sending CICS system.
    The REQUIRED attribute specifies that a distributed identity is required for requests that use this connection, instead of a user ID. The attribute has no meaning if the connection is contained in a single sysplex or if either or both regions cannot support identity propagation. If the connection is between systems in the same sysplex, the connection operates as if IDPROP(OPTIONAL) is specified and ignores any other setting. The receiving CICS system must have USERAUTH(IDENTIFY) specified in the IPCONN resource to be able to process the distributed identity information.
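The two settings in this procedure can be audited offline against a DFHCSDUP-style definition deck. The following script is an added example, not CICS code or part of the CICS documentation: the DEFINE statements are constructed sample input, and it assumes the defaults USERAUTH(LOCAL), IDPROP(NOTALLOWED) and SSL(NO) for omitted attributes and encodes the rules stated on this page (USERAUTH(IDENTIFY) needed to process an ICRX, IDPROP(REQUIRED) ignored within a sysplex, SSL needed across sysplexes).

```python
import re

# Constructed DFHCSDUP-style DEFINE statements (sample input, not from the page).
# USERAUTH, IDPROP and SSL are the IPCONN attributes the procedure relies on.
SAMPLE_CSD = """
DEFINE IPCONN(CICSB) GROUP(IPICGRP) APPLID(CICSB) USERAUTH(IDENTIFY) IDPROP(REQUIRED) SSL(YES)
DEFINE IPCONN(CICSC) GROUP(IPICGRP) APPLID(CICSC) USERAUTH(LOCAL) IDPROP(REQUIRED) SSL(NO)
DEFINE IPCONN(CTG1) GROUP(IPICGRP) APPLID(CTG1) USERAUTH(IDENTIFY)
"""

# Assumed values used when an attribute is omitted from the DEFINE statement.
DEFAULTS = {"USERAUTH": "LOCAL", "IDPROP": "NOTALLOWED", "SSL": "NO"}

def parse_ipconn_defs(text):
    """Return {ipconn_name: {ATTR: VALUE}} for every DEFINE IPCONN statement."""
    defs = {}
    for line in text.splitlines():
        if not line.strip().upper().startswith("DEFINE IPCONN"):
            continue
        attrs = {k.upper(): v.upper() for k, v in re.findall(r"(\w+)\(([^)]*)\)", line)}
        defs[attrs.pop("IPCONN")] = {**DEFAULTS, **attrs}
    return defs

def audit_ipconn(attrs, same_sysplex):
    """Apply this page's identity-propagation rules to one IPCONN definition.

    Returns a list of finding codes; an empty list means the definition can
    both map an incoming ICRX and send a distributed identity as configured.
    """
    findings = []
    # Receiving side: only USERAUTH(IDENTIFY) lets CICS map an incoming ICRX.
    if attrs["USERAUTH"] != "IDENTIFY":
        findings.append("INBOUND_ICRX_IGNORED")
    # Sending side: IDPROP(REQUIRED) has no effect inside a single sysplex;
    # the connection then behaves as IDPROP(OPTIONAL).
    if same_sysplex and attrs["IDPROP"] == "REQUIRED":
        findings.append("IDPROP_REQUIRED_IGNORED_IN_SYSPLEX")
    # Across sysplexes, identity propagation relies on a trusted SSL connection.
    if not same_sysplex and attrs["SSL"] != "YES":
        findings.append("CROSS_SYSPLEX_WITHOUT_SSL")
    return findings

if __name__ == "__main__":
    for name, attrs in parse_ipconn_defs(SAMPLE_CSD).items():
        print(name, audit_ipconn(attrs, same_sysplex=False) or ["OK"])
```

Run it against a real CSD extract to list which connections will silently drop the ICRX or fall back to IDPROP(OPTIONAL) behaviour.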

Results

The distributed identity of a user can now be received in requests from a trusted security manager, for example, CICS Transaction Gateway, that are sent over an IPIC connection.