The Trust client interface

The Trust client interface enables you to interact with a Security Token Service (STS) directly, rather than using the security handler. In this way, you have the flexibility to provide more advanced processing of tokens than the processing offered by the security handler.

The Trust client interface is an enhancement to the CICS-supplied program DFHPIRT. This program is usually used to start a pipeline when a web service requester application has not been deployed using the CICS web services assistant. But it can also act as the Trust client interface to the STS.

You can invoke the Trust client interface by linking to DFHPIRT from a message handler or header processing program, passing a channel called DFHWSTC-V1 and a set of security containers. Using these containers, you have the flexibility to request either a validate or issue action from the STS, select which token type to exchange, and pass the appropriate token from the message header. DFHPIRT dynamically creates a pipeline, composes a web service request from the security containers, and sends it to the STS.

DFHPIRT waits for the response from the STS and passes this back in the DFHWS-RESTOKEN container to the message handler. If the STS encounters an error, it returns a SOAP fault. DFHPIRT puts the fault in the DFHWS-STSFAULT container and returns to the linking program in the pipeline.
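The link-and-check sequence described above, as an added COBOL example that is not IBM-supplied code. The request container names (DFHWS-STSURI, DFHWS-STSACTION, DFHWS-IDTOKEN, DFHWS-TOKENTYPE, DFHWS-SERVICEURI) do not appear on this page and are assumptions to confirm against the CICS documentation for your release; the program name STSVALID, the URIs and the token are constructed placeholders.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. STSVALID.
      * Added example. URIs and token are constructed placeholders;
      * request container names are assumptions, not from the page.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01 WS-CHAN     PIC X(16) VALUE 'DFHWSTC-V1'.
       01 WS-STS-URI  PIC X(35)
           VALUE 'https://sts.example.com/TrustServer'.
       01 WS-ACTION   PIC X(52) VALUE
           'http://schemas.xmlsoap.org/ws/2005/02/trust/Validate'.
       01 WS-TOKTYPE  PIC X(29)
           VALUE 'urn:example:placeholder-token'.
       01 WS-SVC-URI  PIC X(30)
           VALUE 'https://svc.example.com/orders'.
       01 WS-TOKEN    PIC X(32)
           VALUE '<ex:Token>constructed</ex:Token>'.
       01 WS-REPLY    PIC X(4096).
       01 WS-LEN      PIC S9(8) COMP.
       01 WS-RESP     PIC S9(8) COMP.
       01 WS-TRUSTED  PIC X VALUE 'N'.
       PROCEDURE DIVISION.
           EXEC CICS PUT CONTAINER('DFHWS-STSURI') CHANNEL(WS-CHAN)
               FROM(WS-STS-URI) CHAR END-EXEC
           EXEC CICS PUT CONTAINER('DFHWS-STSACTION') CHANNEL(WS-CHAN)
               FROM(WS-ACTION) CHAR END-EXEC
           EXEC CICS PUT CONTAINER('DFHWS-IDTOKEN') CHANNEL(WS-CHAN)
               FROM(WS-TOKEN) CHAR END-EXEC
           EXEC CICS PUT CONTAINER('DFHWS-TOKENTYPE') CHANNEL(WS-CHAN)
               FROM(WS-TOKTYPE) CHAR END-EXEC
           EXEC CICS PUT CONTAINER('DFHWS-SERVICEURI') CHANNEL(WS-CHAN)
               FROM(WS-SVC-URI) CHAR END-EXEC
           EXEC CICS LINK PROGRAM('DFHPIRT') CHANNEL(WS-CHAN) END-EXEC
      * Fail closed: trust only if no fault container was returned.
           MOVE LENGTH OF WS-REPLY TO WS-LEN
           EXEC CICS GET CONTAINER('DFHWS-STSFAULT') CHANNEL(WS-CHAN)
               INTO(WS-REPLY) FLENGTH(WS-LEN) RESP(WS-RESP) END-EXEC
           IF WS-RESP = DFHRESP(CONTAINERERR)
               MOVE LENGTH OF WS-REPLY TO WS-LEN
               EXEC CICS GET CONTAINER('DFHWS-RESTOKEN')
                   CHANNEL(WS-CHAN) INTO(WS-REPLY) FLENGTH(WS-LEN)
                   RESP(WS-RESP) END-EXEC
               IF WS-RESP = DFHRESP(NORMAL) MOVE 'Y' TO WS-TRUSTED
               END-IF
           END-IF
      * Act on WS-TRUSTED here (for example, reject the request).
           EXEC CICS RETURN END-EXEC.
```

The token is accepted only when DFHWS-STSFAULT is absent and DFHWS-RESTOKEN can be read, so a fault too large for the buffer or any other GET error leaves WS-TRUSTED at 'N'.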

You can use the Trust client interface without enabling the security handler in your service provider and service requester pipelines, or you can use the Trust client interface in addition to the security handler.