A range of products and network topologies support identity propagation.
The following IBM® products support identity propagation:
Identity propagation is supported when connecting to CICS using an IPIC connection. A client-authenticated SSL connection is required unless CICS Transaction Gateway and CICS Transaction Server are on z/OS and in the same sysplex.
For more information about the topologies that are supported by CICS Transaction Gateway, see Deployment topologies.
The following example shows identity propagation in a remote mode topology:
The user security information consists of a distinguished name and a realm name. The distinguished name uniquely identifies an entry within a user registry. The realm name represents a named collection of users and groups that can be used in a specific security context.
When the user has been authenticated in WebSphere Application Server, the security information is passed unchanged as a distributed identity to CICS. The distributed identity is mapped to a RACF user ID, which is used for authorization by CICS.
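The mapping step described above is defined in RACF with the RACMAP command. The following REXX exec is an added example, not taken from the IBM documentation; the distinguished names, the realm name, the labels and the RACF user IDs are constructed, and it assumes the realm is an LDAP registry named by host and port.

```rexx
/* REXX - added example: map distributed identities to RACF user IDs. */
/* All DNs, the realm, labels and user IDs below are constructed.     */
realm = 'ldap.example.com:389'   /* assumed realm name of the registry */

/* One-to-one: a single distinguished name in the realm -> CICSUSR1   */
cmd.1 = "RACMAP ID(CICSUSR1) MAP",
        "USERDIDFILTER(NAME('CN=Jane Doe,OU=Payments,O=Example,C=US'))",
        "REGISTRY(NAME('"realm"'))",
        "WITHLABEL('Jane Doe via WAS')"

/* Many-to-one: every DN under OU=Payments in the realm -> PAYUSER.   */
/* A narrower filter keeps authorization closer to the individual.    */
cmd.2 = "RACMAP ID(PAYUSER) MAP",
        "USERDIDFILTER(NAME('OU=Payments,O=Example,C=US'))",
        "REGISTRY(NAME('"realm"'))",
        "WITHLABEL('Payments dept via WAS')"

/* Activate the class that holds the mappings (first-time setup).     */
/* After later changes use: SETROPTS RACLIST(IDIDMAP) REFRESH         */
cmd.3 = "SETROPTS CLASSACT(IDIDMAP) RACLIST(IDIDMAP)"

/* Review what is now associated with the RACF user ID                */
cmd.4 = "RACMAP ID(CICSUSR1) LISTMAP"
cmd.0 = 4

/* Run each command and stop on the first failure                     */
do i = 1 to cmd.0
  address TSO cmd.i
  if rc <> 0 then do
    say 'RC='rc 'from:' cmd.i
    exit rc
  end
end
exit 0
```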