Authenticating IIOP users

For the IIOP application protocol, you can authenticate the user using SSL client certificate authentication or asserted identity authentication.

The authentication scheme is specified by the AUTHENTICATE and SSL attributes of each TCPIPSERVICE:
  Authentication method                            AUTHENTICATE   SSL          Associated CORBASERVER attribute
  IIOP with no authentication                      NO             NO           UNAUTH
  IIOP with no authentication                      NO             YES          SSLUNAUTH
  IIOP with SSL client certificate authentication  CERTIFICATE    CLIENTCERT   CLIENTCERT
  IIOP with asserted identity authentication       ASSERTED       CLIENTCERT   ASSERTED
A CORBASERVER can support more than one authentication scheme:
  • The UNAUTH attribute specifies the name of a TCPIPSERVICE that defines the characteristics of a port which is used for inbound IIOP with no authentication.
    Note: You must specify a value for the UNAUTH attribute when you define a CORBASERVER, even if you intend that all inbound requests to this CORBASERVER should be authenticated. This is because the PORTNUMBER attribute of the TCPIPSERVICE is required in order to construct IORs that are exported from this logical server.
  • The SSLUNAUTH attribute specifies the name of a TCPIPSERVICE that defines the characteristics of a port which is used for inbound IIOP with SSL but no authentication.
  • The CLIENTCERT attribute specifies the name of a TCPIPSERVICE that defines the characteristics of the port which is used for inbound IIOP with SSL client certificate authentication.
  • The ASSERTED attribute specifies the name of a TCPIPSERVICE that defines the characteristics of a port which is used for inbound IIOP with asserted identity authentication.
The authentication protocols supported by an object are made known to clients in the IOR for the object:
  • When CICS is the server, the authentication protocols are specified in CORBASERVER resources. When the Generic Factory Interoperable Object Reference (GenFacIOR) of the CORBASERVER is published, the authentication protocols supported by each object are made known to clients in the GenFacIOR.
  • When CICS is the client, it examines the IOR for the server object to determine which authentication protocols the object supports, and selects the protocol to use. If more than one protocol is supported, CICS selects the first supported protocol from:
    1. Asserted identity authentication
    2. SSL client certificate authentication
If neither protocol is supported, no authentication is used.
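As an added example that is not part of the CICS documentation, the following Python encodes the AUTHENTICATE/SSL table above and the client-side selection order as a consistency check over TCPIPSERVICE and CORBASERVER definitions represented as dicts; the resource names and port numbers are constructed, not real definitions.

```python
# Added example (not from the CICS documentation): checks that the TCPIPSERVICE
# named by each CORBASERVER authentication attribute carries the AUTHENTICATE/SSL
# combination the table requires, and that UNAUTH is always present.
# Definitions are plain dicts; resource names and ports below are constructed.

# CORBASERVER attribute -> required (AUTHENTICATE, SSL) on the named TCPIPSERVICE
REQUIRED = {
    "UNAUTH":     ("NO", "NO"),
    "SSLUNAUTH":  ("NO", "YES"),
    "CLIENTCERT": ("CERTIFICATE", "CLIENTCERT"),
    "ASSERTED":   ("ASSERTED", "CLIENTCERT"),
}

def check_corbaserver(corbaserver, tcpipservices):
    """Return a list of problems; an empty list means the definitions agree."""
    problems = []
    # UNAUTH is mandatory: its PORTNUMBER is needed to build exported IORs.
    if not corbaserver.get("UNAUTH"):
        problems.append("UNAUTH must name a TCPIPSERVICE (PORTNUMBER needed for IORs)")
    for attr, (want_auth, want_ssl) in REQUIRED.items():
        name = corbaserver.get(attr)
        if not name:
            continue  # optional scheme not offered by this CORBASERVER
        svc = tcpipservices.get(name)
        if svc is None:
            problems.append(f"{attr}={name}: no such TCPIPSERVICE")
            continue
        got = (svc.get("AUTHENTICATE"), svc.get("SSL"))
        if got != (want_auth, want_ssl):
            problems.append(f"{attr}={name}: AUTHENTICATE/SSL is {got}, "
                            f"expected {(want_auth, want_ssl)}")
    return problems

def select_client_protocol(supported):
    """Protocol CICS picks as a client from the protocols an IOR advertises."""
    for proto in ("ASSERTED", "CLIENTCERT"):  # preference order from the text
        if proto in supported:
            return proto
    return None  # neither supported: no authentication

# Constructed sample definitions (names and ports are made up).
TCPIP = {
    "IIOPPLN": {"AUTHENTICATE": "NO", "SSL": "NO", "PORTNUMBER": 2809},
    "IIOPCRT": {"AUTHENTICATE": "CERTIFICATE", "SSL": "CLIENTCERT", "PORTNUMBER": 2810},
    "IIOPBAD": {"AUTHENTICATE": "ASSERTED", "SSL": "YES", "PORTNUMBER": 2811},
}
GOOD = {"UNAUTH": "IIOPPLN", "CLIENTCERT": "IIOPCRT"}
BAD = {"CLIENTCERT": "IIOPCRT", "ASSERTED": "IIOPBAD"}  # no UNAUTH; SSL not CLIENTCERT
```

Running check_corbaserver(BAD, TCPIP) reports both the missing UNAUTH and the ASSERTED port whose SSL attribute is YES instead of CLIENTCERT, which is the mismatch that would leave asserted identity without the client certificate it relies on.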