When you make an HTTP client request through CICS®, a server
or proxy might require you to perform basic authentication, proxy authentication,
or SSL client certificate authentication. Basic authentication and proxy authentication
are carried out by your user application. A client certificate can be supplied
using a URIMAP definition.
Your client application might be asked to authenticate itself in the following
ways:
- Basic authentication is initiated by a server, to obtain a user
ID and password from you. When you make a request to a server, the server
might send you a response with a 401 status code, and a WWW-Authenticate header.
The header names the realm for which basic authentication is required. To
receive the information you requested, you need to repeat your original request
and add an Authorization header, giving a user ID and password that allow
you access to the realm. This information must be in the format userid:password,
and it must be in base-64 encoding. When you make the same request on subsequent
occasions, you may try sending the Authorization header on your original request,
in which case the server may not issue the challenge. Bear in mind that your
password may expire, at which time the server will issue the challenge again.
- Proxy authentication is initiated by a proxy server. It operates
in the same way as basic authentication. For proxy authentication, the status
code for the response is 407, the challenge header from the proxy server is
Proxy-Authenticate, and your response header must be Proxy-Authorization.
You must provide your user ID and password information with the same format
and encoding as for basic authentication.
- SSL client certificate authentication uses a client certificate
which is issued by a trusted third party (or Certificate Authority). The CICS RACF® Security Guide explains
how this works. A server might or might not require you to provide this authentication
when you are making an HTTPS request. The CICS RACF Security
Guide tells you how to obtain a certificate and store it in a key
ring in the RACF database,
or equivalent external security manager. If a server does request a client
certificate, CICS supplies
the certificate label which is specified in the URIMAP definition that was
used on the WEB OPEN command for the connection. (If you use a URIMAP definition
but do not specify a certificate label, the default certificate defined in
the key ring for the CICS region user ID is used.)
Some servers might ask you to provide other types of authentication or
identification. If you are unable to provide acceptable authentication or
identification to a server, your request will be rejected. For basic authentication
or proxy authentication, the status code used when a server rejects your request
is the same as the status code for the challenge (401 for a server or 407
for a proxy). If you respond to a challenge but then receive a further response
with one of these status codes, the authorization information you used is
not valid.
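The challenge-and-retry exchange described above for basic and proxy authentication, together with the rule that a repeated 401 or 407 after you have answered the challenge means your credentials were rejected, can be seen end to end in the following added example. It is not CICS code and not part of this page: the origin server, the proxy, the realm names and the user IDs and passwords are all constructed for illustration, and the client logic is a plain Python model of what your user application would do on the WEB SEND / WEB RECEIVE side. One caveat the example makes explicit: the Authorization value is the scheme keyword Basic followed by the base-64 encoding of the ASCII bytes of userid:password, so a CICS program must convert the string from EBCDIC before encoding it.

```python
import base64
import hmac
import re

# Constructed realms and credentials for the simulated servers (not real).
ORIGIN_REALM = "orders"
ORIGIN_USERS = {"cicsusr": "s3cret"}
PROXY_REALM = "corp-proxy"
PROXY_USERS = {"proxyusr": "pr0xy"}

# status code -> (challenge header the server sends, header the client must answer with)
CHALLENGES = {
    401: ("WWW-Authenticate", "Authorization"),
    407: ("Proxy-Authenticate", "Proxy-Authorization"),
}


def encode_basic(userid, password):
    """Credential token: 'Basic ' + base-64 of the ASCII bytes of 'userid:password'."""
    raw = f"{userid}:{password}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_challenge(header_value):
    """Return the realm named in a WWW-Authenticate / Proxy-Authenticate header, or None."""
    m = re.match(r'\s*Basic\s+realm="([^"]*)"', header_value or "", re.IGNORECASE)
    return m.group(1) if m else None


def check_basic(token, users):
    """Server-side check of a Basic token against a user table (constant-time compare)."""
    if not token or not token.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(token[6:], validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    userid, _, password = decoded.partition(":")
    expected = users.get(userid, "")
    return hmac.compare_digest(expected.encode(), password.encode())


def origin_server(headers):
    """Simulated origin server: answers 401 with a challenge until valid credentials arrive."""
    if check_basic(headers.get("Authorization"), ORIGIN_USERS):
        return 200, {}, "order list"
    return 401, {"WWW-Authenticate": f'Basic realm="{ORIGIN_REALM}"'}, ""


def proxy_server(headers):
    """Simulated proxy: answers 407 until Proxy-Authorization is valid, then forwards."""
    if not check_basic(headers.get("Proxy-Authorization"), PROXY_USERS):
        return 407, {"Proxy-Authenticate": f'Basic realm="{PROXY_REALM}"'}, ""
    return origin_server(headers)


def client_request(send, credentials, initial_headers=None):
    """Client side of the exchange.

    `send(headers)` delivers the request and returns (status, headers, body).
    `credentials` maps realm -> (userid, password).  Each 401/407 challenge is
    answered once by repeating the request with the matching *-Authorization
    header; if the same challenge comes back after it was answered, the
    credentials for that realm are reported as rejected.
    """
    headers = dict(initial_headers or {})   # may carry a pre-emptive Authorization header
    answered = set()                        # challenge headers already answered
    transcript = []                         # status codes seen, in order
    while True:
        status, resp_headers, body = send(headers)
        transcript.append(status)
        if status not in CHALLENGES:
            return {"status": status, "body": body, "transcript": transcript, "rejected": None}
        challenge_hdr, answer_hdr = CHALLENGES[status]
        realm = parse_challenge(resp_headers.get(challenge_hdr))
        if answer_hdr in answered or realm not in credentials:
            # Same status after we responded (or no credentials for this realm): rejected.
            return {"status": status, "body": body, "transcript": transcript,
                    "rejected": realm or challenge_hdr}
        userid, password = credentials[realm]
        headers[answer_hdr] = encode_basic(userid, password)
        answered.add(answer_hdr)


if __name__ == "__main__":
    creds = {ORIGIN_REALM: ("cicsusr", "s3cret"), PROXY_REALM: ("proxyusr", "pr0xy")}
    print(client_request(origin_server, creds))          # 401 challenge, then 200
    print(client_request(proxy_server, creds))           # 407, then 401, then 200
    print(client_request(origin_server, {ORIGIN_REALM: ("cicsusr", "wrong")}))  # 401 twice
```

The `transcript` list is the useful diagnostic: a `[401, 200]` or `[407, 401, 200]` sequence is the normal challenge round trip, a `[200]` means the pre-emptive Authorization header on the first request was accepted, and a repeated status such as `[401, 401]` is exactly the "your authorization information is not valid" case the page describes, which is also what you see when a password has expired.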