Authentication of IIOP requests

Authentication is the process by which a service accurately establishes the authenticity of a user making a request.
Identification is the process by which the identity of a user is established. Typically, the term user ID is used to denote the user's identity; in Java™ parlance, the term principal is used.
The two processes are related because, in many cases, the information used to authenticate a user is also used for identification. For example, in a scheme that uses a user ID and password, the user ID alone identifies the user, while the combination of user ID and password authenticates the user.
Authentication is provided by one of the following mechanisms:
  • Basic authentication
  • SSL client certificate authentication
  • Asserted identity authentication
See the CICS® RACF® Security Guide for more information.
For IIOP requests, you can identify the user in the following ways:
  • Using SSL client authentication—see the CICS RACF Security Guide for more information.
  • If SSL client authentication does not provide a user ID, you can write a user-replaceable IIOP security program to provide one. Specify the name of your security program on the URM attribute of the TCPIPSERVICE definition for the port. See Using the IIOP user-replaceable security program for more information.
  • The client can supply a user ID directly. Typically this is done as part of the authentication process. You can identify users in this way when you use basic authentication with the HTTP and ECI application protocols.

  • If none of these mechanisms provides a user ID, the CICS default user ID is used.
The authentication and identification schemes are specified in the CORBASERVER and TCPIPSERVICE resource definitions. Each CORBASERVER is associated with one or more TCPIPSERVICE definitions; each TCPIPSERVICE supports a different mechanism for authentication and identification:
  • The ASSERTED attribute of the CORBASERVER names a TCPIPSERVICE that supports inbound IIOP with asserted identity authentication.
  • The BASIC attribute of the CORBASERVER names a TCPIPSERVICE that supports inbound IIOP with basic authentication.
  • The CLIENTCERT attribute of the CORBASERVER names a TCPIPSERVICE that supports inbound IIOP with SSL client certificate authentication.
  • The SSLUNAUTH attribute names a TCPIPSERVICE that supports inbound IIOP with SSL encryption and no client authentication.
  • The UNAUTH attribute names a TCPIPSERVICE that supports inbound IIOP with no authentication.
Note:
  1. To change the association between an installed CORBASERVER definition and its TCPIPSERVICE definitions, you must discard and reinstall the CORBASERVER definition.
  2. If you use SSL encryption, or SSL client certificate authentication, you must configure your CICS system to support SSL. See the CICS RACF Security Guide.
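As an added example (not from this page or from the CICS-supplied samples), the following DFHCSDUP input defines one TCPIPSERVICE for each mechanism listed above and a CORBASERVER whose attributes name them. Resource names, the group, port numbers, the host name, the JNDI prefix, the certificate label and the URM program name are placeholders chosen for illustration; the SSL and AUTHENTICATE values given to each TCPIPSERVICE are the pairings assumed here to match each CORBASERVER attribute, so check them against the TCPIPSERVICE definition reference for your release.

```text
* Added example: one TCPIPSERVICE per IIOP authentication mechanism,
* plus the CORBASERVER that ties them together. All names, ports, the
* certificate label CICSSRV1 and the URM program IIOPSECX are placeholders.
DEFINE TCPIPSERVICE(IIOPNONE) GROUP(IIOPSEC)
       DESCRIPTION(IIOP no SSL no authentication)
       PROTOCOL(IIOP) TRANSACTION(CIOR) PORTNUMBER(2809)
       SSL(NO) AUTHENTICATE(NO)
DEFINE TCPIPSERVICE(IIOPSSL) GROUP(IIOPSEC)
       DESCRIPTION(IIOP SSL encryption without client authentication)
       PROTOCOL(IIOP) TRANSACTION(CIOR) PORTNUMBER(2810)
       SSL(YES) CERTIFICATE(CICSSRV1) AUTHENTICATE(NO)
DEFINE TCPIPSERVICE(IIOPCERT) GROUP(IIOPSEC)
       DESCRIPTION(IIOP SSL client certificate authentication)
       PROTOCOL(IIOP) TRANSACTION(CIOR) PORTNUMBER(2811)
       SSL(CLIENTAUTH) CERTIFICATE(CICSSRV1) AUTHENTICATE(CERTIFICATE)
       URM(IIOPSECX)
DEFINE TCPIPSERVICE(IIOPASRT) GROUP(IIOPSEC)
       DESCRIPTION(IIOP asserted identity authentication)
       PROTOCOL(IIOP) TRANSACTION(CIOR) PORTNUMBER(2812)
       SSL(CLIENTAUTH) CERTIFICATE(CICSSRV1) AUTHENTICATE(ASSERTED)
DEFINE TCPIPSERVICE(IIOPBASC) GROUP(IIOPSEC)
       DESCRIPTION(IIOP basic authentication over SSL)
       PROTOCOL(IIOP) TRANSACTION(CIOR) PORTNUMBER(2813)
       SSL(YES) CERTIFICATE(CICSSRV1) AUTHENTICATE(BASIC)
DEFINE CORBASERVER(CS01) GROUP(IIOPSEC)
       DESCRIPTION(CORBA server using the five IIOP ports above)
       HOST(cics.example.com) JNDIPREFIX(cics/CS01)
       UNAUTH(IIOPNONE) SSLUNAUTH(IIOPSSL) CLIENTCERT(IIOPCERT)
       ASSERTED(IIOPASRT) BASIC(IIOPBASC)
```

The URM is placed on the CLIENTCERT TCPIPSERVICE because that is the case described above in which a user-replaceable program may be needed to supply a user ID. Because of note 1, changing which TCPIPSERVICE any of the five CORBASERVER attributes names takes effect only after the CORBASERVER definition is discarded and reinstalled; installing only the changed TCPIPSERVICE is not enough.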

An enterprise bean can use the getCallerPrincipal() method to obtain the principal of the client that made the request; when SSL client certificate authentication is used, this identity is derived from the client certificate. See Deriving distinguished names for more details.

The derived USERID is passed with the IIOP request to the request processor, where it becomes the user ID under which the request executes and is checked. If the request processor is executing in a different CICS region, the transmission of the USERID follows the CICS rules for authentication across a CONNECTION (the ATTACHSEC attribute of the CONNECTION definition).