Identifying HTTP users

For the HTTP application protocol, you can identify the user in the following ways:
  • A user ID can be obtained from the Web client using HTTP basic authentication.
  • If the web browser sends a client certificate, you can use a user ID that is associated with the certificate.
    You can associate a certificate with a RACF® user ID in two ways:
    • You can use RACF commands to associate a certificate with a user ID.
    • CICS® can automatically issue the RACF commands to associate a certificate with a user ID (which is obtained from the Web client using HTTP basic authentication).
    Associating a RACF user ID with a certificate explains how to do this.
It is also possible for CICS to supply a user ID on behalf of the Web client:
  • In the USERID attribute of the URIMAP definition for a request. (Note that if surrogate user checking is enabled in the CICS region, CICS checks that the user ID used to install the URIMAP definition is authorized as a surrogate of the user ID specified for the USERID attribute.)
  • In an analyzer program that is used in the processing path for an application-generated request.
  • As the CICS default user ID.
It is important to note that if you use a URIMAP definition or analyzer program to set a user ID that has not been supplied by a client, or allow the CICS default user ID to be used, there is no authentication of the client's identity. Do this only when communicating with your own client system, which has already authenticated its users and communicates with the server in a secure environment.
The order of precedence of user IDs determined by these methods is:
  1. A user ID specified by the analyzer program, which can override a user ID obtained from the Web client or supplied by a URIMAP definition.
  2. A user ID obtained from the Web client using basic authentication, or a user ID associated with a client certificate. If authentication is required for the connection but the client does not provide an authenticated user ID, the request is rejected.
  3. A user ID specified in the URIMAP definition for the request.
  4. The CICS default user ID, if no other can be determined.

The method used to identify the user is determined by the AUTHENTICATE and SSL attributes of the TCPIPSERVICE definition:

Table 1. How the user of an HTTP client is identified

AUTHENTICATE: NO, SSL: NO or YES
  The client does not supply a user ID. It can be supplied by an analyzer program or URIMAP definition, or allowed to default to the CICS default user ID.

AUTHENTICATE: NO, SSL: CLIENTAUTH
  • If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program.
  • If the client sends a certificate that is not associated with a user ID, a user ID can be supplied by an analyzer program or URIMAP definition, or allowed to default to the CICS default user ID.
  • If the client does not send a certificate, then the connection is rejected.

AUTHENTICATE: BASIC, SSL: all values
  A user ID is obtained from the client, using HTTP basic authentication. This can be overridden by an analyzer program.

AUTHENTICATE: CERTIFICATE, SSL: CLIENTAUTH
  • If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program.
  • If the client sends a certificate that is not associated with a user ID, or does not send a certificate, then the connection is rejected.

AUTHENTICATE: AUTOREGISTER, SSL: CLIENTAUTH
  • If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program.
  • If the client sends a certificate that is not associated with a user ID, then the user ID is obtained from the client, using HTTP basic authentication, and the user ID is registered to the certificate.
  • If the client does not send a certificate, then the connection is rejected.

AUTHENTICATE: AUTOMATIC, SSL: NO or YES
  A user ID is obtained from the client, using HTTP basic authentication. This can be overridden by an analyzer program.

AUTHENTICATE: AUTOMATIC, SSL: CLIENTAUTH
  • If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program.
  • If the client sends a certificate that is not associated with a user ID, then the user ID is obtained from the client, using HTTP basic authentication, and the user ID is registered to the certificate.
  • If the client does not send a certificate, then the user ID is obtained from the client, using HTTP basic authentication.

Note:
  1. This table does not list combinations of values for the AUTHENTICATE and SSL attributes that are invalid and cannot be specified in the TCPIPSERVICE definition.
  2. If HTTP basic authentication is used, CICS verifies the password. If the password is invalid, the connection is rejected.
  3. When CICS document templates and HFS files are delivered directly from a URIMAP definition, as a static response, basic authentication does not operate. If you need to implement access controls based on a user ID, use an application to provide the resources as a dynamic response. For more information about CICS Web support architecture, see "Planning your CICS Web support architecture for CICS as an HTTP server" in the CICS Internet Guide.
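The precedence rules and Table 1 together form one decision procedure, and it is easy to misread which combinations reject a connection and which fall through to a URIMAP or default user ID. The following Python is an added illustration, not CICS code or part of the original documentation: it encodes the table rows, the four-step order of precedence, and note 2 (an invalid password rejects the connection) as a single function. TcpipService, HttpRequest, resolve_http_userid and the cert_registry dictionary are hypothetical names; the certificate labels and user IDs are constructed sample values, and cert_registry stands in for the RACF association between a certificate and a user ID.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class TcpipService:
    """Hypothetical model of the two TCPIPSERVICE attributes the table keys on."""
    authenticate: str  # NO | BASIC | CERTIFICATE | AUTOREGISTER | AUTOMATIC
    ssl: str           # NO | YES | CLIENTAUTH


@dataclass
class HttpRequest:
    """Hypothetical model of the evidence available for one request (all constructed)."""
    certificate: Optional[str] = None      # label of the client certificate sent, or None
    basic_userid: Optional[str] = None     # user ID from HTTP basic authentication, if any
    basic_password_ok: bool = False        # outcome of the password check CICS performs
    analyzer_userid: Optional[str] = None  # user ID set by an analyzer program, if any
    urimap_userid: Optional[str] = None    # USERID attribute of the matching URIMAP, if any


# The AUTHENTICATE/SSL combinations that appear in Table 1. Anything else is
# treated as "not listed"; the page says invalid combinations are omitted.
LISTED_COMBINATIONS = {
    ("NO", "NO"), ("NO", "YES"), ("NO", "CLIENTAUTH"),
    ("BASIC", "NO"), ("BASIC", "YES"), ("BASIC", "CLIENTAUTH"),
    ("CERTIFICATE", "CLIENTAUTH"),
    ("AUTOREGISTER", "CLIENTAUTH"),
    ("AUTOMATIC", "NO"), ("AUTOMATIC", "YES"), ("AUTOMATIC", "CLIENTAUTH"),
}


class Rejected(Exception):
    """Raised internally when the table says the connection or request is rejected."""


def resolve_http_userid(service: TcpipService, request: HttpRequest,
                        cert_registry: Dict[str, str],
                        default_userid: str = "CICSUSER") -> Tuple[str, ...]:
    """Return ("accepted", userid, source) or ("rejected", reason).

    cert_registry maps a certificate label to the user ID associated with it
    (a stand-in for the RACF association). AUTOREGISTER and AUTOMATIC with
    CLIENTAUTH add an entry when they register a user ID to a certificate.
    """
    key = (service.authenticate, service.ssl)
    if key not in LISTED_COMBINATIONS:
        raise ValueError(f"AUTHENTICATE({key[0]}) SSL({key[1]}) is not listed in Table 1")
    auth, ssl = key

    def basic_auth() -> str:
        # Note 2: CICS verifies the password; an invalid password rejects the connection.
        # Precedence item 2: authentication required but not supplied also rejects.
        if request.basic_userid is None:
            raise Rejected("basic authentication required but no credentials supplied")
        if not request.basic_password_ok:
            raise Rejected("invalid password")
        return request.basic_userid

    cert = request.certificate
    cert_userid = cert_registry.get(cert) if cert is not None else None
    client_userid: Optional[str] = None   # user ID the client itself supplies, if any
    source = ""

    try:
        if auth == "NO":
            if ssl == "CLIENTAUTH":
                if cert is None:
                    raise Rejected("no client certificate")
                client_userid, source = cert_userid, "certificate"   # None if unregistered
        elif auth == "BASIC" or (auth == "AUTOMATIC" and ssl != "CLIENTAUTH"):
            client_userid, source = basic_auth(), "basic"
        elif auth == "CERTIFICATE":
            if cert_userid is None:
                raise Rejected("certificate missing or not associated with a user ID")
            client_userid, source = cert_userid, "certificate"
        elif auth == "AUTOREGISTER":
            if cert is None:
                raise Rejected("no client certificate")
            if cert_userid is None:
                client_userid, source = basic_auth(), "basic"
                cert_registry[cert] = client_userid      # register the user ID to the certificate
            else:
                client_userid, source = cert_userid, "certificate"
        else:  # AUTOMATIC with CLIENTAUTH
            if cert is None or cert_userid is None:
                client_userid, source = basic_auth(), "basic"
                if cert is not None:
                    cert_registry[cert] = client_userid  # unregistered certificate: register it
            else:
                client_userid, source = cert_userid, "certificate"
    except Rejected as why:
        return ("rejected", str(why))

    # Order of precedence from the page: analyzer program, then the client-supplied
    # user ID, then the URIMAP USERID attribute, then the CICS default user ID.
    if request.analyzer_userid:
        return ("accepted", request.analyzer_userid, "analyzer")
    if client_userid:
        return ("accepted", client_userid, source)
    if request.urimap_userid:
        return ("accepted", request.urimap_userid, "URIMAP")
    return ("accepted", default_userid, "default")
```

Running the function over the rows makes the unauthenticated paths visible: every result whose source is "URIMAP" or "default" was reached without the client proving its identity, which is exactly the situation the text says to allow only for a trusted client system in a secure environment.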