Obtaining a CICS user ID

For IIOP requests, you can authenticate and identify the user in the following ways:
  1. Using Secure Sockets Layer (SSL) client authentication. See the CICS® RACF® Security Guide for more information.
  2. If SSL authentication does not provide a user ID, you can use the IIOP user-replaceable security program to provide one. Specify the name of your IIOP security program on the URM attribute of the TCPIPSERVICE definition for the port. See Using the IIOP user-replaceable security program for more information.
  3. If neither of these mechanisms provides a user ID, the default user ID is used.

If you specify the name of a security program on the TCPIPSERVICE definition, but omit the PROGRAM resource definition for it, CICS tries to build a resource definition for it (autoinstall); if this fails, or your security program does not return a USERID, CICS uses the user ID associated with the SSL client certificate, if there is one. Otherwise, the default user ID is used.

The following communications area is passed to the user-replaceable program. This structure is based on the format of an IIOP message defined in The Common Object Request Broker: Architecture and Specification obtainable from the OMG web site at:
http://www.omg.org/library

| Offset (hex) | Type | Len | Name |
|---|---|---|---|
| (0) | STRUCTURE | 80 | sXOPUS |
| (0) | CHARACTER | 4 | standard_header |
| (4) | FULLWORD | 4 | pIIOPData |
| (8) | FULLWORD | 4 | lIIOPData |
| (C) | FULLWORD | 4 | pRequestBody |
| (10) | FULLWORD | 4 | lRequestBody |
| (14) | CHARACTER | 4 | corbaserver |
| (18) | FULLWORD | 4 | pBeanName |
| (1C) | FULLWORD | 4 | lBeanName |
| (20) | FULLWORD | 4 | BeanInterfaceType |
| (24) | FULLWORD | 4 | pModule |
| (28) | FULLWORD | 4 | lModule |
| (2C) | FULLWORD | 4 | pInterface |
| (30) | FULLWORD | 4 | lInterface |
| (34) | FULLWORD | 4 | pOperation |
| (38) | FULLWORD | 4 | lOperation |
| (3C) | CHARACTER | 8 | userid |
| (44) | FULLWORD | 4 | transid |
| (48) | FULLWORD | 4 | flag_bytes |
| (4C) | FULLWORD | 4 | return_code |
| (50) | FULLWORD | 4 | reason_code |

standard_header
    contains a standard header with the following format:
    function
        1-byte field set to X'00'
    domain
        2-character field containing II
    *
        1-character reserved field
pIIOPData
    contains the address of the first megabyte of the unconverted IIOP buffer.
lIIOPData
    contains the length of the unconverted IIOP buffer.
pRequestBody
    contains the address of the incoming IIOP request.
lRequestBody
    contains the length of the incoming IIOP request.
corbaserver
    contains the name of the CorbaServer associated with this request.
pBeanName
    contains a pointer to the EBCDIC bean name.
lBeanName
    contains the length of the bean name.
BeanInterfaceType
    contains an enumerated value. X'00' indicates home; X'01' indicates remote.
pModule
    contains a pointer to the EBCDIC Module name.
lModule
    contains the length of the Module name.
pInterface
    contains a pointer to the EBCDIC Interface name.
lInterface
    contains the length of the Interface name.
pOperation
    contains a pointer to the EBCDIC Operation name.
lOperation
    contains the length of the Operation.
userid
    contains the input and output user ID. The output user ID must be exactly 8 characters long. If it is shorter than 8 characters it must be padded with blanks.
transid
    contains the input TRANSID.
flag_bytes
    contains the following indicators:
    littleEndian
        1-byte field showing byte-order, where 1 indicates TRUE and 0 indicates FALSE
    sslClientUserid
        1-byte field showing the derivation of the USERID if SSLTYPE CLIENTAUTH is specified in the TCPIPSERVICE definition, where:
        0
            USERID set from DFLTUSER
        1
            USERID set from SSL CERTIFICATE
    *
        2-byte reserved field
return_code
    contains the return code.
reason_code
    contains the reason code.

RETNCODE is set to RCUSRID (X'01') if a USERID is being returned. The user-replaceable program should return all other fields unchanged, or unpredictable results will occur.
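
The following C sketch is an added example, not code from the CICS documentation or from any IBM-supplied sample. It maps the communications area field for field and uses a hypothetical helper, `set_userid`, to return a blank-padded 8-character user ID with return_code set to RCUSRID, leaving every other field untouched. Refusing to override a certificate-derived user ID is a policy assumption of this example, and `WEBUSR` is a constructed sample value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RCUSRID 0x01u  /* return_code value: a USERID is being returned */

/* Communications area, following the offset table above. Addresses are
   4-byte fullwords, so they are held as uint32_t rather than C pointers. */
typedef struct {
    char     standard_header[4];          /* 0x00 */
    uint32_t pIIOPData, lIIOPData;        /* 0x04, 0x08 */
    uint32_t pRequestBody, lRequestBody;  /* 0x0C, 0x10 */
    char     corbaserver[4];              /* 0x14 */
    uint32_t pBeanName, lBeanName;        /* 0x18, 0x1C */
    uint32_t BeanInterfaceType;           /* 0x20 */
    uint32_t pModule, lModule;            /* 0x24, 0x28 */
    uint32_t pInterface, lInterface;      /* 0x2C, 0x30 */
    uint32_t pOperation, lOperation;      /* 0x34, 0x38 */
    char     userid[8];                   /* 0x3C: input and output */
    uint32_t transid;                     /* 0x44 */
    uint8_t  littleEndian;                /* 0x48: flag_bytes, byte 0 */
    uint8_t  sslClientUserid;             /* 0x49: 0 DFLTUSER, 1 certificate */
    uint8_t  reserved[2];                 /* 0x4A */
    uint32_t return_code;                 /* 0x4C */
    uint32_t reason_code;                 /* 0x50 */
} sXOPUS;
_Static_assert(offsetof(sXOPUS, userid) == 0x3C, "userid must sit at X'3C'");

/* Hypothetical helper (not a CICS API). Returns 1 if a user ID was
   written, 0 if the communications area was left exactly as received. */
int set_userid(sXOPUS *ca, const char *id)
{
    size_t n = id ? strlen(id) : 0;

    if (ca->sslClientUserid == 1) return 0;  /* assumed policy: keep cert ID */
    if (n == 0 || n > sizeof ca->userid) return 0;  /* never truncate an ID */

    /* ' ' is the blank of the compile-time character set (EBCDIC on z/OS). */
    memset(ca->userid, ' ', sizeof ca->userid);
    memcpy(ca->userid, id, n);               /* no NUL: exactly 8 bytes */
    ca->return_code = RCUSRID;
    return 1;
}

int main(void)
{
    sXOPUS ca;
    memset(&ca, 0, sizeof ca);               /* constructed empty commarea */
    return set_userid(&ca, "WEBUSR") ? 0 : 1;
}
```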

See the CICS Customization Guide for information about installing user-replaceable programs.