The CICS-supplied sample user-replaceable program, DFHXOPUS, accepts
the RACF® USERID associated with the client certificate, if there is one.
If there is no RACF USERID associated with a certificate:
- For SSL(CLIENTAUTH), DFHXOPUS uses the first eight characters of the COMMONNAME
extracted from the client certificate.
- For SSL(YES) or SSL(NO), DFHXOPUS uses the first eight characters of the
IIOP Principal, if there is one.
Note: Versions of the General Inter-ORB
Protocol (GIOP) from 1.2 onwards do not support the IIOP Principal field in
request headers. So DFHXOPUS will only ever return a user ID derived from
the IIOP Principal when the request is in GIOP 1.1, or earlier, format.
If a USERID has not been found using these procedures, DFHXOPUS returns
the USERID specified in the CICS DFLTUSER system initialization parameter.
The security exit program returns the user ID in the userid field
of the communications area. If the user ID is less than 8 characters long,
the exit program pads the field with blanks. Because a user ID is being returned,
the return_code field is set to RCUSRID (X'01').
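The selection order described above can be modeled in C as follows. This is an added example, not the DFHXOPUS source: the `exit_input` and `exit_output` structures, the `ssl_mode` enum and the function names are hypothetical and do not reflect the real communications area layout; only `userid`, `return_code` and RCUSRID (X'01') come from this page.

```c
#include <string.h>

#define RCUSRID    0x01  /* return_code value named on the page */
#define USERID_LEN 8

enum ssl_mode { SSL_NO, SSL_YES, SSL_CLIENTAUTH };  /* hypothetical names */

/* Hypothetical model of the exit's inputs; not the real commarea. */
struct exit_input {
    enum ssl_mode ssl;
    const char *racf_userid;    /* USERID associated with the certificate, or NULL */
    const char *common_name;    /* COMMONNAME from the client certificate, or NULL */
    const char *iiop_principal; /* NULL for GIOP 1.2 onwards (field not supported) */
    const char *dfltuser;       /* DFLTUSER value; assumed always present */
};

struct exit_output {
    char userid[USERID_LEN];    /* blank padded, not NUL terminated */
    unsigned char return_code;
};

static int present(const char *s) { return s != NULL && s[0] != '\0'; }

/* Keep at most the first eight characters and pad the rest with blanks. */
static void set_userid(struct exit_output *out, const char *src)
{
    size_t n = strlen(src);
    if (n > USERID_LEN) n = USERID_LEN;
    memset(out->userid, ' ', USERID_LEN);
    memcpy(out->userid, src, n);
    out->return_code = RCUSRID;
}

/* Apply the fallback order: RACF USERID, then COMMONNAME or IIOP
   Principal depending on the SSL setting, then DFLTUSER. */
void select_userid(const struct exit_input *in, struct exit_output *out)
{
    if (present(in->racf_userid))
        set_userid(out, in->racf_userid);
    else if (in->ssl == SSL_CLIENTAUTH && present(in->common_name))
        set_userid(out, in->common_name);
    else if (in->ssl != SSL_CLIENTAUTH && present(in->iiop_principal))
        set_userid(out, in->iiop_principal);
    else
        set_userid(out, in->dfltuser);
}
```

Because only the first eight characters are kept, distinct COMMONNAME values that share an eight-character prefix yield the same user ID.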
If you write your own security exit program, it should return all fields
other than userid and return_code unchanged, or unpredictable
results may occur.