For IIOP requests, you can authenticate and identify the
user in the following ways:
- Using Secure Sockets Layer (SSL) client authentication. See the CICS® RACF® Security Guide for more
information.
- If SSL authentication does not provide a user ID, you can use the IIOP
user-replaceable security program to provide one. Specify the name of your
IIOP security program on the URM attribute of the TCPIPSERVICE definition
for the port. See Using the IIOP user-replaceable security program for more information.
- If neither of these mechanisms provides a user ID, the default user ID is used.
If you specify the name of a security program on the TCPIPSERVICE
definition, but omit the PROGRAM resource definition for it, CICS tries to
build a resource definition for it (autoinstall); if this fails, or your security
program does not return a USERID, CICS uses the user ID associated with
the SSL client certificate, if there is one. Otherwise, the default user ID is used.
The following communications area is passed to the user-replaceable program. This
structure is based on the format of an IIOP message defined in
The Common Object Request Broker: Architecture and Specification, obtainable from
the OMG web site at: http://www.omg.org/library
| Offset (Hex) | Type | Len | Name |
|---|---|---|---|
| (0) | STRUCTURE | 80 | sXOPUS |
| (0) | CHARACTER | 4 | standard_header |
| (4) | FULLWORD | 4 | pIIOPData |
| (8) | FULLWORD | 4 | lIIOPData |
| (C) | FULLWORD | 4 | pRequestBody |
| (10) | FULLWORD | 4 | lRequestBody |
| (14) | CHARACTER | 4 | corbaserver |
| (18) | FULLWORD | 4 | pBeanName |
| (1C) | FULLWORD | 4 | lBeanName |
| (20) | FULLWORD | 4 | BeanInterfaceType |
| (24) | FULLWORD | 4 | pModule |
| (28) | FULLWORD | 4 | lModule |
| (2C) | FULLWORD | 4 | pInterface |
| (30) | FULLWORD | 4 | lInterface |
| (34) | FULLWORD | 4 | pOperation |
| (38) | FULLWORD | 4 | lOperation |
| (3C) | CHARACTER | 8 | userid |
| (44) | FULLWORD | 4 | transid |
| (48) | FULLWORD | 4 | flag_bytes |
| (4C) | FULLWORD | 4 | return_code |
| (50) | FULLWORD | 4 | reason_code |
- standard_header: contains a standard header with the following format:
  - function: 1-byte field set to X'00'
  - domain: 2-character field containing II
  - *: 1-character reserved field
- pIIOPData: contains the address of the first megabyte of the unconverted IIOP buffer.
- lIIOPData: contains the length of the unconverted IIOP buffer.
- pRequestBody: contains the address of the incoming IIOP request.
- lRequestBody: contains the length of the incoming IIOP request.
- corbaserver: contains the name of the CorbaServer associated with this request.
- pBeanName: contains a pointer to the EBCDIC bean name.
- lBeanName: contains the length of the bean name.
- BeanInterfaceType: contains an enumerated value. X'00' indicates home; X'01' indicates remote.
- pModule: contains a pointer to the EBCDIC Module name.
- lModule: contains the length of the Module name.
- pInterface: contains a pointer to the EBCDIC Interface name.
- lInterface: contains the length of the Interface name.
- pOperation: contains a pointer to the EBCDIC Operation name.
- lOperation: contains the length of the Operation.
- userid: contains the input and output user ID. The output user ID must be exactly
  8 characters long. If it is shorter than 8 characters it must be padded with
  blanks.
- transid: contains the input TRANSID.
- flag_bytes: contains the following indicators:
  - littleEndian: 1-byte field showing byte-order, where 1 indicates TRUE and 0 indicates
    FALSE
  - sslClientUserid: 1-byte field showing the derivation of the USERID if SSLTYPE CLIENTAUTH
    is specified in the TCPIPSERVICE definition, where:
    - 0: USERID set from DFLTUSER
    - 1: USERID set from SSL CERTIFICATE
  - *: 2-byte reserved field
- return_code: contains the return code.
- reason_code: contains the reason code.
RETNCODE is set to RCUSRID (X'01') if a USERID
is being returned. The user-replaceable program should return all other fields
unchanged, or unpredictable results will occur.
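The user ID and return code handling described above, as an added C example that is not IBM's code: the struct is a constructed mirror of the offsets in the table, and `xopus_t` and `xopus_return_userid` are assumed names. It writes only `userid` and `return_code`, and rejects an over-long ID instead of truncating it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RCUSRID 0x01  /* return code: a USERID is being returned */

/* Constructed mirror of the commarea offsets in the table above.
   FULLWORD addresses are held as 32-bit values so the offsets also
   hold on a 64-bit build host. */
typedef struct {
    uint8_t  function;                    /* (0)  X'00' */
    char     domain[2];                   /*      "II" */
    char     reserved0;
    uint32_t pIIOPData, lIIOPData;        /* (4), (8) */
    uint32_t pRequestBody, lRequestBody;  /* (C), (10) */
    char     corbaserver[4];              /* (14) */
    uint32_t pBeanName, lBeanName;        /* (18), (1C) */
    uint32_t BeanInterfaceType;           /* (20) */
    uint32_t pModule, lModule;            /* (24), (28) */
    uint32_t pInterface, lInterface;      /* (2C), (30) */
    uint32_t pOperation, lOperation;      /* (34), (38) */
    char     userid[8];                   /* (3C) input and output */
    uint32_t transid;                     /* (44) */
    uint8_t  littleEndian;                /* (48) flag_bytes */
    uint8_t  sslClientUserid;
    uint8_t  reserved1[2];
    uint32_t return_code;                 /* (4C) */
    uint32_t reason_code;                 /* (50) */
} xopus_t;

_Static_assert(offsetof(xopus_t, userid) == 0x3C, "userid offset");
_Static_assert(offsetof(xopus_t, return_code) == 0x4C, "return_code offset");

/* Hypothetical helper: returns 0 on success, -1 if uid is rejected.
   An over-long ID is refused, never truncated, because a truncated
   name could match a different user. */
int xopus_return_userid(xopus_t *ca, const char *uid)
{
    size_t n = uid ? strlen(uid) : 0;
    if (ca == NULL || n == 0 || n > sizeof ca->userid)
        return -1;                               /* commarea left untouched */
    memset(ca->userid, ' ', sizeof ca->userid);  /* blank padding to 8 */
    memcpy(ca->userid, uid, n);
    ca->return_code = RCUSRID;
    return 0;
}
```

Compiled on z/OS, the `' '` literal is an EBCDIC blank, so the padding matches what CICS expects.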
See the CICS Customization Guide for
information about installing user-replaceable programs.