For CICS® as an HTTP server, authentication schemes are specified by the AUTHENTICATE attribute of the TCPIPSERVICE definition. Identification is obtained in connection with the authentication process, or can be supplied by CICS if authentication is not needed. Obtaining authentication and identification from Web clients is a key step in protecting your CICS system from access by unauthorized users.
Note: When CICS document templates and HFS files are delivered directly from a URIMAP definition, as a static response, basic authentication does not operate. If you need to implement access controls based on a user ID, use an application to provide the resources as a dynamic response.

Authentication
Two authentication schemes are supported by CICS for use with the HTTP protocol:
- Basic authentication is an HTTP facility that enables a client to both authenticate and identify itself to a server by providing a user ID and password. This information is encoded using base-64 encoding, which is simple to decode. Because of this, using basic authentication as the sole means of authentication is only appropriate when there is no possibility of a password being intercepted. In most environments, basic authentication should be used in combination with SSL, so that SSL encryption is used to protect the user ID and password information. HTTP basic authentication explains basic authentication in more detail.
- SSL client certificate authentication is a more secure method of authenticating a client, using a client certificate which is issued by a trusted third party (or Certificate Authority), and sent using SSL encryption. The CICS RACF® Security Guide explains how this works. A client certificate does not contain a user ID that can be used for identification within CICS. To achieve identification, the client certificate can be associated with a user ID in RACF or an equivalent security manager, either before the certificate is used, or automatically (using basic authentication) when the client makes its request. The RACF user ID becomes the client's user ID each time the certificate is used. The CICS RACF Security Guide explains how to set this up.
Creating TCPIPSERVICE resource definitions for CICS Web support tells you how to set up a TCPIPSERVICE definition for CICS Web support which specifies one of these authentication schemes.
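The following Python example is added here to illustrate the basic authentication bullet above; it is not CICS code and does not model the DFHWBPW utility or RACF. It shows the server side of the exchange: the 401 challenge, decoding of the client's Authorization header (which demonstrates why base-64 is no protection for the password), a check that the listener is running under SSL/TLS before any password is read, and the three outcomes CICS distinguishes: rejected credentials, an expired password that must be changed before the request proceeds, and an accepted, identified user ID. The user store, user IDs and passwords are constructed for the example.

```python
import base64
import binascii

# Constructed credential store standing in for the external security manager
# (RACF or equivalent). The user IDs and passwords are illustrative only.
_CONSTRUCTED_USERS = {
    "user1": {"password": "secret", "expired": False},
    "user2": {"password": "oldpass", "expired": True},
}


def parse_basic_authorization(header_value):
    """Parse an 'Authorization: Basic <token>' header value.

    Returns (user_id, password), or None when the value is not well-formed
    Basic. The token is plain base-64, so anyone who can read the header can
    recover the password; that is why the scheme needs SSL/TLS underneath it.
    """
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in decoded:
        return None
    user_id, password = decoded.split(":", 1)
    return user_id, password


def verify_credentials(user_id, password):
    """Stand-in for the security manager check: 'ok', 'expired' or 'invalid'."""
    entry = _CONSTRUCTED_USERS.get(user_id)
    if entry is None or entry["password"] != password:
        return "invalid"
    if entry["expired"]:
        return "expired"
    return "ok"


def challenge(realm):
    """Header that accompanies a 401 response asking the client for credentials."""
    return {"WWW-Authenticate": 'Basic realm="%s"' % realm}


def handle_request(headers, transport_encrypted, realm="CICS"):
    """Server-side decision for a listener configured for basic authentication.

    Returns (outcome, detail):
      ('reject', reason)         request refused before any credential check
      ('challenge', headers)     401 sent; client must (re)supply credentials
      ('password_expiry', uid)   password correct but expired; hand off to a
                                 password-change page before the request runs
      ('accept', uid)            identified user ID; the application may run
    """
    # Never read a password off a cleartext connection.
    if not transport_encrypted:
        return "reject", "basic authentication is only accepted over SSL/TLS"
    lowered = {name.lower(): value for name, value in headers.items()}
    auth = lowered.get("authorization")
    if auth is None:
        return "challenge", challenge(realm)
    creds = parse_basic_authorization(auth)
    if creds is None:
        return "reject", "malformed Authorization header"
    user_id, password = creds
    status = verify_credentials(user_id, password)
    if status == "invalid":
        return "challenge", challenge(realm)
    if status == "expired":
        return "password_expiry", user_id
    return "accept", user_id


if __name__ == "__main__":
    # Constructed client header: base-64 of "user1:secret".
    hdr = {"Authorization": "Basic dXNlcjE6c2VjcmV0"}
    print(parse_basic_authorization(hdr["Authorization"]))
    print(handle_request(hdr, transport_encrypted=False))
    print(handle_request({}, transport_encrypted=True))
    print(handle_request(hdr, transport_encrypted=True))
```

The first call in the usage block recovers the user ID and password from the header with nothing more than a base-64 decode, which is the property the text warns about; the transport check in `handle_request` is the code equivalent of the advice to pair basic authentication with SSL.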
When you use basic authentication or client certificate authentication, CICS handles the process of requesting authentication from the user, decoding the authentication information if necessary, checking the supplied authentication against the security manager's database, and rejecting the request if the authentication is not acceptable. An analyzer program or user-written application program is only called after the authentication has been verified and accepted.
For basic authentication, if the password supplied by the user is found to have expired, CICS prompts the user for a new password and helps them to re-submit their request. The CICS-supplied utility program DFHWBPW is used to do this. You can customize the text on the Web pages that CICS displays to the user during this process. Password expiry management for HTTP basic authentication has the information you need to do this.
For client certificate authentication, CICS verifies the supplied certificate by checking it against the security manager's database, and (optionally) against any certificate revocation list that you have set up. A user-written application can examine information obtained by this process, if this is useful for determining how to process the request. Use the EXTRACT CERTIFICATE command to retrieve:
- Components of the issuer's or the subject's distinguished name. The CICS RACF Security Guide explains distinguished names.
- The RACF user ID associated with the certificate.
Identification
Identification takes place when you obtain a user ID for the Web client. The ID can be obtained from the Web client:
- During basic authentication.
- By the association of a user ID with a client certificate.
It is also possible for CICS to supply a user ID on behalf of the Web client:
- In the URIMAP definition for a request.
- In an analyzer program that is used in the processing path for an application-generated request.
- As the CICS default user ID, if no other can be determined.
It is important to note that if you supply a user ID on behalf of the Web client, there is no authentication of the client's identity. You should only do this when communicating with your own client system, which has already authenticated its users, and communicates with the server in a secure environment. The CICS RACF Security Guide explains in more detail how the user ID is determined, depending on the settings for the TCPIPSERVICE definition.
When the client has been identified, the client's user ID can be authorized for access to CICS services like any other user ID, using RACF or an equivalent security manager. For an application-generated response, the user ID applies to the processing performed by the alias transaction, so it needs to have certain authorities in connection with that transaction. CICS system and resource security for CICS Web support explains what these are.