Authentication

In many systems, the user's authenticity is verified by checking a password supplied by the user. In a system in which there is no possibility of a password being intercepted, this level of authentication may be sufficient; however, in an insecure network, it is possible that passwords can be intercepted, and used to impersonate legitimate users of the system.

In an environment where your applications may be accessed by users across the internet, and by users who are outside the control of your organization, a more secure method of authentication is required.

On the other hand, there are situations where a limited level of authentication is sufficient. If you have a client system that authenticates its users, and communicates with a server in a secure environment, you may not need to authenticate end users at the server, but rely entirely on the client's authentication mechanisms.

CICS® supports the following authentication schemes:
Basic authentication
The client's identity is authenticated by a password. This level of authentication is appropriate in an environment where passwords cannot be intercepted and used to impersonate an end user.

You can use basic authentication with the HTTP and ECI application protocols.

SSL client certificate authentication
The client's identity is authenticated with a client certificate issued by a trusted third party (or Certificate Authority). This level of authentication is appropriate in an environment where information flowing in the network could be intercepted, and used to impersonate an end user.

You can use SSL client certificate authentication with the HTTP and IIOP application protocols.

Asserted identity authentication
Asserted identity authentication can be used when an IIOP client communicates with the target server through an intermediate server, and both servers use the same security manager:
  1. The intermediate server's identity is authenticated by the target server using SSL client certificate authentication.
  2. Through the security manager, the target server verifies that the intermediate server can be trusted to authenticate its clients.
  3. When the intermediate server receives a request, it authenticates the client using whatever authentication protocol is appropriate. If the client is successfully authenticated, the intermediate server passes the request to the target server.
  4. Because the target server trusts the intermediate server to authenticate the client, it makes no further checks of the client's authenticity before processing the client's request.

You can use asserted identity authentication with the IIOP application protocol. In CICS, a CorbaServer can be configured as an intermediate or target server.
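The target server's side of the four steps above, as an added example that is not CICS or IBM code: the security manager's trust list, the connection record, the request and the function names are constructed stand-ins, and the decision shows why an asserted identity is accepted only when both the certificate check and the trust check pass.

```python
"""Model of the asserted-identity decision made by a target server.

Added example, not CICS code. The CICS security manager, the CorbaServer and
the IIOP transport are replaced by a constructed trust table and plain Python
records so that the checks themselves can be followed offline.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the security manager's answer to step 2: which
# intermediate servers (keyed by the subject of their client certificate)
# are trusted to authenticate their own clients.
TRUSTED_INTERMEDIATES = {
    "CN=intermediate01,O=Example": True,
    "CN=legacy-gateway,O=Example": False,   # known, but explicitly not trusted
}


@dataclass(frozen=True)
class Connection:
    """Inbound connection as seen by the target server (step 1 outcome)."""
    client_cert_verified: bool          # SSL client certificate check passed
    cert_subject: Optional[str]         # subject of the presented certificate


@dataclass(frozen=True)
class Request:
    """A request forwarded by an intermediate server (step 3 outcome)."""
    asserted_user: str                  # identity the intermediate vouches for
    operation: str


def accept_asserted_identity(conn: Connection, req: Request) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request carrying an asserted identity.

    Step 1: the intermediate must have authenticated with a client certificate.
    Step 2: the security manager must list that certificate's subject as an
            intermediate trusted to authenticate its clients.
    Step 4: only then is the asserted user accepted with no further checks.
    """
    if not conn.client_cert_verified or conn.cert_subject is None:
        return False, "intermediate not authenticated by client certificate"
    if not TRUSTED_INTERMEDIATES.get(conn.cert_subject, False):
        return False, f"{conn.cert_subject} is not trusted to assert identities"
    return True, f"running {req.operation} as {req.asserted_user}"


if __name__ == "__main__":
    req = Request(asserted_user="alice", operation="deposit")
    for conn in (Connection(True, "CN=intermediate01,O=Example"),
                 Connection(True, "CN=legacy-gateway,O=Example"),
                 Connection(False, None)):
        print(conn.cert_subject, "->", accept_asserted_identity(conn, req))
```

A connection that merely presents any valid certificate is not enough; the subject must also be one the security manager marks as trusted, otherwise the asserted user is ignored.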