Identifying HTTP users
Identification is the process by which the identity of a user is established. This topic describes how a user's identity is established for the HTTP application protocol.
About this task
- A user ID can be obtained from the web client using HTTP basic authentication.
- If the web browser sends a client certificate, you can use a user ID that is associated with the certificate. You can associate a certificate with a RACF® user ID in two ways:
  - You can use RACF commands to associate a certificate with a user ID.
  - CICS® can automatically issue the RACF commands to associate a certificate with a user ID (which is obtained from the Web client using HTTP basic authentication).
- In an analyzer program that is used in the processing path for the request.
- In the USERID attribute of the URIMAP definition for a request.
- As the CICS default user ID.
- A user ID that you set using an analyzer program. This user ID can override a user ID obtained from the Web client or supplied by a URIMAP definition.
- A user ID that you obtained from the Web client using basic authentication, or a user ID associated with a client certificate sent by the Web client. If authentication is required for the connection but the client does not provide an authenticated user ID, the request is rejected.
- A user ID that you specified in the URIMAP definition for the request.
- The CICS default user ID, if no other can be determined.
When the HTTP response is to be provided by a URIMAP definition that specifies a CICS document template or z/OS UNIX file (a static response), the user ID used for the Web client is a user ID that you obtained from the Web client using basic authentication, or a user ID associated with a client certificate sent by the Web client. For static responses, it is not possible to supply a user ID on behalf of the Web client, nor to override an authenticated user ID obtained from a Web client.
For static responses, CICS only makes use of a supplied user ID if you specify resource security checking for the transaction. No default user ID is required for static responses. If the Web client does not supply a user ID, no resource security checking is carried out, even if resource security is active for the transaction.
The method used to identify the user is determined by the AUTHENTICATE and SSL attributes of the TCPIPSERVICE definition:
AUTHENTICATE | SSL | How the user is identified |
---|---|---|
NO | NO or YES | The client does not supply a user ID. It can be supplied by an analyzer program or URIMAP definition, or allowed to default to the CICS default user ID, if applicable. |
NO | CLIENTAUTH | If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program. If the client sends a certificate that is not associated with a user ID, a user ID can be supplied by an analyzer program or URIMAP definition, or allowed to default to the CICS default user ID, if applicable. |
BASIC | all values | If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program. If the client sends a certificate that is not associated with a user ID, then the user ID is obtained from the client, using HTTP basic authentication, and the user ID is registered to the certificate. If the client does not send a certificate, then the user ID is obtained from the client, using HTTP basic authentication and can be overridden by an analyzer program. |
CERTIFICATE | CLIENTAUTH | If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program. If the client sends a certificate that is not associated with a user ID, or does not send a certificate, then the connection is rejected. |
AUTOREGISTER | CLIENTAUTH | If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program. If the client sends a certificate that is not associated with a user ID, then the user ID is obtained from the client, using HTTP basic authentication, and the user ID is registered to the certificate. If the client does not send a certificate, then the connection is rejected. |
AUTOMATIC | NO or YES | A user ID is obtained from the client, using HTTP basic authentication. This can be overridden by an analyzer program. |
AUTOMATIC | CLIENTAUTH | If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program. If the client sends a certificate that is not associated with a user ID, then the user ID is obtained from the client, using HTTP basic authentication, and the user ID is registered to the certificate. If the client does not send a certificate, then the user ID is obtained from the client, using HTTP basic authentication. |
- This table does not list combinations of values for the AUTHENTICATE and SSL attributes that are invalid, and that cannot be specified in the TCPIPSERVICE definition.
- If HTTP basic authentication is used, CICS verifies the password. If the password is invalid, the connection is rejected.
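The table and the priority order above can be modelled as a small decision function for application-generated responses, which makes it easy to see which rows let a client that sends no credentials run under a supplied or default user ID. This is an added example, not CICS code: the function names, the `UNMAPPED` marker and the `DFLTUSR` sample user ID are hypothetical. Assumptions are marked in the comments.

```python
# Added example: a model of the AUTHENTICATE/SSL table for application-generated
# responses. It is not CICS code; every name below is hypothetical.
REJECTED = "REJECTED"
UNMAPPED = object()  # a certificate was sent but has no associated user ID

# Rows listed in the table ("all values" is expanded to the SSL values that
# appear in it); any other combination is treated as invalid.
ROWS = [("NO", "NO"), ("NO", "YES"), ("NO", "CLIENTAUTH"),
        ("BASIC", "NO"), ("BASIC", "YES"), ("BASIC", "CLIENTAUTH"),
        ("CERTIFICATE", "CLIENTAUTH"), ("AUTOREGISTER", "CLIENTAUTH"),
        ("AUTOMATIC", "NO"), ("AUTOMATIC", "YES"), ("AUTOMATIC", "CLIENTAUTH")]


def identify(authenticate, ssl, cert=None, basic_user=None,
             analyzer_user=None, urimap_user=None, default_user="DFLTUSR"):
    """Return (user ID or REJECTED, certificate_registered).

    cert is None (none sent), UNMAPPED, or the user ID associated with it.
    basic_user is a user ID whose password was already verified, or None.
    """
    if (authenticate, ssl) not in ROWS:
        raise ValueError("combination not listed in the table")
    if ssl != "CLIENTAUTH":
        cert = None  # assumption: a certificate is only presented with CLIENTAUTH
    registered = False
    if cert is not None and cert is not UNMAPPED:
        client_user = cert
    elif authenticate == "CERTIFICATE" or (
            authenticate == "AUTOREGISTER" and cert is None):
        return REJECTED, False
    elif authenticate == "NO":
        # The table does not cover NO/CLIENTAUTH with no certificate; it is
        # treated like an unassociated certificate here (assumption).
        client_user = None
    else:  # basic authentication is needed: BASIC, AUTOREGISTER, AUTOMATIC
        if basic_user is None:
            return REJECTED, False
        client_user = basic_user
        registered = cert is UNMAPPED  # user ID is registered to the certificate
    # Priority order: analyzer program, client, URIMAP, default user ID.
    return (analyzer_user or client_user or urimap_user or default_user), registered


def anonymous_rows():
    """Rows where a client that sends no credentials still gets a user ID."""
    return [row for row in ROWS if identify(*row)[0] != REJECTED]


if __name__ == "__main__":
    for row in anonymous_rows():
        print(row, "-> runs as", identify(*row)[0])
```

Static responses are outside this model, because a user ID cannot be supplied or overridden for them.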