Identifying HTTP users

Identification is the process by which the identity of a user is established. This topic describes how a user's identity is established for the HTTP application protocol, and which identity a request runs under when the client supplies none.

About this task

For the HTTP application protocol, you can identify the user in the following ways:
  • A user ID can be obtained from the web client using HTTP basic authentication.
  • If the web browser sends a client certificate, you can use a user ID that is associated with the certificate.
    You can associate a certificate with a RACF® user ID in two ways:
    • You can use RACF commands to associate a certificate with a user ID.
    • CICS® can automatically issue the RACF commands to associate a certificate with a user ID, using the user ID obtained from the Web client by HTTP basic authentication (the AUTHENTICATE(AUTOREGISTER) option described in the table below).
    The topic Associating a RACF user ID with a certificate describes how to do this.
For application-generated responses only, it is also possible for CICS to supply a user ID on behalf of the web client:
  • In an analyzer program that is used in the processing path for the request.
  • In the USERID attribute of the URIMAP definition for a request.
  • As the CICS default user ID.
If you use a URIMAP definition or analyzer program to set a user ID that has not been supplied by a client, or allow the CICS default user ID to be used, there is no authentication of the client's identity: the request runs, and resource security checks are made, under a user ID that the client never proved. Only do this when communicating with your own client system, which has already authenticated its users and communicates with the server in a secure environment.
When the HTTP response is to be provided by an application (an application-generated response), the order of precedence of user IDs is:
  1. A user ID that you set using an analyzer program. This user ID can override a user ID obtained from the Web client or supplied by a URIMAP definition.
  2. A user ID that you obtained from the Web client using basic authentication, or a user ID associated with a client certificate sent by the Web client. If authentication is required for the connection but the client does not provide an authenticated user ID, the request is rejected.
  3. A user ID that you specified in the URIMAP definition for the request.
  4. The CICS default user ID, if no other can be determined.

When the HTTP response is to be provided by a URIMAP definition that specifies a CICS document template or z/OS UNIX file (a static response), the user ID used for the Web client is a user ID that you obtained from the Web client using basic authentication, or a user ID associated with a client certificate sent by the Web client. For static responses, it is not possible to supply a user ID on behalf of the Web client, nor to override an authenticated user ID obtained from a Web client.

For static responses, CICS only makes use of a supplied user ID if you specify resource security checking for the transaction. No default user ID is required for static responses. If the Web client does not supply a user ID, no resource security checking is carried out, even if resource security is active for the transaction; a static response on a TCPIPSERVICE that does not require authentication is therefore served without any RACF check on the requester.

Note: CICS uses password verification to verify a user ID during the processes described here. By default, password verification does not cause RACF to record that the user ID has been used for a sign-on. If you require this information for audit purposes, or if your system is set up to revoke unused user IDs, specify the system initialization parameter SECVFYFREQ=USRDELAY for the CICS region. When you set this system initialization parameter, CICS enforces a full verification request at least once a day for each user ID that is used to log on to the CICS region. The full verification request makes RACF record the date and time of last access for the user ID, and write user statistics.

The method used to identify the user is determined by the AUTHENTICATE and SSL attributes of the TCPIPSERVICE definition:

Table 1. How the user of an HTTP client is identified, by the AUTHENTICATE and SSL attributes of the TCPIPSERVICE definition

AUTHENTICATE(NO), SSL(NO) or SSL(YES)
  The client does not supply a user ID. It can be supplied by an analyzer program or URIMAP definition, or allowed to default to the CICS default user ID, if applicable.

AUTHENTICATE(NO), SSL(CLIENTAUTH)
  • If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program.
  • If the client sends a certificate that is not associated with a user ID, a user ID can be supplied by an analyzer program or URIMAP definition, or allowed to default to the CICS default user ID, if applicable.

AUTHENTICATE(BASIC), any SSL value
  • If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program.
  • If the client sends a certificate that is not associated with a user ID, then the user ID is obtained from the client, using HTTP basic authentication, and the user ID is registered to the certificate.
  • If the client does not send a certificate, then the user ID is obtained from the client, using HTTP basic authentication, and can be overridden by an analyzer program.

AUTHENTICATE(CERTIFICATE), SSL(CLIENTAUTH)
  • If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program.
  • If the client sends a certificate that is not associated with a user ID, or does not send a certificate, then the connection is rejected.

AUTHENTICATE(AUTOREGISTER), SSL(CLIENTAUTH)
  • If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program.
  • If the client sends a certificate that is not associated with a user ID, then the user ID is obtained from the client, using HTTP basic authentication, and the user ID is registered to the certificate.
  • If the client does not send a certificate, then the connection is rejected.

AUTHENTICATE(AUTOMATIC), SSL(NO) or SSL(YES)
  A user ID is obtained from the client, using HTTP basic authentication. This can be overridden by an analyzer program.

AUTHENTICATE(AUTOMATIC), SSL(CLIENTAUTH)
  • If the client sends a certificate that is associated with a user ID, then that user ID applies, unless it is overridden by an analyzer program.
  • If the client sends a certificate that is not associated with a user ID, then the user ID is obtained from the client, using HTTP basic authentication, and the user ID is registered to the certificate.
  • If the client does not send a certificate, then the user ID is obtained from the client, using HTTP basic authentication.

Note:
  1. This table does not list combinations of values for the AUTHENTICATE and SSL attributes that are invalid, and that cannot be specified in the TCPIPSERVICE definition.
  2. If HTTP basic authentication is used, CICS verifies the password. If the password is invalid, the connection is rejected.
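The following is an added illustration, not CICS code or part of the original topic: an executable model of the AUTHENTICATE/SSL table together with the precedence rules for application-generated and static responses, so that the user ID a request will run under can be checked for a given TCPIPSERVICE definition before it is deployed. The names Request, Outcome, client_userid, identify_user and is_authenticated are this example's own; the RACF password check is modelled as a boolean supplied by the caller, and the default user ID CICSUSER and the sample user IDs are assumed values.

```python
"""Model of how a CICS region identifies the user of an HTTP request (added
illustration, not CICS code). Encodes the AUTHENTICATE/SSL table and the user
ID precedence rules; names and sample values are this example's own."""
from dataclasses import dataclass
from typing import Optional, Tuple

# (AUTHENTICATE, SSL) pairs the table lists; any other pair is treated as an
# invalid TCPIPSERVICE definition (note 1 under the table).
VALID_COMBINATIONS = {
    ("NO", "NO"), ("NO", "YES"), ("NO", "CLIENTAUTH"),
    ("BASIC", "NO"), ("BASIC", "YES"), ("BASIC", "CLIENTAUTH"),
    ("CERTIFICATE", "CLIENTAUTH"),
    ("AUTOREGISTER", "CLIENTAUTH"),
    ("AUTOMATIC", "NO"), ("AUTOMATIC", "YES"), ("AUTOMATIC", "CLIENTAUTH"),
}

@dataclass
class Request:
    authenticate: str                      # TCPIPSERVICE AUTHENTICATE attribute
    ssl: str                               # TCPIPSERVICE SSL attribute
    cert_sent: bool = False                # client presented a certificate
    cert_userid: Optional[str] = None      # RACF user ID already associated with it
    basic_userid: Optional[str] = None     # user ID from the Authorization header
    basic_password_ok: bool = False        # outcome of RACF password verification (assumed)
    analyzer_userid: Optional[str] = None  # user ID set by an analyzer program
    urimap_userid: Optional[str] = None    # USERID attribute of the URIMAP
    default_userid: str = "CICSUSER"       # region default user ID (assumed name)
    static_response: bool = False          # URIMAP serves a template or z/OS UNIX file

@dataclass
class Outcome:
    userid: Optional[str]           # user ID the request runs under, or None
    source: Optional[str]           # "client", "analyzer", "urimap" or "default"
    registered: bool = False        # basic-auth user ID was registered to the certificate
    rejected: Optional[str] = None  # reason, when the request is rejected

def client_userid(req: Request) -> Tuple[Optional[str], bool, Optional[str]]:
    """Apply the AUTHENTICATE/SSL table: returns (userid, registered, reject_reason)."""
    auth, ssl = req.authenticate, req.ssl
    if (auth, ssl) not in VALID_COMBINATIONS:
        raise ValueError(f"invalid TCPIPSERVICE: AUTHENTICATE({auth}) SSL({ssl})")
    if ssl == "CLIENTAUTH" and req.cert_sent and req.cert_userid:
        return req.cert_userid, False, None        # certificate already associated
    if auth == "NO":
        return None, False, None                   # client supplies no user ID
    if auth == "CERTIFICATE":
        return None, False, "certificate missing or not associated with a user ID"
    if auth == "AUTOREGISTER" and not req.cert_sent:
        return None, False, "client certificate required"
    # BASIC, AUTOMATIC, and AUTOREGISTER with an unassociated certificate all
    # fall back to HTTP basic authentication; CICS verifies the password (note 2).
    if req.basic_userid is None:
        return None, False, "authentication required but no credentials supplied"
    if not req.basic_password_ok:
        return None, False, "password verification failed"
    # An unassociated certificate gets the basic-auth user ID registered to it.
    registered = ssl == "CLIENTAUTH" and req.cert_sent and not req.cert_userid
    return req.basic_userid, registered, None

def identify_user(req: Request) -> Outcome:
    """Resolve the effective user ID with the precedence rules from the text."""
    userid, registered, reason = client_userid(req)
    if reason:
        return Outcome(None, None, rejected=reason)
    if req.static_response:
        # Static responses: only a user ID the client authenticated counts. No
        # analyzer, URIMAP or default user ID is substituted, and without a
        # client user ID no resource security checking is carried out at all.
        return Outcome(userid, "client" if userid else None, registered)
    if req.analyzer_userid:               # 1. analyzer program overrides all others
        return Outcome(req.analyzer_userid, "analyzer", registered)
    if userid:                            # 2. basic authentication or certificate
        return Outcome(userid, "client", registered)
    if req.urimap_userid:                 # 3. USERID attribute of the URIMAP
        return Outcome(req.urimap_userid, "urimap")
    return Outcome(req.default_userid, "default")  # 4. CICS default user ID

def is_authenticated(outcome: Outcome) -> bool:
    """True only when the effective user ID was proven by the client itself."""
    return outcome.rejected is None and outcome.source == "client"

if __name__ == "__main__":
    # Constructed sample requests: a rejected unassociated certificate, an
    # AUTOREGISTER sign-on, and the unauthenticated URIMAP USERID case.
    samples = [
        Request("CERTIFICATE", "CLIENTAUTH", cert_sent=True),
        Request("AUTOREGISTER", "CLIENTAUTH", cert_sent=True,
                basic_userid="WEBUSR1", basic_password_ok=True),
        Request("NO", "NO", urimap_userid="WEBANON"),
    ]
    for s in samples:
        o = identify_user(s)
        print(f"{s.authenticate}/{s.ssl}: userid={o.userid} source={o.source} "
              f"registered={o.registered} rejected={o.rejected} "
              f"authenticated={is_authenticated(o)}")
```

The is_authenticated check is the one to watch during review of a definition: a request can resolve to a perfectly valid user ID (from the URIMAP, the region default, or an analyzer substitution) while the client has proved nothing, which is exactly the situation the text says to allow only for a trusted client on a secured network.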