sslClientUserid
1-byte field showing the derivation of the user ID if SSLTYPE
CLIENTAUTH is specified in the TCPIPSERVICE definition, where:
0 user ID set from DFLTUSER
1 user ID set from SSL CERTIFICATE
* 2-byte reserved field
return_code
contains the return code.
reason_code
contains the reason code.
The user ID is the only field the exit program can return; the other fields are provided for information only.
For further information about the use of the IIOP security user-replaceable program,
see "Using the IIOP user-replaceable security program" in Java Applications in
CICS.
The sample programs
CICS supplies two sample security exit programs for IIOP: DFHXOPUS and
DFHEBURM. Both are in the SDFHSAMP library.
For further information about the use of the Secure Sockets Layer (SSL), see the
CICS RACF Security Guide.
DFHXOPUS
DFHXOPUS attempts to derive a user ID by examining the Secure Sockets Layer
(SSL) options defined for the TCPIPSERVICE.
DFHXOPUS accepts the RACF user ID associated with the SSL client certificate, if
there is one associated with the TCPIPSERVICE. If there is no RACF user ID
associated with a certificate:
- For SSL(CLIENTAUTH), DFHXOPUS uses the first eight characters of the
COMMONNAME extracted from the client certificate.
- For SSL(YES) or SSL(NO), DFHXOPUS uses the first eight characters of the
IIOP Principal, if there is one.
Note: Versions of the General Inter-ORB Protocol (GIOP) from 1.2 onwards do
not support the IIOP Principal field in request headers. So DFHXOPUS
will only ever return a user ID derived from the IIOP Principal when the
request is in GIOP 1.1, or earlier, format.
If a user ID has not been found using these procedures, DFHXOPUS returns the
default user ID defined by the CICS system initialization DFLTUSER parameter.
The security exit program returns the user ID in the userid field of the
communications area. If the user ID is shorter than 8 characters, the exit program
pads the field with blanks. Because a user ID is being returned, the return_code
field is set to RCUSRID (X'01').
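The derivation order described above, written out as an added illustrative model in C. This is not the DFHXOPUS source or a CICS API: the struct layouts, enum names and the assumption that the sslClientUserid indicator is 1 for both the RACF-mapped and COMMONNAME paths (and 0 otherwise) are mine.

```c
#include <string.h>

/* Added model of the DFHXOPUS user-ID derivation; not CICS code.
 * Field names and layouts are assumptions for illustration. */
#define USERID_LEN 8
#define RCUSRID 0x01   /* return_code value meaning "a user ID is returned" */

enum ssl_type { SSL_NO, SSL_YES, SSL_CLIENTAUTH };

struct iiop_request {
    enum ssl_type ssl;         /* SSL option of the TCPIPSERVICE */
    const char *racf_userid;   /* RACF user ID mapped to the client cert, or NULL */
    const char *commonname;    /* COMMONNAME from the client cert, or NULL */
    int giop_major, giop_minor;
    const char *principal;     /* IIOP Principal from the request header, or NULL */
    const char *dfltuser;      /* DFLTUSER system initialization parameter */
};

struct exit_result {
    char userid[USERID_LEN + 1];     /* 8 chars, blank padded (NUL for printing) */
    unsigned char return_code;
    unsigned char ssl_client_userid; /* 0 = from DFLTUSER, 1 = from SSL certificate */
};

/* Take the first eight characters and pad the field with blanks. */
static void set_userid(struct exit_result *r, const char *src)
{
    size_t n = strlen(src);
    if (n > USERID_LEN) n = USERID_LEN;
    memset(r->userid, ' ', USERID_LEN);
    memcpy(r->userid, src, n);
    r->userid[USERID_LEN] = '\0';
}

struct exit_result derive_userid(const struct iiop_request *q)
{
    struct exit_result r = { "", RCUSRID, 0 };
    /* GIOP 1.2 and later carry no Principal field, so only 1.1 or earlier counts */
    int giop_pre_12 = q->giop_major < 1 || (q->giop_major == 1 && q->giop_minor < 2);

    if (q->racf_userid && *q->racf_userid) {
        set_userid(&r, q->racf_userid);   /* certificate already mapped in RACF */
        r.ssl_client_userid = 1;
    } else if (q->ssl == SSL_CLIENTAUTH && q->commonname && *q->commonname) {
        set_userid(&r, q->commonname);    /* SSL(CLIENTAUTH): COMMONNAME from cert */
        r.ssl_client_userid = 1;
    } else if (q->ssl != SSL_CLIENTAUTH && giop_pre_12 && q->principal && *q->principal) {
        set_userid(&r, q->principal);     /* SSL(YES)/SSL(NO): IIOP Principal */
    } else {
        set_userid(&r, q->dfltuser);      /* nothing found: fall back to DFLTUSER */
    }
    return r;
}
```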
Chapter 21. Writing a security exit program for IIOP 665