Support User Manuals

IBM SC34-6814-04 Server User Manual

Open as PDF

of 953

sslClientUserid

1–byte field showing the derivation of the user ID if SSLTYPE

CLIENTAUTH is specified in the TCPIPSERVICE definition, where:

0 user ID set from DFLTUSER

1 user ID set from SSL CERTIFICATE

* 2–byte reserved field

return_code

contains the return code.

reason_code

contains the reason code.

A user ID can be returned, but other fields are provided for information only.

For further information about the use of the IIOP security user-replaceable program,

see Using the IIOP user-replaceable security program, in the Java Applications in

CICS.

The sample programs

CICS supplies two sample security exit programs for IIOP—DFHXOPUS and

DFHEBURM. Both are in the SDFHSAMP library.

For further information about the use of the Secure Sockets Layer (SSL), see the

CICS RACF Security Guide.

DFHXOPUS

DFHXOPUS attempts to derive a user ID by examining the Secure Sockets Layer

(SSL) options defined for the TCPIPSERVICE.

DFHXOPUS accepts the RACF user ID associated with the SSL client certificate, if

there is one associated with the TCPIPSERVICE. If there is no RACF user ID

associated with a certificate:

v For SSL(CLIENTAUTH), DFHXOPUS uses the first eight characters of the

COMMONNAME extracted from the client certificate.

v For SSL(YES) or SSL(NO), DFHXOPUS uses the first eight characters of the

IIOP Principal, if there is one.

Note: Versions of the General Inter-ORB Protocol (GIOP) from 1.2 onwards do

not support the IIOP Principal field in request headers. So DFHXOPUS

will only ever return a user ID derived from the IIOP Principal when the

request is in GIOP 1.1, or earlier, format.

If a user ID has not been found using these procedures, DFHXOPUS returns the

default user ID defined by the CICS system initialization DFLTUSER parameter.

The security exit program returns the user ID in the userid field of the

communications area. If the user ID is less than 8 characters long, the exit program

pads the field with blanks. Because a user ID is being returned, the return_code

field is set to RCUSRID (X'01') .

Chapter 21. Writing a security exit program for IIOP 665

previous next