

User Certificates for CICS Web Services

If you want to use client certificates with CWI, you can issue personal certificates to your users, issue system certificates for their computers, or accept certificates from several sources.

A personal certificate is one issued in the user's own name: its subject distinguished name identifies the person, for example C=US, ST=Maryland, L=Rockville, O=Micro Focus, CN=John Doe.

In some applications, the certificate a client program sends to identify a user must be a personal certificate, that is, one actually issued in the user's name. The CICS Web Interface does not impose that requirement. With CWI, a client can present any certificate that CICS will accept (under the rules listed below), and that certificate can then be associated with a user ID. Some users might obtain personal certificates from public issuers such as Verisign, for example, while others present certificates from another source.

When client certificates are used, Enterprise Server assumes that the region is configured with an external security manager. Note that if external security is not in use, a certificate can still be registered (associated with a CICS user) even when an invalid user ID or password is supplied at registration time. That association persists if security is later switched on, and the user/certificate combination is not validated again, so a registration made while security was off should be treated as unverified and removed rather than trusted.

Registrations can be deleted by using the cascertreg utility.

Certificate acceptance

For CWI to accept a client certificate, the following must be true:
  • The current date and time must fall within the certificate's validity period: on or after its "not before" date and before its expiration date.
  • It must be unaltered. A certificate is a digitally signed document, so any change made after signing invalidates the signature and the certificate is rejected.
  • It must be signed by a certification authority (CA) that CICS recognizes, that is, one whose CA (root) certificate CICS is configured to trust, so that CICS can verify the certificate's signature.
  • It must be created using cryptographic algorithms that CICS recognizes. Micro Focus processes certificates with a recent version of OpenSSL, so all algorithms in widespread use should be recognized.
  • The client must hold the private key associated with the certificate. During the TLS handshake the client proves this by signing handshake data with that key, which is what establishes that the client (and, by assumption, the user) is authorized to use the certificate. In practice this means the user will at some point provide a passphrase that decrypts the private key. With some client software, the user's private key is decrypted automatically when the user signs on to the operating system; in other cases, the user is prompted for a passphrase before the certificate can be used.

Client certificates can be purchased from commercial CAs such as Verisign, or generated with a variety of tools, including the DemoCA utilities included with some Micro Focus products.
