Configuration and Administration

CICS Web Interface user certificate registrations are maintained as a collection of text files, one per registered certificate.
By default, these files are located in a directory named cwi-user-certs under the region's system directory (where log files are located). You can change this by adding the following setting to the Configuration Information area of the General tab of the server's definition in Enterprise Server Administration:
[CWI]
User certificate registry=path to directory

Each registration file is named by the SHA-1 fingerprint of the certificate it represents, which is a string of hexadecimal digits that uniquely identifies a certificate. The contents are in ini-file format, and contain a single section, also named by the fingerprint, together with a line assigning a user ID to the 'user' token. There may also be some comments regarding the creation of the registration.

Note: If you use CWI with certificate registration, it is very important that only trusted administrators have write access to these files and the directory containing them. Anyone with write access to the files or directory can potentially impersonate any CICS user when running CWI-spawned transactions. Assign appropriate operating-system file permissions when creating the certificate registration directory.

These files can be edited and deleted manually, and it is possible to create them if you have some understanding of certificates and access to a tool such as OpenSSL. Normally, however, the files are created either by Enterprise Server (using AUTOREGISTER, as described in a previous section) or with the cascertreg utility.

Deleting a certificate registration file will force the owner of that certificate to re-register the first time the certificate is used, after the region has been restarted. Currently, there is no way to instruct a running region to remove a registration it has already loaded from the directory.
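
The following audit of a registration directory is an added example, not part of the original documentation or the product; it checks the file format and the write-access requirement described above. It assumes a UNIX host with POSIX permission bits, file names made of 40 hexadecimal digits with no separators, and ini comments starting with ';' or '#'; audit_registry and demo are hypothetical names, and the sample files are constructed.

```python
import configparser
import os
import re
import stat
import tempfile
from pathlib import Path

FPR = re.compile(r"[0-9A-Fa-f]{40}")   # assumed form of a SHA-1 fingerprint name
WRITABLE = stat.S_IWGRP | stat.S_IWOTH  # write access beyond the owner

def audit_registry(directory):
    """Return (name, problem) findings for a certificate registration directory."""
    findings = []
    root = Path(directory)
    if root.stat().st_mode & WRITABLE:
        findings.append((str(root), "directory is group/world writable"))
    for path in sorted(p for p in root.iterdir() if p.is_file()):
        if path.stat().st_mode & WRITABLE:
            findings.append((path.name, "file is group/world writable"))
        if not FPR.fullmatch(path.stem):
            findings.append((path.name, "name is not a SHA-1 fingerprint"))
            continue
        ini = configparser.ConfigParser(interpolation=None)
        try:
            ini.read_string(path.read_text())
        except configparser.Error as exc:
            findings.append((path.name, f"unparseable: {type(exc).__name__}"))
            continue
        sections = ini.sections()
        # The single section must carry the same fingerprint as the file name.
        if len(sections) != 1 or sections[0].lower() != path.stem.lower():
            findings.append((path.name, "section does not match file name"))
        elif not ini[sections[0]].get("user", "").strip():
            findings.append((path.name, "no user ID assigned"))
    return findings

def demo():
    """Build a constructed sample registry in a temp directory and audit it."""
    root = Path(tempfile.mkdtemp())
    good, bad, loose = "a" * 40, "b" * 40, "c" * 40  # constructed fingerprints
    samples = {
        good: (f"; constructed sample\n[{good}]\nuser=CICSUSER\n", 0o600),
        bad: (f"[{good}]\nuser=SYSAD\n", 0o600),        # section != file name
        loose: (f"[{loose}]\nuser=CICSUSER\n", 0o666),  # writable by anyone
    }
    for name, (text, mode) in samples.items():
        (root / name).write_text(text)
        os.chmod(root / name, mode)
    return audit_registry(root)
```

Group write access is reported conservatively; where a dedicated administrators' group legitimately owns the directory, review those findings rather than treating them as errors.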