Registering User Certificates

A client certificate can be associated with a CICS user ID, or registered, in two ways.

First, an administrator can use the Micro Focus CICS Web Interface certificate registration utility, cascertreg, to register a certificate. All the administrator needs for this purpose is a copy of the certificate file (in PEM or DER format) or the certificate's SHA-1 'fingerprint'. This process is described in more detail in the section on the cascertreg command.
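The following is an added example, not part of the Micro Focus documentation. It shows how an administrator could derive the SHA-1 fingerprint from a certificate file in either PEM or DER format before registering it. The colon-separated uppercase output is an assumption (it is the form OpenSSL prints); consult the cascertreg section for the form that utility accepts. The sample bytes are a constructed stand-in, not a real certificate.

```python
import hashlib
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def to_der(data: bytes) -> bytes:
    """Return the DER encoding of a certificate supplied as PEM or DER."""
    start = data.find(PEM_HEADER)
    if start != -1:
        # PEM files may carry text before the header; keep only the block.
        end = data.find(PEM_FOOTER, start)
        if end == -1:
            raise ValueError("PEM header without matching footer")
        pem = data[start:end + len(PEM_FOOTER)].decode("ascii")
        return ssl.PEM_cert_to_DER_cert(pem)
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if not data.startswith(b"\x30"):
        raise ValueError("input is neither PEM nor DER")
    return data


def sha1_fingerprint(data: bytes) -> str:
    """SHA-1 over the DER bytes, as colon-separated uppercase hex.

    The output format is an assumption, not taken from the product docs.
    """
    digest = hashlib.sha1(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-in bytes, NOT a real certificate. The fingerprint is a
# hash of the raw DER encoding, so any byte string shows the PEM/DER handling.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    # Both encodings of the same certificate yield the same fingerprint.
    print(sha1_fingerprint(SAMPLE_DER))
    print(sha1_fingerprint(b"Bag Attributes\n" + SAMPLE_PEM))
```

Because the hash is taken over the DER bytes, the PEM and DER copies of one certificate always produce the same fingerprint; hashing the PEM text directly would not.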

The other way to register certificates is to let CWI do it automatically. This is enabled by specifying the AUTOREGISTER or AUTOMATIC option when configuring an SSL-enabled CWI server (along with CLIENTAUTH, which is necessary to use client certificates in the first place).

With AUTOREGISTER/AUTOMATIC, when a client sends a client certificate, CWI validates it and then checks whether it is registered. If it is, the user ID associated with it is used for the CWI transaction and no further input from the user is required. If the certificate is not registered, CWI prompts the user to sign in using the standard HTTP mechanism; with a browser, you typically see a username/password dialog. If the user supplies a valid CICS user ID and password, the certificate is registered for that user. For more information, consult the IBM CICS Internet Guide (SC34-8425).