Configuration and Administration

CICS Web Interface user certificate registrations are maintained as a collection of text files, one per registered certificate.
By default, these files are located in a directory named cwi-user-certs under the region's system directory (where log files are located), but you can change this by adding the following setting to the Configuration Information area of the General tab of the server's definition in Enterprise Server Administration.
User certificate registry=path to directory

Each registration file is named by the SHA-1 fingerprint of the certificate it represents, which is a string of hexadecimal digits that uniquely identifies a certificate. The contents are in ini-file format, and contain a single section, also named by the fingerprint. Within that section are one or more name=value pairs. The supported names and their corresponding values are:

Name Value Comments
user user ID associated with the certificate Required. Provides the user ID to which the certificate is mapped.
cwi "yes" or "no" If present and set to "no", the mapping cannot be used by the CICS Web Interface feature.
dcas "yes" or "no" If present and set to "no", the mapping cannot be used by the Digital Certificate Authentication Service. Typically DCAS would be used for this purpose as part of TN3270 automatic signon through the ELF feature.

The optional cwi and dcas settings let you restrict how a certificate mapping is used. These settings take effect the first time the mapping is used after the region has been started.

Some comment lines might also be included. These begin with a semicolon (";") character. The cascertreg utility inserts comments that state when the file was created, and (for cascertreg version 1.3 or later) the issuer and subject distinguished names of the certificate, for reference.

Note: If you use CWI with certificate registration, it is very important that only trusted administrators have write access to these files and the directory containing them. Anyone with write access to the files or directory can potentially impersonate any CICS user when running CWI-spawned transactions. Assign appropriate operating-system file permissions when creating the certificate registration directory.

These files can be edited and deleted manually, and it is possible to create them if you have some understanding of certificates and access to a tool such as OpenSSL. Normally, however, the files are created either by Enterprise Server (using AUTOREGISTER, as described in a previous section) or with the cascertreg utility.

Deleting a certificate registration file forces the owner of that certificate to re-register the first time the certificate is used, after the region has been restarted. Currently, there is no way to instruct a running region to remove a registration it has already loaded from the directory.