User Certificates for CICS Web Interface

If you want to use client certificates with CWI, you can issue personal certificates to your users, or issue system certificates for their computers, or use certificates from multiple sources.

In some applications, the certificate a client program sends to identify a user must have been issued in that user's own name (sometimes called a personal certificate). The CICS Web Interface does not require that a user be identified by a personal certificate: a client can supply any certificate that CICS accepts (under the rules listed below), and that certificate can be associated with a user ID.

When client certificates are used, Enterprise Server assumes that the region is configured with an external security manager. Note that if external security is not used, certificates can be registered (associated with a CICS user) even when an invalid user ID or password is supplied. The certificate remains associated with that user even if security is subsequently switched on; from that point there is no further validation of that user/certificate combination.

Registrations can be deleted using the cascertreg utility.

Certificate acceptance

For CWI to accept a client certificate, the following must be true:
  • The certificate must have an issuing timestamp before the current time and date, and an expiration date later than the current time and date.
  • It must be unaltered: the certificate is a digitally signed document, so any change to its contents invalidates the CA's signature.
  • It must be signed by a certification authority (CA) that is recognized by CICS, so that CICS can verify the certificate's signature.
  • It must be created using cryptographic algorithms recognized by CICS. Enterprise Developer uses a recent version of OpenSSL to process certificates and should recognize all algorithms that are in widespread use.
  • The client must know the private key associated with the certificate. This proves the client (and by assumption, the user) is authorized to use the certificate. In practice, this means the user provides a passphrase that decrypts the private key. With some client software, the user's private key is automatically decrypted when the user signs on to the operating system; in other cases, the user is prompted to provide a passphrase before the certificate can be used.

Client certificates can be purchased from a commercial CA such as Verisign. They can also be generated using a variety of tools, including the DemoCA utilities included with some Enterprise Developer products.
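The following Go program is an added example, not code from this page, from Enterprise Server or from CICS, and it does not show how Enterprise Server implements its checks. It uses Go's standard crypto/x509 package to model the acceptance rules listed above, and the "generate your own certificates" option of the previous paragraph, with a constructed stand-in CA: one certificate is accepted, and one scenario each is rejected for being expired, not yet valid, signed by an unrecognized issuer, altered after signing, and presented by a client that cannot prove possession of the private key. The CA name, user name, challenge bytes and scenario labels are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template describes a client certificate in the user's name; isCA turns it into the constructed stand-in CA.
func template(cn string, isCA bool, nb, na time.Time) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.ExtKeyUsage = true, true, nil
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue generates a fresh key pair and signs tmpl with the parent's key; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// acceptClientCert applies the rules from the text: validity window; intact signature by a recognized CA (Verify also
// rejects algorithms Go treats as insecure); and proof of possession, a server challenge signed with the private key.
func acceptClientCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time, nonce, sig []byte) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("outside validity period %s to %s", cert.NotBefore.UTC().Format(time.RFC3339), cert.NotAfter.UTC().Format(time.RFC3339))
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("not signed by a recognized CA, or altered: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return fmt.Errorf("client did not prove possession of the private key: %w", err)
	}
	return nil
}

// demoResults runs one accepted case and five rejections, keyed by scenario name.
func demoResults() (map[string]error, error) {
	now := time.Now()
	ca, caKey, err := issue(template("Constructed Demo CA", true, now.Add(-time.Hour), now.Add(24*time.Hour)), nil, nil)
	if err != nil {
		return nil, err
	}
	good, goodKey, err := issue(template("alice", false, now.Add(-time.Minute), now.Add(time.Hour)), ca, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // only this CA plays the role of "recognized by CICS"
	nonce := []byte("constructed-challenge-0001") // a real server sends a fresh random challenge each time
	digest := sha256.Sum256(nonce)
	res := map[string]error{}
	// verdict issues a certificate (self-signed when parent is nil), has its holder sign the challenge, and checks it.
	verdict := func(label string, parent *x509.Certificate, signer *ecdsa.PrivateKey, nb, na time.Time) {
		cert, key, err := issue(template(label, false, nb, na), parent, signer)
		if err == nil {
			sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
			err = acceptClientCert(cert, roots, now, nonce, sig)
		}
		res[label] = err
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, goodKey, digest[:])
	res["valid"] = acceptClientCert(good, roots, now, nonce, sig)
	verdict("expired", ca, caKey, now.Add(-2*time.Hour), now.Add(-time.Hour))
	verdict("not_yet_valid", ca, caKey, now.Add(time.Hour), now.Add(2*time.Hour))
	verdict("unknown_ca", nil, nil, now.Add(-time.Minute), now.Add(time.Hour)) // self-signed: no recognized issuer
	tampered := *good // altered certificate: one bit of the signed body changed, so the CA's signature no longer matches
	tampered.RawTBSCertificate = append([]byte(nil), good.RawTBSCertificate...)
	tampered.RawTBSCertificate[len(tampered.RawTBSCertificate)-1] ^= 0x01
	res["tampered"] = acceptClientCert(&tampered, roots, now, nonce, sig)
	wrong, _ := ecdsa.SignASN1(rand.Reader, caKey, digest[:]) // genuine certificate, but another key answers the challenge
	res["no_private_key"] = acceptClientCert(good, roots, now, nonce, wrong)
	return res, nil
}
```

Call demoResults from a main function or a test: the returned map holds nil for the accepted certificate and an error describing the reason for each rejected one. Proof of possession is modelled here as a signed challenge because that is what the last rule asks for; in TLS client authentication the handshake's CertificateVerify message plays that role, so the client never needs to reveal the private key or its passphrase to the server.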