IBM Support

Can I use an ldapRegistry or basicRegistry with Link to Liberty?

Question & Answer


Question

I have configured a Liberty JVM server using the ldapRegistry or basicRegistry elements. Is it possible to set up the cicsts:link-1.0 feature so that I can do an EXEC CICS LINK to a Java program in this environment?

I'm also wondering if it's possible to use the cicsts:distributedIdentity-1.0 feature.

Answer

When the cicsts:security-1.0 and cicsts:link-1.0 features are configured, CICS will flow the user ID of the CICS task into Liberty when a LINK or START is performed that targets a Java program. As part of this process, a check is made to see if the user ID of the CICS task is present in the user registry configured in Liberty. Therefore it's best to use the SAF registry if possible, as the CICS user ID will always be present there.

However, it is possible to use other registries if you have them configured in your environment, perhaps for existing web applications. If the user ID of the CICS task is not present in the registry, the Java code will run under the unauthenticated user ID (WSGUEST by default).

If you're using an LDAP registry, you probably can't add the CICS user ID, so running under the unauthenticated user ID is the only option. This is fine as long as the Java code does not rely on any specific user ID or role. Unfortunately, it's not possible to perform a reverse-mapping between the CICS user ID and a distributed ID that exists in the LDAP directory. The cicsts:distributedIdentity feature will have no effect in this scenario.

If you're using a basic registry (perhaps for convenience during development), you could add the CICS user ID to the registry. Then the user ID will also be used in the Java application and any security checks will succeed.
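A sketch of the basic-registry development setup described above, as an added example rather than IBM's own configuration. The user names, realm name and password placeholders are constructed; only the two feature names come from this page.

```xml
<server description="CICS Liberty JVM server, development only">

    <featureManager>
        <!-- Features named in the answer above -->
        <feature>cicsts:security-1.0</feature>
        <feature>cicsts:link-1.0</feature>
    </featureManager>

    <!-- Basic registry used for development convenience.
         CICSUSR1 is a constructed name: replace it with the user ID the
         CICS task runs under when it issues EXEC CICS LINK or START.
         Because that ID is present here, the linked Java program runs
         under it instead of the unauthenticated user ID. -->
    <basicRegistry id="basic" realm="devRealm">
        <user name="CICSUSR1" password="REPLACE_WITH_ENCODED_PASSWORD"/>
        <!-- Constructed example of an existing web-application user -->
        <user name="webuser1" password="REPLACE_WITH_ENCODED_PASSWORD"/>
    </basicRegistry>

    <!-- Any CICS task user ID not listed in the registry above falls
         back to the unauthenticated user ID (WSGUEST by default), so
         Java code reached that way must not depend on a specific
         user ID or role. -->

</server>
```

The `password` attribute is required by the `user` element; generate its value with Liberty's `securityUtility encode` command rather than storing it in plain text.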


Product Synonym

CICS/TS CICSTS CICS TS CICS Transaction Server

Document Information

Modified date:
23 November 2016

UID

dwa1322236