Skip to Main Content
IBM Z Software


This portal is to open public enhancement requests against IBM Z Software products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Delivered
Categories Runtime
Created by Guest
Created on Jan 30, 2017

Original Client Certificate Userid in CICS Monitoring Record

When a HTTP request, running in CICS Liberty, is authenticated by a client certificate the CICS monitoring record does not contain the correct userid. That does not affect runtime operation of the user task, but the task will be associated with the CICS Default User instead of the original certificate userid.

When an HTTP request arrives in Liberty it drives some CICS code which will cause a new task to get attached. At that point in time Liberty has not yet associated a userid with the thread. This means that CICS does not know the userid, but still needs one to start the user task. In a basic authentication scenario CICS does its own processing of the HTTP Authorization header and extracts the original userid. This is why the user task is able to start with the correct userid when basic authentication is used. With basic authentication the correct userid is also available from CICS Monitoring Records (SMF110). That capability is not available when using a client certificate.

In the client certificate scenario the task starts and the monitoring data is created using the information at that point in time. This will only include the current userid, which is the cics default user. Once the task has been created, but before any user code runs, CICS gets notified by Liberty that the identity for the thread has now been set. CICS now switches the userid of the task to the one that Liberty has determined and performs the standard task attach security checking. The switching of the userid is not reflected in cics monitoring records, only the cics default user is logged. This RFE proposes to either directly attach tasks authenticated by client certificates with the original userid or to introduce a new monitoring field, which identifies the userid associated with the client certificate.

Idea priority Medium
  • Guest
    Reply
    |
    Jun 17, 2022
    Support for this is also provided in CICS TS 6.1 which is generally available from 17th June 2022.

    For more information see https://www.ibm.com/docs/en/cics-ts/6.1?topic=whats-new
  • Guest
    Reply
    |
    Apr 5, 2022
    Support for this is also provided in CICS TS 6.1 which is announced today April 5th and will GA June 17th 2022.

    See Announcement letter https://www.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/2/897/ENUS222-092/index.html&request_locale=en
    .
  • Guest
    Reply
    |
    Feb 23, 2022

    This RFE is satisfied by Apar PH42306 available on CICS TS 5.4, 5.5 and 5.6.
    For CICS Monitoring data field 089 (USERID) is changed for Liberty such that the user ID value now reflects the final user ID value used in secure Liberty transactions, instead of the initial user ID. Likewise for INQUIRE ASSOCIATION commands, the association data user ID value now reflects the final user ID value used in secure Liberty transactions, instead of the initial user ID.

  • Guest
    Reply
    |
    Dec 8, 2021

    This is something we would like to address. The RFE is being moved into 'Planned for Future release' status. Please note:
    IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.