Security for XCICS Web support


When XCICS is connected to the Internet, security measures are essential to prevent unauthorized access to XCICS applications and data, and also to prevent third parties obtaining private information that is sent over the Internet.

You should consider security throughout the development process for your XCICS Web support architecture, as part of the design of your XCICS Web support applications and utility programs, as well as when creating resource definitions for the relevant XCICS facilities. This section summarizes the measures that can be used to enhance the security of your XCICS Web support implementation.

The basic mechanisms for protecting your application against unauthorized access are:

HTTP authentication
SSL
firewalls & proxies

HTTP authentication

Authentication and identification of clients enables a server to protect its resources from access by unauthorized users.

For XCICS as an HTTP server, authentication schemes are specified by the "auth" attribute of the TCPIPSERVICE definition. Identification is obtained in connection with the authentication process, or can be supplied by XCICS if authentication is not needed.

Obtaining authentication and identification from Web clients is a key step in protecting your XCICS system from access by unauthorized users.

Two authentication schemes are supported by XCICS for use with the HTTP protocol:

basic

Basic authentication is an HTTP facility that enables a client to both authenticate and identify itself to a server by providing a user ID and password. This information is encoded using base-64 encoding, which is simple to decode. Because of this, using basic authentication as the sole means of authentication is only appropriate when there is no possibility of a password being intercepted. In most environments, basic authentication should be used in combination with SSL, so that SSL encryption protects the user ID and password.

certificate

SSL client certificate authentication is a more secure method of authenticating a client: it uses a client certificate that is issued by a trusted third party (a Certificate Authority) and is sent over the SSL-encrypted connection.

The TCPIPSERVICE must be defined with "ssl=yes", and the Web client must supply a certificate when it connects. XCICS validates the user and assigns the USERID by matching the common name (CN) supplied in the certificate with the "username" attribute of the user's definition in the SNT (Signon Table).

When you use basic authentication or client certificate authentication, XCICS handles the process of requesting authentication from the user, decoding the authentication information if necessary, checking the supplied authentication against the security manager's database, and rejecting the request if the authentication is not acceptable. An analyzer program or user-written application program is only called after the authentication has been verified and accepted.
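The two authentication paths described above, modelled as an added example that is not XCICS code: a constructed stand-in for the SNT, base-64 decoding of a Basic credential, and CN-to-username matching on a certificate subject written in the slash-separated form that the openssl output later on this page uses. The SNT layout, the user entries and the encode_basic helper are assumptions.

```python
import base64
import binascii
import hmac

# Constructed stand-in for the SNT (Signon Table): username -> USERID and password.
# Real SNT storage is not shown on the page; an entry without a password can only
# be reached through certificate authentication.
SNT = {
    "fabrizio": {"userid": "FABRIZIO", "password": "s3cret"},
    "www.htwc.com": {"userid": "WEBSRV", "password": None},
}

def encode_basic(user, password):
    """Client side: the Authorization header value for Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def userid_from_basic(authorization):
    """Server side of auth=basic: decode the base-64 credential (which is all the
    'encoding' amounts to) and check it against the SNT. None means reject; XCICS
    rejects before any analyzer or application program is called."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed header, not a credential
    user, sep, password = decoded.partition(":")
    entry = SNT.get(user)
    if not sep or entry is None or entry["password"] is None:
        return None
    # Constant-time comparison so a wrong password does not leak timing information.
    if not hmac.compare_digest(password.encode(), entry["password"].encode()):
        return None
    return entry["userid"]

def userid_from_certificate(subject):
    """Server side of auth=certificate: take the CN from a subject line such as
    'subject=/C=IT/O=HTWC/CN=www.htwc.com' and match it with an SNT username."""
    fields = {}
    for part in subject.strip().split("/"):
        name, sep, value = part.partition("=")
        if sep:
            fields[name] = value
    cn = fields.get("CN")
    entry = SNT.get(cn) if cn else None
    return entry["userid"] if entry else None
```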

SSL with XCICS Web support

The Secure Sockets Layer (SSL) can be used with HTTP to enable encryption, message authentication, and client and server authentication using certificates. The HTTPS scheme is HTTP with SSL. When you have configured XCICS to use SSL, its facilities are available for both XCICS as an HTTP server, and XCICS as an HTTP client.

When XCICS is an HTTP server, you can use SSL to protect an interaction with a Web client. To do this, specify appropriate security options on the TCPIPSERVICE definition for the port on which XCICS receives the client's requests.

When XCICS is an HTTP client, a server might require the use of SSL for some connections. If that is the case, you need to do some or all of the following:

Use HTTPS as the scheme for the connection.
Supply a list of cipher suites that you want to use for the connection. You can specify these in the URIMAP definition that you use on the WEB OPEN command for the connection.
Supply a client certificate. Client certificates are not a requirement for all SSL transactions, but a server might require one for particular transactions. If a server does request a client certificate, you can specify the label of a suitable certificate in the URIMAP definition that you use on the WEB OPEN command for the connection.

XCICS uses the OpenSSL Secure Socket Layer implementation (www.openssl.org).

Setting the server certificate

A server certificate must be installed for XCICS as an HTTP server. XCICS manages certificate and key files in PEM format. Both the key and the certificate must be installed on the system running the region, and their paths must be defined in the XCICS configuration file with the "set server_ssl_certificate" and "set server_ssl_key" directives.

set server_ssl_certificate=$HOME/etc/certificate.pem;
set server_ssl_key=$HOME/etc/key.pem;

The certificate should be issued by a trusted certificate authority. It is also possible to use self-signed certificates for testing purposes:

# openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out demo.key 1024
0 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..............++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase for demo.key: ****
Verifying - Enter pass phrase for demo.key: ****
 
# openssl rsa -in demo.key -out demo.pem
Enter pass phrase for demo.key: ****
writing RSA key
 
# openssl req -new -key demo.key -out demo.csr
Enter pass phrase for demo.key: ****
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IT
State or Province Name (full name) [Berkshire]:Italy
Locality Name (eg, city) [Newbury]:Rome
Organization Name (eg, company) [My Company Ltd]:HTWC
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, your name or your server's hostname) []:www.htwc.com
Email Address []:webmaster@htwc.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
 
A challenge password []:
An optional company name []:
Signature ok
subject=/C=IT/ST=Italy/L=Rome/O=HTWC/OU=R&D/CN=www.htwc.com/emailAddress=webmaster@htwc.com
 
# openssl x509 -req -days 60 -in demo.csr -signkey demo.key -out demo.crt
Getting Private key
Enter pass phrase for demo.key: ****
 
# cp demo.key demo.key.crypt
 
# openssl rsa -in demo.key.crypt -out demo.key
Enter pass phrase for demo.key: ****
 
# cp demo.crt $HOME/etc/certificate.pem
# cp demo.key $HOME/etc/key.pem

Setting the client certificates

Programs using XCICS Web support as Web clients may need to connect to an HTTPS server, which may request or require a client certificate.

The client certificate used in a Web client connection can be specified in the WEB OPEN command either with the CERTIFICATE parameter or through the URIMAP definition. In both cases, a certificate "label" is supplied to XCICS.

This label is the name (without extension) of both the certificate and the key file. These files must be in PEM format, and must be located in the paths defined by the "set client_ssl_certificate_path" and "set client_ssl_key_path" directives in the XCICS configuration file. Their names must conform to

       <LABEL>.pem

For example, in the configuration file:

set client_ssl_certificate_path=$HOME/etc/sslclient/certificate;
set client_ssl_key_path=$HOME/etc/sslclient/key;

In the file system:

# ls -l $HOME/etc/sslclient/certificate
total 4
-rw-r--r--    1 fabrizio devel         887 Dec 20 16:01 CLICERT.pem
# ls -l $HOME/etc/sslclient/key
total 4
-rw-r--r--    1 fabrizio devel         887 Dec 20 16:01 CLICERT.pem

In the program:

EXEC CICS WEB OPEN SESSTOKEN(ST)
                  HTTPS
                  HOST(HOST-NAME)
                  HOSTLENGTH(HOST-LENGTH)
                  PORTNUMBER(PORT)
                  CODEPAGE('037')
                  HTTPVNUM(VNUM) HTTPRNUM(VREL)
                  CIPHERS(CYP) NUMCIPHERS(CLEN)
                  CERTIFICATE('CLICERT')
END-EXEC
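As an added example (not XCICS code), a small checker for the client-certificate layout described above: it reads the two "set client_ssl_..._path" directives in the page's configuration syntax, looks for <LABEL>.pem under each path, and flags a key that is still passphrase-protected, which the server-certificate transcript earlier on this page strips with "openssl rsa" before installing the key. The config parser, the $HOME expansion via os.path.expandvars, the sample paths and the abbreviated PEM snippets are all constructed assumptions.

```python
import os
import re

# Matches the page's configuration syntax:  set name=value;
_SET_RE = re.compile(r"^\s*set\s+(\w+)\s*=\s*(.*?)\s*;\s*$")

def parse_xcics_config(text):
    """Collect 'set name=value;' directives ($HOME expansion via expandvars is an assumption)."""
    settings = {}
    for line in text.splitlines():
        m = _SET_RE.match(line)
        if m:
            settings[m.group(1)] = os.path.expandvars(m.group(2))
    return settings

def pem_kind(text):
    """Classify PEM content as 'certificate', 'key', 'encrypted-key' or None."""
    if "-----BEGIN CERTIFICATE-----" in text:
        return "certificate"
    if "BEGIN ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text:
        return "encrypted-key"  # passphrase-protected; the page runs 'openssl rsa' to strip it
    if re.search(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----", text):
        return "key"
    return None

def check_client_label(config_text, label, read=lambda p: open(p).read() if os.path.exists(p) else None):
    """Problems for one CERTIFICATE label; an empty list means <LABEL>.pem is present and usable in both paths."""
    cfg = parse_xcics_config(config_text)
    problems = []
    for directive, expected in (("client_ssl_certificate_path", "certificate"), ("client_ssl_key_path", "key")):
        base = cfg.get(directive)
        if base is None:
            problems.append(f"missing directive: set {directive}")
            continue
        path = os.path.join(base, f"{label}.pem")
        kind = pem_kind(read(path) or "")  # 'read' maps a path to its text, or None if missing
        if kind is None:
            problems.append(f"{path}: missing or not PEM")
        elif kind != expected:
            problems.append(f"{path}: expected {expected}, found {kind}")
    return problems

# Constructed sample configuration and file contents (PEM bodies abbreviated; not real keys).
SAMPLE_CONFIG = "set client_ssl_certificate_path=/opt/xcics/certificate;\nset client_ssl_key_path=/opt/xcics/key;\n"
SAMPLE_FILES = {
    "/opt/xcics/certificate/CLICERT.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "/opt/xcics/key/CLICERT.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIC...\n-----END RSA PRIVATE KEY-----\n",
    "/opt/xcics/key/LOCKED.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}
```

Run it against the real file system by omitting the read argument, e.g. check_client_label(open(config_path).read(), "CLICERT").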