RACF® performs several checks to authenticate a certificate and return the associated user ID. Note that other security products might do this differently. Refer to your security product documentation for more information on the initACEE function used to do the authentication (query mode).
- RACF checks if the certificate is defined in the DIGTCERT class. If so, RACF returns the user ID that was associated with this certificate when it was added to the RACF database. Certificates are defined to RACF using the RACDCERT command, as in the following example:

  RACDCERT ID(userid) ADD(dsn) TRUST WITHLABEL('label')
- If the certificate is not defined, RACF checks to see if there is a matching certificate name filter defined in the DIGTNMAP or DIGTCRIT classes. If so, it returns the user ID associated with the most specific matching filter.

  Note: It is advised not to use name filters for certificates used by z/OS Explorer, as these filters map all certificates to a single user ID. The result is that all your z/OS Explorer users will log on with the same user ID.
- If there is no matching name filter, RACF locates the HostIdMappings certificate extension and extracts the embedded user ID and host name pair. If found and validated, RACF returns the user ID defined within the HostIdMappings extension. The user ID and host name pair is valid if all these conditions are true:
  - The CA certificate used to sign this certificate is marked as HIGHTRUST in the DIGTCERT class.
  - The user ID stored in the extension has a valid length (1 to 8 characters).
  - The user ID assigned to the RSE daemon has (at least) READ authority to the IRR.HOST.hostname profile in the SERVAUTH class, where hostname is the host name stored in the extension. This is usually a domain name, such as CDFMVS08.RALEIGH.IBM.COM.
The definition of the HostIdMappings extension in ASN.1 syntax is:

  id-ce-hostIdMappings OBJECT IDENTIFIER ::= {1 3 18 0 2 18 1}

  HostIdMappings ::= SET OF HostIdMapping

  HostIdMapping ::= SEQUENCE {
      hostName             IMPLICIT [1] IA5String,
      subjectId            IMPLICIT [2] IA5String,
      proofOfIdPossession  IdProof OPTIONAL
  }

  IdProof ::= SEQUENCE {
      secret               OCTET STRING,
      encryptionAlgorithm  OBJECT IDENTIFIER
  }
Note: A HostIdMappings extension is not honored if the target user ID was created after the start of the validity period for the certificate containing the HostIdMappings extension. Therefore, if you are creating user IDs specifically for certificates with HostIdMappings extensions, make sure that you create the user IDs before the certificate requests are submitted.
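The following is an added example, not IBM code and not part of this page: a minimal DER encoder and decoder for the HostIdMappings extension exactly as defined in the ASN.1 module above, followed by a function that applies the acceptance conditions listed for the user ID / host name pair (HIGHTRUST CA, 1 to 8 character user ID, READ access on the IRR.HOST.hostname SERVAUTH profile, and the user-creation-date rule from the note). The RACF lookups themselves (whether the CA is HIGHTRUST, whether the RSE daemon user has READ on the profile) are passed in as booleans because they live in the RACF database, not in the certificate; the user ID IBMUSER, the dates and the IdProof bytes in the test are constructed sample values.

```python
"""Added example (not IBM's code): DER encode/decode of the HostIdMappings
extension defined above, plus the page's acceptance checks for the embedded
user ID / host name pair. Standard library only; sample values are constructed."""
from dataclasses import dataclass
from typing import Optional

# Tags taken from the ASN.1 module: SET 0x31, SEQUENCE 0x30, OCTET STRING 0x04,
# OBJECT IDENTIFIER 0x06. IMPLICIT [1]/[2] replace the IA5String tag with
# context-specific primitive tags, so hostName/subjectId appear as 0x81/0x82.
TAG_SET, TAG_SEQ, TAG_OCTETS, TAG_OID = 0x31, 0x30, 0x04, 0x06
TAG_HOSTNAME, TAG_SUBJECTID = 0x81, 0x82
ID_CE_HOSTIDMAPPINGS = "1.3.18.0.2.18.1"   # the OID given on the page

@dataclass
class HostIdMapping:
    host_name: str
    subject_id: str
    proof: Optional[tuple] = None   # (secret bytes, encryptionAlgorithm OID)

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def encode_host_id_mappings(pairs) -> bytes:
    """Encode [(hostname, userid), ...] as a HostIdMappings SET (no IdProof)."""
    items = [_tlv(TAG_SEQ, _tlv(TAG_HOSTNAME, h.encode("ascii")) +
                           _tlv(TAG_SUBJECTID, u.encode("ascii"))) for h, u in pairs]
    return _tlv(TAG_SET, b"".join(items))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos); a length running past the buffer is rejected."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def _decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                  # base-128 sub-identifiers
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_host_id_mappings(der: bytes):
    """Parse a DER HostIdMappings value into a list of HostIdMapping."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SET or end != len(der):
        raise ValueError("expected SET OF HostIdMapping")
    mappings, pos = [], 0
    while pos < len(body):
        tag, seq, pos = _read_tlv(body, pos)
        if tag != TAG_SEQ:
            raise ValueError("expected HostIdMapping SEQUENCE")
        t1, host, p = _read_tlv(seq, 0)
        t2, subj, p = _read_tlv(seq, p)
        if (t1, t2) != (TAG_HOSTNAME, TAG_SUBJECTID):
            raise ValueError("hostName/subjectId missing or out of order")
        proof = None
        if p < len(seq):                       # optional proofOfIdPossession
            t3, idproof, p = _read_tlv(seq, p)
            if t3 != TAG_SEQ:
                raise ValueError("malformed IdProof")
            t4, secret, q = _read_tlv(idproof, 0)
            t5, oid, _ = _read_tlv(idproof, q)
            if (t4, t5) != (TAG_OCTETS, TAG_OID):
                raise ValueError("malformed IdProof")
            proof = (secret, _decode_oid(oid))
        mappings.append(HostIdMapping(host.decode("ascii"), subj.decode("ascii"), proof))
    return mappings

def servauth_profile(mapping: HostIdMapping) -> str:
    """SERVAUTH profile the RSE daemon's user ID needs READ access to."""
    return f"IRR.HOST.{mapping.host_name}"

def evaluate_mapping(mapping, ca_is_hightrust, rse_has_read, user_created, cert_not_before):
    """Apply the conditions listed on the page. Dates are ISO 'YYYY-MM-DD' strings
    (they compare correctly as text); returns (user_id or None, reason)."""
    if not ca_is_hightrust:
        return None, "signing CA is not HIGHTRUST in DIGTCERT"
    if not 1 <= len(mapping.subject_id) <= 8:
        return None, "subjectId length must be 1 to 8 characters"
    if not rse_has_read:
        return None, f"RSE daemon lacks READ on {servauth_profile(mapping)}"
    if user_created > cert_not_before:
        return None, "user ID created after start of certificate validity"
    return mapping.subject_id, "accepted"
```

The decoder deliberately rejects a SET whose declared length overruns the buffer and a SEQUENCE whose tags are out of order; in an extension that maps directly to a logon identity, lenient parsing is where an unexpected mapping would slip in, so the checks are strict rather than forgiving.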
Refer to Security Server RACF Security Administrator’s Guide (SA22-7683) for more information on X.509 certificates, how they are managed by RACF, and how to define certificate name filters. Refer to Security Server RACF Command Language Reference (SA22-7687) for more information on the RACDCERT command.