Client authentication using X.509 certificates

RSE daemon supports users authenticating themselves with an X.509 certificate. Encrypted communication is a prerequisite for this function, because client authentication is an extension of the host authentication that a certificate provides during the encryption handshake.

RSE daemon starts the client authentication process by validating the client certificate. Among the aspects checked are the dates between which the certificate is valid and the trustworthiness of the Certificate Authority (CA) that signed it. Optionally, a (third-party) Certificate Revocation List (CRL) can also be consulted.

After RSE daemon has validated the certificate, it is processed for authentication. The certificate is passed on to your security product for authentication, unless the rse.env directive enable.certificate.mapping is set to false, in which case RSE daemon does the authentication itself.

If successful, the authentication process determines the user ID to be used for this session; RSE daemon then tests that user ID to ensure it is usable on the host system where RSE daemon is running.

The last check, which is performed for every authentication mechanism and not just for X.509 certificates, verifies that the user ID is allowed to use z/OS Explorer.

If you are familiar with the security classifications used by TCP/IP, the combination of these validation steps matches the “Level 3 Client authentication” specification (the highest available).