z/OS Security Server RACF Security Administrator's Guide


Certificate name filtering

SA23-2289-00

As more and more users access your system from the Web, you face an increasing administrative burden to securely manage their digital certificates. Certificate name filtering is a method for administering large numbers of user certificates, without storing each certificate in the RACF® database. Certificates managed using certificate name filtering:
  • Require no individual administration to be registered or to be replaced when they expire.
  • Occupy very little space in the RACF database.
  • Can be used to allow several users to share the same user ID in a secure manner.
  • Can be selectively mapped to different user IDs based on system and application criteria.
  • Are logged on use with audit records that include the associated user ID and the certificate's full subject and issuer names.

Certificate name filters are used to determine the operational user ID when RACF is called to create a security context for a client login using a certificate, such as during SSL client authentication. Certificate name filters cannot be used in protocols where the client certificate itself or the client's private key is required. They are therefore ideally suited to SSL client authentication, which requires only the client's root certificate, not the client certificate, to be stored in the RACF database.
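The paragraph above describes the outcome (a certificate's subject and issuer names select a user ID) without showing the mechanics. The following is an added illustration, not RACF code and not the syntax of any RACF command: it models a filter as the trailing, most general part of a subject and/or issuer distinguished name, prefers the most specific matching filter, and writes an audit record carrying the user ID plus the full subject and issuer names. The filter table, certificate names and matching rules are constructed assumptions for the example; RACF's own filter syntax, precedence rules and audit record layout are not on this page.

```python
"""Simplified model of certificate name filtering (added example, not RACF code).

A filter names the trailing (most general) components of a certificate's
subject and/or issuer distinguished name and maps every matching certificate
to one user ID.  A handful of filters can therefore cover thousands of
certificates without a per-certificate record.  The suffix-matching and
"most specific filter wins" rules below are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=Alice,OU=Sales,O=Example,C=US' into [(type, value), ...],
    most specific component first, as DNs are commonly printed."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def dn_suffix_matches(filter_dn: Optional[str], cert_dn: str) -> bool:
    """A filter matches when its components equal the trailing components of
    the certificate's DN, i.e. the filter is written from the root downward."""
    if filter_dn is None:  # this filter does not constrain that name
        return True
    f, c = parse_dn(filter_dn), parse_dn(cert_dn)
    return len(f) <= len(c) and c[-len(f):] == f


@dataclass(frozen=True)
class NameFilter:
    user_id: str
    subject_filter: Optional[str] = None
    issuer_filter: Optional[str] = None

    def specificity(self) -> int:
        """Number of DN components the filter pins down; larger is more specific."""
        return sum(len(parse_dn(x))
                   for x in (self.subject_filter, self.issuer_filter) if x)

    def matches(self, subject: str, issuer: str) -> bool:
        return (dn_suffix_matches(self.subject_filter, subject)
                and dn_suffix_matches(self.issuer_filter, issuer))


# Audit trail: every mapping attempt records the user ID (or None) together
# with the certificate's full subject and issuer names.
AUDIT_LOG: list[dict] = []


def map_certificate(filters: list[NameFilter], subject: str, issuer: str) -> Optional[str]:
    """Return the operational user ID for a certificate, or None if no filter matches."""
    candidates = [f for f in filters if f.matches(subject, issuer)]
    if not candidates:
        AUDIT_LOG.append({"user": None, "subject": subject, "issuer": issuer,
                          "result": "no filter"})
        return None
    best = max(candidates, key=NameFilter.specificity)
    AUDIT_LOG.append({"user": best.user_id, "subject": subject, "issuer": issuer,
                      "result": "mapped"})
    return best.user_id


# Constructed filter table (hypothetical organisation, CA and user IDs):
#  - anything issued by the corporate CA shares the generic WEBUSER ID
#  - the Sales department is mapped to an application ID
#  - one named employee keeps an individual ID
FILTER_TABLE = [
    NameFilter("WEBUSER", issuer_filter="O=Example Corp,C=US"),
    NameFilter("SALESAPP", subject_filter="OU=Sales,O=Example Corp,C=US",
               issuer_filter="O=Example Corp,C=US"),
    NameFilter("ALICE", subject_filter="CN=Alice Smith,OU=Sales,O=Example Corp,C=US",
               issuer_filter="O=Example Corp,C=US"),
]

if __name__ == "__main__":
    corp_ca = "CN=Corp CA,O=Example Corp,C=US"
    for subj, iss in [
        ("CN=Bob Jones,OU=Engineering,O=Example Corp,C=US", corp_ca),
        ("CN=Carol Diaz,OU=Sales,O=Example Corp,C=US", corp_ca),
        ("CN=Alice Smith,OU=Sales,O=Example Corp,C=US", corp_ca),
        ("CN=Mallory,O=Other,C=US", "CN=Other CA,O=Other,C=US"),  # untrusted issuer
    ]:
        print(f"{subj:50} -> {map_certificate(FILTER_TABLE, subj, iss)}")
    for rec in AUDIT_LOG:
        print(rec)
```

Three filters cover every certificate the corporate CA will ever issue, which is the space saving the list above refers to, while the certificate from the unrelated CA maps to no user ID at all. The audit entries keep the full subject and issuer names alongside the user ID, so a shared ID such as WEBUSER can still be traced back to the individual certificate that used it.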

Note: Certificate name filters are unrelated to distributed identity filters (see Distributed identity filters). An installation might choose to implement either certificate name filters or distributed identity filters, both types of filters, or neither.





Copyright IBM Corporation 1990, 2014