Certificate mapping
During a mutual TLS handshake, a client certificate must be provided by the client and verified by the server. After a successful TLS handshake, the client certificate can be used to authenticate the user.
- One-to-one association: If the client certificate has been generated or added in RACF, the client certificate is registered in RACF to a user ID. This registration creates a mapping between the client certificate and its registered RACF user ID.
- Certificate name filtering: If the client certificate is not in RACF, a certificate name filter can be used to associate one or multiple certificates with a RACF user ID. A certificate name filter is based on rules that relate to part of the subject's or the issuer's distinguished name in the certificate.
Certificate name filtering uses the RACF classes DIGTNMAP and DIGTCRIT. The RACF commands RACDCERT MAP, RACDCERT LISTMAP, RACDCERT ALTMAP and RACDCERT DELMAP are used to manage resource profiles in the DIGTNMAP and DIGTCRIT classes. For more information, see Certificate filtering in the IBM® z/OS® product documentation.
For an example scenario that shows how a client certificate is mapped to a RACF user ID using certificate name filtering, see Design example: Securing the JCICSX server using TLS client authentication.
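The following batch TSO job is an added illustration of the commands named above, not an example from this page or from the CICS documentation: it defines one certificate name filter, refreshes the DIGTNMAP class so the new profile takes effect, and lists the result. The RACF user ID WEBUSR, the distinguished-name values, the filter label and the job card are assumptions; substitute your own. RACF filter values list DN components from most specific to least specific, separated by periods, and a filter matches any certificate whose DN ends with those components.

```jcl
//RACMAP   JOB (ACCT),'CERT NAME FILTER',CLASS=A,MSGCLASS=X
//* Assumed values (not from the documentation): user ID WEBUSR,
//* the subject and issuer DN fragments, and the label.
//* Any client certificate whose subject DN ends with
//*   OU=Web Clients, O=Example Corp, C=GB
//* AND whose issuer DN is the named CA is mapped to WEBUSR.
//* Combining SDNFILTER with IDNFILTER keeps a certificate from an
//* untrusted CA with a look-alike subject from matching the filter.
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(WEBUSR) MAP +
     SDNFILTER('OU=Web Clients.O=Example Corp.C=GB') +
     IDNFILTER('CN=Example Client CA.O=Example Corp.C=GB') +
     WITHLABEL('WEBCLIENT-FILTER') TRUST
  SETROPTS RACLIST(DIGTNMAP) REFRESH
  RACDCERT ID(WEBUSR) LISTMAP
/*
```

The filter is not used until the SETROPTS RACLIST(DIGTNMAP) REFRESH has run; check the LISTMAP output in SYSTSPRT to confirm the label, filters and TRUST status before relying on the mapping.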
- The hostIdMappings certificate extension: The hostIdMappings certificate extension is used to communicate the user's host identity for one or more host systems. The extension contains a sequence of host name and user ID value pairs. This certificate extension must be included in the certificate signing process. To use the hostIdMappings certificate extension and to identify the associated RACF user ID, the following authorization validations are performed:
  - The CICS® region user ID must have READ access to the resource IRR.HOST.host-name defined in the SERVAUTH class.
  - The certificate authority that signed the client certificate must have the HIGHTRUST option.
For more information on certificate mapping, see Certificate mapping in the IBM z/OS product documentation.