User authentication using SSL client certificates

You can optionally use client certificates with SSL to allow the server to authenticate the client during the SSL handshake.

A client certificate can be used with or without another authentication mechanism such as a user ID and password. When a client certificate has been authenticated it can be made available on each ECI and web service request, and can be used by the Gateway daemon to authorize the request. This is achieved by mapping the certificate to an External Security Manager (ESM) user ID.

To enable the Gateway daemon to retrieve a user ID associated with a client certificate, client authentication must be enabled on the SSL or HTTPS protocol handler in the Gateway daemon using the clientauth=esmuserid property. To run the CICS® transaction under the ESM user ID which has been mapped to the client certificate, ensure that the CICS connection has been defined with Attachsec set to Identify.

To map a certificate to a RACF® user ID, you must first associate the certificate with a RACF user ID, using one of the following procedures:
  • By using the RACF command RACDCERT. If you use this procedure, the client certificates are stored in the RACF database, and a user ID is associated with them. This is an excellent way to create a one-to-one mapping between client certificates and user IDs, but it does not scale well if large numbers of certificates must be mapped to a small number of user IDs. For more information, see Associating a client certificate with a RACF user ID.
  • By using RACF certificate name filtering. If you use this procedure, rules are applied to allow multiple certificates to be assigned to a single user ID with one profile. For more information, see RACF certificate name filtering.
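The two RACF procedures above, written out as TSO commands, as an added example that is not part of this IBM topic. The user IDs (APPUSR1, WEBGRP), certificate labels, the data set holding the exported certificate, and the distinguished-name values are constructed placeholders; the RACDCERT keywords (ADD, MAP, SDNFILTER, IDNFILTER, WITHLABEL, TRUST) and the SETROPTS refresh are standard RACF syntax.

```tso
/* Procedure 1: one-to-one mapping with RACDCERT ADD.                     */
/* The client certificate (exported in DER or base64 form) is read from a  */
/* data set and stored in the RACF database under user ID APPUSR1.         */
/* TRUST marks it usable for authentication; without TRUST the Gateway     */
/* daemon cannot resolve the certificate to a user ID.                     */
RACDCERT ID(APPUSR1) ADD('APPUSR1.CLIENT.CERT') +
         WITHLABEL('Client cert for APPUSR1') TRUST

/* Procedure 2: many-to-one mapping with RACDCERT MAP (certificate name    */
/* filtering). No certificate is stored; any client certificate whose      */
/* subject DN starts with the SDNFILTER value, and whose issuer DN matches */
/* IDNFILTER, is resolved to user ID WEBGRP. RACF filters list the DN     */
/* components most-specific first, separated by periods.                   */
/* The constructed values below are placeholders.                          */
RACDCERT ID(WEBGRP) MAP +
         SDNFILTER('OU=Web Clients.O=Example Corp.C=GB') +
         IDNFILTER('CN=Example Corp Issuing CA.O=Example Corp.C=GB') +
         WITHLABEL('Web client filter') TRUST

/* Refresh the in-storage profiles so the Gateway daemon sees the change   */
/* without a restart of the RACF subsystem.                                */
SETROPTS RACLIST(DIGTCERT) REFRESH
SETROPTS RACLIST(DIGTNMAP) REFRESH

/* Verification: list what RACF has for each user ID. The LIST output      */
/* shows the stored certificate and its trust status; LISTMAP shows the    */
/* filter rules, so a too-broad filter (for example one with only C=GB)    */
/* can be spotted before it is relied on for authorization.                */
RACDCERT ID(APPUSR1) LIST
RACDCERT ID(WEBGRP) LISTMAP
```

When choosing between the two procedures, note that a filter in procedure 2 resolves every matching certificate to the same ESM user ID, so the CICS transaction runs under that shared identity (with Attachsec set to Identify); keep the SDNFILTER as specific as the certificate population allows, and always pair it with an IDNFILTER so certificates from an unexpected issuer do not match.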

For more information on certificate mapping, see the IBM® Redpaper™ J2C Security on IBM z/OS®.

Last updated: Thursday, 2 March 2017


https://ut-ilnx-r4.hursley.ibm.com/tgzos_latest/help/topic/com.ibm.cics.tg.zos.doc//securing/topics/mapracf.html