Associating a client certificate with a RACF user ID

You can create a profile that associates a client certificate with a specified user ID. The profile can then be used for translating a certificate to a user ID, without the need for a password.

  1. Perform the actions described in Configuring for client certificate mapping.
  2. Copy the certificate to be processed into an MVS™ sequential file. The file must have variable-length, blocked records (RECFM=VB) and be accessible from TSO.
  3. Run the RACDCERT command in TSO. The syntax of RACDCERT is:
      RACDCERT ADD('datasetname') TRUST [ ID(userid) ]
    where:
    datasetname
    is the name of the data set containing the client certificate.
    userid
    is the user ID to be associated with the certificate. This parameter is optional. If omitted, the certificate is associated with the user issuing the RACDCERT command.
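The following batch job is an added example, not part of the IBM page, that carries steps 2 and 3 out in one place under the TSO terminal monitor program (IKJEFT01). It allocates the RECFM=VB data set, copies a DER-encoded certificate into it from z/OS UNIX, issues RACDCERT ADD with TRUST and an explicit user ID, and then lists the result so you can confirm the DIGTCERT profile was created for the intended user. The data set name WEBADM.CLIENT.CERT, the path /u/webadm/client.der, the user ID WEBUSR1, the label text, the LRECL of 84 and the job card accounting values are all assumptions; substitute your own. The OGET transfer is one way to get the file into the data set; a binary FTP PUT to a pre-allocated VB data set works as well.

```jcl
//ADDCERT  JOB (ACCT#),'ADD CLIENT CERT',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*
//* Added example, not IBM documentation. Assumptions: the DER
//* certificate is at /u/webadm/client.der, the target data set is
//* WEBADM.CLIENT.CERT, the user ID to map is WEBUSR1, and an LRECL
//* of 84 is acceptable (RACDCERT only requires RECFM=VB).
//*
//* Command sequence in SYSTSIN:
//*   ALLOCATE / FREE  - step 2: create the RECFM=VB sequential file
//*   OGET ... BINARY  - copy the certificate bytes unchanged (a
//*                      text-mode copy would alter a DER file)
//*   RACDCERT ADD     - step 3: create the DIGTCERT profile that maps
//*                      the certificate to WEBUSR1; WITHLABEL gives
//*                      the profile a name to list or delete by later
//*   SETROPTS REFRESH - only needed if DIGTCERT is RACLISTed, so the
//*                      new profile is picked up without a restart
//*   RACDCERT LIST    - check: the output should show the certificate
//*                      under WEBUSR1 with Status: TRUST
//*
//TSOBATCH EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  ALLOCATE DATASET('WEBADM.CLIENT.CERT') NEW CATALOG -
           RECFM(V B) LRECL(84) BLKSIZE(0) -
           SPACE(1,1) TRACKS
  FREE DATASET('WEBADM.CLIENT.CERT')
  OGET '/u/webadm/client.der' 'WEBADM.CLIENT.CERT' BINARY
  RACDCERT ADD('WEBADM.CLIENT.CERT') TRUST ID(WEBUSR1) -
           WITHLABEL('WEBUSR1 CLIENT CERT')
  SETROPTS RACLIST(DIGTCERT) REFRESH
  RACDCERT ID(WEBUSR1) LIST(LABEL('WEBUSR1 CLIENT CERT'))
/*
```

Review the SYSTSPRT output of the final LIST before relying on the mapping: the certificate should appear under the user ID you intended, not under the submitting ID (which is what happens when ID(userid) is omitted), and its status should read TRUST. The submitting user needs the appropriate authority to RACDCERT for another user's ID; the exact FACILITY class requirements are covered in the RACF Command Language Reference cited on this page.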

When you issue the RACDCERT command, RACF creates a profile in the DIGTCERT class. This profile associates the certificate with the user ID. You can then use the profile to translate a certificate to a user ID without giving a password.

For further information on the RACDCERT command, including the format of data allowed in the downloaded certificate data set, see IBM® z/OS® Security Server (RACF) Command Language Reference.