Associating a RACF user ID with a certificate
The client certificate can only be used to determine the user ID for the CICS® transaction if the certificate is associated with a RACF® user ID.
You can associate a certificate with a RACF user ID in two ways:
- Users can register their certificates online through their web browser program. You enable clients to register their certificates themselves by specifying AUTHENTICATE(AUTOREGISTER) on the TCPIPSERVICE definition. Users connecting to CICS through such a TCPIPSERVICE must have a client certificate. If that certificate is already registered to a user ID, then that user ID is used; if not, the client is prompted for a user ID and password with HTTP basic authentication. If the client then enters a valid user ID and password, that user ID is registered to the certificate, and the client will not be prompted for a password again. The rules are summarized in Identifying HTTP users. Once a certificate has been registered in this way, it can be used for all inbound TCP/IP connections.
- You can use the RACDCERT command. If you do not want to allow your clients to register their own certificates, you must register them with the RACDCERT command. Before executing RACDCERT, you must download the certificate that you want to process into an MVS™ sequential file with RECFM=VB that is accessible from TSO. The syntax of RACDCERT is:

    RACDCERT ADD('datasetname') TRUST [ ID(userid) ]

where datasetname is the name of the data set containing the client certificate, and userid is the user ID that is to be associated with the certificate. If the optional ID(userid) parameter is omitted, the certificate is associated with the user issuing the RACDCERT command.
You can add certificate information for your own user ID if you have READ access to the IRR.DIGTCERT.ADD profile in the FACILITY class. You can add certificate information for other user IDs if you have UPDATE access to the IRR.DIGTCERT.ADD profile in the FACILITY class or if you have RACF SPECIAL authority.
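A worked example of the administrative path, added here and not taken from the CICS documentation: a TSO batch job that grants the access described above, registers the downloaded certificate for another user ID, and lists the result so the mapping can be checked before clients depend on it. The user IDs CERTADM and WEBUSR1 and the data set CERTADM.CLIENT.CERT are hypothetical.

```jcl
//CERTADD  JOB (ACCT),'REGISTER CLIENT CERT',CLASS=A,MSGCLASS=X
//*
//* Hypothetical names used in this example:
//*   CERTADM             - administrator whose authority runs this job
//*   WEBUSR1             - RACF user ID the client certificate maps to
//*   CERTADM.CLIENT.CERT - RECFM=VB sequential data set that already
//*                         holds the downloaded client certificate
//*
//* The PERMIT below must be issued by someone with authority over the
//* IRR.DIGTCERT.ADD profile (for example RACF SPECIAL). UPDATE access
//* is needed because the certificate is added for a user ID other than
//* the one issuing RACDCERT; READ would only cover CERTADM's own ID.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(CERTADM) ACCESS(UPDATE)
  SETROPTS RACLIST(FACILITY) REFRESH
  RACDCERT ADD('CERTADM.CLIENT.CERT') TRUST ID(WEBUSR1)
  RACDCERT ID(WEBUSR1) LIST
/*
```

Check SYSTSPRT after the job runs: the LIST output should show the new certificate under WEBUSR1 with status TRUST; if the ADD was rejected, the preceding message identifies which authority check failed.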
For further information on the RACDCERT command, including the format of data allowed in the downloaded certificate data set, see z/OS Security Server RACF Command Language Reference.