The API connection certificate authentication feature allows clients to connect to a
Connect:Direct server by using only an SSL/TLS Certificate with a Common Name (CN) specified as a
user name.
If the intended client usage does not include submitting a process, the user name does not have
to be a real z/OS system user name and only needs to be defined in the Connect:Direct z/OS user
authorization file. If a process is to be submitted, the user specified in the Common Name (CN)
must be a real z/OS system user, or a real z/OS system user ID must be specified in the Security ID
parameter of the user authorization record that has the Common Name (CN) as its user ID. You can
configure this feature using the user authorization file of a Connect:Direct node. API certificate
authentication requires no user password to be presented.
Note: Although it is possible for a Connect:Direct Administrator to create a user name for
an API program that does not submit processes, identity management is simplified by
using a standard identity supported by an internal Certificate Authority. For example,
if the API program runs on UNIX and the internal CA issues certificates for UNIX system
users, the user name (and certificate Common Name) could be the UNIX system user name
under which the API program runs. Or, if the internal CA issues certificates for
systems, the user name (and certificate Common Name) could be the DNS name of the API
program's host system.
This feature improves password management in large deployments of Connect:Direct, as it removes
the extra administrative steps resulting from password usage.
Note: This feature applies only to
API connections. These connections must also be AIJ-based. When you use the authentication feature,
ensure that the AIJ version is at least 1.1.00 Fix 000025. This version includes updates that allow
blank passwords to be used for systems that use AIJ. These AIJ version requirements also apply if
you use the authentication feature in IBM Control Center. API connection certificate authentication
is not supported for the IUI/DMBATCH or the Connect:Direct native C/C++/C# non-Java APIs.