Authentication by your security software
RACF® performs several checks to authenticate a certificate and return the associated user ID. Note that other security products might do this differently. Refer to your security product documentation for more information on the initACEE function used to do the authentication (query mode).
- RACF checks if the certificate is defined in the DIGTCERT class. If so, RACF returns the user ID that was associated with this certificate when it was added to the RACF database. Certificates are defined to RACF using the RACDCERT command, as in the following example:

  RACDCERT ID(userid) ADD(dsn) TRUST WITHLABEL('label')
- If the certificate is not defined, RACF checks to see if there is a matching certificate name filter defined in the DIGTNMAP or DIGTCRIT classes. If so, it returns the user ID associated with the most specific matching filter.

  Note: It is advised not to use name filters for certificates used by z/OS® Explorer, as these filters map all certificates to a single user ID. The result is that all your z/OS Explorer users will log on with the same user ID.

- If there is no matching name filter, RACF locates the HostIdMappings certificate extension and extracts the embedded user ID and host name pair. If found and validated, RACF returns the user ID defined within the HostIdMappings extension. The user ID and host name pair is valid if all these conditions are true:

  - The CA certificate used to sign this certificate is marked as HIGHTRUST in the DIGTCERT class.
  - The user ID stored in the extension has a valid length (1 to 8 characters).
  - The user ID assigned to the RSE daemon has (at least) READ authority to the IRR.HOST.hostname profile in the SERVAUTH class, where hostname is the host name stored in the extension. This is usually a domain name, such as CDFMVS08.RALEIGH.IBM.COM.
The definition of the HostIdMappings extension in ASN.1 syntax is:

  id-ce-hostIdMappings OBJECT IDENTIFIER ::= {1 3 18 0 2 18 1}

  HostIdMappings ::= SET OF HostIdMapping

  HostIdMapping ::= SEQUENCE {
    hostName             [1] IMPLICIT IA5String,
    subjectId            [2] IMPLICIT IA5String,
    proofOfIdPossession  IdProof OPTIONAL
  }

  IdProof ::= SEQUENCE {
    secret               OCTET STRING,
    encryptionAlgorithm  OBJECT IDENTIFIER
  }
Note: A HostIdMappings extension is not honored if the target user ID was created after the start of the validity period for the certificate containing the HostIdMappings extension. Therefore, if you are creating user IDs specifically for certificates with HostIdMappings extensions, make sure that you create the user IDs before the certificate requests are submitted.

Refer to Security Server RACF Security Administrator's Guide (SA22-7683) for more information on X.509 certificates, how they are managed by RACF, and how to define certificate name filters. Refer to Security Server RACF Command Language Reference (SA22-7687) for more information on the RACDCERT command.
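The following is an added example, not code from the original page or from IBM, that decodes a DER-encoded HostIdMappings extension according to the ASN.1 definition above and then applies the validity conditions the text lists (HIGHTRUST signer, 1 to 8 character user ID, RSE daemon READ access to IRR.HOST.hostname in SERVAUTH) together with the note that a user ID created after the start of the certificate's validity period is not honored. The RACF state (which CA is HIGHTRUST, which SERVAUTH profiles the RSE user ID can read, when each user ID was created) is passed in as constructed Python values; RACF itself consults its database for these. Two simplifications are assumptions of this example and not documented RACF behavior: the first mapping in the SET that passes every check is returned, and a user ID unknown to the system never matches.

```python
"""Added example: decode a HostIdMappings extension and apply the page's checks."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# DER tags used by the HostIdMappings definition.
TAG_SET, TAG_SEQUENCE = 0x31, 0x30
TAG_CTX1_IMPLICIT, TAG_CTX2_IMPLICIT = 0x81, 0x82   # [1] IMPLICIT and [2] IMPLICIT primitive


@dataclass
class HostIdMapping:
    host_name: str
    subject_id: str
    has_proof: bool   # proofOfIdPossession present (its contents are not evaluated here)


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element (short or long length form)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode the DER element at pos; return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_host_id_mappings(pairs: list[tuple[str, str]]) -> bytes:
    """Build a DER HostIdMappings SET from (hostName, subjectId) pairs, without IdProof."""
    items = [_tlv(TAG_SEQUENCE, _tlv(TAG_CTX1_IMPLICIT, h.encode("ascii"))
                                + _tlv(TAG_CTX2_IMPLICIT, s.encode("ascii")))
             for h, s in pairs]
    return _tlv(TAG_SET, b"".join(items))


def parse_host_id_mappings(der: bytes) -> list[HostIdMapping]:
    """Decode HostIdMappings ::= SET OF HostIdMapping, rejecting malformed input."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SET or end != len(der):
        raise ValueError("HostIdMappings must be exactly one SET")
    out, pos = [], 0
    while pos < len(body):
        tag, seq, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("HostIdMapping must be a SEQUENCE")
        t1, host, p = _read_tlv(seq, 0)
        t2, subj, p = _read_tlv(seq, p)
        if (t1, t2) != (TAG_CTX1_IMPLICIT, TAG_CTX2_IMPLICIT):
            raise ValueError("expected [1] hostName followed by [2] subjectId")
        has_proof = False
        if p < len(seq):                       # optional IdProof SEQUENCE
            t3, _, p = _read_tlv(seq, p)
            if t3 != TAG_SEQUENCE or p != len(seq):
                raise ValueError("trailing data is not an IdProof SEQUENCE")
            has_proof = True
        out.append(HostIdMapping(host.decode("ascii"), subj.decode("ascii"), has_proof))
    return out


def resolve_host_id_mapping(ext_der: bytes, *, issuer_hightrust: bool,
                            rse_read_profiles: set[str],
                            user_created: dict[str, datetime],
                            cert_not_before: datetime) -> Optional[str]:
    """Return the user ID the extension resolves to under the page's conditions, or None.

    Assumption of this example: the first mapping passing every check wins, and an
    unknown user ID (no creation date on record) never matches.
    """
    if not issuer_hightrust:                   # signing CA must be HIGHTRUST in DIGTCERT
        return None
    for m in parse_host_id_mappings(ext_der):
        if not 1 <= len(m.subject_id) <= 8:    # user ID length 1 to 8 characters
            continue
        if f"IRR.HOST.{m.host_name}" not in rse_read_profiles:   # SERVAUTH READ for RSE
            continue
        created = user_created.get(m.subject_id)
        if created is None or created > cert_not_before:       # user ID must predate cert
            continue
        return m.subject_id
    return None


# Constructed sample data (not from the page): an over-long user ID followed by a valid one.
SAMPLE_EXT = encode_host_id_mappings([
    ("CDFMVS08.RALEIGH.IBM.COM", "TOOLONGUSERID"),
    ("CDFMVS08.RALEIGH.IBM.COM", "RSEUSR1"),
])
SAMPLE_RSE_PROFILES = {"IRR.HOST.CDFMVS08.RALEIGH.IBM.COM"}
SAMPLE_USER_CREATED = {"RSEUSR1": datetime(2023, 1, 10, tzinfo=timezone.utc),
                       "LATEUSR": datetime(2024, 6, 1, tzinfo=timezone.utc)}
SAMPLE_NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(resolve_host_id_mapping(SAMPLE_EXT, issuer_hightrust=True,
                                  rse_read_profiles=SAMPLE_RSE_PROFILES,
                                  user_created=SAMPLE_USER_CREATED,
                                  cert_not_before=SAMPLE_NOT_BEFORE))
```

Running the block prints RSEUSR1: the over-long TOOLONGUSERID mapping is skipped, and the second mapping passes all checks. Removing the SERVAUTH profile, marking the issuer as not HIGHTRUST, or pointing the extension at LATEUSR (created after the certificate's validity period began) each makes the function return None, which is the behavior the note above warns about when user IDs are created after the certificate request.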