Part of the certificate validation process includes checking that
the certificate was signed by a Certificate Authority (CA) you trust.
In order to do so, RSE daemon must have access to a certificate that
identifies the CA.
When using an SAF key ring, you must add the CA certificate to
your security database as a CERTAUTH certificate with the TRUST or
HIGHTRUST attribute, as shown in this sample RACF® command:
RACDCERT CERTAUTH ADD(dsn) HIGHTRUST WITHLABEL('label')
Note that most security products already have the certificates
for well-known CAs available in their database with a NOTRUST
status. Use the following sample RACF commands
to list the existing CA certificates and mark one as trusted based
on the label assigned to it.
RACDCERT CERTAUTH LIST
RACDCERT CERTAUTH ALTER(LABEL('HighTrust CA')) HIGHTRUST
The HIGHTRUST status is required if you rely on RACF to authenticate the user based on the
HostIdMappings extension in the certificate. Refer to Authentication by your security software
for more information.
Once the CA certificate is added to your security database, it
must be connected to the RSE key ring, as shown in this sample RACF command:
RACDCERT ID(stcrse) CONNECT(CERTAUTH LABEL('HighTrust
Refer to Security Server RACF Command
Language Reference (SA22-7687) for more information on the RACDCERT command.
Attention: If you rely on RSE daemon
instead of your security software to authenticate a user, you must
be cautious not to mix CAs with TRUST and HIGHTRUST status in your
ring. RSE daemon is not able to differentiate between the two, so
certificates signed by a CA with TRUST status will also be accepted for user
ID authentication purposes.
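The following audit script is an added example, not part of the IBM documentation: it parses a CERTAUTH listing and reports CAs connected to the RSE ring that carry TRUST rather than HIGHTRUST status, which is the mix the Attention note warns about. The embedded listing is constructed and only approximates the layout of RACDCERT CERTAUTH LIST output (label, status and ring association lines); the ring owner stcrse and ring name RSERING are placeholders.

```python
from typing import Dict, List, Tuple

# Constructed sample resembling "RACDCERT CERTAUTH LIST" output; the real
# listing carries more fields (dates, serial number, issuer and subject).
SAMPLE_LISTING = """\
Digital certificate information for CERTAUTH:

  Label: HighTrust CA
  Status: HIGHTRUST
  Ring Associations:
    Ring Owner: STCRSE
    Ring:
      > RSERING <

  Label: Partner CA
  Status: TRUST
  Ring Associations:
    Ring Owner: STCRSE
    Ring:
      > RSERING <

  Label: Well Known Public CA
  Status: NOTRUST
  Ring Associations:
    *** No rings associated ***
"""


def parse_certauth_listing(text: str) -> List[Dict]:
    """Build one record per CERTAUTH certificate: label, status, ring list."""
    certs: List[Dict] = []
    current = None
    owner = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Label:"):
            current = {"label": s[len("Label:"):].strip(), "status": None, "rings": []}
            certs.append(current)
        elif s.startswith("Status:") and current is not None:
            current["status"] = s[len("Status:"):].strip()
        elif s.startswith("Ring Owner:") and current is not None:
            owner = s[len("Ring Owner:"):].strip()
        elif s.startswith(">") and s.endswith("<") and current is not None:
            # Ring names are printed between angle brackets under "Ring:"
            current["rings"].append((owner, s[1:-1].strip()))
    return certs


def trust_only_cas_in_ring(certs: List[Dict], ring_owner: str, ring_name: str) -> List[str]:
    """Labels of CAs in the given ring whose status is TRUST, not HIGHTRUST.
    RSE daemon treats both alike, so these CAs can vouch for user IDs."""
    wanted: Tuple[str, str] = (ring_owner.upper(), ring_name.upper())
    return [c["label"] for c in certs
            if c["status"] == "TRUST"
            and wanted in {(o.upper(), r.upper()) for o, r in c["rings"]}]
```

Run it against a saved listing instead of SAMPLE_LISTING to review a live key ring; any label it reports should be either re-issued under HIGHTRUST or removed from the ring.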