Certificate Authority (CA) validation

Part of the certificate validation process includes checking that the certificate was signed by a Certificate Authority (CA) you trust. In order to do so, RSE daemon must have access to a certificate that identifies the CA.

When using an SAF key ring, you must add the CA certificate to your security database as a CERTAUTH certificate with the TRUST or HIGHTRUST attribute, as shown in this sample RACF® command:

RACDCERT CERTAUTH ADD(dsn) HIGHTRUST WITHLABEL('label')

Note that most security products already have the certificates for well known CA’s available in their database with a NOTRUST status. Use the following sample RACF commands to list the existing CA certificates and mark one as trusted based on the label assigned to it.

RACDCERT CERTAUTH LIST
RACDCERT CERTAUTH ALTER(LABEL('HighTrust CA')) HIGHTRUST

Note: The HIGHTRUST status is required if you rely on RACF authenticating the user based upon the HostIdMappings extension in the certificate. Refer to Authentication by your security software for more information.

Once the CA certificate is added to your security database, it must be connected to the RSE key ring, as shown in this sample RACF command:

RACDCERT ID(stcrse) CONNECT(CERTAUTH LABEL('HighTrust CA') RING(keyring.racf))

Refer to Security Server RACF Command Language Reference (SA22-7687) for more information on the RACDCERT command.

Attention: If you rely on RSE daemon instead of your security software to authenticate a user you must be cautious not to mix CAs with a TRUST and HIGHTRUST status in your SAF key ring. RSE daemon is not able to differentiate between the two, so certificates signed by a CA with TRUST status will be valid for user ID authentication purposes.