(Optional) Add X.509 client authentication support

RSE daemon supports users authenticating themselves with an X.509 certificate.
  • For AT-TLS configuration, RSE daemon requires access to a key ring holding the public certificate of the CA used to sign the client certificate. For more information about the parameter configuration requirement, see Control encrypted communication in ssl.properties.
  • For non AT-TLS configuration, using encrypted communication is a prerequisite for this function, because it is an extension to the host authentication with a certificate used in the encryption handshake.

This example defines the support for X.509 certificates with the hostIdMappings extension, as they require the most system updates. Refer to Client authentication using X.509 certificates for more information.

  1. Change the certificate that identifies the Certificate Authority (CA) used to sign the client certificate to a highly trusted CA certificate. Although the TRUST status is sufficient for certificate validation, a change to HIGHTRUST is done, because it is used for the certificate authentication part of the logon process. 
    RACDCERT CERTAUTH ALTER(LABEL('HighTrust CA')) HIGHTRUST
  2. Add the CA certificate to the key ring, keyring.racf, so that it is available to validate the client certificates. 
    RACDCERT ID(stcrse) CONNECT(CERTAUTH LABEL('HighTrust CA') RING(keyring.racf))

    This concludes the security software setup for the CA certificate.

  3. Define a resource (format IRR.HOST.hostname) in the SERVAUTH class for the host name, CDFMVS08.RALEIGH.IBM.COM, defined in the HostIdMappings extension of your client certificate. 
    RDEFINE SERVAUTH  IRR.HOST.CDFMVS08.RALEIGH.IBM.COM  UACC(NONE)
  4. Grant the RSE started task user ID, STCRSE, access to this resource with READ authority. 
    PERMIT IRR.HOST.CDFMVS08.RALEIGH.IBM.COM CLASS(SERVAUTH) ACCESS(READ) ID(stcrse)
  5. Activate your changes to the SERVAUTH class. Use the first command if the SERVAUTH class is not active yet. Use the second one to refresh an active setup. 
    SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
or
SETROPTS RACLIST(SERVAUTH) REFRESH

    This concludes the security software setup for the HostIdMappings extension.

  6. Restart the RSE started task to start accepting client logons using X.509 certificates.