Approve user certificates

You may need to approve the certificate presented by a user before the user can use it to log on.

About this task

You have the option to configure certificate enrollment automatic approval, as described in Configure Certificate Authentication. If you configure certificate enrollment automatic approval, you may not need to approve user certificates as described in this section, depending on your configuration choice. See z/OS Security Server RACF Command Language Reference for information on the RACDCERT MAP command.

If you do not configure certificate enrollment automatic approval, you must approve the certificate presented by a user to be sure it is correct and approved for the specific user. The user cannot use the certificate to log on with Certificate Authentication until you complete this process. The user can enroll only one certificate for their account.

You can configure Certificate Authentication to notify an administrator by email when a user enrolls a certificate, as described in Configure Certificate Authentication.

Note: If at a later time you need to repeat this procedure to remove the current certificate and approve a different certificate for the user, first remove the existing AZFCERT1 tags:
ALU [Login ID] MFA(FACTOR(AZFCERT1) NOTAGS)

Special Considerations for Internet Explorer and Windows 10

Internet Explorer with Windows 10 introduces some limitations for how the SSL state is handled with certificate authentication. To minimize the disruption to the user, follow these steps:
  • Have the user clear the SSL state before they enroll the certificate. This is a best practice for all browsers, but it is required for Internet Explorer with Windows 10.
  • Tell the user what URL on the server authentication port to use to authenticate, including the policy name. (You configured the server authentication port in Configure IBM MFA web services started task.) The user can then bookmark this URL for future use. For example:
    https://servername:port/mfa/policy-name
    where port is the server authentication port and policy-name is the certificate authentication policy.
    Important: If the user instead bookmarks the URL on the mutual authentication port that is loaded after authentication begins, subsequent authentication attempts will likely fail.

Procedure

  1. This step is needed only if you have not configured certificate enrollment automatic approval. Use the LU command to check the AZFCERT1 factor status and verify that the certificate information is correct for the user. Notice that the REGSTATE has changed to REVIEW.
    Note: The example shows a test PIV card used for demonstration purposes only.
    LU [Login ID] MFA
    FACTOR = AZFCERT1
      STATUS = ACTIVE
      FACTOR TAGS =
        REGSTATE:REVIEW
        SUBJECT:CN=Test Cardholder VII,C=US,O=Test Government,OU=Test Department
        ISSUER:CN=Test RSA 2048-bit CA for Test PIV Cards,C=US,O=Test Certificates 2010,OU=Test CA
        CERTHASH:94A8B7B184FE198FC0A89640ECD9145BFFAC6491
        SERIAL:02BF
  2. This step is needed only if you have not configured certificate enrollment automatic approval. If the certificate information is correct for the user, set the user REGSTATE to APPROVED for the AZFCERT1 factor. (Case is sensitive for APPROVED.)
     ALU [Login ID] MFA(FACTOR(AZFCERT1)
        TAGS(REGSTATE:APPROVED))
  3. Instruct the user to open the web server login page with the policy you want them to use. Tell them to bookmark this page for subsequent logins.
    https://server-name:port/mfa/policy-name
    where port is the server authentication port and policy-name is the certificate authentication policy.
    Note: Users of Internet Explorer and Windows 10 will be prompted for their certificate and PIN at this point.
  4. Instruct the user to click "Begin Certificate-based Authentication."
  5. The user must select the certificate they want to use to log in and click OK.
    For PIV/CAC cards, the user must then enter their valid PIN.
  6. On the "Cache Token Credential" page, instruct the user to copy the generated cache token credential and use it to log on to the z/OS® application.
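The check in steps 1 and 2 can be scripted so that the ALU approval command is only produced when the enrolled certificate is in REVIEW state and matches what the administrator expects for that user. The following is an added example, not IBM MFA code: it parses the FACTOR TAGS block of the LU output (re-joining values the display wraps mid-word onto continuation lines, as in the sample above), then compares the subject CN and CERTHASH against expected values the administrator obtained out of band. The sample output and the expected values are constructed from the page; the login ID TESTUSR is a placeholder.

```python
import re
from typing import Dict, Optional

# Constructed sample of "LU [Login ID] MFA" output, including the
# continuation lines the terminal produces for long tag values.
SAMPLE_LU_OUTPUT = """\
FACTOR = AZFCERT1
  STATUS = ACTIVE
  FACTOR TAGS =
    REGSTATE:REVIEW
    SUBJECT:CN=Test Cardholder VII,C=US,O=Test Government,OU=Test Departm
      ent
     ISSUER:CN=Test RSA 2048-bit CA for Test PIV Cards,C=US,O=Test Certifi
      cates 2010,OU=Test CA
     CERTHASH:94A8B7B184FE198FC0A89640ECD9145BFFAC6491
     SERIAL:02BF
"""

TAG_RE = re.compile(r"^([A-Z][A-Z0-9]*):(.*)$")  # start of a new tag line

def parse_factor_tags(lu_output: str) -> Dict[str, str]:
    """Return the FACTOR TAGS of the first factor block as a dict.
    A line that does not start with TAG: is a wrapped continuation of the
    previous value and is appended without a separator (the wrap is mid-word)."""
    tags: Dict[str, str] = {}
    current: Optional[str] = None
    in_tags = False
    for raw in lu_output.splitlines():
        line = raw.strip()
        if not in_tags:
            in_tags = line.startswith("FACTOR TAGS")
            continue
        if not line or line.startswith("FACTOR ="):
            break  # end of this factor's tag block
        m = TAG_RE.match(line)
        if m:
            current = m.group(1)
            tags[current] = m.group(2).strip()
        elif current:
            tags[current] += line
    return tags

def subject_cn(subject: str) -> str:
    """Extract the CN attribute from a comma-separated distinguished name."""
    for part in subject.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "CN":
            return value.strip()
    return ""

def approval_command(login_id: str, tags: Dict[str, str],
                     expected_cn: str, expected_certhash: str) -> Optional[str]:
    """Return the ALU command only if the certificate is awaiting review and
    both the subject CN and CERTHASH match the administrator's expected values."""
    if tags.get("REGSTATE") != "REVIEW":
        return None
    if subject_cn(tags.get("SUBJECT", "")) != expected_cn:
        return None
    if tags.get("CERTHASH", "").upper() != expected_certhash.upper():
        return None
    return f"ALU {login_id} MFA(FACTOR(AZFCERT1) TAGS(REGSTATE:APPROVED))"  # APPROVED is case sensitive
```

A mismatch on either the CN or the hash yields no command, so a certificate enrolled under the wrong account is never approved by accident.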