Approve user certificates
You may need to approve the certificate presented by a user before the user can use it to log on.
About this task
You have the option to configure certificate enrollment automatic approval, as described in Configure Certificate Authentication. If you configure certificate enrollment automatic approval, you may not need to approve user certificates as described in this section, depending on your configuration choice. See z/OS Security Server RACF Command Language Reference for information on the RACDCERT MAP command.
If you do not configure certificate enrollment automatic approval, you must approve the certificate presented by a user to be sure it is correct and approved for the specific user. The user cannot use the certificate to log on with Certificate Authentication until you complete this process. The user can enroll only one certificate for their account.
You can configure Certificate Authentication to notify an administrator by email when a user enrolls a certificate, as described in Configure Certificate Authentication.
ALU [Login ID] MFA(FACTOR(AZFCERT1) NOTAGS)
- Have the user clear the SSL state before they enroll the certificate. This is a best practice for all browsers, but it is required for Internet Explorer with Windows 10.
- Tell the user what URL on the server authentication port to use to authenticate, including the policy name. (You configured the server authentication port in Configure IBM MFA web services started task.) The user can then bookmark this URL for future use. For example:
https://servername:port/mfa/policy-name
where port is the server authentication port and policy-name is the certificate authentication policy.
Important: If the user were to instead bookmark the URL of the loaded mutual authentication port after the authentication begins, subsequent authentication attempts will likely fail.