Administering profiles in the SERVAUTH class

You authorize servers to accept logins for clients whose certificates contain a hostIdMappings extension by administering profiles in the SERVAUTH class. If a server you want to authorize is not already defined as a RACF® user, define it. Servers might run as jobs or started procedures. For example:
ADDGROUP WEBSRVGP
ADDUSER  WEBSRV1 GROUP(WEBSRVGP) NOPASSWORD
ADDUSER  WEBSRV2 GROUP(WEBSRVGP) NOPASSWORD
Note: Use the NOPASSWORD option to assign protected user IDs to servers. See Assigning RACF user IDs to started procedures.
Define resources in the SERVAUTH class using the following format:
IRR.HOST.host-name
Permit servers to access this resource with at least READ authority. This allows them to accept logins for the host name specified in the resource name. For example, to allow the servers in the WEBSRVGP group to accept logins for the host system called MVSDSN1, issue the following commands:
RDEFINE  SERVAUTH IRR.HOST.MVSDSN1 UACC(NONE)
PERMIT   IRR.HOST.MVSDSN1 CLASS(SERVAUTH) ID(WEBSRVGP) ACCESS(READ)
SETROPTS CLASSACT(SERVAUTH)
In this example, suppose a server running under the authority of user ID WEBSRV1 presents a client certificate that was issued by a certificate authority with HIGHTRUST status, and the certificate contains a hostIdMappings extension that includes a user ID mapping for host name MVSDSN1. A security context (ACEE) is then created for the user ID mapped to MVSDSN1, as indicated in the hostIdMappings extension.
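The following Python sketch is an added illustration, not RACF code or part of the original documentation. It models the three conditions described above (HIGHTRUST issuer, a hostIdMappings entry for the host, and at least READ access to IRR.HOST.host-name) so you can see which combinations yield a mapped user ID. Assumptions: the names BATCH1, OTHERSYS, JDOE and JSMITH are constructed sample values, the certificate is reduced to a dictionary, and mappings are checked in the order listed.

```python
# Simplified model of the checks described above; not RACF code.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample data mirroring the ADDUSER, RDEFINE and PERMIT commands.
GROUPS = {"WEBSRV1": {"WEBSRVGP"}, "WEBSRV2": {"WEBSRVGP"}, "BATCH1": set()}
SERVAUTH = {"IRR.HOST.MVSDSN1": {"uacc": "NONE", "permits": {"WEBSRVGP": "READ"}}}


def access(server_id, profile_name):
    """Return the server's access level to a SERVAUTH profile, or None if undefined."""
    profile = SERVAUTH.get(profile_name)
    if profile is None:
        return None
    permits = profile["permits"]
    if server_id in permits:  # an entry for the user ID itself takes precedence
        return permits[server_id]
    group_levels = [permits[g] for g in GROUPS.get(server_id, ()) if g in permits]
    if group_levels:  # otherwise the highest authority granted through a group
        return max(group_levels, key=LEVELS.index)
    return profile["uacc"]  # UACC(NONE) in the page's example


def mapped_user(server_id, cert):
    """Return the user ID a security context would be created for, else None."""
    if cert["issuer_trust"] != "HIGHTRUST":
        return None
    # Assumption of this model: mappings are tried in order, first authorized wins.
    for host, user in cert["host_id_mappings"]:
        level = access(server_id, "IRR.HOST." + host)
        if level is not None and LEVELS.index(level) >= LEVELS.index("READ"):
            return user
    return None


# Constructed certificate: issuing CA status plus (host name, user ID) pairs.
CERT = {"issuer_trust": "HIGHTRUST",
        "host_id_mappings": [("OTHERSYS", "JDOE"), ("MVSDSN1", "JSMITH")]}

if __name__ == "__main__":
    for sid in ("WEBSRV1", "BATCH1"):
        print(sid, "->", mapped_user(sid, CERT))
```

BATCH1 is not connected to WEBSRVGP, so it falls through to UACC(NONE) and no user ID is mapped, while WEBSRV1 and WEBSRV2 obtain the mapping for MVSDSN1.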