Using a hostIdMappings extension
z/OS Security Server RACF Security Administrator's Guide, SA23-2289-00
Authorized applications, such as Web servers, can present a client's certificate containing a hostIdMappings extension and invoke the initACEE callable service (IRRSIA00) to request that a security context (ACEE) be created, or that the client's user ID be determined and returned. For the format of the hostIdMappings extension, see z/OS Security Server RACF Callable Services. In these cases, the application is seeking to complete a login for a client whose certificate includes a hostIdMappings extension that might specify the user ID to be used on a particular server (host).

Controlling the identity used for login purposes is a very important security objective. Therefore, you should exercise administrative control over both the applications that may perform such logins and the certificate authorities whose certificates are honored, as follows.

When an application calls the initACEE callable service for this purpose and passes a certificate that has a hostIdMappings extension, the caller must have at least READ authority to the IRR.HOST.host-name resource defined in the SERVAUTH class, and the certificate must have been issued by a certificate authority that is defined with the HIGHTRUST option. The initACEE callable service builds a security context (ACEE) for the user ID contained in the hostIdMappings extension only if the certificate presented is not registered in the RACF® database and there is no matching certificate name filter.
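The following RACF commands, added here as an example and not part of the original guide, set up and verify the two controls just described: the SERVAUTH profile that authorizes the Web server's user ID, and the HIGHTRUST status of the issuing certificate authority. The host name WWW01, the user ID WEBSRV, the CA label and the data set name are constructed placeholders; substitute your own values.

```tso
/* Protect the per-host resource: the host-name part is the name of   */
/* the server the hostIdMappings extension refers to (WWW01 here).     */
/* UACC(NONE) ensures only explicitly permitted IDs can use it.        */
RDEFINE SERVAUTH IRR.HOST.WWW01 UACC(NONE)

/* Grant the Web server's user ID (WEBSRV, constructed) READ, the      */
/* minimum initACEE requires for hostIdMappings-based logins.          */
PERMIT IRR.HOST.WWW01 CLASS(SERVAUTH) ID(WEBSRV) ACCESS(READ)

/* If SERVAUTH is RACLISTed, refresh so the new profile takes effect.  */
SETROPTS RACLIST(SERVAUTH) REFRESH

/* Add the issuing CA certificate with HIGHTRUST (not merely TRUST).   */
/* Only HIGHTRUST CAs can vouch for a hostIdMappings user ID.          */
RACDCERT CERTAUTH ADD('WEBSRV.CACERT.DER') WITHLABEL('Corp Issuing CA') HIGHTRUST

/* For a CA that is already present, raise its trust level instead:    */
/* RACDCERT CERTAUTH ALTER(LABEL('Corp Issuing CA')) HIGHTRUST          */

/* Verification: confirm the access list and the CA status.            */
/* RLIST shows WEBSRV with READ; RACDCERT LIST shows Status: HIGHTRUST. */
RLIST SERVAUTH IRR.HOST.WWW01 AUTHUSER
RACDCERT CERTAUTH LIST(LABEL('Corp Issuing CA'))
```

Remember that initACEE honors the extension only when the certificate is neither registered in the RACF database nor matched by a certificate name filter, so a registered certificate or a matching filter still takes precedence over the user ID named in the extension.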
Copyright IBM Corporation 1990, 2014