z/OS Security Server RACF Security Administrator's Guide


Using a hostIdMappings extension

SA23-2289-00

Authorized applications, such as Web servers, can present a client's certificate that contains a hostIdMappings extension and invoke the initACEE callable service (IRRSIA00) to request that a security context (ACEE) be created for the client, or to have the client's user ID queried and returned. For the format of the hostIdMappings extension, see z/OS Security Server RACF Callable Services.

In these cases, the application is seeking to complete a login for a client whose certificate includes a hostIdMappings extension, and that extension might specify the user ID to be used on a particular server (host). Because the extension names the identity under which the login completes, controlling which extensions are honored is an important security objective. Therefore, you should exercise administrative control in the following two areas by authorizing:
  1. Which certificates with a hostIdMappings extension will be honored
  2. Which servers will be authorized to accept logins using certificates that contain explicit user IDs and host names

When an application calls the initACEE callable service for this purpose and passes a certificate that has a hostIdMappings extension, both of the following conditions must hold: the caller (the user ID under which the server runs) must have at least READ authority to the IRR.HOST.host-name resource in the SERVAUTH class, where host-name is the host name specified in the extension, and the certificate must have been issued by a certificate authority whose certificate is defined to RACF with the HIGHTRUST option. If either condition is not met, the user ID in the extension is not used.
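The following batch job is an added example of how an administrator would set up both control points described above; it is not taken from the RACF documentation. It assumes a hypothetical server user ID WEBSRV1, a hypothetical host name www.example.com (SERVAUTH profile names are uppercased, so the resource is IRR.HOST.WWW.EXAMPLE.COM), and a CA certificate already stored in the hypothetical data set SYS1.CERTS.EXAMPLECA. The commands are run through the TSO terminal monitor program (IKJEFT01); the comment lines inside SYSTSIN are indented so that they are not mistaken for the JCL end-of-data delimiter.

```jcl
//RACFHOST JOB (ACCT),'HOSTIDMAP SETUP',CLASS=A,MSGCLASS=X
//* Added example, not IBM-supplied code. Names below are assumptions:
//*   WEBSRV1            - user ID the Web server runs under
//*   WWW.EXAMPLE.COM    - host name carried in the hostIdMappings extension
//*   SYS1.CERTS.EXAMPLECA - data set holding the issuing CA certificate
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Make sure the SERVAUTH class is active and RACLISTed.        */
  SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
  /* Control point 2: which servers may accept hostIdMappings      */
  /* logins for this host. UACC(NONE) so no caller qualifies by    */
  /* default; grant READ only to the server's user ID and audit   */
  /* every successful use.                                         */
  RDEFINE SERVAUTH IRR.HOST.WWW.EXAMPLE.COM UACC(NONE) +
      AUDIT(ALL(READ))
  PERMIT IRR.HOST.WWW.EXAMPLE.COM CLASS(SERVAUTH) ID(WEBSRV1) +
      ACCESS(READ)
  /* Control point 1: which certificates are honored. Only         */
  /* certificates issued by a CA marked HIGHTRUST qualify, so add  */
  /* the CA certificate with that option rather than plain TRUST.  */
  RACDCERT CERTAUTH ADD('SYS1.CERTS.EXAMPLECA') +
      WITHLABEL('Example Corp CA') HIGHTRUST
  /* Refresh the in-storage SERVAUTH profiles so the new profile   */
  /* and permission take effect.                                   */
  SETROPTS RACLIST(SERVAUTH) REFRESH
  /* Verify: the access list should show only WEBSRV1 with READ,   */
  /* and the CA certificate should list its status as HIGHTRUST.   */
  RLIST SERVAUTH IRR.HOST.WWW.EXAMPLE.COM AUTHUSER
  RACDCERT CERTAUTH LIST(LABEL('Example Corp CA'))
/*
```

Keeping UACC(NONE) on the IRR.HOST profile is what makes control point 2 meaningful: any server user ID that is not explicitly permitted cannot complete a hostIdMappings login for that host, even if it presents a certificate from a HIGHTRUST CA. Conversely, a CA defined with only TRUST can still be used for ordinary certificate-to-user-ID mapping, but its certificates' hostIdMappings extensions are ignored.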

The hostIdMappings extension is the lowest-precedence way of determining the user ID. The initACEE callable service builds a security context (ACEE) for the user ID contained in the hostIdMappings extension only if the certificate presented is not registered in the RACF® database and there is no matching certificate name filter; if the certificate is registered, or a name filter matches it, the user ID from that mapping is used instead and the extension is not consulted.





Copyright IBM Corporation 1990, 2014