Authorized applications, such as servers, that invoke the initACEE callable service (IRRSIA00) can administer certificates associated with users and certificates associated with certificate authorities. You authorize these applications by administering the same FACILITY class resources checked by the RACDCERT command. See Controlling the use of the RACDCERT command.

Authorized applications, such as Web servers, can also present a client's certificate containing a hostIdMappings extension and invoke the initACEE callable service to request to have a security context (ACEE) created or have the client's user ID queried and returned. You authorize these applications by administering profiles in the SERVAUTH class.