Enabling client login using certificates

Without digital certificates, RACF® users of traditional client/server applications authenticate themselves to servers by presenting their user IDs and passwords. Successful authentication adds a security context, a control block called the accessor environment element (ACEE), to the user's address space. Subsequently, units of work initiated by the client are tagged with the client's identity, that is, with its security context. In this environment, the client's user ID provides identification and the password provides authentication.

In the z/OS® digital certificate environment, the secure handshake protocol depicted in Figure 1 accomplishes identification and authentication when the client presents its certificate as identification and its proof of possession of the corresponding private key as authentication. The client's ACEE is created when the application invokes the SAF callable service initACEE (IRRSIA00), which determines the client's user ID from information in the client's certificate and builds the ACEE for that user.
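The handshake and the certificate-to-user-ID step above, as an added illustration that is not IBM's code and does not call initACEE: a server-side TLS context that requires a client certificate (so the TLS library itself verifies the chain and the proof of possession), followed by a lookup that turns the verified certificate into a user ID and a stand-in security context. The inputs use the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the mapping policy (an exact issuer-plus-serial registration first, then the most specific subject-name filter) and all names, DNs and user IDs are assumptions for this example, not RACF's actual algorithm or RACDCERT syntax.

```python
"""Map a verified TLS client certificate to a user ID before building a
security context. Added example, not IBM's code: the mapping policy here
(exact issuer+serial registration first, then the most specific name filter)
is an assumption for illustration, not RACF's algorithm or RACDCERT syntax."""
import ssl
from dataclasses import dataclass, field
from typing import Optional


def make_server_context(certfile: str, keyfile: str, cafile: str) -> ssl.SSLContext:
    """Server TLS context that demands a client certificate. The TLS library
    checks the chain against cafile and the CertificateVerify signature (the
    proof of possession); the application never re-checks that signature, so
    CERT_REQUIRED is what makes the presented identity trustworthy.
    The file paths are placeholders supplied by the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def dn_to_string(rdns) -> str:
    """Render getpeercert() RDN tuples (listed root-first) as a comma-joined
    string with the most specific component first, e.g. 'CN=x,OU=y,O=z,C=US'."""
    short = {"countryName": "C", "organizationName": "O",
             "organizationalUnitName": "OU", "commonName": "CN"}
    parts = []
    for rdn in reversed(rdns):
        parts.append("+".join(f"{short.get(t, t)}={v}" for t, v in rdn))
    return ",".join(parts)


@dataclass
class CertRegistry:
    # (issuer DN, serial) -> user ID: one specific certificate registered to a user
    exact: dict = field(default_factory=dict)
    # (issuer DN, subject DN suffix, user ID): many certificates -> one user ID
    filters: list = field(default_factory=list)


def map_cert_to_userid(peercert: dict, registry: CertRegistry) -> Optional[str]:
    """Return the user ID for a verified client certificate, or None."""
    if not peercert:
        # getpeercert() returns {} when the TLS layer did not validate a peer
        # certificate; there is no authenticated identity to map.
        return None
    issuer = dn_to_string(peercert["issuer"])
    subject = dn_to_string(peercert["subject"])
    serial = peercert.get("serialNumber", "").upper()
    uid = registry.exact.get((issuer, serial))
    if uid is not None:
        return uid
    best: Optional[tuple] = None
    for f_issuer, f_subject, f_uid in registry.filters:
        if f_issuer != issuer:
            continue
        # Match on whole RDN boundaries so 'O=Ex' does not match 'O=Example'.
        if subject == f_subject or subject.endswith("," + f_subject):
            if best is None or len(f_subject) > len(best[0]):
                best = (f_subject, f_uid)
    return best[1] if best else None


@dataclass(frozen=True)
class SecurityContext:
    """Stand-in for the security context (ACEE) tagged onto later units of work."""
    user_id: str
    subject_dn: str
    auth_method: str = "client-certificate"


def establish_context(peercert: dict, registry: CertRegistry) -> SecurityContext:
    """Build the security context, refusing any certificate that maps to no user."""
    uid = map_cert_to_userid(peercert, registry)
    if uid is None:
        raise PermissionError("client certificate not mapped to any user ID")
    return SecurityContext(user_id=uid, subject_dn=dn_to_string(peercert["subject"]))


# Constructed sample data in getpeercert() format (not real certificates).
ISSUER = ((("countryName", "US"),), (("organizationName", "Example Corp"),),
          (("commonName", "Example Corp Internal CA"),))
ALICE_CERT = {"subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                          (("organizationalUnitName", "Payroll"),),
                          (("commonName", "Alice Example"),)),
              "issuer": ISSUER, "serialNumber": "0A1B2C"}
BOB_CERT = {"subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                        (("organizationalUnitName", "Dev"),),
                        (("commonName", "Bob Example"),)),
            "issuer": ISSUER, "serialNumber": "0A1B2D"}
CA_DN = "CN=Example Corp Internal CA,O=Example Corp,C=US"
REGISTRY = CertRegistry(
    exact={(CA_DN, "0A1B2C"): "ALICE"},
    filters=[(CA_DN, "OU=Payroll,O=Example Corp,C=US", "PAYUSR"),
             (CA_DN, "O=Example Corp,C=US", "EMPUSR")],
)

if __name__ == "__main__":
    for cert in (ALICE_CERT, BOB_CERT, {}):
        print(map_cert_to_userid(cert, REGISTRY))
```

Two points carry over to the real environment: the application must configure the TLS layer to require and verify the client certificate, because the proof of possession is checked only there; and an empty or unverified peer certificate must yield no identity at all rather than a default user.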