SMP/E for z/OS User's Guide


Sharing a user certificate among multiple user IDs

SA23-2277-01

It is possible for multiple users to share a single user certificate obtained from ShopzSeries. To do so, you must first create a key ring, enable the CA certificate, and add the user certificate to your RACF® database as explained in the preceding topics. Assume that user ID USER1 is associated with the key ring and is the owner of the user certificate. In order to allow user ID USER2 to share the user certificate, you must give USER2 permission to read other users' key rings and certificates. You can use the following RACF commands:
 PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(USER2) ACCESS(READ)
 PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(USER2) ACCESS(UPDATE)

Permitting USER2 UPDATE access to the IRR.DIGTCERT.LISTRING resource in the FACILITY class is not a security exposure. It is true that USER2 will have the ability to read anyone's key ring. However, that only allows the ability to extract and use the certificates from the key ring. It does not allow use of the private keys associated with those certificates. Therefore, USER2 cannot masquerade as another user ID.

After USER2 has the appropriate permission, in order for USER2 to use the certificate for the SMP/E RECEIVE ORDER command, you must ensure that SMP/E finds the certificate in the correct key ring when running the command. To do this, USER2 must specify not only the key ring name, but also the user ID associated with the key ring, USER1, on the keyring attribute in the ORDERSERVER data set for the RECEIVE ORDER command as follows:
 keyring="USER1/keyringname"

See Defining the ORDERSERVER input for RECEIVE ORDER for further information about the keyring attribute and the ORDERSERVER data set.
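The following batch job is an added example, not part of this guide: it issues the two PERMIT commands above through the TSO batch program IKJEFT01, refreshes the in-storage FACILITY profiles so the new access takes effect, and then lists the resulting access list so the change can be verified before USER2 attempts a RECEIVE ORDER. The job card, the user IDs USER1 and USER2, and the key ring name keyringname are placeholders; the RACF command syntax is standard.

```jcl
//PERMRING JOB (ACCT),'SHARE KEYRING',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example (not from the SMP/E User's Guide). Submit from a
//* user ID that is authorized to administer the FACILITY class.
//* USER1 owns the key ring and certificate; USER2 is the ID that
//* will share the certificate.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Let USER2 list other users' certificates (READ) and key rings */
  /* (UPDATE). Neither grants use of another user's private key.   */
  PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(USER2) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(USER2) ACCESS(UPDATE)

  /* FACILITY is normally RACLISTed; refresh so the PERMITs take   */
  /* effect without waiting for the profiles to be reloaded.       */
  SETROPTS RACLIST(FACILITY) REFRESH

  /* Verify: both profiles should now show USER2 in the access list */
  RLIST FACILITY IRR.DIGTCERT.LIST     AUTHUSER
  RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER

  /* Confirm the ring USER2 must reference (USER1/keyringname) exists */
  /* and contains the CA and user certificates connected earlier.   */
  RACDCERT ID(USER1) LISTRING(keyringname)
/*
```

After the job completes, USER2 can confirm the permission works from a TSO session by issuing RACDCERT ID(USER1) LISTRING(keyringname); the listing should succeed and show the user certificate with USAGE(PERSONAL) and the CA certificate with USAGE(CERTAUTH). Only then should USER2 run RECEIVE ORDER with keyring="USER1/keyringname" in the ORDERSERVER data set.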





Copyright IBM Corporation 1990, 2014