AT-TLS aware application considerations

Applications that need to examine the partner's certificate can issue the SIOCTTLSCTL ioctl with request type TTLS_RETURN_CERTIFICATE to retrieve the certificate at any time while the connection is secure. Applications running under a policy whose HandshakeRole parameter is CLIENT receive the server's certificate. Applications running under a policy whose HandshakeRole parameter is ServerWithClientAuth receive the client's certificate, if the client presented one.

Applications configured with HandshakeRole ServerWithClientAuth that need to examine or use the SAF user ID associated with the certificate can issue the SIOCTTLSCTL ioctl with request type TTLS_QUERY_ONLY or TTLS_RETURN_CERTIFICATE. If a partner certificate is available on the secure connection, AT-TLS uses a RACF® service to extract the associated user ID. If no client certificate is available, or no user ID has been associated with it, the ioctl returns zero as the associated user ID length.
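The following is an added example, not IBM's code, showing how an application issues the TTLS_RETURN_CERTIFICATE request on z/OS and then interprets the returned user ID, treating the zero-length case the page describes as "no SAF identity". The TTLSi_* field names and TTLS_VERSION1 are from my recollection of the z/OS header ezbztlsc.h and must be checked against the header on your system; the stand-in struct under `#else` is constructed only so the interpretation helper compiles off-platform.

```c
/* Added example, not IBM's code. TTLSi_* field names follow my recollection of
 * the z/OS header ezbztlsc.h; check them against the header on your system. The
 * struct under #else is a constructed stand-in so the helper compiles elsewhere. */
#include <string.h>
#ifdef __MVS__
#include <sys/ioctl.h>
#include <ezbztlsc.h>   /* SIOCTTLSCTL, struct TTLS_IOCTL, TTLS_* request types */
/* Ask AT-TLS for the partner certificate plus its SAF user ID on a socket whose
 * connection is already secure. Returns the ioctl() result (-1 sets errno). */
int attls_fetch_partner(int sock, struct TTLS_IOCTL *t, char *certbuf, unsigned int len)
{
    memset(t, 0, sizeof *t);
    t->TTLSi_Ver = TTLS_VERSION1;
    t->TTLSi_Req_Type = TTLS_RETURN_CERTIFICATE;
    t->TTLSi_BufferPtr = certbuf;   /* receives the partner certificate, if any */
    t->TTLSi_BufferLen = len;
    return ioctl(sock, SIOCTTLSCTL, (char *)t);
}
#else
struct TTLS_IOCTL {                 /* constructed subset, assumption */
    unsigned int  TTLSi_Ver;
    unsigned int  TTLSi_Req_Type;
    unsigned char TTLSi_UserID_Len; /* 0: no client cert or no SAF mapping */
    char          TTLSi_UserID[8];  /* blank padded, not NUL terminated */
    char         *TTLSi_BufferPtr;
    unsigned int  TTLSi_BufferLen;
    unsigned int  TTLSi_Cert_Len;   /* certificate bytes actually returned */
};
#endif

/* Read the SAF user ID out of a TTLS_IOCTL that SIOCTTLSCTL has filled in.
 * Returns 1 and writes a trimmed, NUL-terminated ID into out (>= 9 bytes) when
 * a user ID is present; returns 0 when no usable user ID is present, which with
 * TTLSi_UserID_Len zero covers both "no client certificate" and "certificate not
 * mapped to a user ID". Zero means the partner has no SAF identity: deny or use
 * another authentication method, never treat it as an empty or default user. */
int attls_saf_userid(const struct TTLS_IOCTL *t, char *out)
{
    size_t n = t->TTLSi_UserID_Len;
    out[0] = '\0';
    if (n == 0)
        return 0;
    if (n > sizeof t->TTLSi_UserID)  /* clamp before copying */
        n = sizeof t->TTLSi_UserID;
    while (n > 0 && t->TTLSi_UserID[n - 1] == ' ')
        n--;
    memcpy(out, t->TTLSi_UserID, n);
    out[n] = '\0';
    return n > 0;
}
```

On z/OS, call attls_fetch_partner() first and, only if it returns 0, pass the same struct to attls_saf_userid(); TTLSi_Cert_Len tells you whether a certificate was actually copied into your buffer.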