z/OS Cryptographic Services PKI Services Guide and Reference


Scenario 1: Allow selected users to request certificates

SA23-2286-00

This scenario allows only selected local z/OS users to request PKI browser certificates for authenticating to z/OS®. In addition, it supplies a customized TITLE value for the subject's distinguished name based on the user's role in the organization. Permission to request the certificate, and the user's role, are indicated by the user's level of access to FACILITY class resources called PROJ.MEMBER and PROJ.PARTNER. The exit checks that access with the __check_resource_auth_np() system function, which itself requires access to the BPX.SERVER resource in the FACILITY class. The access values are as follows:
NONE
No access to either resource. The user is not permitted to request this type of certificate. The certificate request is denied.
READ to PROJ.MEMBER
The user is a team member and is permitted to request the certificate. The TITLE value is set to Team Member. Certificate requests for team members are automatically approved. (No administrator approval is required.)
UPDATE to PROJ.MEMBER
The user is the team's leader and is permitted to request the certificate. The TITLE value is set to Team Leader. A certificate request by the team leader is automatically approved. (No administrator approval is required.)
READ to PROJ.PARTNER
The user is considered to be a general partner of the team, not an active team member. The user is allowed to request certificates, but the requests require administrator approval before being issued. The TITLE value is set to Team Partner.
UPDATE to PROJ.PARTNER
The user is considered to be a trusted partner of the team, not an active team member. The user is allowed to request certificates, and unlike requests from a general partner, the certificate request is automatically approved. The TITLE value is set to Team Trusted Partner.
The preprocessing exit routine call for the GENCERT and REQCERT functions (subroutine preProcessGenReqCertExit) implements the logic described above. Here are the steps:
  • The request values are passed into the exit routine through argv as field-name=field-value pairs; the subroutine looks for the Template= and UserId= pairs in the input parameters.
  • When the exit routine finds a Template= value containing PKI Browser Certificate For Authenticating To z/OS, it calls the __check_resource_auth_np() system function with the user ID to determine the user's level of access to the PROJ.MEMBER and PROJ.PARTNER profiles. Because UPDATE access includes READ access, the exit must test for UPDATE before it tests for READ.
    • If the user has no access to either resource, return code 8 is set. This causes the request to be denied.
    • Otherwise the user's TITLE is set by writing the TITLE=title-value string to STDOUT.
  • By default, administrator approval is not required for the PKI browser certificate for authenticating to z/OS, so the exit changes the approval behavior in only one case:
    • When the user has only READ access to PROJ.PARTNER, the exit must require administrator approval. This is done by setting return code 4.
    • For all other access levels the default (automatic approval) is left unchanged.
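The decision logic above, written out as an added example (this is not IBM's sample exit code and does not run on z/OS as-is). The RACF access check is replaced by a constructed in-memory permission table so that it runs offline; on z/OS the has_access() helper would be replaced by a call to __check_resource_auth_np(). The user IDs in the table, the return-code macro names, the fail-closed handling of a missing UserId= pair, and the precedence of PROJ.MEMBER over PROJ.PARTNER for a user permitted to both are assumptions of this example, not statements from the page.

```c
#include <stdio.h>
#include <string.h>

/* Exit return codes as described in the scenario: 0 leaves the request
 * as configured, 4 forces administrator approval, 8 denies the request.
 * The macro names are this example's own. */
#define RC_OK       0
#define RC_APPROVE  4
#define RC_DENY     8

#define TARGET_TEMPLATE "PKI Browser Certificate For Authenticating To z/OS"

enum access { ACCESS_NONE = 0, ACCESS_READ = 1, ACCESS_UPDATE = 2 };

/* Constructed sample permissions standing in for the FACILITY class.
 * On z/OS the exit calls __check_resource_auth_np() instead and this
 * table does not exist. */
struct permit { const char *userid; const char *resource; enum access level; };
static const struct permit SAMPLE_PERMITS[] = {
    { "LEADER1",  "PROJ.MEMBER",  ACCESS_UPDATE },
    { "MEMBER1",  "PROJ.MEMBER",  ACCESS_READ   },
    { "PARTNER1", "PROJ.PARTNER", ACCESS_READ   },
    { "TRUSTED1", "PROJ.PARTNER", ACCESS_UPDATE },
};

/* 1 if userid holds at least 'wanted' access on resource. UPDATE implies
 * READ, as in SAF, which is why the exit tests UPDATE before READ. */
static int has_access(const char *userid, const char *resource, enum access wanted)
{
    size_t i;
    for (i = 0; i < sizeof SAMPLE_PERMITS / sizeof SAMPLE_PERMITS[0]; i++) {
        const struct permit *p = &SAMPLE_PERMITS[i];
        if (strcmp(p->userid, userid) == 0 && strcmp(p->resource, resource) == 0
            && p->level >= wanted)
            return 1;
    }
    return 0;
}

/* Find the "name=value" pair in argv and return a pointer to value, or NULL. */
static const char *arg_value(int argc, char **argv, const char *name)
{
    size_t n = strlen(name);
    int i;
    for (i = 1; i < argc; i++)
        if (strncmp(argv[i], name, n) == 0 && argv[i][n] == '=')
            return argv[i] + n + 1;
    return NULL;
}

/* Decides the request: copies the TITLE value (if any) into title and
 * returns the exit return code. Same shape as preProcessGenReqCertExit. */
int preprocess_gen_req_cert(int argc, char **argv, char *title, size_t titlelen)
{
    const char *tmpl = arg_value(argc, argv, "Template");
    const char *user = arg_value(argc, argv, "UserId");
    const char *t;
    int rc;

    title[0] = '\0';
    /* Other templates are outside this scenario: leave them untouched. */
    if (tmpl == NULL || strstr(tmpl, TARGET_TEMPLATE) == NULL)
        return RC_OK;
    /* No user ID to check: this example fails closed (an assumption). */
    if (user == NULL)
        return RC_DENY;

    if (has_access(user, "PROJ.MEMBER", ACCESS_UPDATE))       { t = "Team Leader";          rc = RC_OK; }
    else if (has_access(user, "PROJ.MEMBER", ACCESS_READ))    { t = "Team Member";          rc = RC_OK; }
    else if (has_access(user, "PROJ.PARTNER", ACCESS_UPDATE)) { t = "Team Trusted Partner"; rc = RC_OK; }
    else if (has_access(user, "PROJ.PARTNER", ACCESS_READ))   { t = "Team Partner";         rc = RC_APPROVE; }
    else return RC_DENY;   /* no access to either resource */

    snprintf(title, titlelen, "%s", t);
    return rc;
}

int main(int argc, char **argv)
{
    char title[64];
    int rc = preprocess_gen_req_cert(argc, argv, title, sizeof title);
    /* The real exit hands the TITLE back by writing this line to STDOUT. */
    if (title[0] != '\0')
        printf("TITLE=%s\n", title);
    return rc;
}
```

Run it as `./exit "Template=PKI Browser Certificate For Authenticating To z/OS" UserId=PARTNER1` and it prints TITLE=Team Partner and exits with 4; an unknown user ID exits with 8 and prints nothing. The order of the four tests is the security-relevant part: if READ on PROJ.MEMBER were tested first, every team leader would be labelled Team Member, because an UPDATE permit also satisfies a READ check.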





Copyright IBM Corporation 1990, 2014