This scenario allows only selected local z/OS users to request PKI browser certificates for authenticating to z/OS®. It also supplies a customized TITLE value for the subject's distinguished name based on the user's role in the organization. Permission and the user's role in the organization are indicated by access to the BPX.SERVER resource in the FACILITY class and by the user's level of access to the FACILITY class resources PROJ.MEMBER and PROJ.PARTNER. The access values are as follows:
- NONE: No access to either resource. The user is not permitted to request this type of certificate; the certificate request is denied.
- READ to PROJ.MEMBER: The user is a team member and is permitted to request the certificate. The TITLE value is set to Team Member. Certificate requests for team members are automatically approved (no administrator approval is required).
- UPDATE to PROJ.MEMBER: The user is the team's leader and is permitted to request the certificate. The TITLE value is set to Team Leader. A certificate request by the team leader is automatically approved (no administrator approval is required).
- READ to PROJ.PARTNER: The user is considered a general partner of the team, not an active team member. The user is allowed to request certificates, but the requests require administrator approval before being issued. The TITLE value is set to Team Partner.
- UPDATE to PROJ.PARTNER: The user is considered a trusted partner of the team, not an active team member. The user is allowed to request certificates, and unlike the general partner's requests, the certificate request is automatically approved. The TITLE value is set to Team Trusted Partner.
The preprocessing exit routine call for the GENCERT and REQCERT functions (subroutine preProcessGenReqCertExit) handles the logic described above. Here are the steps:
- The request values are passed into the exit routine through argv as field-name=field-value pairs, and the subroutine looks for Template= and UserId= in the input parameters.
- When the exit routine code finds a Template= value containing PKI Browser Certificate For Authenticating To z/OS, it calls the __check_resource_auth_np() system function for the user ID to determine the user's access to the profiles listed above.
- If the user has no authority to either of these resources, return code 8 is set. This causes the request to be denied.
- Otherwise, the user's TITLE is set by writing the TITLE=title-value string to STDOUT.
By default, administrator approval is not required for the PKI browser certificate for authenticating to z/OS.
- When the user has only READ access to PROJ.PARTNER, the function must be changed to require administrator approval. This is done by setting return code 4.
- For all other accesses, the function does not need to be changed.
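The decision logic above, as an added stand-alone C example (not the sample exit shipped with PKI Services): the argv scan, the access-to-TITLE mapping and the return codes follow the text, while the RACF check is a hypothetical callback standing in for __check_resource_auth_np(), the sample access table and user IDs are constructed, and the precedence given to PROJ.MEMBER over PROJ.PARTNER when a user holds both is an assumption.

```c
#include <stdio.h>
#include <string.h>
/* Access levels in increasing order, mirroring RACF access semantics. */
enum access_level { ACC_NONE = 0, ACC_READ = 1, ACC_UPDATE = 2 };
/* Outcome of the exit: return code handed back to PKI Services plus the TITLE. */
struct exit_decision { int rc; const char *title; };
/* Hypothetical callback standing in for __check_resource_auth_np(). */
typedef enum access_level (*access_fn)(const char *userid, const char *resource);
/* Find "Name=" among argv-style field-name=field-value pairs; NULL if absent. */
static const char *find_field(int argc, char **argv, const char *name) {
    size_t n = strlen(name);
    for (int i = 0; i < argc; i++)
        if (strncmp(argv[i], name, n) == 0) return argv[i] + n;
    return NULL;
}
/* rc 0 = leave the request as-is, 4 = require administrator approval, 8 = deny. */
struct exit_decision decide(int argc, char **argv, access_fn check) {
    struct exit_decision d = { 0, NULL };
    const char *tmpl = find_field(argc, argv, "Template=");
    const char *user = find_field(argc, argv, "UserId=");
    if (!tmpl || !user ||
        !strstr(tmpl, "PKI Browser Certificate For Authenticating To z/OS"))
        return d;                                   /* other templates: untouched */
    enum access_level member  = check(user, "PROJ.MEMBER");
    enum access_level partner = check(user, "PROJ.PARTNER");
    if (member >= ACC_UPDATE)       d.title = "Team Leader";
    else if (member >= ACC_READ)    d.title = "Team Member";
    else if (partner >= ACC_UPDATE) d.title = "Team Trusted Partner";
    else if (partner >= ACC_READ) { d.title = "Team Partner"; d.rc = 4; }
    else { d.rc = 8; return d; }                    /* no access to either: deny */
    printf("TITLE=%s\n", d.title);       /* PKI Services reads the new TITLE from STDOUT */
    return d;
}
/* Constructed sample access table so the exit can be exercised off-host. */
static enum access_level sample_check(const char *userid, const char *resource) {
    int member = strcmp(resource, "PROJ.MEMBER") == 0;
    if (!strcmp(userid, "LEAD01"))  return member ? ACC_UPDATE : ACC_NONE;
    if (!strcmp(userid, "MEMB01"))  return member ? ACC_READ   : ACC_NONE;
    if (!strcmp(userid, "PART01"))  return member ? ACC_NONE   : ACC_READ;
    if (!strcmp(userid, "TRUST01")) return member ? ACC_NONE   : ACC_UPDATE;
    return ACC_NONE;
}

/* Run the decision for one constructed user of the z/OS browser template. */
struct exit_decision decide_for_user(const char *user) {
    char uid[64]; snprintf(uid, sizeof uid, "UserId=%s", user);
    char *argv[] = { "Template=PKI Browser Certificate For Authenticating To z/OS", uid };
    return decide(2, argv, sample_check);
}
```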