z/OS Cryptographic Services PKI Services Guide and Reference

Steps for administering HostIdMappings extensions

SA23-2286-00

Perform the following steps to allow the Web server to accept logins from clients who have been issued PKI Services certificates with HostIdMappings extensions:

  1. Determine whether PKI Services is defined as a highly trusted certificate authority on your system by listing its certificate authority definition with the RACDCERT CERTAUTH LIST command.
    Example:
    RACDCERT CERTAUTH LIST(LABEL('Local PKI CA'))
    Check the Status line near the top of the output: it must show HIGHTRUST; a status of TRUST alone is not enough for the following steps.

  2. If not already defined, add the HIGHTRUST attribute to the certificate authority definition for PKI Services.
    Example:
    RACDCERT CERTAUTH ALTER(LABEL('Local PKI CA')) HIGHTRUST

  3. Define a resource in the SERVAUTH class for each server (host) name that your Web server should honor when accepting logins with certificates containing HostIdMappings extensions. The resource name has the form IRR.HOST.hostname, where hostname is the host-name portion of the HostIdMappings entry that refers to the z/OS system you are administering (the subject ID portion is omitted). This is usually a fully qualified domain name, such as plpsc.pok.ibm.com. The following example defines such a resource with no default access.
    Example:
    RDEFINE SERVAUTH IRR.HOST.PLPSC.POK.IBM.COM UACC(NONE)

  4. Permit the RACF® user ID under which your Web server runs (WEBSRV in the example) READ access to this resource. The Web server must already be defined as a RACF user.
    Example:
    PERMIT IRR.HOST.PLPSC.POK.IBM.COM CLASS(SERVAUTH) ID(WEBSRV) ACCESS(READ)

  5. Activate the SERVAUTH class, if not already active.
    Example:
    SETROPTS CLASSACT(SERVAUTH)
    If the class is already active, refresh its in-storage (RACLISTed) profiles so that the new resource and permission take effect.
    Example:
    SETROPTS RACLIST(SERVAUTH) REFRESH

Note: On a z/OS system, a HostIdMappings extension is not honored if the target user ID was created after the start of the validity period of the certificate that contains the extension. Therefore, if you are creating user IDs specifically for certificates with HostIdMappings extensions, create the user IDs before the certificate requests are submitted. Alternatively, when approving the certificate, set the date the certificate becomes valid so that it is not earlier than the date the user ID was created. For renewed certificates, all the original information is replicated in the new certificate, including the date the certificate becomes valid and any HostIdMappings. If you change a HostIdMappings extension when approving the renewed certificate, you must also set the date the certificate becomes valid so that it is not earlier than the date the user ID was created.
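The following Python script is an added example, not IBM's code and not part of this page: it is a pre-flight check for the five steps above and for the Note. It inspects a captured RACDCERT CERTAUTH LIST listing for HIGHTRUST, derives the IRR.HOST resource names from HostIdMappings entries, applies the user-ID creation-date rule, and prints the RACF commands still needed. It assumes that HostIdMappings entries are written in the PKI Services `subjectId@hostname` form, that SERVAUTH is RACLISTed, and that the listing, user IDs and dates are constructed sample data; it runs off-host and only prepares commands for review.

```python
"""Pre-flight check for a HostIdMappings setup (added example, not IBM code).

Inputs: a captured RACDCERT CERTAUTH LIST listing, the HostIdMappings entries to
honor (assumed here in the PKI Services 'subjectId@hostname' form), and the
creation dates of the mapped user IDs.  Every input below is constructed.
"""
import re
from datetime import date

# Constructed RACDCERT CERTAUTH LIST(LABEL('Local PKI CA')) output; only the
# fields this script reads are modelled, and the CA is deliberately not HIGHTRUST.
RACDCERT_LIST = """\
Digital certificate information for CERTAUTH:

  Label: Local PKI CA
  Status: TRUST
  Start Date: 2014/03/01 00:00:00
  End Date:   2024/02/28 23:59:59
"""

# 'subjectId@hostname' (assumed entry format); the host part names the resource.
HOSTID_RE = re.compile(r"^(?P<subject>[^@\s]+)@(?P<host>[A-Za-z0-9.-]+)$")


def ca_is_hightrust(listing: str) -> bool:
    """True only if the Status line of a RACDCERT listing reads HIGHTRUST."""
    m = re.search(r"^\s*Status:\s*(\S+)", listing, re.MULTILINE)
    return m is not None and m.group(1).upper() == "HIGHTRUST"


def parse_entry(hostid_entry: str):
    """Split one HostIdMappings entry into (subject ID, host name)."""
    m = HOSTID_RE.match(hostid_entry.strip())
    if m is None:
        raise ValueError(f"malformed HostIdMappings entry: {hostid_entry!r}")
    return m.group("subject"), m.group("host")


def servauth_resource(hostid_entry: str) -> str:
    """IRR.HOST.hostname for one entry: host part only, folded to upper case
    to match the profile naming used in the page's RDEFINE example."""
    return "IRR.HOST." + parse_entry(hostid_entry)[1].upper()


def mapping_honored(userid_created: date, cert_not_before: date) -> bool:
    """Rule from the Note: the mapping is ignored when the target user ID was
    created after the certificate's validity period began."""
    return userid_created <= cert_not_before


def earliest_not_before(userid_created: date, requested_not_before: date) -> date:
    """Start date to set at approval time so the mapping is honored: never
    earlier than the day the user ID was created."""
    return max(userid_created, requested_not_before)


def plan_commands(listing: str, ca_label: str, entries, webserver_id: str):
    """RACF commands (steps 2-5) still needed.  Assumes SERVAUTH is not yet
    active; on a system where it is, only the final REFRESH applies."""
    cmds = []
    if not ca_is_hightrust(listing):
        cmds.append(f"RACDCERT CERTAUTH ALTER(LABEL('{ca_label}')) HIGHTRUST")
    for res in sorted({servauth_resource(e) for e in entries}):  # one profile per host
        cmds.append(f"RDEFINE SERVAUTH {res} UACC(NONE)")
        cmds.append(f"PERMIT {res} CLASS(SERVAUTH) ID({webserver_id}) ACCESS(READ)")
    cmds.append("SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)")
    cmds.append("SETROPTS RACLIST(SERVAUTH) REFRESH")
    return cmds


def approval_report(entries, userid_created, requested_not_before: date):
    """Per entry: (subject ID, honored with the requested start date?, start
    date to use when approving so that it is honored)."""
    out = []
    for e in entries:
        subj, _host = parse_entry(e)
        created = userid_created[subj.upper()]
        out.append((subj, mapping_honored(created, requested_not_before),
                    earliest_not_before(created, requested_not_before)))
    return out


if __name__ == "__main__":
    # Constructed mappings: two users on one host, one of them on a second host.
    entries = ["JSMITH@plpsc.pok.ibm.com", "ACHEN@plpsc.pok.ibm.com",
               "JSMITH@pki2.pok.ibm.com"]
    created = {"JSMITH": date(2014, 2, 10), "ACHEN": date(2014, 3, 5)}  # constructed
    for cmd in plan_commands(RACDCERT_LIST, "Local PKI CA", entries, "WEBSRV"):
        print(cmd)
    for subj, ok, start in approval_report(entries, created, date(2014, 3, 1)):
        print(f"{subj}: {'honored' if ok else 'NOT honored'}; approve with start date {start}")
```

In the sample run, ACHEN's user ID was created on 2014-03-05, after the requested 2014-03-01 start date, so the report flags that mapping and gives 2014-03-05 as the earliest start date to set at approval, which is the adjustment the Note describes.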

See z/OS Security Server RACF Command Language Reference for details about syntax and authorization required for using the RACDCERT command.





Copyright IBM Corporation 1990, 2014