Steps for administering HostIdMappings extensions
Perform the following steps to allow the web server to accept logins from clients who have been issued PKI Services certificates with HostIdMappings extensions:
- Determine if PKI Services is defined as a highly trusted certificate authority on your system by listing its certificate authority definition by using the RACDCERT CERTAUTH LIST command. Example:
RACDCERT CERTAUTH LIST(LABEL('Local PKI CA'))
Check the Status information near the top of the output listing for the HIGHTRUST attribute.
_______________________________________________________________
- If not already defined, add the HIGHTRUST attribute to the certificate authority definition for PKI Services. Example:
RACDCERT CERTAUTH ALTER(LABEL('Local PKI CA')) HIGHTRUST
_______________________________________________________________
- Define a resource in the SERVAUTH class for each server (host) name you want your web server to honor when accepting logins for certificates containing HostIdMappings extensions. The resource name follows the format IRR.HOST.hostname. The hostname is the value of the HostIdMappings extension entry pertaining to the z/OS® host system you are administering (without the subject ID portion). This is usually a domain name, such as plpsc.pok.ibm.com. Example:
RDEFINE SERVAUTH IRR.HOST.PLPSC.POK.IBM.COM UACC(NONE)
_______________________________________________________________
- Permit your web server to access this resource with READ authority. Be sure that the web server is defined as a RACF® user. Example:
PERMIT IRR.HOST.PLPSC.POK.IBM.COM CLASS(SERVAUTH) ID(WEBSRV) ACCESS(READ)
_______________________________________________________________
- Activate the SERVAUTH class, if not already active. Example:
SETROPTS CLASSACT(SERVAUTH)
If already active, refresh the SERVAUTH class. Example:
SETROPTS CLASSACT(SERVAUTH) REFRESH
_______________________________________________________________
Note: On a z/OS system, a HostIdMappings extension is not honored if the target user ID was created after the start of the validity period for the certificate containing the HostIdMappings extension. Therefore, if you are creating user IDs specifically for certificates with HostIdMappings extensions, make sure that you create the user IDs before the certificate requests are submitted. Alternatively, when approving the certificate, you can modify the date that the certificate becomes valid so that it is not earlier than the date the user ID was created. For renewed certificates, all of the original information is replicated in the new certificate, including the date that the certificate becomes valid and any HostIdMappings. If you want to change a HostIdMappings extension when approving the renewed certificate, you must also modify the date that the certificate becomes valid so that it is not earlier than the date the user ID was created.
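The following Python helper is an added example, not part of this page or of PKI Services: it turns the host names and web server user ID from the steps above into the RACF command sequence (mirroring the example commands), and applies the date rule from the Note so an administrator can check a request before approving it. The CA label, host name, user ID and dates are constructed sample values.

```python
from datetime import date


def host_resource_name(hostname: str) -> str:
    """SERVAUTH resource for one HostIdMappings host name: IRR.HOST.<hostname>.

    The caller passes the host name only (subject ID portion already removed);
    RACF resource names are upper case, so the host name is folded here.
    """
    host = hostname.strip().rstrip(".")
    if not host or any(c.isspace() for c in host):
        raise ValueError(f"not a usable host name: {hostname!r}")
    return f"IRR.HOST.{host.upper()}"


def racf_commands(ca_label: str, hostnames, websrv_user: str) -> list:
    """Command sequence for the steps above, in the order they are performed."""
    cmds = [f"RACDCERT CERTAUTH ALTER(LABEL('{ca_label}')) HIGHTRUST"]
    for name in hostnames:
        resource = host_resource_name(name)
        cmds.append(f"RDEFINE SERVAUTH {resource} UACC(NONE)")
        cmds.append(f"PERMIT {resource} CLASS(SERVAUTH) ID({websrv_user.upper()}) ACCESS(READ)")
    # If SERVAUTH is already active, issue the refresh from the last step instead.
    cmds.append("SETROPTS CLASSACT(SERVAUTH)")
    return cmds


def mapping_honored(user_created: date, cert_valid_from: date) -> bool:
    """Rule from the Note: the extension is not honored when the target user ID
    was created after the start of the certificate's validity period."""
    return user_created <= cert_valid_from


def adjusted_valid_from(user_created: date, requested_valid_from: date) -> date:
    """When approving (or renewing) a request, move the start of validity so it
    is not earlier than the date the user ID was created."""
    return max(user_created, requested_valid_from)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    for cmd in racf_commands("Local PKI CA", ["plpsc.pok.ibm.com"], "websrv"):
        print(cmd)
    created, valid_from = date(2024, 3, 1), date(2024, 2, 1)
    print(mapping_honored(created, valid_from), adjusted_valid_from(created, valid_from))
```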
See z/OS Security Server RACF Command Language Reference for details about the syntax and the authorization required to use the RACDCERT command.