Steps for administering HostIdMappings extensions

Perform the following steps to allow the web server to accept logins from clients who have been issued PKI Services certificates with HostIdMappings extensions:

  1. Determine if PKI Services is defined as a highly trusted certificate authority on your system by listing its certificate authority definition by using the RACDCERT CERTAUTH LIST command.
    Example:
    RACDCERT CERTAUTH LIST(LABEL('Local PKI CA'))
    Check the Status information near the top of the output listing for the HIGHTRUST attribute.

  2. If not already defined, add the HIGHTRUST attribute to the certificate authority definition for PKI Services.
    Example:
    RACDCERT CERTAUTH ALTER(LABEL('Local PKI CA')) HIGHTRUST

  3. Define a resource in the SERVAUTH class for each server (host) name you want your web server to honor when accepting logins for certificates containing HostIdMappings extensions. The resource name follows the format IRR.HOST.hostname. The hostname is the value of the HostIdMappings extension entry pertaining to the z/OS® host system you are administering (without the subject ID portion). This is usually a domain name, such as plpsc.pok.ibm.com. The following example defines such a resource.
    Example:
    RDEFINE SERVAUTH IRR.HOST.PLPSC.POK.IBM.COM UACC(NONE)

  4. Permit your web server to access this resource with READ authority. Be sure that the web server is defined as a RACF® user.
    Example:
    PERMIT IRR.HOST.PLPSC.POK.IBM.COM CLASS(SERVAUTH) ID(WEBSRV) ACCESS(READ)

  5. Activate the SERVAUTH class, if not already active.
    Example:
    SETROPTS CLASSACT(SERVAUTH)
    If already active, refresh the SERVAUTH class so that the new profile takes effect. (SETROPTS REFRESH must be paired with RACLIST; a refresh on CLASSACT alone is not accepted.)
    Example:
    SETROPTS RACLIST(SERVAUTH) REFRESH

Note: On a z/OS system, a HostIdMappings extension is not honored if the target user ID was created after the start of the validity period for the certificate containing the HostIdMappings extension. Therefore, if you are creating user IDs specifically for certificates with HostIdMappings extensions, make sure that you create the user IDs before the certificate requests are submitted. Alternatively, when approving the certificate, you can modify the date that the certificate becomes valid so that it is not earlier than the date the user ID was created. For renewed certificates, all of the original information is replicated in the new certificate, including the date that the certificate becomes valid and any HostIdMappings. If you want to change a HostIdMappings extension when approving the renewed certificate, you must also modify the date that the certificate becomes valid so that it is not earlier than the date the user ID was created.
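The following preflight script is an added example, not IBM code. It takes the HostIdMappings entries a certificate will carry, derives the IRR.HOST.hostname SERVAUTH resource for each one, emits the RDEFINE and PERMIT commands from steps 3 and 4, and applies the rule in the Note above: a mapping is only honored when the target user ID was created no later than the start of the certificate's validity period. The host names (other than plpsc.pok.ibm.com, which appears on this page), user IDs and dates are constructed sample data, and the web server user ID WEBSRV is the one used in step 4.

```python
"""Preflight for HostIdMappings logins on RACF (added example, not IBM's code)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HostIdMapping:
    host_name: str   # domain-name part of the extension entry (no subject ID)
    subject_id: str  # RACF user ID the certificate maps to on that host


def servauth_resource(host_name: str) -> str:
    """Resource name from step 3: IRR.HOST.hostname, folded to uppercase."""
    return "IRR.HOST." + host_name.upper()


def admin_commands(host_name: str, web_server_id: str) -> list[str]:
    """RDEFINE/PERMIT commands from steps 3 and 4 for one host name."""
    resource = servauth_resource(host_name)
    return [
        f"RDEFINE SERVAUTH {resource} UACC(NONE)",
        f"PERMIT {resource} CLASS(SERVAUTH) ID({web_server_id}) ACCESS(READ)",
    ]


def mapping_honored(user_created: str, cert_not_before: str) -> bool:
    """Rule from the Note: not honored if the user ID was created after the
    start of the validity period (ISO dates, e.g. '2024-03-01')."""
    return date.fromisoformat(user_created) <= date.fromisoformat(cert_not_before)


def required_not_before(user_created: str, requested_not_before: str) -> str:
    """Earliest 'valid from' date an approver can keep so the mapping is honored."""
    created = date.fromisoformat(user_created)
    requested = date.fromisoformat(requested_not_before)
    return max(created, requested).isoformat()


def preflight(mappings, this_host, cert_not_before, user_created, web_server_id):
    """Check the entry for this z/OS host and return the outcome plus commands.

    user_created maps RACF user ID -> creation date (ISO string).
    """
    for m in mappings:
        if m.host_name.lower() != this_host.lower():
            continue  # entries for other hosts are not evaluated on this system
        created = user_created.get(m.subject_id)
        if created is None:
            return {"resource": servauth_resource(m.host_name), "honored": False,
                    "reason": f"user ID {m.subject_id} does not exist",
                    "commands": admin_commands(m.host_name, web_server_id)}
        honored = mapping_honored(created, cert_not_before)
        reason = ("ok" if honored else
                  f"user ID created {created}, after validity start {cert_not_before}; "
                  f"set 'valid from' to {required_not_before(created, cert_not_before)}")
        return {"resource": servauth_resource(m.host_name), "honored": honored,
                "reason": reason, "commands": admin_commands(m.host_name, web_server_id)}
    return {"resource": None, "honored": False,
            "reason": f"no HostIdMappings entry for {this_host}", "commands": []}


# Constructed sample input: two mapping entries, one for this host.
SAMPLE_MAPPINGS = [
    HostIdMapping("plpsc.pok.ibm.com", "JSMITH"),
    HostIdMapping("host2.example.com", "JSMITH"),
]
SAMPLE_USER_CREATED = {"JSMITH": "2024-03-01"}  # constructed creation date


if __name__ == "__main__":
    result = preflight(SAMPLE_MAPPINGS, "plpsc.pok.ibm.com", "2024-02-15",
                       SAMPLE_USER_CREATED, "WEBSRV")
    print(result["resource"], result["honored"], result["reason"])
    print("\n".join(result["commands"]))
```

In the sample run the certificate's requested validity starts 2024-02-15 but the user ID was created 2024-03-01, so the script reports the mapping as not honored and suggests 2024-03-01 as the earliest acceptable "valid from" date, which is the adjustment the Note describes for both new and renewed certificates.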

See z/OS Security Server RACF Command Language Reference for details about syntax and authorization that is required for using the RACDCERT command.