You can optionally use client certificates with SSL to allow the server to authenticate the client during the SSL handshake.
A client certificate can be used with or without another authentication mechanism such as a user ID and password. When a client certificate has been authenticated, it can be made available on each ECI and web service request, and the Gateway daemon can use it to authorize the request. This is achieved by mapping the certificate to an External Security Manager (ESM) user ID.
To enable the Gateway daemon to retrieve a user ID associated with a client certificate, client authentication must be enabled on the SSL or HTTPS protocol handler in the Gateway daemon using the clientauth=esmuserid property. To run the CICS® transaction under the ESM user ID that has been mapped to the client certificate, ensure that the CICS connection has been defined with Attachsec set to Identify.
For more information on certificate mapping, see the IBM® Redpaper™ J2C Security on z/OS®.