SSL enables the application to prompt the client user to select a certificate from a list during the client authentication process in the SSL handshake. This is accomplished with a registered callback routine that is invoked from inside the gsk_secure_socket_init() function call. This topic provides an overview of that code.
The client application code must provide these functions:
- Register a standard C linkage callback routine using the gsk_attribute_set_callback() function call.
- Implement the callback routine, which performs these functions:
  - Get the list of available certificates using the gsk_attribute_get_data() function call with the GSK_DATA_ID_SUPPORTED_KEYS option. This returns a list of labels from the key database file, SAF key ring, or z/OS® PKCS #11 token.
  - Display the list of labels to the user.
  - Prompt the user to select a label from the list.
  - Set the label to be used with a gsk_attribute_set_buffer() function call with the GSK_KEYRING_LABEL option.
  - Return to SSL with the return value set to indicate that client authentication is to be used.
  - If the user elects not to use any of the certificates in the list, return with the return value set to skip client authentication. No certificate is sent to the partner, but the SSL handshake completes; the server decides whether to continue or close the connection.
  - Optionally, the application can display certificate information using the gsk_get_cert_by_label() function call.
  - Optionally, the application can use the gsk_attribute_get_data() function call with the GSK_DATA_ID_SERVER_ISSUERS option to display the list of server signer certificates.
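As an added illustration, not IBM's code or the System SSL API, the following C program models the callback's selection logic described above: the label list, the user's choice, the label recorded through a hypothetical set_keyring_label() standing in for gsk_attribute_set_buffer() with GSK_KEYRING_LABEL, and the use/skip outcome. The return constants and the label list are constructed, since the page does not name System SSL's actual values.

```c
#include <stdio.h>
#include <string.h>

/* The page does not name System SSL's return constants; these are constructed. */
enum cert_choice { CERT_SKIP_CLIENT_AUTH = 0, CERT_USE_CLIENT_AUTH = 1 };

/* Hypothetical stand-in for gsk_attribute_set_buffer() with GSK_KEYRING_LABEL:
 * it only records the label the handshake would use. Not the System SSL API. */
static char g_selected_label[128];
static int set_keyring_label(const char *label)
{
    if (strlen(label) >= sizeof g_selected_label)
        return -1;                 /* refuse an oversized label, never truncate */
    strcpy(g_selected_label, label);
    return 0;
}
const char *selected_label(void) { return g_selected_label; }

/* Display step: the numbered menu the user picks from (0 = no certificate). */
void show_labels(const char *const *labels, size_t count)
{
    printf("Select a client certificate (0 = none):\n");
    for (size_t i = 0; i < count; i++)
        printf("  %zu) %s\n", i + 1, labels[i]);
}

/* Core of the callback: given the labels returned for GSK_DATA_ID_SUPPORTED_KEYS
 * and the user's 1-based choice, set the label and report the outcome. An empty
 * list, a choice of 0, or a choice outside the list sends no certificate, so the
 * handshake never proceeds with a label that was not actually offered. */
enum cert_choice choose_client_cert(const char *const *labels, size_t count,
                                    unsigned choice)
{
    g_selected_label[0] = '\0';
    if (count == 0 || choice == 0 || choice > count)
        return CERT_SKIP_CLIENT_AUTH;
    if (set_keyring_label(labels[choice - 1]) != 0)
        return CERT_SKIP_CLIENT_AUTH;
    return CERT_USE_CLIENT_AUTH;
}

int main(void)
{
    /* Constructed label list standing in for the key ring contents. */
    static const char *const labels[] = { "ClientCertA", "ClientCertB" };
    show_labels(labels, 2);
    enum cert_choice r = choose_client_cert(labels, 2, 2);   /* user picks 2 */
    printf("%s, label '%s'\n", r == CERT_USE_CLIENT_AUTH ? "use" : "skip", selected_label());
    return 0;
}
```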