Associating a RACF user ID with a certificate

The client certificate can only be used to determine the user ID for the CICS® transaction if the certificate is associated with a RACF® user ID.

You can associate a certificate with a RACF user ID in two ways:
  • Users can register their certificates online through their web browser program. You enable clients to register their certificates themselves by specifying AUTHENTICATE(AUTOREGISTER) on the TCPIPSERVICE definition. Users connecting to CICS through such a TCPIPSERVICE must have a client certificate. If that certificate is already registered to a user ID, then that user ID is used; if not, the client is prompted for a user ID and password with HTTP basic authentication. If the client then enters a valid user ID and password, that user ID is registered to the certificate, and the client will not be prompted for a password again. The rules are summarized in Identifying HTTP users.

    Once a certificate has been registered in this way, it can be used for all inbound TCP/IP connections.

  • You can use the RACDCERT command. If you do not want to allow your clients to register their own certificates, you must register them with the RACDCERT command. Before executing RACDCERT, you must download the certificate that you want to process into an MVS™ sequential file with RECFM=VB that is accessible from TSO. The syntax of RACDCERT is:
    RACDCERT ADD('datasetname') TRUST [ ID(userid) ] 
    where datasetname is the name of the data set containing the client certificate, and userid is the user ID that is to be associated with the certificate. If the optional ID(userid) parameter is omitted, the certificate is associated with the user issuing the RACDCERT command.

You can add certificate information for your own user ID if you have READ access to the IRR.DIGTCERT.ADD profile in the FACILITY class. You can add certificate information for other user IDs if you have UPDATE access to the IRR.DIGTCERT.ADD profile in the FACILITY class or if you have RACF SPECIAL authority.
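As an added worked example, not taken from this page or from the product documentation, the batch job below runs the RACDCERT steps above under TSO: it grants the registering user the FACILITY-class access described above, inspects the downloaded certificate before trusting it, associates it with a user ID, and lists that user's certificates to confirm the association. The job card, the data set name CERTADM.CLIENT.CERT, the user IDs CERTADM and WEBUSR1, and the label are assumed placeholders; the PERMIT step assumes the IRR.DIGTCERT.ADD profile already exists.

```jcl
//CERTADD  JOB (ACCT),'ADD CLIENT CERT',CLASS=A,MSGCLASS=X
//* Assumed placeholders (not from the page):
//*   CERTADM.CLIENT.CERT - RECFM=VB sequential data set holding
//*                         the downloaded client certificate
//*   CERTADM             - user ID submitting this job
//*   WEBUSR1             - RACF user ID to associate with the cert
//*
//* STEP1 is a one-time administrator action: CERTADM needs UPDATE
//* on IRR.DIGTCERT.ADD in the FACILITY class to register a
//* certificate for another user ID (READ would only allow
//* registering for CERTADM itself). Assumes the profile exists.
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(CERTADM) -
    ACCESS(UPDATE)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
//* STEP2: check the certificate contents first, then add it as
//* TRUST for WEBUSR1 and list WEBUSR1's certificates to verify
//* the association and its trust status.
//STEP2    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CHECKCERT('CERTADM.CLIENT.CERT')
  RACDCERT ADD('CERTADM.CLIENT.CERT') TRUST ID(WEBUSR1) -
    WITHLABEL('WEBUSR1 CLIENT CERT')
  RACDCERT ID(WEBUSR1) LIST
/*
//
```

The CHECKCERT output shows the subject, issuer and validity dates of the certificate in the data set, so the operator can confirm it is the expected client certificate before the ADD marks it TRUST.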

For further information on the RACDCERT command, including the format of data allowed in the downloaded certificate data set, see z/OS Security Server RACF Command Language Reference.