- If the function_code indicates that a certificate is to be registered
  or deregistered, initACEE will perform the following authority checks:
  - To register a certificate with the current user ID, the caller
    must be RACF® SPECIAL or have at least READ authority to the
    IRR.DIGTCERT.ADD resource in the FACILITY class.
  - To deregister a certificate with the current user ID, the caller
    must be RACF SPECIAL or have at least READ authority to the
    IRR.DIGTCERT.DELETE resource in the FACILITY class.
  - To register a certificate as a CERTAUTH certificate, the caller
    must be RACF SPECIAL or have at least CONTROL authority to the
    IRR.DIGTCERT.ADD resource in the FACILITY class.
- If the function_code indicates that an ACEE is to be created or
a certificate is to be queried and the service determines that the
user ID to use is specified in the hostIdMappings extension of the
input certificate, the caller's authority to the IRR.HOST.(host-name) resource
in the SERVAUTH class is checked. (The value for host-name is
specified in the hostIdMappings extension.) The resource must exist
and the caller must have READ authority to it, otherwise the extension
is ignored.
Note: To determine the caller, the current TCB is checked for an ACEE.
If one is found, the authority of that user is checked. If there
is no ACEE associated with the current TCB, the ACEE associated with
the address space is used to locate the user ID.
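
The profiles these checks refer to could be set up with the RACF commands below. This is an added example, not part of the original documentation. The user IDs CERTUSR, CAADMIN and WEBSRV and the host name HOST1.EXAMPLE.COM are assumptions, and the REFRESH commands assume the FACILITY and SERVAUTH classes are RACLISTed.

```tso
RDEFINE FACILITY IRR.DIGTCERT.ADD    UACC(NONE)   /* no default access           */
RDEFINE FACILITY IRR.DIGTCERT.DELETE UACC(NONE)

PERMIT IRR.DIGTCERT.ADD    CLASS(FACILITY) ID(CERTUSR) ACCESS(READ)    /* register under own user ID   */
PERMIT IRR.DIGTCERT.DELETE CLASS(FACILITY) ID(CERTUSR) ACCESS(READ)    /* deregister under own user ID */
PERMIT IRR.DIGTCERT.ADD    CLASS(FACILITY) ID(CAADMIN) ACCESS(CONTROL) /* may register CERTAUTH certs  */
SETROPTS RACLIST(FACILITY) REFRESH

SETROPTS CLASSACT(SERVAUTH)
RDEFINE SERVAUTH IRR.HOST.HOST1.EXAMPLE.COM UACC(NONE)                 /* host name is a constructed value */
PERMIT IRR.HOST.HOST1.EXAMPLE.COM CLASS(SERVAUTH) ID(WEBSRV) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH

RLIST FACILITY IRR.DIGTCERT.ADD AUTHUSER           /* review who holds READ vs CONTROL */
RLIST SERVAUTH IRR.HOST.HOST1.EXAMPLE.COM AUTHUSER /* review who may honor the mapping */
```

Granting CONTROL on IRR.DIGTCERT.ADD only to the IDs that must register CERTAUTH certificates keeps that ability separate from ordinary self-registration. The IDs permitted here must be the ones the service will find as the caller, that is, the ACEE on the current TCB if one exists and otherwise the address space ACEE.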