Associating a Certificate with a Userid

Document ID : KB000047940
Last Modified Date : 14/02/2018
Show Technical Document Details


The CICS/RACF manual documents how a certificate is associated to a user id:

Associating a RACF user ID with a certificate

You can associate a certificate with a RACF user ID in two ways:

  1. Users can register their certificates online through their browser program. You enable clients to register their certificates themselves by specifying AUTHENTICATE(AUTOREGISTER) on the TCPIPSERVICE definition.

    Users connecting to CICS through such a TCPIPSERVICE must have a client certificate. If that certificate is already registered to a user ID, then that user ID is used; if not, the client is prompted for a user ID and password with HTTP basic authentication. If the client then enters a valid user ID and password, that user ID is registered to the certificate, and the client will not be prompted for a password again. The rules are summarized in "Identifying HTTP users" on page 244.

    Once a certificate has been registered in this way, it can be used for all inbound TCP/IP connections. For example, the same certificate can be used to authenticate and identify users of IIOP requests as well as HTTP requests.

  2. You can use the RACDCERT command. If you do not want to allow your clients to register their own certificates, you must register them with the RACDCERT command. Before executing RACDCERT, you must download the certificate that you want to process into an MVS sequential file with RECFM=VB that is accessible from TSO.

    The syntax of RACDCERT is:

    RACDCERT ADD('datasetname') TRUST [ ID(userid) ] where datasetname is the name of the data set containing the client certificate, and userid is the user ID that is to be associated with the certificate. If the optional ID (userid) parameter is omitted, the certificate is associated with the user issuing the RACDCERT command.

    What is the equivalent under CA Top Secret for number 2?


The RACF RADCERT command converted, is equivalent to a:

TSS ADD(xxxxx) DIGICERT(digicert) DCDSN('datasetname') TRUST

xxxxx - is the owning acid
digicert - is the user defined DIGICERT name.
dataset - is the dataset that contains the certificate.

Please refer to the CA Top Secret Cookbook for more details on adding certificate to CA Top Secret.