Associating a user ID with a digital certificate on z/OS
IBM MQ can use a user ID associated with a RACF certificate as a channel user ID. Associate a user ID with a certificate by installing the certificate under that user ID, or by using a Certificate Name Filter.
The method described in this topic is an alternative to the platform-independent method for associating a user ID with a digital certificate, which uses channel authentication records. For more information about channel authentication records, see Channel authentication records.
When an entity at one end of a TLS channel receives a certificate from a remote connection, the entity asks RACF if there is a user ID associated with that certificate. The entity uses that user ID as the channel user ID. If there is no user ID associated with the certificate, the entity uses the user ID under which the channel initiator is running.
Associate a user ID with a certificate in either of the following ways:
- Install that certificate into the RACF database under the user ID with which you want to associate it, as described in Adding personal certificates to a key repository on z/OS.
- Use a Certificate Name Filter (CNF) to map the Distinguished Name of the subject or issuer of the certificate to the user ID, as described in Set up a certificate name filter on z/OS.
- Set up a certificate name filter on z/OS
Use the RACDCERT command to define a certificate name filter (CNF), which maps a Distinguished Name to a user ID.
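The certificate name filter route as a command sequence. This is an added example, not taken from the IBM page: the user ID USER1, the filter label and the Distinguished Name values are constructed placeholders, and the comments use CLIST/REXX comment syntax.

```tso
/* Added example: USER1, the label and the DN values are placeholders */

/* Activate the DIGTNMAP class, which holds certificate name filters */
SETROPTS CLASSACT(DIGTNMAP) RACLIST(DIGTNMAP)

/* Map certificates with a matching subject DN and issuer DN to USER1 */
RACDCERT ID(USER1) MAP SDNFILTER('O=Example Corp.C=GB') IDNFILTER('O=Example CA.C=GB') WITHLABEL('MQ partner filter') TRUST

/* Refresh the in-storage profiles so that the new filter takes effect */
SETROPTS RACLIST(DIGTNMAP) REFRESH

/* List the filters defined for USER1 to confirm the mapping */
RACDCERT ID(USER1) LISTMAP
```

A certificate that matches no filter and is not installed under any user ID leaves the channel running under the channel initiator's user ID, so compare the LISTMAP output with the partners you expect to connect.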