Set up a certificate name filter on z/OS

Use the RACDCERT command to define a certificate name filter (CNF), which maps a Distinguished Name to a user ID.

Perform the following steps to set up a CNF.

  1. Enable CNF functions using the following command. You require update authority on the class DIGTNMAP to do this.
    SETROPTS CLASSACT(DIGTNMAP) RACLIST(DIGTNMAP)
    
  2. Define the CNF. For example:
    RACDCERT ID(USER1) MAP WITHLABEL('filter1') TRUST
    SDNFILTER('O=IBM.C=UK') IDNFILTER('O=ExampleCA.L=Internet')
    
    where USER1 is the user ID to be used when:

    • The DN of the subject has an Organization of IBM and a Country of UK.
    • The DN of the issuer has an Organization of ExampleCA and a Locality of Internet.

  3. Refresh the CNF mappings:
    SETROPTS RACLIST(DIGTNMAP) REFRESH
    

Note:

  1. If the actual certificate is stored in the RACF database, the user ID under which it is installed is used in preference to the user ID associated with any CNF. If the certificate is not stored in the RACF database, the user ID associated with the most specific matching CNF is used. Matches of the subject DN are considered more specific than matches of the issuer DN.
  2. Changes to CNFs do not apply until you refresh the CNF mappings.
  3. A DN matches the DN filter in a CNF only if the DN filter is identical to the least significant portion of the DN. The least significant portion of the DN comprises the attributes that are usually listed at the right-most end of the DN, but which appear at the beginning of the certificate.

    For example, consider the SDNFILTER 'O=IBM.C=UK'. A subject DN of 'CN=QM1.O=IBM.C=UK' matches that filter, but a subject DN of 'CN=QM1.O=IBM.L=Hursley.C=UK' does not match that filter.

    The least significant portion of some certificates can contain fields that do not match the DN filter. Consider excluding these certificates by specifying a DN pattern in the SSLPEER pattern on the DEFINE CHANNEL command.

  4. If the most specific matching CNF is defined to RACF as NOTRUST, the entity uses the user ID under which the channel initiator is running.
  5. RACF uses the '.' character as a separator. IBM MQ uses either a comma or a semicolon.

We can define CNFs to ensure that the entity never sets the channel user ID to the default, which is the user ID under which the channel initiator is running. For each CA certificate in the key ring associated with the entity, define a CNF with an IDNFILTER that exactly matches the subject DN of that CA certificate. This ensures that all certificates that the entity might use match at least one of these CNFs. This is because all such certificates must either be connected to the key ring associated with the entity, or must be issued by a CA for which a certificate is connected to the key ring associated with the entity.

Refer to the SecureWay Security Server RACF Security Administrator's Guide for more information about the commands we use to manipulate CNFs.

Parent topic: Associating a user ID with a digital certificate on z/OS