Associating a user ID with a digital certificate on z/OS
IBM MQ can use a user ID associated with a RACF® certificate as a channel user ID. Associate a user ID with a certificate by installing the certificate under that user ID, or by using a Certificate Name Filter.
The method described in this topic is an alternative to the platform-independent method for associating a user ID with a digital certificate, which uses channel authentication records. For more information about channel authentication records, see Channel authentication records.
When an entity at one end of a TLS channel receives a certificate from a remote connection, the entity asks RACF if there is a user ID associated with that certificate. The entity uses that user ID as the channel user ID. If there is no user ID associated with the certificate, the entity uses the user ID under which the channel initiator is running.
Associate a user ID with a certificate in either of the following ways:
- Install that certificate into the RACF database under the user ID with which you want to associate it, as described in Add personal certificates to a key repository on z/OS.
- Use a Certificate Name Filter (CNF) to map the Distinguished Name of the subject or issuer of the certificate to the user ID, as described in Set up a certificate name filter on z/OS.
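
The two ways listed above, sketched as RACF TSO commands. This is an added example, not taken from the linked topics; the user ID MQUSER1, the data set name, the labels and the Distinguished Name values are constructed placeholders.

```tso
/* Constructed values: MQUSER1, the data set name, the labels and  */
/* the DN filters are placeholders for illustration only.          */

/* Way 1: install the partner's certificate under the user ID      */
/* that the channel should run as.                                 */
RACDCERT ID(MQUSER1) ADD('MQADM.PARTNER.CERT') -
  WITHLABEL('Partner QM1') TRUST

/* Way 2: map subject and issuer DNs to the user ID with a         */
/* Certificate Name Filter. Filter components are separated by     */
/* periods.                                                        */
RACDCERT ID(MQUSER1) MAP -
  SDNFILTER('OU=Payments.O=Example Corp.C=GB') -
  IDNFILTER('CN=Example Issuing CA.O=Example Corp.C=GB') -
  WITHLABEL('Payments partners') TRUST

/* Filters are held in the DIGTNMAP class. Activate and RACLIST    */
/* the class once, then refresh after every filter change.         */
SETROPTS CLASSACT(DIGTNMAP) RACLIST(DIGTNMAP)
SETROPTS RACLIST(DIGTNMAP) REFRESH

/* Check what is now associated with the user ID.                  */
RACDCERT ID(MQUSER1) LIST
RACDCERT ID(MQUSER1) LISTMAP
```

A certificate that matches neither an installed certificate nor a filter runs under the channel initiator's user ID, as described above, so review the `LIST` and `LISTMAP` output after each change.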