CLIENTAUTH
Use the CLIENTAUTH keyword and parameters to specify client authentication.
Tip: You must also configure the following values in the corresponding AT-TLS policy:
- TTLSEnvironmentAction HandshakeRole ServerWithClientAuth
- TTLSEnvironmentAction -> TTLSEnvironmentAdvancedParms
  - LOCAL1 - ClientAuthType Required
  - LOCAL2 - ClientAuthType SAFCHECK
Parameters
- LOCAL1
  - Specifies that the SSL handshake process authenticates the client certificate as well as the server certificate. This check verifies that the client presents a certificate issued by a trusted certificate authority (CA).
- LOCAL2
  - Specifies that the SSL handshake process authenticates the client certificate and provides additional access control through the installation's SAF-compliant security product (for example, RACF®). The following conditions apply:
    - LOCAL2 verifies that the client certificate has an associated user ID defined to the security product. The certificate must first be defined to the security product to obtain this validation. For more information about adding certificates to RACF, see the description of the RACDCERT command in the z/OS Security Server RACF Command Language Reference.
    - For security products that support the SERVAUTH class, installations can also obtain a more granular level of access control. If the installation has activated the SERVAUTH class and provided a profile for the DCAS in the SERVAUTH class, only users specified in the profile are allowed to connect to the port. The security product profile name is specified using the following format: EZA.DCAS.sysname, where sysname is the name of the MVS™ system image.
Tip: Client certificate refers to the certificate presented by the DCAS client, which is one of the following:
- TN3270 middle-tier server in the case of the IBM® Express Logon Feature (ELF)
- Host on Demand (HoD) or HATS for WebExpress Logon
- The client connecting to DCAS for other enhanced logon solutions
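An added configuration example (not from the IBM documentation) that ties the CLIENTAUTH LOCAL2 description and the SERVAUTH profile description together: the DCAS keyword, the matching AT-TLS policy statements, and the RACF definitions that map the client certificate to a user ID and restrict the DCAS port through the EZA.DCAS.sysname profile. The system name SYS1, the user ID TN3270SV, the key ring DCASRING, the port 8990, the data set holding the client certificate, and READ as the required access level are all assumed placeholders.

```conf
# --- 1. DCAS configuration file: request LOCAL2 client authentication
CLIENTAUTH LOCAL2

# --- 2. AT-TLS policy: server-side handshake with client authentication and
#        a SAF check of the client certificate (ClientAuthType SAFCHECK).
#        For CLIENTAUTH LOCAL1 use "ClientAuthType Required" instead.
TTLSRule                          DCASServerRule
{
  LocalPortRange                  8990          # assumed DCAS listening port
  Direction                       Inbound
  TTLSGroupActionRef              DCASGroup
  TTLSEnvironmentActionRef        DCASEnv
}
TTLSGroupAction                   DCASGroup
{
  TTLSEnabled                     On
}
TTLSEnvironmentAction             DCASEnv
{
  HandshakeRole                   ServerWithClientAuth
  TTLSKeyringParmsRef             DCASKeyring
  TTLSEnvironmentAdvancedParmsRef DCASAdv
}
TTLSKeyringParms                  DCASKeyring
{
  Keyring                         DCASRING      # assumed SAF key ring name
}
TTLSEnvironmentAdvancedParms      DCASAdv
{
  ClientAuthType                  SAFCHECK
}

# --- 3. RACF commands (entered in TSO); the '#' lines are annotations only.
#        Associate the client certificate with user ID TN3270SV so that the
#        SAFCHECK performed for LOCAL2 finds a defined user ID.
RACDCERT ID(TN3270SV) ADD('TN3270SV.CLIENT.CERT') WITHLABEL('DCAS client') TRUST
#        Restrict the DCAS port on system SYS1 to explicitly permitted users.
RDEFINE SERVAUTH EZA.DCAS.SYS1 UACC(NONE)
PERMIT EZA.DCAS.SYS1 CLASS(SERVAUTH) ID(TN3270SV) ACCESS(READ)
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
SETROPTS RACLIST(SERVAUTH) REFRESH
```

With UACC(NONE) on the profile, a client whose certificate maps to a user ID that is not permitted fails the connection even though its certificate chains to a trusted CA, which is the extra control LOCAL2 adds over LOCAL1.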