CLIENTAUTH

Use the CLIENTAUTH keyword and parameters to specify client authentication.

Tip: You must also configure the following values in the corresponding AT-TLS policy:
  • TTLSEnvironmentAction HandshakeRole ServerWithClientAuth
  • TTLSEnvironmentAction -> TTLSEnvironmentAdvancedParms
    • LOCAL1 - ClientAuthType Required
    • LOCAL2 - ClientAuthType SAFCHECK
Syntax:

  CLIENTAUTH {LOCAL1 | LOCAL2}

The default is LOCAL2.

Parameters

LOCAL1
Specifies that the SSL handshake process authenticates the client certificate as well as the server certificate. This check verifies that the client's certificate was issued by a trusted certificate authority (CA).
LOCAL2
Specifies that the SSL handshake process authenticates the client certificate and provides additional access control through the installation's SAF-compliant security product (for example, RACF®). The following conditions apply:
  • LOCAL2 verifies the client certificate has an associated user ID defined to the security product. The certificate must first be defined to the security product to obtain this validation. For more information about adding certificates to RACF, see the description of the RACDCERT command in the z/OS Security Server RACF Command Language Reference.
  • For security products that support the SERVAUTH class, installations can also obtain a more granular level of access control. If the installation has activated the SERVAUTH class and provided a profile for the DCAS in the SERVAUTH class, only users specified in the profile are allowed to connect to the port. The security product profile name is specified using the following format:
    EZA.DCAS.sysname 
    where sysname is the name of the MVS™ system image.
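Added example (not part of the IBM documentation): one consistent pairing of the DCAS CLIENTAUTH setting, the AT-TLS policy statements named in the tip above, and the RACF definitions that the LOCAL2 checks rely on. The statement names DCASEnv, DCASAdvParms, DCASKeyring, DCASRing, the user ID DCASCLNT, the data set DCAS.CLIENT.CERT and the system name SYS1 are assumed placeholders; the lines beginning with # are annotations (valid comments in the AT-TLS policy file, but not part of RACF command syntax).

```text
# --- DCAS configuration: authenticate the client certificate and map it to a RACF user ID
CLIENTAUTH LOCAL2

# --- AT-TLS policy (Policy Agent): the DCAS server side of the handshake
TTLSEnvironmentAction             DCASEnv
{
  # DCAS acts as the TLS server and requires a certificate from the client
  HandshakeRole                   ServerWithClientAuth
  TTLSKeyringParmsRef             DCASKeyring
  TTLSEnvironmentAdvancedParmsRef DCASAdvParms
}

TTLSEnvironmentAdvancedParms      DCASAdvParms
{
  # SAFCHECK pairs with CLIENTAUTH LOCAL2: the certificate must map to a user ID.
  # For CLIENTAUTH LOCAL1 use "ClientAuthType Required" (trusted CA check only).
  ClientAuthType                  SAFCHECK
}

TTLSKeyringParms                  DCASKeyring
{
  # Key ring holding the DCAS server certificate and the trusted client CA certificate
  Keyring                         DCASRing
}

# --- RACF (TSO commands): associate the client certificate with a user ID (RACDCERT)
RACDCERT ID(DCASCLNT) ADD('DCAS.CLIENT.CERT') WITHLABEL('DCAS Client') TRUST

# --- RACF: optional SERVAUTH profile EZA.DCAS.sysname restricting who may connect
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
RDEFINE SERVAUTH EZA.DCAS.SYS1 UACC(NONE)
PERMIT EZA.DCAS.SYS1 CLASS(SERVAUTH) ID(DCASCLNT) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH
```

With UACC(NONE) on the SERVAUTH profile, a client whose certificate maps to a user ID that is not permitted to EZA.DCAS.SYS1 completes the TLS handshake but is refused by DCAS, so a connection refusal for a trusted certificate should be checked against the profile's access list before the certificate itself.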
Tip: In this context, the client certificate is the certificate presented by the DCAS client, which is one of the following:
  • TN3270 middle-tier server in the case of the IBM® Express Logon Feature (ELF)
  • Host on Demand (HoD) or HATS for WebExpress Logon
  • The client connecting to DCAS for other enhanced logon solutions