Certificate Authority (CA) validation

Part of the certificate validation process beholds checking that the certificate was signed by a Certificate Authority (CA) you trust. In order to do so, RSE daemon must have access to a certificate that identifies the CA.

When using the gskkyman key database for your SSL connection, the CA certificate must be added to the key database.

When using a SAF key ring (which is the advised method), you must add the CA certificate to your security database as a CERTAUTH certificate with the TRUST or HIGHTRUST attribute, as shown in this sample RACF command.
RACDCERT CERTAUTH ADD(dsn) HIGHTRUST WITHLABEL( label )
Note that most security products already have the certificates for well known CA's available in their database with a NOTRUST status. Use the following sample RACF commands to list the existing CA certificates and mark one as trusted based on the label assigned to it.
RACDCERT CERTAUTH LIST 
RACDCERT CERTAUTH ALTER(LABEL('HighTrust CA')) HIGHTRUST
Note: The HIGHTRUST status is required if you rely on RACF authenticating the user based upon the HostIdMappings extension in the certificate. Refer to Authentication by your security software for more information.
Once the CA certificate is added to your security database, it must be connected to the RSE key ring, as shown in this sample RACF command:
RACDCERT ID(stcrse) CONNECT(CERTAUTH LABEL('HighTrust CA') +
  RING(rdzssl.racf))

Refer to Security Server RACF Command Language Reference (SA22-7687) for more information on the RACDCERT command.

Attention: If you rely on RSE daemon instead of your security software to authenticate a user, you must be cautious not to mix CA's with a TRUST and HIGHTRUST status. RSE daemon is not able to differentiate between the two, so certificates signed by a CA with TRUST status will be valid for user ID authentication purposes. See Authentication by RSE daemon for more information on using RSE daemon for the authentication step.