Part of the certificate validation process involves checking that the certificate
was signed by a Certificate Authority (CA) that you trust. In order to do so, RSE
daemon must have access to a certificate that identifies the CA.
When using the gskkyman key database for your SSL connection, the
CA certificate must be added to the key database.
When using a SAF key ring (which is the advised method), you must add the
CA certificate to your security database as a CERTAUTH certificate with the
TRUST or HIGHTRUST attribute, as shown in this sample RACF command.
RACDCERT CERTAUTH ADD(dsn) HIGHTRUST WITHLABEL( label )
Note that most security products already have the certificates for well-known
CAs available in their database with a NOTRUST status. Use the following
sample RACF commands to list the existing CA certificates and mark one as
trusted based on the label assigned to it.
RACDCERT CERTAUTH LIST
RACDCERT CERTAUTH ALTER(LABEL('HighTrust CA')) HIGHTRUST
Note: The HIGHTRUST status is required if you rely on RACF authenticating
the user based upon the HostIdMappings extension in the certificate. Refer
to Authentication by your security software for more information.
Once the CA certificate is added to your security database, it must be
connected to the RSE key ring, as shown in this sample RACF command:
RACDCERT ID(stcrse) CONNECT(CERTAUTH LABEL('HighTrust CA') +
RING(rdzssl.racf))
Refer to Security Server RACF Command Language Reference (SA22-7687)
for more information on the RACDCERT command.
Attention: If you rely on RSE daemon instead of your security
software to authenticate a user, you must be cautious not to
mix CAs with a TRUST and HIGHTRUST status. RSE daemon is not able to differentiate
between the two, so certificates signed by a CA with TRUST status will be
valid for user ID authentication purposes. See Authentication by RSE daemon for
more information on using RSE daemon for the authentication step.
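The check that follows from the attention note above, as an added example that is not part of this manual or the RSE product: it parses the output of RACDCERT CERTAUTH LIST and RACDCERT LISTRING and reports any CA connected to the RSE key ring whose status is not HIGHTRUST. The two command outputs are constructed samples; the "Label:" / "Status:" layout and the LISTRING column layout are assumptions, as are the user ID stcrse and the ring name rdzssl.racf taken from the commands above.

```python
import re

# Constructed sample of RACDCERT CERTAUTH LIST output (only the fields used).
CERTAUTH_LIST = """\
Digital certificate information for CERTAUTH:

  Label: HighTrust CA
  Status: HIGHTRUST

  Label: Vendor Root CA
  Status: TRUST

  Label: Unused Root CA
  Status: NOTRUST
"""

# Constructed sample of RACDCERT ID(stcrse) LISTRING(rdzssl.racf) output.
RING_LIST = """\
Digital ring information for user STCRSE:

  Ring:
       >rdzssl.racf<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  RSE server cert                    ID(STCRSE)     PERSONAL     YES
  HighTrust CA                       CERTAUTH       CERTAUTH     NO
  Vendor Root CA                     CERTAUTH       CERTAUTH     NO
"""

def parse_certauth_status(text):
    """Map each CERTAUTH certificate label to its TRUST/HIGHTRUST/NOTRUST status."""
    status, label = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Label:\s*(.+?)\s*$", line)
        if m:
            label = m.group(1)
            continue
        m = re.match(r"\s*Status:\s*(\S+)", line)
        if m and label is not None:
            status[label] = m.group(1)
            label = None
    return status

def ring_certauth_labels(text):
    """Return the labels of CERTAUTH certificates connected to the ring."""
    return [m.group(1) for m in
            (re.match(r"\s*(.+?)\s{2,}CERTAUTH\s+CERTAUTH\s+", l) for l in text.splitlines()) if m]

def audit_ring(ring_text, certauth_text):
    """Return (label, status) for every ring CA that is not HIGHTRUST.

    A CA at TRUST is accepted by RSE daemon exactly like a HIGHTRUST one,
    so any entry reported here weakens user ID authentication by RSE daemon.
    """
    status = parse_certauth_status(certauth_text)
    return [(lbl, status.get(lbl, "UNKNOWN")) for lbl in ring_certauth_labels(ring_text)
            if status.get(lbl) != "HIGHTRUST"]

if __name__ == "__main__":
    for lbl, st in audit_ring(RING_LIST, CERTAUTH_LIST):
        print(f"CA '{lbl}' is connected to the ring with status {st}; expected HIGHTRUST")
```

Run it against the real command output captured from TSO; an empty result means every CA in the ring carries HIGHTRUST.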