Developer for System z can do basic X.509 certificate authentication without relying on your security product. Authentication done by RSE daemon requires a user ID and host name to be defined in a certificate extension, and is only activated if the enable.certificate.mapping directive in rsed.envvars is set to FALSE.
This function is intended to be used if your security product does not support authenticating a user based upon a X.509 certificate, or if your certificate would fail the test(s) done by your security product (for example, it has a faulty identifier for the HostIdMappings extension and there is no name filter or definition in DIGTCERT).
The client will query the user for the extension identifier (OID) to use, which is by default the HostIdMappings OID, {1 3 18 0 2 18 1}.
RSE daemon will extract the user ID and host name from it using the format of the HostIdMappings extension. This format is described in Authentication by your security software.