
I am using z/OS RACF as the security registry in Liberty on z, with SSL configured and client authentication required. The handshake works well, but it failed to get a userID from the certificate. From https://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_sec_clientcert.html:

Step 6: Make sure any client certificates used for client authentication are mapped to a user identity in your registry.

For the basic registry, the user identity is the common name (CN) from the distinguished name (DN) of the certificate. For a Lightweight Directory Access Protocol (LDAP) registry, the DN from the client certificate must be in the LDAP registry.

Basic registry and LDAP are described, but what happens when I use RACF as my Liberty security registry? From the test, it's not working; the userid cannot be obtained.

Does anybody know whether it is supported and, if so, how to get the userid from the cert?

FENG Yan
  • Do your users have their client certificates mapped to their RACF identities with e.g. RACDCERT ... MAP(...) ... SDNFILTER(...)? You can verify with "RACDCERT ID(YOURUSER) listmap" – covener Jun 13 '17 at 11:56
  • Thanks for this reminder! I will add the mapping and try again. – FENG Yan Jun 14 '17 at 06:12

0 Answers