Client authentication and authorization

Overview

The authentication and authorization modes used by the BSA CI depend on the selected runtime mode: NOSSL, SSL, or SSLAUTH.

Runtime modes SSL and NOSSL

In runtime modes SSL and NOSSL, authentication through BSA CI always takes place in the product STC by means of a RACF call. The installation of the logon security exit B02UXSIN determines how the RACF call works. For more information on B02UXSIN, see "BSA TCP/IP server logon exit (B02UXSIN)".

The exit must be activated in the product STC. To do this, specify UXSIN=B02UXSIN in the BnnSSIxx LST member of the product STC. For more information on the UXSIN parameter, see "SSI parameters".

Runtime mode SSLAUTH

In runtime mode SSLAUTH, there are two ways to check client authentication (logon to the Beta Systems product / z/OS) and authorization:

  • Mapping and authentication (logon) of the user ID as defined in the z/OS security system, based on the assignment of the certificate to a user ID in the security system.
  • Automatic mapping and authentication (logon) of the user ID defined in the certificate by means of certificate extension HostIdMapping (OID: 1 3 18 0 2 18 1) against the user ID defined in the z/OS security system. HostIdMapping is an IBM extension.
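
To make the second option concrete, the following Python code is an added example (not part of the Beta Systems documentation or product) that decodes the inner DER value of a HostIdMapping extension and lists the user IDs a certificate claims for a given host, which is useful when auditing client certificates before enabling SSLAUTH. The ASN.1 layout in the comments, the function names, the case-insensitive host comparison, and the sample bytes are assumptions made for this example.

```python
# Assumed ASN.1 layout (not given on this page):
#   HostIdMappings ::= SET OF HostIdMapping
#   HostIdMapping  ::= SEQUENCE { hostName [1] IMPLICIT IA5String, subjectId [2] IMPLICIT IA5String, ... }
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for each element packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def parse_host_id_mappings(ext_value):
    """Return [(hostName, subjectId), ...] from the extension's inner DER value."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x31 or end != len(ext_value):
        raise ValueError("expected exactly one SET OF HostIdMapping")
    mappings = []
    for tag, seq in children(body):
        fields = list(children(seq)) if tag == 0x30 else []
        if len(fields) < 2 or fields[0][0] != 0x81 or fields[1][0] != 0x82:
            raise ValueError("malformed HostIdMapping entry")
        mappings.append((fields[0][1].decode("ascii"), fields[1][1].decode("ascii")))
    return mappings

def user_ids_for_host(ext_value, host):
    """User IDs the certificate claims for host (case-insensitive match is an assumption)."""
    return [uid for name, uid in parse_host_id_mappings(ext_value) if name.lower() == host.lower()]

def tlv(tag, body):  # helper that builds the constructed sample (short-form lengths only)
    return bytes([tag, len(body)]) + body

# Constructed sample value: two mappings, one per host.
SAMPLE = tlv(0x31, tlv(0x30, tlv(0x81, b"mvs1.example.com") + tlv(0x82, b"USER01"))
                   + tlv(0x30, tlv(0x81, b"mvs2.example.com") + tlv(0x82, b"USER02")))
if __name__ == "__main__":
    print(parse_host_id_mappings(SAMPLE), user_ids_for_host(SAMPLE, "MVS1.EXAMPLE.COM"))
```

The input is the content of the extension's extnValue OCTET STRING, not the whole certificate; truncated or malformed values raise ValueError rather than yielding a partial mapping.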