Defining SSL authentication security

Overview

To define SSL basic authentication security, you must first request or create a signed certificate for your BSA CI, and a certificate authority (CA) certificate from the issuer that signed your BSA CI certificate.

After you have received or created a signed certificate for your BSA CI and the associated CA certificate, you need to do the following:

  • Authorize the use of digital certificates in RACF
  • Store the BSA CI certificates and the BSA CI key rings

What to do on the client side

On the client side, you must create a key ring and attach to it the CA certificate of the certifying authority that issued the BSA CI's certificate. In the case of a z/OS client, you must use RACF to create the client key ring and then attach the CA certificate to that key ring. For the client to authenticate the BSA CI, the BSA CI (more specifically, the controller user ID) must possess a signed certificate issued by a certifying authority.

Server authentication

To prove its identity to the client, the BSA CI presents its signed certificate. The client must possess the CA certificate of the same certifying authority that issued the BSA CI's certificate, and it uses that CA certificate to verify that the BSA CI's certificate is authentic. Once the certificate is verified, the client can be assured that messages on that connection come from that BSA CI, and not from anywhere else.
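The server-authentication check described above, and the client-side key ring it depends on, as an added example that is not part of this documentation and not BSA CI code: Go's standard library stands in for RACF, an in-memory certificate pool stands in for the client key ring, and the CA names, the server name bsa-ci.example and the one-day validity period are constructed assumptions. It shows that the client accepts the certificate the BSA CI presents only when the client's key ring holds the CA certificate of the issuing authority; the same certificate checked against an unrelated CA, and a self-signed server certificate that no CA issued, are both rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// baseTemplate returns a certificate template valid for one day (constructed values).
func baseTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
}

// newCA models the certifying authority: a self-signed CA certificate whose
// public part is what the client attaches to its key ring.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := baseTemplate(1, name)
	tmpl.IsCA = true
	tmpl.BasicConstraintsValid = true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServerCert creates the certificate the server (the BSA CI) presents.
// With a nil signer the certificate is self-signed, i.e. no CA issued it.
func newServerCert(name string, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := baseTemplate(2, name)
	tmpl.DNSNames = []string{name}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	parent, parentKey := signer, signerKey
	if signer == nil {
		parent, parentKey = tmpl, key // self-signed: the server vouches for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientVerifies models the client's check against its key ring: the presented
// certificate is accepted only if it chains to a CA certificate the client holds
// and names the server the client expects to talk to.
func clientVerifies(keyRing []*x509.Certificate, presented *x509.Certificate, expectedName string) bool {
	roots := x509.NewCertPool()
	for _, c := range keyRing {
		roots.AddCert(c)
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Outcome records the three client-side decisions the demo makes.
type Outcome struct {
	IssuedByTrustedCA bool // server cert issued by the CA in the client's key ring
	IssuedByOtherCA   bool // same cert checked against an unrelated CA
	SelfSigned        bool // server cert that no CA issued
}

// runDemo builds a CA, an unrelated CA, a CA-issued server certificate and a
// self-signed one, then applies the client's check to each combination.
func runDemo() (Outcome, error) {
	var out Outcome
	ca, caKey, err := newCA("Example CA")
	if err != nil {
		return out, err
	}
	otherCA, _, err := newCA("Unrelated CA")
	if err != nil {
		return out, err
	}
	server, err := newServerCert("bsa-ci.example", ca, caKey)
	if err != nil {
		return out, err
	}
	selfSigned, err := newServerCert("bsa-ci.example", nil, nil)
	if err != nil {
		return out, err
	}
	keyRing := []*x509.Certificate{ca} // what the client attached to its key ring
	out.IssuedByTrustedCA = clientVerifies(keyRing, server, "bsa-ci.example")
	out.IssuedByOtherCA = clientVerifies([]*x509.Certificate{otherCA}, server, "bsa-ci.example")
	out.SelfSigned = clientVerifies(keyRing, selfSigned, "bsa-ci.example")
	return out, nil
}

func main() {
	out, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The DNSName check in clientVerifies is the part a client must not skip: a certificate that chains to the trusted CA but was issued for a different server name is still rejected, which is what ties the verified certificate to the specific BSA CI the client intends to reach.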

Client authentication

When the BSA CI authenticates the client, no client certificate is involved: the client does not present a certificate to prove its identity to the BSA CI. In the SSL basic authentication scheme (that is, runtime mode SSL), the BSA CI authenticates the client by demanding a user ID and password from the client.