To define SSL basic authentication security, you must first request or create a signed certificate for your BSA CI, and a certificate authority (CA) certificate from the issuer that signed your BSA CI certificate.
After you have received or created a signed certificate for your BSA CI and the associated CA certificate, you will need to the following:
On the client side, you must create a key ring and attach to it the CA certificate from the certifying authority that issued the BSA CI's certificate. In the case of a z/OS client, you must use RACF to create a client key ring and then attach the CA certificate to the said key ring. For the client to authenticate the BSA CI, the BSA CI (more specifically, the controller user ID) must possess a signed certificate created by a certifying authority.
To prove its identity to the client, the BSA CI passes the signed certificate. The client must possess the CA certificate from the same certifying authority that issued the BSA CI's certificate. The client uses the CA certificate to verify that the BSA CI's certificate is authentic. Once verified, the client can be assured that messages come from that BSA CI, and not from anywhere else.
For the BSA CI to authenticate the client, note that there is no client certificate that the client forwards to prove its identity to the BSA CI. In the SSL basic authentication scheme (= runtime mode SSL), the BSA CI authenticates the client by demanding a user ID and password from the client.