I was trying to set up digital certificate authentication into RACF and was having problems. I had used a command
RACDCERT MAP ID(ADCDC ) - SDNFILTER('CN=colinpaicesECp256r1.O=cpwebuser.C=GB') - WITHLABEL('colinpaicesECp256r2')
but it was hard to find out why I could not connect. I started looking into this and got confused because the MQWEB liberty trace talked about userid in realms, but I did not have a realm.
I took a couple of days to write a program to use the RACF callable service to query the userid given a DN, but it kept reporting the certificate was not found.
Eventually I found that RACF has two ways of mapping a DN string to a userid
- RACDCERT MAP ID(ADCDC ) SDNFILTER(‘CN=colinpaicesECp256r1.O=cpwebuser.C=GB’) WITHLABEL(‘colinpaicesECp256r2’)
- RACMAP MAP ID(ADCDC ) USERDIDFILTER( NAME(‘CN=colinpaicesECp256r1.O=cpwebuser.C=GB’)) REGISTRY(NAME(‘ADCDPL’))
This is used so that when someone logs on using a certificate, the certificate DN is looked up in the RACDCERT MAP, and if found, the matching userid is returned.
This command is not very usable.
- You can map a DN string to a user.
- You can list the DN string associated with a userid
- You cannot query to see if a DN string exists, and which userid it is mapped to
- If you try to add it, and it already exists, it just reports that it exists, and does not tell you which userid it is mapped to. So you cannot easily delete it
- For an application to query the userid, you need to use the initACEE interface which is complex and requires your code to run authorised.
If the system is unable to map a certificate to a userid you get a message…
ICH408I USER(START1 ) GROUP(SYS1 ) NAME(####################)
DIGITAL CERTIFICATE IS NOT DEFINED. CERTIFICATE SERIAL NUMBER(0162)
This has been designed for enterprise identity propagation. You can have userid information in different realms, for example in RACF or in one oe more LDAPs.
- You can map a DN string to a userid
- You can list the DN strings associated with a userid
- You can query a DN string and get the associated userid
- You can use the r_usermap (IRRSIM00) callable service to map a DN string to a user. You need access to some RACF profiles.
They are not interchangable
You cannot define a mapping using RACDCERT MAP and use the r_usermap interface, or the other way around.