==> CMS doesn’t provide any function to map a user certificate to a local identity (VM user ID).
I can’t see how that would be possible since a tcpip connection doesn’t require vm credentials. But if I could somehow get info from the authenticated user/client certificate then I could use that to look them up. Example: their email address. From that I could provide my own mapping to vm userid if needed.

On Mon, Jun 16, 2025 at 05:05 Alan Altmark <[email protected]> wrote:

> Secure socket connections in CMS can be configured to request and validate a user certificate.
>
> But that’s not Don’s issue. CMS doesn’t provide any function to map a user certificate to a local identity (VM user ID).
>
> Regards,
> Alan
>
> Alan Altmark
> Senior z/VM Engineer and Consultant
> IBM Infrastructure
> Endicott, NY USA
>
>
> On Jun 15, 2025, at 10:22 AM, Jack Woehr <[email protected]> wrote:
> > The concept of "client certificate" is baked into the modern web.
> > I guess you're saying VM doesn't support this natively?
> >
> >> On 6/15/25 01:05, Rob van der Heij wrote:
> >> It is obviously possible to exchange a certificate once the SSL connection is ready, as part of some home-grown protocol. Your client would need to hold that signed certificate and present it to the server. You might be able to reuse some logic from GETSHOPZ where we do digital signature verification.
> >> The client would have their signed credentials on file, but it's not something like a password that could be used for other authentication. The server side would not need to validate a password but only decode the certificate that you signed.
> >>
> >> Rob
> >>
> >>> On Sun, Jun 15, 2025, 01:49 Donald Russell <[email protected]> wrote:
> >>> Thanks Jack,
> >>> No, I don’t want any sort of api/gateway/proxy thing. I was just asking if some sort of certificate sign-in was practical.
> >>>> On Sat, Jun 14, 2025 at 10:31 Jack Woehr <[email protected]> wrote:
> >>>> On 6/14/25 08:02, Donald Russell wrote:
> >>>>> If I have a (z)cms pipe application using tcplisten, how can I make sure the in/outgoing traffic is encrypted?
> >>>> Can you put the connection behind some kind of API gateway?
> >>>> Jack Woehr               # “A learning experience is one of those things
> >>>> IBM Champion 2021-2025   # that says, 'You know that thing you just did?
> >>>> http://www.softwoehr.com # Don't do that.'” ― Douglas Adams
> >
> > --
> > Jack Woehr               # “A learning experience is one of those things
> > IBM Champion 2021-2025   # that says, 'You know that thing you just did?
> > http://www.softwoehr.com # Don't do that.'” ― Douglas Adams
