I apologize if this has been covered already, but I probably need to tell somebody if this can be done before I read up and put the pieces together.
If I have an SSL-capable emulator, is it possible to validate the client certificate and extract the userid (this part, at least, I know can be done) and somehow persistently store it so that the RACF logon exits can locate it and verify that the userid entered at the application logon screen is the same userid that was presented in the client certificate?

There are two-factor authentication products that work at RACF logon but they have their drawbacks; we're musing about the possibility of fitting in with some of the distributed schemes for consistency's sake and closing the gap where one can get on a workstation with one set of credentials and then use another set that fell off the back of a truck to have a good old time in ways that may be distasteful to some. The distributed schemes involve seemingly robust "what I have" and "what I know" type processes, and if we can then implement something reasonably unobtrusive on zOS we'd be in better shape.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433
