I am not an expert on your exact question but I have done a lot with SSL certificates and with SMF data from RACF and from TCP/IP. I think RACF is pretty far removed from your TCP/IP sign-on, because TN3270 sits in the middle. As far as RACF is concerned, your client didn't sign on, a virtual terminal owned by TN3270 signed on.
You would have to capture it from TCP/IP somehow and hand it off to your RACF exit. Not an entire answer, but I hope this helps. Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Tom Ambros Sent: Tuesday, December 04, 2012 11:25 AM To: [email protected] Subject: Correlating workstation userid to TN3270 logon using client certificates I apologize if this has been covered already, but I probably need to tell somebody if this can be done before I read up and put the pieces together. If I have an SSL-capable emulator, is it possible to validate the client certificate and extract the userid (this part, at least, I know can be done) and somehow persistently store it so that the RACF logon exits can locate it and verify that the userid entered at the application logon screen is the same userid that was presented in the client certificate? There are two factor authentication products that work at RACF logon but they have their drawbacks, we're musing about the possibility of fitting in with some of the distributed schemes for consistency's sake and closing the gap where one can get on a workstation with one set of credentials and then use another set that fell off the back of a truck to have a good old time in ways that may be distasteful to some. The distributed schemes involve seemingly robust what I have and what I know type processes and if we can then implement something reasonably inobtrusive on zOS we'd be in better shape. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
