On Fri, 13 Jun 2025 17:19:46 +0100, Colin Paice <[email protected]> wrote:

>I've found I can map a certificate to any userid, e.g.
>RACDCERT MAP ID(START1) -
>   WITHLABEL('ZZ') -
>   SDNFILTER('CN=zzcolinpaice.O=cpwebuser.C=GB')
>
>
>Which seems to allow me to do a certificate logon and become any userid.
>This includes using a protected userid.
>Are there any controls I can use to restrict this? I'm working with Zowe,
>which allows me to use z/OS facilities from Linux/Windows.

Perhaps more appropriate for RACF-L than IBM-MAIN...

But according to the RACF Command Language Reference you need SPECIAL or UPDATE 
authority to the IRR.DIGTCERT.MAP resource in the FACILITY class to map to 
anyone other than yourself. So it's reasonably well protected, except from your 
RACF administrators, of course.

-- 
Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
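
An added example, not part of the original posts: a REXX exec to run under TSO that reviews the control described in the reply above, showing who is permitted to the IRR.DIGTCERT.MAP resource and which mappings exist for START1. The group name CERTADM and the `apply` switch are hypothetical; the lockdown commands run only if `apply` is set to 1.

```rexx
/* REXX - added example: review who can map certificates to other IDs */
/* Run under TSO by a user allowed to list FACILITY profiles.         */
/* CERTADM is a hypothetical group name; substitute your own.         */

apply = 0                       /* 1 = also run the lockdown commands */

/* 1. Access list of the discrete profile, if one exists.             */
"RLIST FACILITY IRR.DIGTCERT.MAP AUTHUSER"
if rc <> 0 then
  say "No discrete profile listed (rc="rc"); checking generic profiles"

/* 2. The best-matching generic profile (for example IRR.DIGTCERT.*)  */
/*    may be the one that actually protects the resource.             */
"RLIST FACILITY IRR.DIGTCERT.MAP AUTHUSER GENERIC"
if rc <> 0 then
  say "No generic profile listed (rc="rc")"

/* 3. Existing certificate name filters mapped to the target user ID. */
"RACDCERT LISTMAP ID(START1)"
if rc <> 0 then
  say "LISTMAP for START1 ended with rc="rc

/* 4. Optional lockdown: no default access, UPDATE only for the group */
/*    that administers certificate mappings.                          */
if apply = 1 then do
  "RDEFINE FACILITY IRR.DIGTCERT.MAP UACC(NONE)"
  "PERMIT IRR.DIGTCERT.MAP CLASS(FACILITY) ID(CERTADM) ACCESS(UPDATE)"
  /* Needed when the FACILITY class is RACLISTed.                     */
  "SETROPTS RACLIST(FACILITY) REFRESH"
end

exit 0
```

Users with the SPECIAL attribute are not shown on the access list and have to be reviewed separately.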
