With a couple of tips from Phil's VBScript I was able to get the
HostIDMappings to work.  I was leaving the implicit tags off the
IA5 strings.  As Phil indicated, it does work with CICS Web Services
even though there is no mention of that anywhere.  But I could
not get HostIDMapping to work with FTP Server.  You would think the RACF
interface would be the same for all applications.
The GSK trace doesn't provide sufficient detail to see why.  I will try
running a RACF trace.

With RDz client, there is never any session request sent to the server,
so the server setup is not an issue yet.  I did do an
openssl s_client connection to RDz RSED and it is obvious the host end
is not going to do mutual authentication, as it is
not requesting a client certificate.  Anyone know any parameters for a
z/OS Java app to turn on mutual authentication?
Maybe something like -Dcom.ibm.ssl.clientAuthentication=true?  I have a
ticket open with IBM, but no response in almost a week.

-- 
  Donald J.
  [email protected]

On Tue, Mar 11, 2014, at 02:04 PM, Walt Farrell wrote:
> On Tue, 11 Mar 2014 05:54:24 -0700, Donald J. <[email protected]> wrote:
> 
> >I am currently using openssl to create certificates for use with CICS
> >Web Services that work fine.  I haven't read anywhere that
> >CICS Web Services supports authentication using HostIDMapping.   I
> >associate the certificate with a userid using command:
> >RACDCERT ID(USERID1) ADD('USERID1.CERT1.PEM') WITHLABEL('USERID1test')
> >ICSF(*) TRUST
> >If I try to use a certificate with a HostIDMapping extension and no
> >certificate associated with the userid I get error message:
> >"CWXN A client certificate that maps to a valid userid is required."
> 
> But did you complete the other setup steps to enable the use of
> HostIDMapping? See, for example, item 2 at
> http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichzd1c0/2.12.4?SHELF=all13be9.bks&DT=20110608113637
> or http://preview.tinyurl.com/n63tfyf for details on the required
> SERVAUTH authority that CICS would need to make use of a HostIDMapping
> extension.
> 
> (HostIDMapping, just like basic usage of Certificate Name Filtering,
> should be transparent to the application once all setup steps are
> completed.)
> 
> -- 
> Walt
> 
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
