SSL client authentication can optionally be configured if you have already configured SSL server authentication.
You perform some of these tasks on the z/OS platform by issuing RACDCERT (RACF digital certificate) commands. The RACDCERT commands enable you to create and maintain digital certificates, and to create the keyrings which act as repositories for digital certificates. You also use ikeyman.
ikeyman is provided as part of the Java Runtime Environment.
C:\CICSTG>ftp server
Connected to server.company.com
User : ctguser
Password : xxx
CTGUSER is logged on. Working directory is "/u/ctguser".
ftp> asc
Representation type is Ascii NonPrint
ftp> literal site recfm=vb
200 SITE command was accepted
ftp> cd 'CTGUSER'
"CTGUSER." is the working directory name prefix.
ftp> put client.personal.cert.arm
Storing data set CTGUSER.CLIENT.PERSONAL.CERT.ARM
ftp> quit
RACDCERT ID (CTGUSER) ADD('CTGUSER.CLIENT.PERSONAL.CERT.ARM') WITHLABEL('MY CLIENT CERT') TRUST
The following message is displayed:
The new profile for DIGTCERT will not be in effect until a SETROPTS REFRESH has been issued.
Certificate Authority not defined to RACF. Certificate added with TRUST status.
setr raclist(digtcert) refresh
RACDCERT ID (CTGUSER) CONNECT(LABEL ('MY CLIENT CERT') RING(CTGKEYRING) USAGE (CERTAUTH))
Ring:
>CTGKEYRING<
Certificate Label Name              Cert Owner   USAGE     DEFAULT
----------------------------------  -----------  --------  -------
CTG CA CERT                         CERTAUTH     CERTAUTH  NO
CTG PERSONAL CERT                   ID(CTGUSER)  PERSONAL  YES
MY CLIENT CERT                      ID(CTGUSER)  CERTAUTH  NO
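A check that can be run over a ring listing like the one above, as an added example that is not part of the original page or of IBM's tooling: every entry connected with USAGE CERTAUTH is a certificate the key ring treats as a trusted CA, so the script reports any such label that is not on an approved list. The function names and the approved list are assumptions; the sample rows are the ones shown on this page.

```python
import re

# Ring listing rows as shown on this page (column spacing is not significant here).
SAMPLE_LISTING = """\
Ring:
>CTGKEYRING<
Certificate Label Name Cert Owner USAGE DEFAULT
---------------------------------- ----------- ----- -------
CTG CA CERT CERTAUTH CERTAUTH NO
CTG PERSONAL CERT ID(CTGUSER) PERSONAL YES
MY CLIENT CERT ID(CTGUSER) CERTAUTH NO
"""

OWNER = re.compile(r"CERTAUTH|SITE|ID\([^)]+\)")
USAGES = {"CERTAUTH", "PERSONAL", "SITE"}

def parse_ring(listing):
    """Return (ring_name, entries) parsed from a key ring listing."""
    ring, entries, in_rows = None, [], False
    for raw in listing.splitlines():
        line = raw.strip()
        name = re.fullmatch(r">(.+)<", line)
        if name:
            ring, in_rows = name.group(1), False
        elif line and set(line) <= set("- "):
            in_rows = True  # ruler line: entry rows follow
        elif in_rows and line:
            # Labels may contain spaces, so split the three fixed fields off the right.
            parts = line.rsplit(None, 3)
            if len(parts) != 4:
                raise ValueError(f"unrecognised ring entry: {raw!r}")
            label, owner, usage, default = parts
            if not OWNER.fullmatch(owner) or usage not in USAGES or default not in ("YES", "NO"):
                raise ValueError(f"unrecognised ring entry: {raw!r}")
            entries.append({"label": label, "owner": owner,
                            "usage": usage, "default": default == "YES"})
    return ring, entries

def audit_trust_anchors(listing, approved):
    """Compare CERTAUTH-usage entries with an approved label set (hypothetical policy)."""
    ring, entries = parse_ring(listing)
    anchors = {e["label"] for e in entries if e["usage"] == "CERTAUTH"}
    return {"ring": ring,
            "unexpected": sorted(anchors - set(approved)),
            "missing": sorted(set(approved) - anchors)}

if __name__ == "__main__":
    print(audit_trust_anchors(SAMPLE_LISTING, {"CTG CA CERT", "MY CLIENT CERT"}))
```

A non-empty "unexpected" list means the ring trusts a certificate nobody approved; a non-empty "missing" list means an approved certificate was never connected or was connected with a different usage.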