You can optionally use client certificates with SSL to allow the server to authenticate the client during the SSL handshake.
A client certificate can be used with or without another authentication mechanism such as a user ID and password. When a client certificate has been authenticated, it can be made available on each ECI request, and can be used by the Gateway daemon security exit to authorize the request. This is achieved by mapping the certificate to a RACF® user ID.
To obtain the client certificate, client authentication must be enabled on the SSL protocol handler in the Gateway daemon. To run the CICS® transaction under the RACF user ID that has been mapped to the client certificate, ensure that the CICS connection has been defined with Attachsec set to Identify.
For more information on certificate mapping, see the IBM® Redpaper J2C Security on z/OS®.