Client certificate authentication

Client authentication provides additional verification and access control by checking client certificates at the server. This prevents a client from obtaining a connection without an installation-approved certificate.

The server authenticates the client by receiving the client's certificate during the SSL handshake and verifying that the certificate is valid. System SSL at the server decrypts the signature using the public key of the client certificate issuer found in the server key database file. The server then creates a new message digest using the certificate's Distinguished Names and public key and compares the new message digest with the decrypted one. If they match, the server can be assured that the client is authentic.

There are multiple levels of client authentication possible:

  1. Level 1 authentication is performed by system SSL. The client passes an X.509 certificate to the server. To pass authentication, the Certificate Authority that signed the client certificate must be considered trusted by the server. Selecting Enable client certificate authentication provides level 1 authentication.

  2. Level 2 authentication provides level 1 authentication and additionally requires that the client certificate be registered with RACF (or another SAF-compliant security product) and mapped to a user ID. The client certificate received during the SSL handshake is used to query the security product to verify that the certificate maps to a user ID known to the system prior to connection negotiation. Selecting Use security server to verify client user ID provides level 2 authentication.

  3. Level 3 authentication provides level 1 and 2 authentication. In addition, it provides the capability to restrict access to the server based on the user ID returned from RACF. If the SERVAUTH class of RACF is active and the server profile is defined, a connection is accepted only if the requestor's user ID associated with the client certificate is in the profile. Selecting Use security server to verify client user ID provides level 3 authentication if the SERVAUTH class of RACF is active.
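The three levels above, modelled as an added example (not code from this page or from z/OS): Python's ssl module stands in for System SSL at level 1, while the SAF certificate-to-user-ID registry and the SERVAUTH server profile are in-memory stand-ins. The names make_server_context, authenticate, registry and servauth_profile are assumptions for this illustration.

```python
import ssl

class AuthError(Exception):
    pass

def make_server_context(ca_file: str) -> ssl.SSLContext:
    """Level 1: the TLS library rejects any client certificate whose
    issuing CA is not in the server's trust store (ca_file)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED       # no certificate, no connection
    ctx.load_verify_locations(cafile=ca_file)
    return ctx

def dn_string(rdns) -> str:
    """Flatten the getpeercert() tuple form of a DN into 'commonName=x,...'."""
    return ",".join(f"{k}={v}" for rdn in rdns for k, v in rdn)

def authenticate(peer_cert: dict, registry: dict, servauth_profile):
    """Levels 2 and 3, applied after a successful handshake.

    peer_cert        -- dict as returned by ssl.SSLSocket.getpeercert()
    registry         -- (issuer DN, serial) -> user ID; stand-in for the
                        SAF certificate-to-user-ID mapping (assumption)
    servauth_profile -- set of permitted user IDs, or None when the
                        SERVAUTH class is inactive / no profile is defined
    Returns (level reached, user ID); raises AuthError on rejection.
    """
    key = (dn_string(peer_cert["issuer"]), peer_cert["serialNumber"])
    user_id = registry.get(key)
    if user_id is None:                  # level 2 failure
        raise AuthError("certificate is not mapped to a user ID")
    if servauth_profile is None:         # level 3 not in effect
        return 2, user_id
    if user_id not in servauth_profile:  # level 3 failure
        raise AuthError(f"user ID {user_id} is not in the server profile")
    return 3, user_id

# Constructed sample data (not real certificates or RACF entries).
ISSUER = ((("countryName", "US"),), (("organizationName", "EXAMPLE"),),
          (("commonName", "EXAMPLE CA"),))
SAMPLE_CERT = {"subject": ((("commonName", "ALICE"),),),
               "issuer": ISSUER, "serialNumber": "1A2B3C"}
SAMPLE_REGISTRY = {(dn_string(ISSUER), "1A2B3C"): "ALICE"}
SAMPLE_PROFILE = {"ALICE", "BOB"}
```

A handshake that fails level 1 never reaches authenticate(); calling it with a cert absent from the registry raises at level 2, and a registered user ID outside the active profile raises at level 3.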