Set Up Certificate Logon

Certificate logon enables the LDAP client to perform operations using an X.509 digital certificate as credentials instead of a clear-text user ID and password. LDAP client requests that do not contain a user ID and password (-D cn= and -w options) are valid when the following conditions are met:
  1. Slapd.conf options are configured.
  2. Digital certificates are registered for both client and server.
  3. Digital certificates are exchanged between client and server.
If these conditions are not met and the LDAP client user ID or password is not supplied, the LDAP server identifies the request as an anonymous bind and blocks it.
The following actions are performed during certificate logon:
  1. The CA LDAP Server derives the client user ID from the user ID associated with the client certificate in the external security manager (ESM).
  2. The server generates a PassTicket on behalf of the LDAP client. It calls the ESM PassTicket generation routine and supplies the following information:
    • Client user ID
    • Server application ID
    • Requester user ID
    • Requester password.
  3. The client user ID and PassTicket are used for client authentication.
The BINDDN “cn=<client certificate user ID>” is used for both the bind operation and subsequent operations.
The backend ESM performs certificate authentication.
Configure Slapd.conf Options
For certificate logon, the following server slapd.conf options must be set.
  • authlocation
    Certificate Logon is valid only when the slapd.conf authlocation option is set to OS390.
  • ptktappl
  • ptktReqrId
  • ptktReqrPwFile
  • TLSKeyringName
  • TLSVerifyClient
The following back-end option must be set for DB2:
  • dbptktappl
For information about ptktappl and dbptktapply, see options related to the applicable back end.
The ptktappl, ptktReqrId or ptktReqrPwFile options can be set locally and globally. When CA LDAP Server decides which configuration option to use, it evaluates them in the following order:
  1. Database options for the ESMs, if specified.
  2. Backend options for the ESMs, if specified.
  3. Global options, if specified.
  • If you specify ‘ptktReqrId PASSID’ in the global section, and ‘ptktReqrPwFile ./passid.pwd’ in the CA ACF2 back end section, then CA LDAP Server uses ‘ptktReqrId PASSID’ and ‘ptktReqrPwFile ./passid.pwd’ for all CA ACF2 sections.
  • When you define an option globally and also in a database section, the database value takes precedence.
  • When the option is defined in the back-end section (like ACF2) and one of the ACF2 database sections specifies a different value, all ACF2 instances use the back-end section value, except for the one ACF2 database instance that has specified a different value, which uses its own definition.
Register Digital Certificates for Client and Server
Both the client and the server must have registered digital certificates with the external security manager (ESM). These certificates must be present in the certificate store of the CA LDAP Server (see the TLSKeyringName option for how to define the certificate store).
LDAP client certificates must be personal certificates. This is because the user ID associated with the digital certificate in the ESM functions as the user ID for the client operation,
For detailed information about using CA ACF2 commands, see the CA ACF2 for z/OS documentation. For detailed information about using CA Top Secret commands, see the CA Top Secret for z/OS documentation. For detailed information about using IBM RACF, see the IBM
 z/OS Security Server RACF Security Administrator’s Guide
Exchange Digital Certificates Between Client and Server
For certificate logon, the client and server must be engaged in a TLS session and exchange certificates.
To start the TLS session, the client can use the STARTTLS command line option (-Z). By itself, STARTTLS does not cause an exchange of certificates. The server slapd.conf TLSVerifyClient option must be configured so that the client certificate is sent to the server.