Identity and Authentication
Identity and authentication principles govern how you use the CA SMP/E Internet Service Retrieval. SMP/E communicates with the remote CA Automated Order server using the HTTPS protocol. All communications with the server are performed using Secure Sockets Layer (SSL). The client (SMP/E) and the server use X.509 certificates to secure communications over SSL. When initializing an SSL connection with a server, the client requests the server's X.509 certificate to authenticate the server. The server's certificate identifies the server to the client and provides the server's public key.
SSL server authentication lets a client application confirm the identity of the server application. The client application, through SSL, uses standard public-key cryptography to verify that the server’s certificate and public key are valid. The client application also verifies that the certificate has been signed by a trusted certificate authority that is known to the client application. The client and the server then use the negotiated session keys and begin encrypted communications.
The trusted certificate authority is an important piece of the SSL server authentication scheme. Certificate authorities are trusted organizations that verify information about servers. Certificate authorities then issue digital certificates that applications may accept as authentication of server identities when used in a secure handshaking protocol such as SSL. Trusting a certificate that is issued by a certificate authority is analogous to accepting a passport issued by a national passport agency as proof of identity: we trust that the agency has verified the identity of the passport holder. Similarly, applications may accept certificates that are signed by a certificate authority they trust.
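The following script is an added example and is not part of the CA documentation or of SMP/E. It reproduces the server-authentication step described above with OpenSSL on a throwaway PKI: a root CA issues a server certificate, and the client-side check either accepts that certificate (the client holds the issuing root) or rejects it (the client holds an unrelated root). The CA names, file paths and the host name download.example.invalid are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the CA documentation: a throwaway two-level PKI built with
# openssl, showing that the client's trust decision depends on which CA certificate
# it holds. All names and paths below are constructed.
set -eu

# Create a self-signed root CA, an unrelated second root, and a server certificate
# signed by the first root. Everything is written under the directory given as $1.
setup_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Trusted root: its self-signed certificate is what the client must hold.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
    # A second root standing in for "a CA the client does not trust".
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" \
        -subj "/CN=Unrelated Root CA" >/dev/null 2>&1
    # Server key pair and certificate signing request ...
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=download.example.invalid" >/dev/null 2>&1
    # ... signed by the trusted root. This is what the server presents in the handshake.
    openssl x509 -req -days 1 -set_serial 1 \
        -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# The client-side check: does the presented certificate chain to a CA we trust?
# Returns 0 (accepted) or 1 (rejected), mirroring SSL server authentication.
verify_server_cert() {
    cafile="$1"
    cert="$2"
    if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# After the chain is accepted, the client takes the server's public key from the
# certificate; this prints it in PEM form.
server_public_key() {
    openssl x509 -in "$1" -noout -pubkey
}

# Demonstration: accepted with the issuing root, rejected with an unrelated root.
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/pki-demo.XXXXXX")
    setup_pki "$work"
    if verify_server_cert "$work/ca.pem" "$work/server.pem"; then
        echo "trusted root held:   server certificate ACCEPTED"
    fi
    if ! verify_server_cert "$work/other-ca.pem" "$work/server.pem"; then
        echo "unrelated root held: server certificate REJECTED"
    fi
    server_public_key "$work/server.pem"
    rm -rf "$work"
}

demo
```

The second check is the one that matters operationally: a certificate signed by a CA that is not in the client's trust store is rejected even though it is otherwise well formed, which is why the certificate-authority certificate for the download server has to be installed on the client side before the handshake can succeed.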
SMP/E processing focuses on these certificates:
- User certificate: A certificate that is associated with a z/OS user ID. This certificate is used to authenticate the user's identity. This certificate type may also be known as a Personal or Client certificate.
- Certificate-authority certificate: A certificate that is associated with a certificate authority and is used to verify signatures in other certificates. This certificate type may also be known as a root certificate. GeoTrust is an example of a certificate authority that provides a certificate authority certificate.
- Download server certificate: A certificate authority certificate that is required for the SSL handshake.
Detailed instructions to download all certificates reside in the applicable security system configuration article.