The client certificate can be used to determine the user ID for the CICS® transaction only if the certificate is associated with a RACF® user ID.
Once a certificate has been registered in this way, it can be used for all inbound TCP/IP connections. For example, the same certificate can be used to authenticate and identify users of IIOP requests as well as HTTP requests.
To associate a client certificate with a RACF user ID, use the RACDCERT command:
RACDCERT ADD('datasetname') TRUST [ ID(userid) ] [ ICSF ]
where datasetname is the name of the dataset containing the client certificate, and userid is the user ID that is to be associated with the certificate. If the optional ID(userid) parameter is omitted, the certificate is associated with the user issuing the RACDCERT command.
For certificates that are used with Web Service Security, you must supply the ICSF operand, to specify that the private key associated with the certificate should be stored in the Integrated Cryptographic Service Facility (ICSF).
You can add certificate information for your own user ID if you have READ access to the IRR.DIGTCERT.ADD profile in the FACILITY class. You can add certificate information for other user IDs if you have UPDATE access to the IRR.DIGTCERT.ADD profile in the FACILITY class or if you have RACF SPECIAL authority.
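The following command sequence is an added example, not part of the IBM documentation. It shows a least-privilege setup for the access rules above: one administrator is given UPDATE access to IRR.DIGTCERT.ADD, registers a certificate for another user ID, and lists the result. The user IDs WEBADM and CICSUSR1 and the dataset names are constructed placeholders.

```tso
/* Constructed example: WEBADM, CICSUSR1 and the dataset names   */
/* are placeholders, not values from the documentation.          */

/* Define the profile with no default access. Skip this step if  */
/* IRR.DIGTCERT.ADD is already defined in the FACILITY class.    */
RDEFINE FACILITY IRR.DIGTCERT.ADD UACC(NONE)

/* UPDATE lets WEBADM add certificates for other user IDs.       */
/* READ would only allow WEBADM to add certificates for itself.  */
PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(WEBADM) ACCESS(UPDATE)

/* Refresh the in-storage profiles if FACILITY is RACLISTed.     */
SETROPTS RACLIST(FACILITY) REFRESH

/* Issued by WEBADM: associate the client certificate in the     */
/* dataset with user ID CICSUSR1 and mark it trusted.            */
RACDCERT ADD('WEBADM.CLIENT.CERT') TRUST ID(CICSUSR1)

/* Variant for a certificate used with Web Service Security:     */
/* the ICSF operand stores the private key in ICSF.              */
RACDCERT ADD('WEBADM.WSS.CERT') TRUST ID(CICSUSR1) ICSF

/* Confirm which certificates are now associated with the ID.    */
RACDCERT ID(CICSUSR1) LIST
```

Granting UPDATE only to the IDs that administer certificates for others, and READ to users who manage their own, avoids relying on RACF SPECIAL authority for routine certificate registration.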
For further information on the RACDCERT command, including the format of data allowed in the downloaded certificate dataset, see z/OS Security Server RACF Command Language Reference.