Use this panel to specify that the client identifier must be a particular user ID, or that the client's user ID must match an entry in a particular group.
The User IDs for a client identifier are not the same thing as the user IDs entered at TN3270 clients when logging on to an application. Typically, when a client logs on to the application, the end user enters the application name, user ID, and password. However, the client's logon user ID is NOT what is used to match the User IDs in client identifiers.
To understand what the User IDs of a client identifier represent, you must first understand that User ID client identifiers are only available for connections that use the client authentication function of SSL. Client authentication can be configured at multiple levels.
Level 1 authentication is performed by system SSL. The client passes an X.509 certificate to the server. To pass authentication, the Certificate Authority that signed the client certificate must be considered trusted by the server.
Level 2 authentication includes level 1 authentication and additionally requires that the client certificate be registered with RACF (or another SAF-compliant security product) and mapped to a user ID. The client certificate received during the SSL handshake is used to query the security product, verifying that the certificate maps to a user ID known to the system before connection negotiation proceeds.
Level 2 authentication must be enabled to make use of User ID client identifiers. It is the user ID returned from RACF during level 2 authentication that is used to find matches in these client identifiers. To enable this level of authentication, select Use security server to verify client user ID on the Advanced SSL Settings panel.
Before you begin, decide whether you want the client to have a particular user ID or you want the client's user ID to match an entry in a particular group. Depending on that decision, do one of the following:
Steps
You have completed this panel when you have selected one of the radio buttons and filled in either the User ID field or the Group name field.
Fields
Radio Buttons
Click The client must have the following user ID if you want the client to always connect using this user ID.
Click The client's user ID must match an entry in this group if the client's user ID can be any entry in a group.
Push buttons
Click Add to add a User ID to this group.
Click Edit to modify a User ID in this group.
Click Remove to delete a User ID from this group.