[CWI] User certificate registry=path to directory
Each registration file is named by the SHA-1 fingerprint of the certificate it represents, which is a string of hexadecimal digits that uniquely identifies a certificate. The contents are in ini-file format, and contain a single section, also named by the fingerprint. Within that section are one or more name=value pairs. The supported names and their corresponding values are:
Name | Value | Comments |
---|---|---|
user | user ID associated with the certificate | Required. Provides the user ID to which the certificate is mapped. |
cwi | "yes" or "no" | If present and set to "no", the mapping cannot be used by the CICS Web Interface feature. |
dcas | "yes" or "no" | If present and set to "no", the mapping cannot be used by the Digital Certificate Authentication Service. Typically DCAS would be used for this purpose as part of TN3270 automatic signon through the ELF feature. |
The optional cwi and dcas settings let you restrict how a certificate mapping is used. These settings take effect the first time the mapping is used after the region has been started.
Some comment lines might also be included. These begin with a semicolon (";") character. The cascertreg utility inserts comments that state when the file was created, and (for cascertreg version 1.3 or later) the issuer and subject distinguished names of the certificate, for reference.
These files can be edited and deleted manually, and it is possible to create them if you have some understanding of certificates and access to a tool such as OpenSSL. Normally, however, the files are created either by Enterprise Server (using AUTOREGISTER, as described in a previous section) or with the cascertreg utility.
Deleting a certificate registration file forces the owner of that certificate to re-register the first time the certificate is used, after the region has been restarted. Currently, there is no way to instruct a running region to remove a registration it has already loaded from the directory.
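Because these files can be hand-edited, it is useful to audit a registry directory before restarting a region. The following is an added example, not code from the product or the cascertreg utility: it checks one file against the format described above and reports which user ID the fingerprint maps to and whether CWI and DCAS may use the mapping. The function name `audit_registration`, the case-insensitive fingerprint comparison, the tolerance for a file extension and for quoted values, and the sample data are assumptions.

```python
import configparser
import re
from pathlib import Path

FINGERPRINT_RE = re.compile(r"[0-9A-Fa-f]{40}")  # SHA-1 = 20 bytes = 40 hex digits
KNOWN_KEYS = {"user", "cwi", "dcas"}             # names listed in the table above


def audit_registration(filename, text):
    """Return (mapping, problems) for one registration file's contents."""
    problems = []
    fingerprint = Path(filename).stem  # assumption: any file extension is ignored
    if not FINGERPRINT_RE.fullmatch(fingerprint):
        problems.append("file name is not a 40-digit hex SHA-1 fingerprint")
    parser = configparser.ConfigParser(interpolation=None, comment_prefixes=(";",))
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return None, problems + [f"not valid ini-file format: {type(exc).__name__}"]
    sections = parser.sections()
    if len(sections) != 1:
        return None, problems + [f"expected one section, found {len(sections)}"]
    if sections[0].lower() != fingerprint.lower():  # assumption: case-insensitive
        problems.append("section name does not match the file name")
    entry = parser[sections[0]]
    user = entry.get("user", "").strip()
    if not user:
        problems.append("required 'user' value is missing")
    problems += [f"unsupported name: {k}" for k in entry if k not in KNOWN_KEYS]
    mapping = {"user": user}
    for service in ("cwi", "dcas"):
        value = entry.get(service, "yes").strip().strip('"').lower()
        if value not in ("yes", "no"):
            problems.append(f"{service} must be yes or no")
        mapping[service] = value != "no"  # only an explicit "no" blocks the service
    return mapping, problems


# Constructed sample: the fingerprint, comment and user ID are made up.
SAMPLE_NAME = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_TEXT = """\
; created by cascertreg (constructed comment)
[0123456789ABCDEF0123456789ABCDEF01234567]
user=SYSAD
cwi=no
"""

if __name__ == "__main__":
    print(audit_registration(SAMPLE_NAME, SAMPLE_TEXT))
```

To audit a whole directory, call the function with each file's name and contents and review any entry that has problems or that maps to a privileged user ID without restricting cwi or dcas.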