
Credential mapping for TLS certificate users
You specify the capabilities of a user who authenticates by using a TLS certificate by supplying credential mapping in an XML file.
In a credential mapping file, you specify the user as an InputCredential and the resources that
they are authorized to use as an OutputCredential. The output credential can be a set of permissions
as described in Access policies or it can be another user who has the permissions that
you want to grant. For example, if your credential mapping file contains the following mapping, you
can use 'administrator' as an OutputCredential to grant the same
credentials:
<aaa:MapCredentials>
  <aaa:InputCredential>administrator</aaa:InputCredential>
  <aaa:OutputCredential>
    */*/*?Access=r+w+a+d+x
  </aaa:OutputCredential>
</aaa:MapCredentials>
The user name that you specify as the InputCredential depends on the way in which you have
configured the user:
- By default, the authenticated principal for a TLS user certificate is the distinguished name
(DN) of the certificate subject in X.509 format. In this case, the InputCredential is the full
certificate DN in its original case with whitespace preserved, but with a forward slash as the
attribute delimiter instead of a comma, for example:
<aaa:MapCredentials>
  <aaa:InputCredential>^C=GB/O=IBM/OU=MQ Appliance/CN=Jojo Midtown$</aaa:InputCredential>
  <aaa:OutputCredential>administrator</aaa:OutputCredential>
</aaa:MapCredentials>
- If you have selected an attribute of the DN, such as the common name (CN), to use as the
authenticated principal, then this is used as the InputCredential in original case with whitespace
preserved, for example:
<aaa:MapCredentials>
  <aaa:InputCredential>^Jojo Midtown$</aaa:InputCredential>
  <aaa:OutputCredential>administrator</aaa:OutputCredential>
</aaa:MapCredentials>
- If you have mapped the user name specified in the certificate to an alternative user name (see
Using an alternative user name (TLS certificate)) then that is the name that you specify as the InputCredential.
For example:
<aaa:MapCredentials>
  <aaa:InputCredential>^jojo$</aaa:InputCredential>
  <aaa:OutputCredential>administrator</aaa:OutputCredential>
</aaa:MapCredentials>
Note: If you also use SSH certificate authentication, be aware that credential mapping rules
for SSH certificates use the SSH username as the InputCredential. You should ensure that the
credential mapping rules in your XML file for TLS user certificates do not conflict with the rules
for SSH certificates.
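The following Python script is an added illustration, not part of this documentation or of the appliance's own code: it derives the slash-delimited principal from a certificate subject DN, loads a constructed mapping file modelled on the examples above, follows an OutputCredential chain (user to 'administrator' to permission set), and lists every rule that matches a given name so that overlapping TLS and SSH rules can be spotted before deployment. It assumes the InputCredential is matched as a regular expression (the ^ and $ anchors in the examples suggest this), and the namespace URI, wrapper element and comma-splitting of the DN are placeholders and simplifications, not the real appliance behaviour.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample file modelled on the mappings in the text; the aaa
# namespace URI and the wrapper element are placeholders, not the real ones.
AAA_NS = "urn:example:aaa-namespace-placeholder"
MAPPING_XML = f"""<aaa:Mappings xmlns:aaa="{AAA_NS}">
  <aaa:MapCredentials>
    <aaa:InputCredential>administrator</aaa:InputCredential>
    <aaa:OutputCredential>*/*/*?Access=r+w+a+d+x</aaa:OutputCredential>
  </aaa:MapCredentials>
  <aaa:MapCredentials>
    <aaa:InputCredential>^C=GB/O=IBM/OU=MQ Appliance/CN=Jojo Midtown$</aaa:InputCredential>
    <aaa:OutputCredential>administrator</aaa:OutputCredential>
  </aaa:MapCredentials>
</aaa:Mappings>"""

def load_mappings(xml_text):
    """Return the (InputCredential, OutputCredential) pairs in file order."""
    ns = {"aaa": AAA_NS}
    root = ET.fromstring(xml_text)
    return [(m.findtext("aaa:InputCredential", namespaces=ns).strip(),
             m.findtext("aaa:OutputCredential", namespaces=ns).strip())
            for m in root.findall("aaa:MapCredentials", ns)]

def dn_to_principal(subject_dn):
    """Comma-delimited subject DN -> slash-delimited principal, keeping case and
    the whitespace inside each value (assumption: no escaped commas in values)."""
    return "/".join(part.strip() for part in subject_dn.split(","))

def matching_rules(principal, rules):
    """Every rule whose InputCredential regex matches the name. More than one
    hit, or a hit on an SSH username, is a conflict worth fixing with anchors."""
    return [(p, o) for p, o in rules if re.search(p, principal)]

def resolve_access(principal, rules, max_hops=5):
    """Follow OutputCredential chains until a permission string; None if no match."""
    current = principal
    for _ in range(max_hops):
        hits = matching_rules(current, rules)
        if not hits:
            return None
        output = hits[0][1]
        if "?Access=" in output:       # a permission set, not another user
            return output
        current = output               # another user: keep following the chain
    raise ValueError("credential mapping chain too long or circular")
```

The unanchored 'administrator' rule in the sample also matches a name such as 'administrator2', which is exactly the kind of overlap the note above warns about when SSH usernames share the same file.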