Example Rules

The new CDAS gives the user more flexibility in mapping attributes contained within the certificate to the Verify Identity Access user identity.

The following list illustrates some of the mapping functionality supported by this CDAS.

  1. If issuer DN = X and subject DN = Y, then the Verify Identity Access user DN is also Y (the subject DN is used directly as the DN of the registry entry).
  2. The certificate itself is stored as a userCertificate attribute on the inetOrgPerson entry, and a search is done for the Base64 encoded version of the certificate within the user registry.
  3. Take the issuer DN and the subject DN from the certificate, and combine them to look like this:
    <certDN>subjectName</certDN><issuerDN>issuerName</issuerDN>
    Then look for an entry with this value for the attribute:
    ibm-certificateSubjectAndIssuer
  4. If issuer DN = X, the subjectAltName is used as the DN of the inetOrgPerson entry.
  5. If issuer DN = X, the serialNumber maps to the secCertSerialNumber attribute of the inetOrgPerson entry.
  6. If issuer DN = X, the cn from the subject DN maps to the cn of the inetOrgPerson entry.
  7. If issuer DN = X, the subject DN maps to secCertDN in the inetOrgPerson entry.
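The following is an added illustration of the seven mapping strategies above, not IBM's CDAS code. It models the certificate as a pre-parsed dict and the user registry as an in-memory dict standing in for an LDAP equality search; the issuer DN, entry DNs, serial number and DER bytes are all constructed sample values. Two points it makes explicit that the list only implies: every attribute-based rule is gated on the issuer DN matching the trusted issuer "X" (otherwise any CA could issue a certificate whose cn, serial number or subject DN collides with an existing user), and a lookup that returns zero or several entries is treated as a failed mapping rather than a guess.

```python
import base64

# Constructed sample data. "X" in the rules above is a trusted issuer DN;
# the attribute mappings are only applied to certificates from that issuer.
TRUSTED_ISSUER_DN = "CN=Example CA,O=Example,C=US"

# A parsed client certificate, represented as a plain dict for this example.
CERT = {
    "issuer_dn": TRUSTED_ISSUER_DN,
    "subject_dn": "CN=Alice Smith,OU=Users,O=Example,C=US",
    "subject_cn": "Alice Smith",
    "serial_number": "4F2A9C",
    "subject_alt_name": "uid=asmith,ou=people,dc=example,dc=com",
    "der": b"\x30\x82\x03\x1cCONSTRUCTED-DER-BYTES",   # not a real certificate
}

# Stand-in for the LDAP user registry: inetOrgPerson entries keyed by DN,
# each with multi-valued attributes (constructed data).
REGISTRY = {
    "CN=Alice Smith,OU=Users,O=Example,C=US": {
        "cn": ["Alice Smith"],
    },
    "uid=asmith,ou=people,dc=example,dc=com": {
        "cn": ["Alice Smith"],
        "userCertificate": [base64.b64encode(CERT["der"]).decode("ascii")],
        "ibm-certificateSubjectAndIssuer": [
            "<certDN>CN=Alice Smith,OU=Users,O=Example,C=US</certDN>"
            "<issuerDN>CN=Example CA,O=Example,C=US</issuerDN>"
        ],
        "secCertSerialNumber": ["4F2A9C"],
        "secCertDN": ["CN=Alice Smith,OU=Users,O=Example,C=US"],
    },
    "uid=bsmith,ou=people,dc=example,dc=com": {
        "cn": ["Bob Smith"],
    },
}


def _search(attr, value):
    """Simulated LDAP equality search: DNs of entries whose attr holds value."""
    return [dn for dn, attrs in REGISTRY.items() if value in attrs.get(attr, [])]


def _unique(matches):
    """A mapping must identify exactly one entry; zero or several is a failure."""
    return matches[0] if len(matches) == 1 else None


def _trusted(cert):
    return cert["issuer_dn"] == TRUSTED_ISSUER_DN


def rule_subject_dn_is_entry_dn(cert):          # rule 1
    if not _trusted(cert):
        return None
    return cert["subject_dn"] if cert["subject_dn"] in REGISTRY else None


def rule_user_certificate(cert):                # rule 2
    b64 = base64.b64encode(cert["der"]).decode("ascii")
    return _unique(_search("userCertificate", b64))


def rule_subject_and_issuer(cert):              # rule 3
    key = (f"<certDN>{cert['subject_dn']}</certDN>"
           f"<issuerDN>{cert['issuer_dn']}</issuerDN>")
    return _unique(_search("ibm-certificateSubjectAndIssuer", key))


def rule_san_is_entry_dn(cert):                 # rule 4
    if not _trusted(cert):
        return None
    san = cert["subject_alt_name"]
    return san if san in REGISTRY else None


def rule_serial_number(cert):                   # rule 5
    if not _trusted(cert):
        return None
    return _unique(_search("secCertSerialNumber", cert["serial_number"]))


def rule_subject_cn(cert):                      # rule 6
    if not _trusted(cert):
        return None
    return _unique(_search("cn", cert["subject_cn"]))


def rule_subject_dn_attribute(cert):            # rule 7
    if not _trusted(cert):
        return None
    return _unique(_search("secCertDN", cert["subject_dn"]))


RULES = [rule_subject_dn_is_entry_dn, rule_user_certificate,
         rule_subject_and_issuer, rule_san_is_entry_dn, rule_serial_number,
         rule_subject_cn, rule_subject_dn_attribute]


def map_identity(cert, rules=RULES):
    """Apply the configured rules in order; the first unambiguous hit wins."""
    for rule in rules:
        dn = rule(cert)
        if dn is not None:
            return dn
    return None


if __name__ == "__main__":
    print(map_identity(CERT))
    rogue = dict(CERT, issuer_dn="CN=Rogue CA,O=Rogue,C=US", der=b"OTHER")
    print(map_identity(rogue))
```

Note how rule 6 fails for the sample certificate: two registry entries carry cn "Alice Smith", so a cn-based mapping is ambiguous and must not be resolved by picking the first search result. The rogue certificate with the same subject but a different issuer maps to nothing, because rules 1 and 4 to 7 refuse it on the issuer check, rule 3 builds a key containing the wrong issuer, and rule 2 compares the exact certificate bytes.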