Example
Michael's Music Company has two Web-based applications: an online royalties application and an online inventory application. The company has contracted VeriSign to issue certificates to its users, one certificate for each user. When one of the company's users connects to the royalties application, the user's certificate should be assigned the ROYALID user ID. When one of the company's users connects to the inventory application, the user's certificate should be assigned the INVID user ID.
The RACDCERT MAP and RDEFINE commands shown in Figure 1 create a full issuer's name filter that maps to these two user IDs based on the application being accessed by the user of the certificate. The RACDCERT command uses the MULTIID option to specify additional criteria contained in the DIGTCRIT class using the predefined variable &APPLID. The RDEFINE commands create two profiles in the DIGTCRIT class that associate each APPLID value with the user ID indicated by the APPLDATA value.
You can display mapping information for a MULTIID filter using the RACDCERT LISTMAP command with the LABEL option. For example:
RACDCERT MULTIID LISTMAP(LABEL('All Michael's Music Employees'))
Figure 2 shows sample output based on this RACDCERT LISTMAP command.
For details about using the RACDCERT MAP command with the MULTIID option, RACDCERT LISTMAP, and the RDEFINE command, see z/OS Security Server RACF Command Language Reference.
If a user certificate is used for additional applications and should be associated with a user ID for these applications, you can create a generic DIGTCRIT profile named APPLID=* to cover all other applications. For example, the addition of the following DIGTCRIT profile to the MULTIID filter created in Figure 1 specifies that the ALLAPPS user ID should be associated with all certificates used to access all other applications.
SETROPTS GENERIC(DIGTCRIT)
RDEFINE DIGTCRIT APPLID=* APPLDATA(ALLAPPS)
SETROPTS RACLIST(DIGTCRIT) REFRESH
Note: If the caller of the initACEE callable service does not specify the APPLID variable, only the APPLID=* profile in the DIGTCRIT class will be used to determine the RACF® user ID.
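The following command sequence is an added illustration of the complete MULTIID setup described above, written as a TSO CLIST fragment; it is not the content of Figure 1 or Figure 2 and is not taken from the IBM reference. The issuer's distinguished name in IDNFILTER and the two application IDs ROYALTY and INVENTRY are assumed values chosen for the example: a real installation uses the issuer name that appears in its VeriSign-issued certificates and the APPLID values that its two Web servers pass to initACEE.

```tso
/* Added example, not from the original page. The IDNFILTER value and    */
/* the APPLID values ROYALTY and INVENTRY are assumptions for this demo. */

/* 1. One MULTIID filter for every certificate from the company's CA.    */
/*    IDNFILTER is the full issuer's name (RDNs separated by '.');       */
/*    CRITERIA names the DIGTCRIT variable &APPLID, which RACF replaces  */
/*    with the application ID supplied by the caller of initACEE.        */
/*    The embedded apostrophe in the label is doubled per TSO quoting.   */
RACDCERT MULTIID MAP +
   IDNFILTER('OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc..L=Internet') +
   CRITERIA(APPLID=&APPLID) +
   WITHLABEL('All Michael''s Music Employees') +
   TRUST

/* 2. One DIGTCRIT profile per application: APPLDATA holds the user ID   */
/*    that a certificate receives when used against that application.    */
RDEFINE DIGTCRIT APPLID=ROYALTY  APPLDATA(ROYALID)
RDEFINE DIGTCRIT APPLID=INVENTRY APPLDATA(INVID)

/* 3. Generic catch-all for any other application. This is also the only */
/*    profile consulted when the initACEE caller passes no APPLID.       */
SETROPTS GENERIC(DIGTCRIT)
RDEFINE DIGTCRIT APPLID=* APPLDATA(ALLAPPS)

/* 4. DIGTCRIT is RACLISTed, so refresh before the new profiles apply.   */
SETROPTS RACLIST(DIGTCRIT) REFRESH

/* 5. Confirm the filter, its criteria and its trust status.             */
RACDCERT MULTIID LISTMAP(LABEL('All Michael''s Music Employees'))
```

Because the profiles are generic, the order matters for least privilege: review the ALLAPPS user ID's authority carefully, since every application that is not named by a specific DIGTCRIT profile (and every caller that omits APPLID) resolves to it.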