Example

Michael's Music Company has two Web-based applications: an online royalties application, and an online inventory application. The company has contracted VeriSign to issue certificates to its users, one certificate for each user. When one of the company's users connects to the royalties application, the user's certificate should be assigned the ROYALID user ID. When one of the company's users connects to the inventory application, the user's certificate should be assigned the INVID user ID.

The RACDCERT MAP and RDEFINE commands shown in Figure 1 create a full issuer's name filter that maps these two user IDs based on the application being accessed by the user of the certificate. The RACDCERT command uses the MULTIID option to specify additional criteria contained in the DIGTCRIT class using the predefined variable &APPLID. The RDEFINE commands create two profiles in the DIGTCRIT class that associate each APPLID value with the user ID indicated by the APPLDATA value.

Figure 1. Sample RACDCERT MAP and RDEFINE commands for mapping multiple user IDs
RACDCERT MULTIID MAP WITHLABEL('All Michael''s Music Employees') TRUST
         IDNFILTER('OU=Michael''s Music General Subscriber.O=VeriSign,
                   Inc.L=Internet')
         CRITERIA(APPLID=&APPLID)
SETROPTS RACLIST(DIGTNMAP) REFRESH

RDEFINE  DIGTCRIT APPLID=EROYAL APPLDATA(ROYALID)
RDEFINE  DIGTCRIT APPLID=EINV APPLDATA(INVID)
SETROPTS RACLIST(DIGTCRIT) REFRESH

You can display mapping information for a MULTIID filter using the RACDCERT LISTMAP command with the LABEL option. For example:

RACDCERT MULTIID LISTMAP(LABEL('All Michael''s Music Employees'))

Figure 2 shows sample output based on this RACDCERT LISTMAP command.

Figure 2. Sample output from the LISTMAP command for a MULTIID filter
Mapping information for MULTIID:
 Label: All Michael's Music Employees
 Status: TRUST
 Issuer's Name Filter:
      >OU=Michael's Music General Subscriber.O=VeriSign, Inc.L=Internet<
 Subject's Name Filter:
      ><
 Criteria:
      APPLID=&APPLID

For details about using the RACDCERT MAP command with the MULTIID option, RACDCERT LISTMAP, and the RDEFINE command, see z/OS Security Server RACF Command Language Reference.

If a user certificate is used for additional applications and should be associated with a user ID for these applications, you can create a generic DIGTCRIT profile named APPLID=* to cover all other applications. For example, the addition of the following DIGTCRIT profile to the MULTIID filter created in Figure 1 specifies that the ALLAPPS user ID should be associated with all certificates used to access all other applications.

SETROPTS GENERIC(DIGTCRIT)
RDEFINE DIGTCRIT APPLID=* APPLDATA(ALLAPPS)
SETROPTS RACLIST(DIGTCRIT) REFRESH

Note: If the caller of the initACEE callable service does not specify the APPLID variable, only the APPLID=* profile in the DIGTCRIT class will be used to determine the RACF® user ID.
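
The lookup described above, including the APPLID=* fallback and the Note, can be previewed offline with a small model. This Python sketch is an added example, not IBM code and not how RACF is implemented; it assumes a discrete DIGTCRIT profile takes precedence over the generic one and considers only the all-'*' generic form. The function names are hypothetical.

```python
import re

# Constructed input: the RDEFINE DIGTCRIT commands shown on this page.
RDEFINES = """\
RDEFINE  DIGTCRIT APPLID=EROYAL APPLDATA(ROYALID)
RDEFINE  DIGTCRIT APPLID=EINV APPLDATA(INVID)
RDEFINE DIGTCRIT APPLID=* APPLDATA(ALLAPPS)
"""
CRITERIA = "APPLID=&APPLID"  # CRITERIA value of the MULTIID filter

RDEFINE_RE = re.compile(r"^\s*RDEFINE\s+DIGTCRIT\s+(\S+)\s+APPLDATA\((\w+)\)\s*$", re.I)


def load_profiles(text):
    """Return {profile name: user ID} parsed from RDEFINE DIGTCRIT lines."""
    profiles = {}
    for line in text.splitlines():
        m = RDEFINE_RE.match(line)
        if m:
            profiles[m.group(1).upper()] = m.group(2).upper()
    return profiles


def resolve(profiles, applid=None, criteria=CRITERIA):
    """Simplified model: return (user ID, matched profile) or (None, None).

    Assumptions: a discrete profile beats the generic one, and a caller that
    supplies no APPLID can match only the all-'*' profile (per the Note).
    """
    generic = criteria.replace("&APPLID", "*")
    if applid is not None:
        name = criteria.replace("&APPLID", applid.upper())
        if name in profiles:
            return profiles[name], name
    if generic in profiles:
        return profiles[generic], generic
    return None, None


def audit(profiles, applids):
    """List APPLIDs that do not resolve to a discrete profile of their own."""
    findings = []
    for a in applids:
        user, matched = resolve(profiles, a)
        if user is None:
            findings.append((a, "no user ID"))
        elif "*" in matched:
            findings.append((a, f"falls through to {user}"))
    return findings
```

Calling audit() with the APPLID values your applications pass to initACEE shows which of them would run under the catch-all ALLAPPS user ID rather than a dedicated one.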