z/OS Security Server RACF Security Administrator's Guide


Using an existing certificate as a model

SA23-2289-00

An existing digital certificate can be used as a model for a certificate name filter if it is available in a cataloged data set. When the RACDCERT MAP command is issued with the MAP(data-set-name) option, the certificate stored in that data set serves as the model for the subject's name filter, the issuer's name filter, or both. The subject's distinguished name from the certificate is used beginning with the value specified on the SDNFILTER operand, and the issuer's distinguished name from the certificate is used beginning with the value specified on the IDNFILTER operand.

For example, let's assume that Ines Soto's certificate is available in data set 'CERTADM.SOTO', and that it contains the following subject's and issuer's names:

CN=Ines Soto.OU=Admin.OU=New York.OU=US.O=World Sales Corp

OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet

The RACDCERT MAP commands shown in Figure 1 can be used to create certificate name filters using Ines Soto's certificate as a model. Note that only the starting point for each filter needs to be specified to indicate where the filter name should begin.

Figure 1. Sample RACDCERT MAP commands using a model certificate

RACDCERT ID(WEBUSER) MAP('CERTADM.SOTO') WITHLABEL('INTERNET OTHERS')
   IDNFILTER('OU=') TRUST
RACDCERT ID(NYUSER)  MAP('CERTADM.SOTO') WITHLABEL('NY OTHERS')
   SDNFILTER('OU=N') TRUST
RACDCERT ID(NYADMIN) MAP('CERTADM.SOTO') WITHLABEL('NY SALES REPS')
   SDNFILTER('OU=') IDNFILTER('OU=') TRUST
SETROPTS RACLIST(DIGTNMAP) REFRESH
The RACDCERT MAP commands in Figure 2 can be used to create the same certificate name filters as those created by the RACDCERT MAP commands in Figure 1. Note that the RACDCERT commands in Figure 1, which use the model certificate, are shorter and might minimize typographic errors when defining long filter names.

Figure 2. Sample RACDCERT MAP commands not using a model certificate

RACDCERT ID(WEBUSER) MAP WITHLABEL('INTERNET OTHERS') TRUST
   IDNFILTER('OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet')
RACDCERT ID(NYUSER)  MAP WITHLABEL('NY OTHERS') TRUST
   SDNFILTER('OU=New York.OU=US.O=World Sales Corp')
RACDCERT ID(NYADMIN) MAP WITHLABEL('NY ADMIN') TRUST
   SDNFILTER('OU=Admin.OU=New York.OU=US.O=World Sales Corp')
   IDNFILTER('OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet')
SETROPTS RACLIST(DIGTNMAP) REFRESH
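The derivation that the two figures illustrate, as an added example that is not from the IBM manual: a Python script that takes the SDNFILTER/IDNFILTER starting values of Figure 1 and expands them against the model certificate's names into the full filter names written out in Figure 2. The subject and issuer names are the ones given above for 'CERTADM.SOTO'; treating a starting value that does not occur in the model name as an error is this script's assumption, not a description of how RACF reports that case.

```python
# Added example, not IBM code: expands the SDNFILTER/IDNFILTER starting
# values of a RACDCERT MAP command that names a model certificate into the
# full filter names, and checks them against the literal filters of Figure 2.
from typing import Dict, Optional

# Subject and issuer names of the page's model certificate 'CERTADM.SOTO'.
MODEL_SUBJECT_DN = "CN=Ines Soto.OU=Admin.OU=New York.OU=US.O=World Sales Corp"
MODEL_ISSUER_DN = "OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet"


def filter_from_model(model_dn: str, start_value: str) -> str:
    """Return the trailing part of model_dn that begins at the first
    occurrence of start_value; this is the filter name that RACDCERT MAP
    builds when MAP(data-set-name) supplies the model certificate."""
    pos = model_dn.find(start_value)
    if pos == -1:
        # Assumption of this script: a starting value that is absent from
        # the model name cannot produce a filter, so reject it.
        raise ValueError(f"{start_value!r} does not occur in {model_dn!r}")
    return model_dn[pos:]


def expand_map_command(model_subject: str, model_issuer: str,
                       sdnfilter: Optional[str] = None,
                       idnfilter: Optional[str] = None) -> Dict[str, str]:
    """Expand one Figure 1 style command into its Figure 2 style filters."""
    filters: Dict[str, str] = {}
    if sdnfilter is not None:
        filters["SDNFILTER"] = filter_from_model(model_subject, sdnfilter)
    if idnfilter is not None:
        filters["IDNFILTER"] = filter_from_model(model_issuer, idnfilter)
    return filters


# The three Figure 1 commands, keyed by their WITHLABEL values.
FIGURE1_COMMANDS = {
    "INTERNET OTHERS": {"idnfilter": "OU="},
    "NY OTHERS": {"sdnfilter": "OU=N"},
    "NY SALES REPS": {"sdnfilter": "OU=", "idnfilter": "OU="},
}


def expand_figure1() -> Dict[str, Dict[str, str]]:
    """Full filter names for every Figure 1 command, per label."""
    return {label: expand_map_command(MODEL_SUBJECT_DN, MODEL_ISSUER_DN, **args)
            for label, args in FIGURE1_COMMANDS.items()}


if __name__ == "__main__":
    for label, filters in expand_figure1().items():
        print(label, filters)
```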

Copyright IBM Corporation 1990, 2014