z/OS Security Server RACF Security Administrator's Guide


Details for processing subject's and issuer's name filters

SA23-2289-00

Timo presents a digital certificate that is not registered with RACF®. The following represents the sequence of processing that RACF, specifically the initACEE callable service, will complete in order to process full and partial subject's names.
  1. The sequence shown in How RACF processes certificate name filters is followed until the full subject's name and issuer's name are used to check for a matching profile in the DIGTNMAP class, to determine whether there is an applicable certificate name filter.

    Result: No DIGTNMAP profile is found to match:

    CN=Timo Kokkonen.OU=Sales.OU=Los Angeles.OU=US.O=World Sales Corp | OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet

  2. A partial subject's name is formed by removing the most specific node (the CN node) and used to check for a matching profile in the DIGTNMAP class.

    Result: No DIGTNMAP profile is found to match:

    OU=Sales.OU=Los Angeles.OU=US.O=World Sales Corp | OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet

  3. The next partial subject's name is formed by removing the next most specific node (OU=Sales) and used to check for a matching profile in the DIGTNMAP class.

    Result: No DIGTNMAP profile is found to match:

    OU=Los Angeles.OU=US.O=World Sales Corp | OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet

  4. The next partial subject's name is formed by removing the next most specific node (OU=Los Angeles) and used to check for a matching profile in the DIGTNMAP class.

    Result: No DIGTNMAP profile is found to match:

    OU=US.O=World Sales Corp | OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet

  5. The last partial subject's name is formed by removing the next most specific node (OU=US) and used to check for a matching profile in the DIGTNMAP class.

    Result: No DIGTNMAP profile is found to match:

    O=World Sales Corp | OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet

  6. The full issuer's name is then used to check for a matching profile in the DIGTNMAP class.

    Result: A DIGTNMAP profile is found to match:

    OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet

  7. Processing by initACEE continues using the user ID WEBUSER for Timo's certificate.
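
The lookup order in steps 1 through 6 can be modeled in a few lines of Python. This is an added example, not IBM or RACF code. The function names, the dictionary standing in for DIGTNMAP profiles, and the rule for splitting nodes are assumptions, and it covers only the steps shown on this page.

```python
import re

# Nodes are joined with "."; split only where a period is followed by an
# attribute type such as "OU=" so periods inside values survive (assumption).
NODE_SEP = re.compile(r"\.(?=[A-Za-z]+=)")


def lookup_sequence(subject, issuer):
    """Yield the names tried, in the order the page walks through them."""
    nodes = NODE_SEP.split(subject)
    # Steps 1-5: full subject, then partial subjects with the most specific
    # (leftmost) node removed each time, always paired with the full issuer.
    for i in range(len(nodes)):
        yield ".".join(nodes[i:]) + " | " + issuer
    # Step 6: the full issuer's name on its own.
    yield issuer


def resolve_user(subject, issuer, filters):
    """Return (step, matched_name, user_id) for the first match, else None."""
    for step, name in enumerate(lookup_sequence(subject, issuer), start=1):
        if name in filters:
            return step, name, filters[name]
    return None


# Names copied from the page; the filter table itself is constructed.
SUBJECT = "CN=Timo Kokkonen.OU=Sales.OU=Los Angeles.OU=US.O=World Sales Corp"
ISSUER = "OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet"
FILTERS = {ISSUER: "WEBUSER"}

if __name__ == "__main__":
    for n, name in enumerate(lookup_sequence(SUBJECT, ISSUER), start=1):
        print(n, name)
    print(resolve_user(SUBJECT, ISSUER, FILTERS))
```

A match at the final step means the mapping came from an issuer-only filter, which applies to every certificate from that issuer that no more specific filter matched.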





Copyright IBM Corporation 1990, 2014