How RACF processes certificate name filters
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00
When a user presents a digital certificate as identification and the initACEE callable service is called to associate the certificate with a user ID, initACEE first searches the DIGTCERT class using the certificate's serial number and issuer's distinguished name to see if the certificate was previously registered to RACF®. If no match is found in the DIGTCERT class, initACEE attempts to locate an appropriate certificate name filter by searching the DIGTNMAP class using a series of full and partial distinguished names until the most specific matching filter is found. If no match is found, and the certificate does not contain a hostIdMappings extension (see Using a hostIdMappings extension), the certificate cannot be used to identify the user to RACF.
The following values are used in sequence to search for a matching certificate name filter:
As soon as a matching certificate name filter is found, the user ID associated with the filter is used to identify the user of the certificate.
Note that searching is not done for the following values:
Each step of the search using a partial name might actually involve a series of searches for partial name values based on the full name. Each partial name value in the series is determined by removing the next most specific node in the name. For details on searching for a series of partial name values, see the next example using Timo's certificate.
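The lookup described above, as an added Python model that is not code from the IBM guide and not how RACF is implemented: an exact match on serial number and issuer name is tried first, then name filters are tried from most to least specific, with each partial-name series built by dropping the most specific node. The dictionaries standing in for the DIGTCERT and DIGTNMAP classes, the comma-separated DN strings, the sample values, and the order in which subject and issuer combinations are tried are assumptions of this example.

```python
# Simplified model of the lookup order described above; not RACF code.
# DNs are most-specific-node-first, comma-separated (no escaped commas).

def partial_names(dn):
    """Series of partial names: drop the most specific node, one at a time."""
    nodes = [n.strip() for n in dn.split(",")]
    return [",".join(nodes[i:]) for i in range(1, len(nodes))]

def candidates(subject, issuer):
    """Yield (subject, issuer) filter keys, most specific first.
    ASSUMPTION: the order of these combinations is this example's choice."""
    yield (subject, issuer)                      # both full names
    yield from ((s, issuer) for s in partial_names(subject))
    yield (subject, None)                        # subject only
    yield from ((s, None) for s in partial_names(subject))
    yield (None, issuer)                         # issuer only
    yield from ((None, i) for i in partial_names(issuer))

def map_certificate(serial, subject, issuer, digtcert, digtnmap):
    """Return (user_id, matched_on); user_id is None when nothing matches."""
    # Step 1: certificate registered under serial number + issuer DN.
    if (serial, issuer) in digtcert:
        return digtcert[(serial, issuer)], "DIGTCERT"
    # Step 2: name filters; the first hit is the most specific one.
    for key in candidates(subject, issuer):
        if key in digtnmap:
            return digtnmap[key], key
    return None, None

# Constructed sample data (DNs, serial numbers and user IDs are made up).
SUBJECT = "CN=Timo,OU=Dev,O=Example,C=FI"
ISSUER = "OU=Example CA,O=Example,C=FI"
DIGTCERT = {("01A4", ISSUER): "TIMO"}
DIGTNMAP = {
    ("OU=Dev,O=Example,C=FI", ISSUER): "DEVUSER",   # narrow filter
    ("O=Example,C=FI", None): "EXUSER",             # broader, subject only
    (None, "C=FI"): "GUEST",                        # very broad, issuer only
}

if __name__ == "__main__":
    for serial, subj, iss in [("01A4", SUBJECT, ISSUER),
                              ("09FF", SUBJECT, ISSUER),
                              ("0001", SUBJECT, "CN=Other CA,C=FI"),
                              ("0002", "CN=X,C=SE", "CN=Other CA,C=SE")]:
        print(serial, map_certificate(serial, subj, iss, DIGTCERT, DIGTNMAP))
```

Returning the matched key alongside the user ID makes it easy to see when a broad filter, such as the issuer-only entry, is the one granting an identity.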
Copyright IBM Corporation 1990, 2014