z/OS Security Server RACF Security Administrator's Guide


How RACF processes certificate name filters

SA23-2289-00

When a user presents a digital certificate as identification and the initACEE callable service is called to associate the certificate with a user ID, initACEE first searches the DIGTCERT class using the certificate's serial number and issuer's distinguished name to see if the certificate was previously registered to RACF®. If no match is found in the DIGTCERT class, initACEE attempts to locate an appropriate certificate name filter by searching the DIGTNMAP class using a series of full and partial distinguished names until the most specific matching filter is found. If no match is found, and the certificate does not contain a hostIdMappings extension (see Using a hostIdMappings extension), the certificate cannot be used to identify the user to RACF.

The following values are used in sequence to search for a matching certificate name filter:
  1. subject's-full-name.issuer's-full-name
  2. subject's-partial-name.issuer's-full-name
  3. subject's-full-name
  4. subject's-partial-name
  5. issuer's-full-name
  6. issuer's-partial-name
As soon as a matching certificate name filter is found, the user ID associated with the filter is used to identify the user of the certificate. Note that searching is not done for the following values:
  subject's-full-name.issuer's-partial-name
  subject's-partial-name.issuer's-partial-name

Each step of the search using a partial name might actually involve a series of searches for partial name values based on the full name. Each partial name value in the series is determined by removing the next most specific node in the name. For details on searching for a series of partial name values, see the next example using Timo's certificate.
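The following Python is an added example (not RACF code, and not the Timo example the text refers to) that models the search sequence described above. It assumes distinguished names are given as lists of RDN strings from most specific to least specific, models the DIGTNMAP class as a dict keyed by (subject filter, issuer filter) tuples where "" means the filter does not name that side, and assumes the partial-name series runs down to the least specific single node; RACF's actual profile-name syntax is not reproduced.

```python
def join_dn(nodes):
    """Join RDN nodes (most specific first) with periods, e.g. CN=Timo.OU=Loans.C=US."""
    return ".".join(nodes)


def partial_names(nodes):
    """Yield the partial names in search order. Each one drops the next most
    specific (leftmost) node of the full name; the series is assumed to
    continue down to the least specific single node."""
    for i in range(1, len(nodes)):
        yield join_dn(nodes[i:])


def candidate_keys(subject, issuer):
    """Yield (subject_filter, issuer_filter) keys in the sequence the text
    gives (values 1 to 6). Subject-with-partial-issuer keys are never yielded,
    matching the note that those combinations are not searched."""
    full_s, full_i = join_dn(subject), join_dn(issuer)
    yield (full_s, full_i)                    # 1. subject-full.issuer-full
    for p in partial_names(subject):          # 2. subject-partial.issuer-full
        yield (p, full_i)
    yield (full_s, "")                        # 3. subject-full
    for p in partial_names(subject):          # 4. subject-partial
        yield (p, "")
    yield ("", full_i)                        # 5. issuer-full
    for p in partial_names(issuer):           # 6. issuer-partial
        yield ("", p)


def find_user(filters, subject, issuer):
    """Return the user ID of the first (most specific) matching filter, or
    None when no filter matches (a caller would then fall back to a
    hostIdMappings extension, if the certificate carries one)."""
    for key in candidate_keys(subject, issuer):
        if key in filters:
            return filters[key]
    return None


# Constructed sample DIGTNMAP contents and certificate names (not real data).
SAMPLE_FILTERS = {
    ("OU=Loans.O=Example Bank.C=US", "CN=Example CA.O=Example Bank.C=US"): "LOANUSR",
    ("", "CN=Example CA.O=Example Bank.C=US"): "BANKUSR",
    ("", "O=Other CA.C=US"): "OTHERUSR",
}
TIMO_SUBJECT = ["CN=Timo", "OU=Loans", "O=Example Bank", "C=US"]
TIMO_ISSUER = ["CN=Example CA", "O=Example Bank", "C=US"]
ANNA_SUBJECT = ["CN=Anna", "OU=Audit", "O=Example Bank", "C=US"]
STRANGER_SUBJECT = ["CN=X", "O=Elsewhere", "C=US"]
STRANGER_ISSUER = ["CN=Some CA", "O=Other CA", "C=US"]
```

Timo's certificate resolves to LOANUSR at step 2 (departmental filter with the full issuer), Anna's falls through to the issuer-only filter BANKUSR, and a filter that names the subject together with a partial issuer never matches because that combination is not in the search sequence.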

Copyright IBM Corporation 1990, 2014