z/OS Security Server RACF Security Administrator's Guide


Creating certificate name filters

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

You create certificate name filters using the RACDCERT MAP command. RACF® (specifically, the initACEE callable service) uses certificate name filters to analyze the subject's and issuer's distinguished names in a given certificate and determine the user ID to associate with it. You can create filters based on the issuer's full distinguished name in order to administer all certificates from a given issuer as a single user ID. You can also create filters based on portions of the subject's distinguished name, and a variety of filters based on certain combinations of partial and full distinguished names. See Types of certificate name filters.

Example:

The RACDCERT MAP command shown in Figure 1 creates a certificate name filter based on the issuer's full distinguished name. This filter associates the user ID WEBUSER with any user who presents a certificate issued by VeriSign Class 1 and who does not have an individual certificate registered with RACF on your system.
Figure 1. Sample RACDCERT MAP command for creating an issuer's name filter
RACDCERT ID(WEBUSER) MAP WITHLABEL('INTERNET OTHERS') TRUST
   IDNFILTER('OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet')
SETROPTS RACLIST(DIGTNMAP) REFRESH

See z/OS Security Server RACF Command Language Reference for more information about the RACDCERT MAP command.
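
The following Python audit is an added example, not IBM's code. It reads RACDCERT MAP commands in the form shown in Figure 1 and reports, for each filter, the user ID it maps to, whether it covers a whole issuer, and whether a SETROPTS RACLIST(DIGTNMAP) REFRESH follows it. The sample input is constructed from Figure 1; SDNFILTER is the RACDCERT MAP keyword for subject filters, which this page does not show, and folding indented lines into the preceding command is an assumption about how the script is laid out.

```python
import re

# Constructed sample: the two commands from Figure 1, laid out as in an admin script.
SAMPLE = """\
RACDCERT ID(WEBUSER) MAP WITHLABEL('INTERNET OTHERS') TRUST
   IDNFILTER('OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet')
SETROPTS RACLIST(DIGTNMAP) REFRESH
"""

MAP_RE = re.compile(r"RACDCERT\s+ID\(([^)]+)\)\s+MAP\b(.*)", re.I)
REFRESH_RE = re.compile(r"SETROPTS\s+RACLIST\(DIGTNMAP\)\s+REFRESH\b", re.I)

def split_commands(text):
    """Fold indented lines into the command above them (layout assumption)."""
    cmds = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and cmds:
            cmds[-1] += " " + line.strip()
        else:
            cmds.append(line.strip())
    return cmds

def operand(keyword, text):
    """Return the quoted value of KEYWORD('value'), or None if absent."""
    m = re.search(r"\b" + keyword + r"\('([^']*)'\)", text, re.I)
    return m.group(1) if m else None

def audit(text):
    """List every name filter with the facts a reviewer checks first."""
    cmds = split_commands(text)
    report = []
    for i, cmd in enumerate(cmds):
        m = MAP_RE.match(cmd)
        if not m:
            continue
        user, rest = m.group(1), m.group(2)
        idn, sdn = operand("IDNFILTER", rest), operand("SDNFILTER", rest)
        scope = "+".join(n for n, v in (("subject", sdn), ("issuer", idn)) if v)
        keywords = re.sub(r"'[^']*'", "", rest)  # ignore text inside quoted values
        report.append({
            "user": user, "label": operand("WITHLABEL", rest),
            "trusted": re.search(r"\bTRUST\b", keywords, re.I) is not None,
            "scope": scope, "issuer_filter": idn,
            # An issuer-only filter maps every unregistered certificate from that issuer to one ID.
            "whole_issuer": scope == "issuer",
            "refresh_follows": any(REFRESH_RE.match(c) for c in cmds[i + 1:]),
        })
    return report
```

Calling audit(SAMPLE) returns one entry for WEBUSER, marked as a whole-issuer filter with a refresh following it.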





Copyright IBM Corporation 1990, 2014