Defining a private user registry type in EIM

When you create an Enterprise Identity Mapping (EIM) registry definition, you can specify one of a number of predefined user registry types to represent an actual user registry that exists on a system within the enterprise.

Although the predefined registry definition types cover most operating system user registries, you may need to create a registry definition for which EIM does not include a predefined registry type. You have two options in this situation. You can either use an existing registry definition that matches the characteristics of your user registry, or you can define a private user registry type.

To define a user registry type that EIM is not predefined to recognize, you must use an object identifier (OID) to specify the registry type in the form of ObjectIdentifier-normalization, where ObjectIdentifier is a dotted-decimal object identifier, such as 1.2.3.4.5.6.7, and normalization is either the value caseExact or the value caseIgnore. For example, the object identifier (OID) for IBM® i is 1.3.18.0.2.33.2-caseIgnore.

You should obtain any OIDs that you need from legitimate OID registration authorities to ensure that you create and use unique OIDs. Unique OIDs help you avoid potential conflicts with OIDs created by other organizations or applications.

There are two ways of obtaining OIDs:

  • Register the objects with an authority. This method is a good choice when you need a small number of fixed OIDs to represent information. For example, these OIDs might represent certificate policies for users in your enterprise.
  • Obtain an arc assignment from a registration authority and assign your own OIDs as needed. This method, which is a dotted-decimal object-identifier range assignment, is a good choice if you need a large number of OIDs, or if your OID assignments are subject to change. The arc assignment consists of the beginning dotted-decimal numbers on which you must base your ObjectIdentifier. For example, the arc assignment could be 1.2.3.4.5. You could then create OIDs by adding to this basic arc. For example, you could create OIDs in the form 1.2.3.4.5.x.x.x.
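
The following check is an added example, not part of the original page or of the EIM product: it validates a registry type string in the ObjectIdentifier-normalization form and confirms that the OID extends the arc assigned to your organization. The function names are hypothetical, the normalization value is assumed to be matched with exact case, and 1.2.3.4.5 is the page's illustrative arc rather than a real assignment.

```python
import re

# One arc: decimal digits with no leading zero. An OID needs at least two arcs.
_OID_RE = re.compile(r"(0|[1-9]\d*)(\.(0|[1-9]\d*))+")
# The two values the page names; exact-case matching is an assumption.
_NORMALIZATIONS = ("caseExact", "caseIgnore")


def parse_registry_type(value):
    """Split 'ObjectIdentifier-normalization' into (arcs, normalization)."""
    oid, sep, normalization = value.partition("-")
    if not sep:
        raise ValueError(f"missing '-normalization' suffix: {value!r}")
    if normalization not in _NORMALIZATIONS:
        raise ValueError(f"normalization must be one of {_NORMALIZATIONS}: {value!r}")
    if not _OID_RE.fullmatch(oid):
        raise ValueError(f"not a dotted-decimal object identifier: {oid!r}")
    return tuple(int(arc) for arc in oid.split(".")), normalization


def is_under_arc(arcs, assigned_arc):
    """True when arcs extends assigned_arc by at least one more number.

    Arcs are compared as integers, so 1.2.3.4.50 is not mistaken for a child
    of 1.2.3.4.5 the way a plain string-prefix test would.
    """
    base = tuple(int(arc) for arc in assigned_arc.split("."))
    return len(arcs) > len(base) and arcs[:len(base)] == base


def check_private_registry_type(value, assigned_arc):
    """Return (oid, normalization) or raise ValueError with the reason."""
    arcs, normalization = parse_registry_type(value)
    if not is_under_arc(arcs, assigned_arc):
        raise ValueError(f"{value!r} is outside assigned arc {assigned_arc}")
    return ".".join(str(arc) for arc in arcs), normalization


if __name__ == "__main__":
    # Constructed inputs; 1.2.3.4.5 is the page's illustrative arc.
    for candidate in ("1.2.3.4.5.6.7-caseExact", "1.2.3.4.50.1-caseIgnore",
                      "1.2.3.4.5.6.7", "1.2.3.4.5.06-caseExact"):
        try:
            print("ok  ", check_private_registry_type(candidate, "1.2.3.4.5"))
        except ValueError as err:
            print("FAIL", err)
```

Running a check like this before creating the registry definition catches a mistyped suffix or an OID that strays outside your assigned arc, either of which could collide with a type defined by another organization or application.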

You can learn more about registering your OIDs with a registration authority by reviewing these Internet resources:

  • American National Standards Institute (ANSI) is the registration authority for the United States for organization names under the global registration process established by the International Standards Organization (ISO) and the International Telecommunication Union (ITU). A fact sheet in Microsoft Word format about applying for a Registered Application Provider Identifier (RID) is located at the ANSI Public Document Library Web site http://publicaa.ansi.org/sites/apdl/default.aspx. You can find the fact sheet by selecting Other Services > Registration Programs. The ANSI OID arc for organizations is 2.16.840.1. ANSI charges a fee for OID arc assignments. It takes approximately two weeks to receive the assigned OID arc from ANSI. ANSI will assign a number (NEWNUM) to create a new OID arc; for example: 2.16.840.1.NEWNUM.
  • In most countries or regions, the national standards association maintains an OID registry. As with the ANSI arc, these are generally arcs assigned under the OID 2.16. It may take some investigation to find the OID authority for a particular country or region.
  • The Internet Assigned Numbers Authority (IANA) assigns private enterprise numbers, which are OIDs, in the arc 1.3.6.1.4.1. IANA has assigned arcs to over 7500 companies to date. The application page is located at http://www.iana.org/cgi-bin/enterprise.pl, under Private Enterprise Numbers. The IANA usually takes about one week. An OID from IANA is free. IANA will assign a number (NEWNUM) so that the new OID arc will be 1.3.6.1.4.1.NEWNUM.
  • The U.S. Federal Government maintains the Computer Security Objects Registry (CSOR). The CSOR is the naming authority for the arc 2.16.840.1.101.3, and is currently registering objects for security labels, cryptographic algorithms, and certificate policies. The certificate policy OIDs are defined in the arc 2.16.840.1.101.3.2.1. The CSOR provides policy OIDs to agencies of the U.S. Federal Government. For more information about the CSOR, review http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/.