

SDNFILTR Keyword—Portion of DN for Filter

Valid on z/OS.

Use the SDNFILTR keyword to specify the significant portion of the subject's distinguished name used as a filter when associating an ACID with a digital certificate on a TSS ADD CERTMAP command. The SDNFILTR data must match a portion of the subject's distinguished name extracted from the certificate. The distinguished name from the point of the match to the end of the name is used as the filter data.

When specified with DCDSN, the filter must correspond to a starting point within the subject's distinguished name found in the certificate contained in the data set. Specify enough of the name to precisely identify the starting point for the filter.

For example, if the certificate in the data set has CN=Bob Smith.OU=BobsAccountingDept.O=BobsMart.L=internet as a subject and you want all certificates for anyone in Bob's Accounting Department selected by this filter, specify:

SDNFILTR('OU=BobsAcc')

Without the data set containing the certificate, enter the following to produce the same result:

SDNFILTR('OU=BobsAccountingDept.O=BobsMart.L=internet')

SDNFILTR is optional if the issuer's distinguished name filter (IDNFILTR) is specified. If SDNFILTR is not specified, only the issuer's name is used as a filter. SDNFILTR must not be specified with IDNFILTR unless the value of IDNFILTR will result in the entire issuer's name being used in the filter. Note that the subject's name can be partial but cannot be used in a filter that contains only a partial issuer's name.

A maximum of 255 characters can be entered for SDNFILTR if the SDNSIZE(255) control option is specified. A maximum of 1024 characters can be entered for SDNFILTR if the SDNSIZE(1024) control option is specified. When a starting value is specified for a certificate contained in a data set, there cannot be more than 255 or 1024 characters, depending on the SDNSIZE setting, between the starting point and the end of the issuer's name in the certificate.
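The starting-point rule, the size limit and the resulting scope of a filter can be checked before the command is issued. The following Python model is an added example, not CA Top Secret code. Assumptions: the function names are hypothetical, the second and third sample subjects are constructed, and the rule that a certificate is selected when its subject DN ends with the filter data is inferred from the Bob's Accounting Department example above.

```python
# Added illustration of the SDNFILTR rules on this page; not CA Top Secret code.
# Assumption: a certificate is selected when its subject DN ends with the
# filter data at a component boundary, with case and blanks preserved.

def derive_filter(subject_dn, start, sdnsize=255):
    """Filter data for a starting value given with DCDSN: the subject DN
    from the point of the match to the end of the name."""
    if sdnsize not in (255, 1024):
        raise ValueError("SDNSIZE is 255 or 1024")
    if "=" not in start:
        raise ValueError("value must begin with a prefix followed by '='")
    # Modelling choice: a match counts only at the start of a component.
    hits = [i for i in range(len(subject_dn))
            if subject_dn.startswith(start, i)
            and (i == 0 or subject_dn[i - 1] == ".")]
    if not hits:
        raise ValueError("starting value not found in the subject DN")
    if len(hits) > 1:
        # Modelling choice: refuse a value that does not identify one point.
        raise ValueError("ambiguous starting value; specify more of the name")
    filter_data = subject_dn[hits[0]:]
    if len(filter_data) > sdnsize:
        raise ValueError("filter data exceeds the SDNSIZE limit")
    return filter_data

def selected(subject_dn, filter_data):
    """Apply the assumed selection rule to one certificate subject."""
    if not subject_dn.endswith(filter_data):
        return False
    cut = len(subject_dn) - len(filter_data)
    return cut == 0 or subject_dn[cut - 1] == "."

# First subject is the page's example; the other two are constructed.
SUBJECTS = [
    "CN=Bob Smith.OU=BobsAccountingDept.O=BobsMart.L=internet",
    "CN=Ann Lee.OU=BobsAccountingDept.O=BobsMart.L=internet",
    "CN=Joe Roe.OU=BobsShippingDept.O=BobsMart.L=internet",
]

def audit(start, subjects=SUBJECTS):
    """Return the derived filter and the subjects it would select."""
    filter_data = derive_filter(subjects[0], start)
    return filter_data, [s for s in subjects if selected(s, filter_data)]

if __name__ == "__main__":
    for start in ("OU=BobsAcc", "O=BobsMart"):
        filter_data, matched = audit(start)
        print(f"SDNFILTR('{start}') -> '{filter_data}' selects {len(matched)} of {len(SUBJECTS)}")
```

In this model the starting value O=BobsMart selects all three sample subjects, while OU=BobsAcc selects only the two in the accounting department, which is the difference in scope to review before mapping certificates to an ACID.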

This keyword has the following format:

The SDNFILTR value must be enclosed in quotes.

TSS ADDTO(acid) CERTMAP(recid)
                SDNFILTR('subjectdistnamefilter')

'subjectdistnamefilter'

Specifies the significant portion of the subject's distinguished name to be used as a filter. The value specified for SDNFILTR must begin with a prefix found in the following list, followed by an equal sign (X'7E'). Each component should be separated by a period (X'4B'). The case, blanks, and punctuation displayed when the digital certificate information is listed must be maintained in the SDNFILTR. Since digital certificates only contain characters available in the ASCII character set, the same characters should be used for the SDNFILTR value. Valid prefixes are:

This keyword is used with:

Example: SDNFILTR keyword

This example assigns users who enter the system with a certificate subject of OU=Dept3.OU=NY.OU=Sales.O=ABC Co to the ACID NYDEPT3.

TSS ADDTO(NYDEPT3) CERTMAP(NJMAP3)
                   LABLCMAP('NY Dept 3 Map')
                   TRUST
                   SDNFILTR('OU=Dept3.OU=NY.OU=Sales.O=ABC Co')