

IDNFILTR Keyword—Specify a Distinguished Name Filter

Valid on z/OS.

Use the IDNFILTR keyword to specify the significant portion of the issuer's distinguished name used as a filter when associating an ACID with a digital certificate. The IDNFILTR data must match a portion of the issuer's distinguished name extracted from the certificate. The distinguished name from the point of the match to the end of the name is used as the filter data.

When specified with DCDSN, the filter must correspond to a starting point within the issuer's distinguished name found in the certificate contained in the data set. Specify enough of the name to precisely identify the starting point for the filter. For example, suppose the certificate in the data set has the issuer shown below and you want this filter to select all certificates issued by BobsCertAuth:

OU=Class 1 Cerificate.O=BobsCertAuth,Inc.L=internet.C=US

Specify:

IDNFILTR('O=BobsCertAuth')

Without the data set containing the certificate, enter the following to produce the same result:

IDNFILTR('O=BobsCertAuth,Inc.L=internet.C=US')

IDNFILTR is optional if the subject's distinguished name filter (SDNFILTR) is specified. If IDNFILTR is not specified, only the subject's name is used as the filter. If IDNFILTR is specified and only a portion of the issuer's name is used as the filter, SDNFILTR must not be specified. If both IDNFILTR and SDNFILTR are specified, the IDNFILTR value does not need to begin with a valid prefix. This allows the use of certificates from a certificate authority that chooses to include non‑standard data in the issuer's distinguished name.

A maximum of 255 characters can be entered for IDNFILTR if the SDNSIZE(255) control option is specified. A maximum of 1024 characters can be entered for IDNFILTR if the SDNSIZE(1024) control option is specified. When a starting value is specified for a certificate contained in a data set, there cannot be more than 255 or 1024 characters, respectively, between the starting point and the end of the issuer's name in the certificate.
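The starting-point rule and the SDNSIZE limits described above, modelled in Python as an added example (this is not CA Top Secret code). The helper name `derive_idnfiltr` is hypothetical, and rejecting a fragment that occurs more than once is an assumption about what "precisely identify the starting point" requires.

```python
# Added illustration of the rule in the text; not the product's implementation.

SDNSIZE_VALUES = (255, 1024)  # the two SDNSIZE settings named on this page


def derive_idnfiltr(issuer_dn: str, start: str, sdnsize: int = 255) -> str:
    """Return the filter data implied by a starting point inside issuer_dn.

    Per the text, the filter is the issuer's distinguished name from the
    point of the match to the end of the name.
    """
    if sdnsize not in SDNSIZE_VALUES:
        raise ValueError(f"SDNSIZE must be one of {SDNSIZE_VALUES}")
    if not start:
        raise ValueError("starting point is empty")
    # Certificates only contain ASCII characters, so the filter should too.
    if not start.isascii():
        raise ValueError("starting point contains non-ASCII characters")
    # Case, blanks and punctuation must be maintained: compare exactly.
    first = issuer_dn.find(start)
    if first < 0:
        raise ValueError("starting point not found (check case and blanks)")
    # Assumption: a fragment found at two positions does not precisely
    # identify the starting point, so refuse it instead of guessing.
    if issuer_dn.find(start, first + 1) >= 0:
        raise ValueError("starting point is ambiguous; specify more of the name")
    filter_data = issuer_dn[first:]
    # No more than SDNSIZE characters from the starting point to the end.
    if len(filter_data) > sdnsize:
        raise ValueError(
            f"{len(filter_data)} characters from starting point to end of "
            f"name exceeds SDNSIZE({sdnsize})"
        )
    return filter_data


if __name__ == "__main__":
    # Issuer name taken from the example on this page.
    issuer = "OU=Class 1 Cerificate.O=BobsCertAuth,Inc.L=internet.C=US"
    print(derive_idnfiltr(issuer, "O=BobsCertAuth"))
    # 'Cer' appears in both the OU and the O component, so it is rejected.
    try:
        derive_idnfiltr(issuer, "Cer")
    except ValueError as err:
        print("rejected:", err)
```

Running the check against the issuer name before issuing the TSS command shows exactly which certificates the short form will cover, since everything from the starting point onward becomes part of the match.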

This keyword has the following format:

The IDNFILTR value must be enclosed in quotes.

TSS ADDTO(acid) CERTMAP(recid)
                IDNFILTR('issuerdistnamefilter')

'issuerdistnamefilter'

Specifies the significant portion of the issuer's distinguished name used as a filter. The value specified for IDNFILTR must begin with a prefix found in the following list, followed by an equal sign (X'7E'). Each component should be separated by a period (X'4B'). The case, blanks, and punctuation displayed when the digital certificate information is listed must be maintained in the IDNFILTR. Since digital certificates only contain characters available in the ASCII character set, the same characters should be used for the IDNFILTR value. Valid prefixes are:

This keyword is used with:

Example: IDNFILTR keyword

In this example, users who enter the system with a certificate whose subject's distinguished name starts with 'OU=NJ.OU=Sales.O=ABC Co' are assigned ACID NJDEPT1 if the certificate was issued by the VeriSign certificate authority.

TSS ADDTO(NJDEPT1) CERTMAP(NJMAP1)
                   IDNFILTR('OU=VeriSIgn Class 1 Individual subscriber.
                             O=Verisign,Inc.
                             L=Internet')
                   SDNFILTR('OU=NJ.OU=Sales.O=ABC Co')