Valid on z/OS.
Use the CERTMAP keyword to associate a certificate name filter with an ACID and define the filter. The TSS ADDTO CERTMAP command identifies the ACID assigned to a user if a user's digital certificate matches the subject's distinguished name filter and/or the issuer's distinguished name filter specified in the command.
When the MULTIID special ACID is used with the CRITERIA keyword, additional criteria select the ACID. The additional criteria are defined using the TSS ADDTO CRITMAP command.
CERTMAP specifies a unique eight‑byte record identifier. When a certificate name filter is defined, the filter map information is stored in a CERTMAP record in the SDT on the security file.
This keyword has the following format:
TSS ADDTO(acid) CERTMAP(recid)
SDNFILTR('subject‑dist‑name‑filter')
IDNFILTR('issuer‑dist‑name‑filter')
[LABLCMAP('32‑byte label')]
[DCDSN(data set name)]
[TRUST|NOTRUST]
When criteria in addition to the distinguished name are used to assign an ACID to a user, this keyword has the following format:
TSS ADDTO(MULTIID) CERTMAP(recid)
SDNFILTR('subject‑dist‑name‑filter')
IDNFILTR('issuer‑dist‑name‑filter')
CRITERIA(criteria‑name‑template)
[LABLCMAP('32‑byte label')]
[DCDSN(data set name)]
[TRUST|NOTRUST]
IDNFILTR specifies the significant portion of the issuer's distinguished name. When IDNFILTR is specified with DCDSN, the filter must correspond to a starting point within the issuer's distinguished name found in the certificate contained in the data set; the distinguished name from the point of the match to the end of the name is used as the filter data. If DCDSN is not specified, the significant portion of the issuer's distinguished name must be typed out in full as the filter value. The value must be enclosed in single quotes.
IDNFILTR is optional if SDNFILTR is specified. If IDNFILTR is not specified, only the subject's name is used as the filter. If IDNFILTR is specified and only a portion of the issuer's name is used as the filter, SDNFILTR must not be specified. If both IDNFILTR and SDNFILTR are specified, the IDNFILTR value does not need to begin with a valid prefix. This allows the use of certificates from a certificate authority that chooses to include non‑standard data in the issuer's distinguished name.
A maximum of 1024 characters can be entered for IDNFILTR. When a starting value is specified for a certificate contained in a data set, there cannot be more than 1024 characters between the starting point and the end of the issuer's name in the certificate.
SDNFILTR specifies the significant portion of the subject's distinguished name. When SDNFILTR is specified with DCDSN, the filter must correspond to a starting point within the subject's distinguished name found in the certificate contained in the data set; the distinguished name from the point of the match to the end of the name is used as the filter data. If DCDSN is not specified, the significant portion of the subject's distinguished name must be typed out in full as the filter value. The value must be enclosed in single quotes.
SDNFILTR is optional if IDNFILTR is specified. If SDNFILTR is not specified, only the issuer's name is used as filter. SDNFILTR must not be specified with IDNFILTR unless the value of IDNFILTR will result in the entire issuer's name being used in the filter. The subject's name can be partial but cannot be used in a filter that contains only a partial issuer's name.
A maximum of 1024 characters can be entered for SDNFILTR. When a starting value is specified for a certificate contained in a data set, there cannot be more than 1024 characters between the starting point and the end of the subject's name in the certificate.
DCDSN specifies the MVS data set containing the digital certificate. The data set must be cataloged and defined as physical sequential (DSORG=PS) with variable blocked records (RECFM=VB). The data set name is entered as a fully qualified name of up to 44 characters, without enclosing quotes.
The certificate contained in the data set must be BER-encoded, PKCS-7 BER-encoded, or Privacy Enhanced Mail (PEM)-encoded. PEM certificates must be transported to MVS as TEXT; the other formats must be transported as BINARY. The length of the serial number and certificate authority distinguished name must be less than 246.
This is a sample DCDSN command:
TSS ADD(USER01) DIGICERT(DIGI0001)
DCDSN(USER01.CERTIF.001)
CRITERIA indicates that criteria in addition to the distinguished name are used to assign an ACID to a user. CRITERIA is used only with the MULTIID ACID; if the ACID is not MULTIID, any CRITERIA value is ignored.
LABLCMAP (optional) assigns a label of up to 32 bytes to the filter. If it is not included in the command, the record identifier entered for CERTMAP is automatically used as the label.
TRUST|NOTRUST controls whether the filter is honored. A filter can be used to associate an ACID with a certificate only when TRUST is specified.
Default: NOTRUST
This keyword is used with:
In this example, users who enter the system with a certificate whose subject's distinguished name ends with 'OU=NJ.OU=Sales.O=ABC Co' are assigned the accessor ID NJDEPT1 if the certificate was issued by the VeriSign certificate authority named in IDNFILTR. Because this filter also specifies SDNFILTR, its IDNFILTR must be the issuer's complete distinguished name.
If the subject matches but the certificate was issued by another certificate authority, only the subject-only filter matches and the user is assigned NJDFLT.
TSS ADDTO(NJDEPT1) CERTMAP(NJMAP1)
LABLCMAP('NJ Dept 1 Map')
TRUST
IDNFILTR('OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet')
SDNFILTR('OU=NJ.OU=Sales.O=ABC Co')
TSS ADDTO(NJDFLT) CERTMAP(NJDFLT)
LABLCMAP('NJ Dept 1 User')
TRUST
SDNFILTR('OU=NJ.OU=Sales.O=ABC Co')
In this example, users who enter the system with a certificate whose subject's distinguished name ends with 'OU=Dept3.OU=NY.OU=Sales.O=ABC Co' are assigned to NYDEPT3:
TSS ADDTO(NYDEPT3) CERTMAP(NJMAP3)
LABLCMAP('NY Dept 3 Map')
TRUST
SDNFILTR('OU=Dept3.OU=NY.OU=Sales.O=ABC Co')
In this example, the application ID is used as a criterion in addition to the distinguished name to determine which ACID to assign. Users in NY sales department Dept2 who handle corporate accounts and access the system through application BUSINESS are assigned accessor ID NYDEPT2B. Users who handle retail accounts and access the system through application RETAIL are assigned NYDEPT2R.
The special ACID name MULTIID, together with the CRITERIA parameter, tells CA Top Secret that if the subject and/or issuer name information matches, the CRITMAP records are searched for a match on application name before an ACID is assigned to the user.
TSS ADDTO(MULTIID) CERTMAP(NYMAP2)
LABLCMAP('NY Dept 2 Map')
TRUST
SDNFILTR('OU=Dept2.OU=NY.OU=Sales.O=ABC Co')
CRITERIA(CNFAPP=&CNFAPP)
TSS ADDTO(NYDEPT2B) CRITMAP(NYCRIT2B)
CNFAPP(BUSINESS)
TSS ADDTO(NYDEPT2R) CRITMAP(NYCRIT2R)
CNFAPP(RETAIL)
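The filter rules above and the three examples, run as code. This is an added model written for this page, not CA Top Secret code: it implements the behaviour the keyword descriptions state (a filter is the trailing portion of a distinguished name, a DCDSN starting point is extended to the end of the name in the certificate, a partial issuer filter cannot be combined with SDNFILTR, only TRUST records map, and a MULTIID record defers to CRITMAP records). The tie-break between several matching CERTMAP records (the most specific filter wins) and the CNFAPP-only CRITMAP lookup are assumptions of the model; the record and ACID names are the ones used in the examples above, and the certificate names fed to it are constructed.

```python
"""Model of CA Top Secret CERTMAP (certificate name filter) resolution.
Added example, not CA Top Secret code; tie-breaking between matching
records and the CNFAPP-only CRITMAP lookup are assumptions of the model."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MULTIID = "MULTIID"

def split_dn(dn: str) -> List[str]:
    """'OU=a.OU=b.O=c' -> components. Only a '.' followed by 'type=' is a
    separator, so 'O=VeriSign, Inc.L=Internet' splits at 'Inc.L='."""
    return re.split(r"\.(?=[A-Za-z][A-Za-z0-9]*=)", dn)

def ncomp(filter_dn: Optional[str]) -> int:
    return len(split_dn(filter_dn)) if filter_dn else 0

def dn_from_start(dn: str, start: str) -> str:
    """DCDSN semantics: 'start' must occur within dn; the name from that
    point to its end becomes the filter data."""
    comps, want = split_dn(dn), split_dn(start)
    for i in range(len(comps) - len(want) + 1):
        if comps[i:i + len(want)] == want:
            return ".".join(comps[i:])
    raise ValueError(f"{start!r} is not a starting point within {dn!r}")

def matches(filter_dn: Optional[str], dn: str) -> bool:
    """A filter matches when it equals the trailing components of the name.
    Comparing whole components keeps 'OU=NJ' from matching 'OU=ABCNJ'."""
    if filter_dn is None:
        return True
    f, d = split_dn(filter_dn), split_dn(dn)
    return len(f) <= len(d) and d[len(d) - len(f):] == f

@dataclass
class CertMap:
    recid: str
    acid: str
    sdnfiltr: Optional[str]
    idnfiltr: Optional[str]
    criteria: Optional[str]
    trust: bool

def add_certmap(acid: str, recid: str, sdnfiltr: Optional[str] = None,
                idnfiltr: Optional[str] = None, criteria: Optional[str] = None,
                dcdsn_cert: Optional[Tuple[str, str]] = None,
                trust: bool = False) -> CertMap:
    """TSS ADDTO(acid) CERTMAP(recid) ... as a record. dcdsn_cert is the
    (subject, issuer) of the certificate in the DCDSN data set, if any.
    NOTRUST is the default, as on the page."""
    if sdnfiltr is None and idnfiltr is None:
        raise ValueError("SDNFILTR or IDNFILTR is required")
    partial_issuer = False
    if dcdsn_cert is not None:
        subject, issuer = dcdsn_cert
        if sdnfiltr is not None:
            sdnfiltr = dn_from_start(subject, sdnfiltr)
        if idnfiltr is not None:
            idnfiltr = dn_from_start(issuer, idnfiltr)
            partial_issuer = idnfiltr != issuer  # start was not the front
    if partial_issuer and sdnfiltr is not None:
        raise ValueError("SDNFILTR cannot be combined with a partial IDNFILTR")
    if len(sdnfiltr or "") > 1024 or len(idnfiltr or "") > 1024:
        raise ValueError("filter data exceeds 1024 characters")
    if acid != MULTIID:
        criteria = None  # CRITERIA is ignored unless the ACID is MULTIID
    return CertMap(recid, acid, sdnfiltr, idnfiltr, criteria, trust)

def is_valid_certmap(**kw) -> bool:
    """True if add_certmap accepts the keywords, False if it rejects them."""
    try:
        add_certmap(**kw)
        return True
    except ValueError:
        return False

def resolve_acid(certmaps: List[CertMap], critmaps: Dict[str, str],
                 subject: str, issuer: str, cnfapp: str = "") -> Optional[str]:
    """ACID for a certificate, or None. critmaps maps a resolved criteria
    string such as 'CNFAPP=BUSINESS' to the ACID of its CRITMAP record."""
    hits = [m for m in certmaps if m.trust
            and matches(m.sdnfiltr, subject) and matches(m.idnfiltr, issuer)]
    if not hits:
        return None
    # Assumption: an issuer+subject filter beats a subject-only one, then
    # the filter with more components wins.
    best = max(hits, key=lambda m: (m.idnfiltr is not None and m.sdnfiltr is not None,
                                    ncomp(m.sdnfiltr) + ncomp(m.idnfiltr)))
    if best.acid != MULTIID:
        return best.acid
    resolved = (best.criteria or "").replace("&CNFAPP", cnfapp)
    return critmaps.get(resolved)

# The page's examples as records (constructed here; names as on the page).
VERISIGN = "OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet"
PAGE_CERTMAPS = [
    add_certmap("NJDEPT1", "NJMAP1", trust=True, idnfiltr=VERISIGN,
                sdnfiltr="OU=NJ.OU=Sales.O=ABC Co"),
    add_certmap("NJDFLT", "NJDFLT", trust=True, sdnfiltr="OU=NJ.OU=Sales.O=ABC Co"),
    add_certmap("NYDEPT3", "NJMAP3", trust=True,
                sdnfiltr="OU=Dept3.OU=NY.OU=Sales.O=ABC Co"),
    add_certmap(MULTIID, "NYMAP2", trust=True, criteria="CNFAPP=&CNFAPP",
                sdnfiltr="OU=Dept2.OU=NY.OU=Sales.O=ABC Co"),
]
PAGE_CRITMAPS = {"CNFAPP=BUSINESS": "NYDEPT2B", "CNFAPP=RETAIL": "NYDEPT2R"}
```

Calling resolve_acid(PAGE_CERTMAPS, PAGE_CRITMAPS, subject, issuer, cnfapp) with a constructed subject such as 'CN=Jane Doe.OU=NJ.OU=Sales.O=ABC Co' returns NJDEPT1 for the VeriSign issuer and NJDFLT for any other issuer; a Dept2 subject returns NYDEPT2B or NYDEPT2R depending on cnfapp, and None when no CRITMAP record matches. add_certmap with a dcdsn_cert whose issuer starting point is not the front of the issuer's name raises ValueError if SDNFILTR is also given, which is the combination the IDNFILTR and SDNFILTR descriptions above forbid.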
Copyright © 2014 CA Technologies.
All rights reserved.