Use the ADD, REMOVE, REPLACE, and LIST commands to manage certificate name filters. The ACID specified on the command identifies the user to be assigned if the filter is matched. The MULTIID ACID indicates that additional criteria select the ACID.
To add a name filter, enter the command:
TSS ADD(userid) CERTMAP(recid)
SDNFILTR(subject‑dist‑name‑filter)
IDNFILTR(issuer‑dist‑name‑filter)
CRITERIA(criteria‑name‑template)
LABLCMAP(32 byte label)
DCDSN(data set name)
PKCSPASS('PKCSPASS PASSWORD')
TRUST|NOTRUST
recid
Specifies a unique record identifier.
SDNFILTR
Specifies the significant portion of the subject's distinguished name that is to be used as a filter when associating an ACID with a certificate. The value specified for SDNFILTR must begin with a prefix found in the following list, followed by an equal sign (X'7E'). Each component should be separated by a period (X'4B'). The case, blanks, and punctuation displayed when the digital certificate information is listed must be maintained in the SDNFILTR. Since digital certificates only contain characters available in the ASCII character set, the same characters should be used for the SDNFILTR value.
For example: SDNFILTR('OU=BobsAcc')
Valid prefixes for SDNFILTR and IDNFILTR are:
IDNFILTR
Specifies the significant portion of the issuer's distinguished name that is to be used as a filter when associating an ACID with a certificate. The value specified for IDNFILTR should begin with a prefix found in the list above and must be followed by an equal sign (X'7E'). Each component should be separated by a period (X'4B'). The case, blanks, and punctuation displayed when the digital certificate information is listed must be maintained in the IDNFILTR. Since digital certificates only contain characters available in the ASCII character set, the same characters should be used for the IDNFILTR value.
For example: IDNFILTR('OU=Class 1 Certificate.O=BobsCertAuth')
CRITERIA
Is specified with the MULTIID ACID to identify variable data in addition to SDNFILTR and IDNFILTR. Criteria defined by CA Top Secret are CNFAPP and SYSID. Users can also define their own variables.
LABLCMAP
Specifies the label to be associated with the certificate name filter. It can contain embedded blanks and mixed‑case characters, and is stripped of leading and trailing blanks. If a single quotation mark is intended to be part of the label name, you must use two single quotation marks together for each single quotation mark within the string, and the entire string must then be enclosed within single quotation marks.
Range: Up to 32 characters.
DCDSN
Specifies the name of a data set that contains a digital certificate. The SDNFILTR or IDNFILTR data must match a portion of the subject's or issuer's distinguished name extracted from the certificate. The distinguished name from the point of the match to the end of the name is used as the filter data.
PKCSPASS
The PKCS password is case sensitive and can contain blanks.
Range: Up to 255 characters.
Important! The password associated with a PKCS#12 certificate is not viewable. It is the CA Top Secret administrator's responsibility to keep track of the PKCS#12 password that is assigned to the digital certificate.
TRUST|NOTRUST
Indicates whether this mapping can be used to associate a userid with a certificate presented by a user accessing the system. If neither TRUST nor NOTRUST is specified, the default is NOTRUST.
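The following added example (not CA Top Secret code and not part of the original documentation) models two rules stated above: how DCDSN turns a partial SDNFILTR or IDNFILTR value into filter data, and how a LABLCMAP label is quoted. The function names and the sample distinguished name are constructed; plain case-sensitive substring matching and applying the 32-character limit before quotation marks are doubled are assumptions.

```python
# Constructed sample subject DN, written in the period-separated form
# used by the SDNFILTR/IDNFILTR examples on this page.
SAMPLE_SUBJECT_DN = "CN=Bob Smith.OU=BobsAcc.O=BobsCo.C=US"


def derive_filter(cert_dn: str, partial: str) -> str:
    """Model of the DCDSN rule: the partial filter must match a portion of
    the certificate's DN; the DN from the match point to the end of the
    name becomes the filter data."""
    if not partial.isascii():
        raise ValueError("filter must use ASCII characters only")
    prefix, sep, _ = partial.partition("=")
    if not prefix or not sep:
        raise ValueError("filter must begin with a prefix followed by '='")
    # Case, blanks and punctuation must be maintained, so the comparison
    # is exact (assumption: a plain substring search).
    pos = cert_dn.find(partial)
    if pos < 0:
        raise LookupError("filter does not match any portion of the DN")
    return cert_dn[pos:]


def quote_label(label: str) -> str:
    """Quote a LABLCMAP label: strip leading and trailing blanks, enforce
    the 32-character range, double each embedded single quotation mark,
    and enclose the result in single quotation marks."""
    stripped = label.strip(" ")
    if not stripped:
        raise ValueError("label is empty after stripping blanks")
    # Assumption: the limit applies to the label before marks are doubled.
    if len(stripped) > 32:
        raise ValueError("label exceeds 32 characters")
    return "'" + stripped.replace("'", "''") + "'"


if __name__ == "__main__":
    print(derive_filter(SAMPLE_SUBJECT_DN, "OU=BobsAcc"))
    print(quote_label("  Bob's Filter "))
    try:
        # Wrong case: the filter would never match this certificate.
        derive_filter(SAMPLE_SUBJECT_DN, "ou=bobsacc")
    except LookupError as err:
        print("rejected:", err)
```

Running a check like this before issuing TSS ADD catches filters that differ from the certificate only in case or spacing, which would otherwise be stored but never match.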
Copyright © 2014 CA Technologies. All rights reserved.