Certificate filter policy associations


This information explains how to establish a mapping relationship for a set of user identities (in the form of digital certificates) in a single X.509 registry.

A certificate filter policy association is one type of policy association that you can use to create many-to-one mappings between user identities. You can use a certificate filter policy association to map a source set of certificates to a single target user identity in a specified target user registry. In a certificate filter policy association, you specify a set of certificates in a single X.509 registry as the source of the policy association. These certificates are mapped to a single target registry and target user that you specify. Unlike a default registry policy association in which all users in a single registry are the source of the policy association, the scope of a certificate filter policy association is more flexible. You can specify a subset of certificates in the registry as the source. The certificate filter that you specify for the policy association is what determines its scope.

When you want to map all the certificates in an X.509 user registry to a single target user identity, create and use a default registry policy association.

To use certificate filter policy associations, enable mapping lookups using policy associations for the domain. You must also enable mapping lookups for the source registry and enable mapping lookups and the use of policy associations for the target user registry of the policy association. When you configure this enablement, the user registries in the policy association can participate in mapping lookup operations.

When a digital certificate is the source user identity in an Enterprise Identity Mapping (EIM) mapping lookup operation (after the requesting application uses the eimFormatUserIdentity() EIM API to format the user identity name), EIM first checks whether there is an identifier association between an EIM identifier and the specified user identity. If none exists, EIM then compares the DN information in the certificate against the DN or partial DN information specified in the filter for the policy association. If the DN information in the certificate satisfies the criteria of the filter, EIM returns the target user identity that the policy association specifies. The result is that certificates in the source X.509 registry that satisfy the certificate filter criteria are mapped to the single target user identity specified by the certificate filter policy association.

For example, you create a certificate filter policy association that has a source registry of certificates.x509. This registry contains the certificates for all company employees, including those that all managers in the human resources department use to access certain private internal Web pages and other resources that they access through a System i™ model. For this policy association, you also specify a target user identity of hr_managers in target registry system_abc, which is a specific user profile in an i5/OS® user registry. To ensure that only the certificates that belong to the human resources managers are covered by this policy association, you specify a certificate filter with a subject distinguished name (SDN) of ou=hrmgr,o=myco.com,c=us.

In this case, you have not created any identifier associations or other certificate filter policy associations that apply to any of the user identities in the source registry. Therefore, when system_abc is specified as the target registry and certificates.x509 is specified as the source registry in lookup operations, the certificate filter policy association ensures that the target user identity of hr_managers is returned for all certificates in the certificates.x509 registry that match the specified certificate filter and that do not have any specific identifier associations defined for them.
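The lookup order and the hr_managers example above, modelled as an added example that is not part of the IBM documentation or of EIM itself: specific identifier associations are consulted first, then certificate filter policy associations whose SDN filter matches the certificate. The suffix-style partial-DN matching, the sample identities and the keying of the formatted certificate identity by its subject DN are assumptions of this model.

```python
from dataclasses import dataclass


def parse_dn(dn):
    """Split 'cn=Jane Doe,ou=hrmgr,o=myco.com,c=us' into normalised (attr, value) RDNs.
    Simplification: a plain split, so escaped commas inside values are not handled."""
    return [(a.strip().lower(), v.strip().lower())
            for a, _, v in (p.partition("=") for p in dn.split(","))]


def dn_matches_filter(subject_dn, filter_dn):
    """Assumption: a partial-DN filter matches when it equals the trailing RDNs of the
    certificate's subject DN, so ou=hrmgr,o=myco.com,c=us covers every cn= under it."""
    subject, flt = parse_dn(subject_dn), parse_dn(filter_dn)
    return 0 < len(flt) <= len(subject) and subject[-len(flt):] == flt


@dataclass(frozen=True)
class CertFilterPolicy:
    source_registry: str
    subject_filter: str   # SDN filter such as "ou=hrmgr,o=myco.com,c=us"
    target_registry: str
    target_user: str


# Constructed sample data following the page's example (hypothetical identities).
POLICIES = [
    CertFilterPolicy("certificates.x509", "ou=hrmgr,o=myco.com,c=us", "system_abc", "hr_managers"),
]

# Identifier associations: (source registry, formatted certificate identity) -> {target registry: user}.
IDENTIFIER_ASSOCIATIONS = {
    ("certificates.x509", "cn=Pat Lee,ou=hrmgr,o=myco.com,c=us"): {"system_abc": "patlee"},
}


def lookup(subject_dn, source_registry, target_registry,
           assocs=IDENTIFIER_ASSOCIATIONS, policies=POLICIES):
    """Return the target user identity, or None when nothing maps the certificate.
    Order follows the text: a specific identifier association wins over any policy."""
    specific = assocs.get((source_registry, subject_dn), {})
    if target_registry in specific:
        return specific[target_registry]
    for p in policies:
        if (p.source_registry == source_registry and p.target_registry == target_registry
                and dn_matches_filter(subject_dn, p.subject_filter)):
            return p.target_user
    return None  # unmapped: the application must not fall back to a default user
```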

You specify the following information to define a certificate filter policy association:

Because you can use certificate filter policy associations and other associations in a variety of overlapping ways, you should have a thorough understanding of both EIM mapping policy support and how lookup operations work before you create and use certificate filter policy associations.

You might want to create a certificate filter policy association with a target user identity that exists within a group registry definition. Users in the source registry that meet the criteria specified by the certificate filter are the source of the policy association and are mapped to a target user identity in a target group registry definition. The user identity that you define in the certificate filter policy association exists within the members of the group registry definition.

For example, John Day uses the same i5/OS user profile, John_Day, on five different systems: System B, System C, System D, System E, and System F. To reduce the amount of work that he must perform to configure EIM mapping, the EIM administrator creates a group registry definition. Members of the group registry definition include the registry definition names of System_B, System_C, System_D, System_E, and System_F. Grouping members together enables the administrator to create a single target association to the group registry definition and user identity, rather than multiple associations to the individual registry definitions.

The EIM administrator creates a certificate filter policy association where he defines a subset of certificates within a single X.509 registry as the source of the policy association. He specifies a target user identity of John_Day in target registry Group_1. In this case, no other specific identifier associations or other certificate filter policy associations apply. Therefore, when Group_1 is specified as the target registry in lookup operations, all certificates in the source X.509 registry that match the certificate filter criteria are mapped to the specified target user identity.
