Certificate filters
This information explains how to create a certificate filter policy association that maps any certificates with defined attributes in the X.509 user registry to a specific target user identity.
A certificate filter defines a set of similar distinguished name certificate attributes for a group of user certificates in an X.509 source user registry. You can use the certificate filter as the basis of a certificate filter policy association. The certificate filter in a policy association determines which certificates in the specified source X.509 registry to map to the specified target user. Those certificates that have Subject DN and Issuer DN information that satisfy the criteria of the filter are mapped to the specified target user during Enterprise Identity Mapping (EIM) mapping lookup operations.
For example, you create a certificate filter with a subject distinguished name (SDN) of o=ibm,c=us. All certificates with these DNs as part of their SDN information meet the criteria of the filter, such as a certificate with an SDN of cn=JohnDay,ou=LegalDept,o=ibm,c=us. If there is more than one certificate filter for which the certificate meets the criteria, the more specific certificate filter value that the certificate matches most closely takes precedence. For example, you have a certificate filter with an SDN of o=ibm,c=us and another certificate filter with an SDN of ou=LegalDept,o=ibm,c=us. If you have a certificate in the source X.509 registry with an SDN of cn=JohnDay,ou=LegalDept,o=ibm,c=us, then the second, more specific certificate filter is used. If you have a certificate in the source X.509 registry with an SDN of cn=SharonJones,o=ibm,c=us, then the less specific certificate filter is used, because that is the filter whose criteria the certificate matches most closely.
You can specify one or both of the following to define a certificate filter:
- Subject distinguished name (SDN). The full or partial DN that you specify for the filter must correspond to the subject DN portion of the digital certificate, which designates the owner of the certificate. You can provide the full subject DN string, or you can provide one or more partial DNs that might comprise the complete SDN.
- Issuer distinguished name (IDN). The full or partial DN that you specify for the filter must correspond to the issuer DN portion of the digital certificate, which designates the Certificate Authority that issued the certificate. You can provide the full issuer DN string, or you can provide one or more partial DNs that might comprise the complete IDN.
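The precedence rule above, as an added example that is not the page's own code or the EIM API: a small lookup that picks the most specific filter a certificate satisfies on its SDN and IDN. It assumes a partial DN matches when its RDNs form the trailing (least specific) part of the certificate DN, and it deliberately uses a simplified DN parser with no escaped commas or multi-valued RDNs; the filter names and target users are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

def parse_dn(dn: str) -> List[str]:
    """Split a DN string into normalized RDNs, most specific first.
    Simplification (assumption): no escaped commas, no multi-valued RDNs."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def dn_matches(filter_dn: Optional[str], cert_dn: str) -> Optional[int]:
    """Return the number of filter RDNs matched by the certificate DN, or
    None if the filter does not match. An unset filter component matches
    any DN with specificity 0. Assumption: a partial DN matches when its
    RDNs are the trailing part of the certificate's DN (o=ibm,c=us matches
    cn=JohnDay,ou=LegalDept,o=ibm,c=us)."""
    if filter_dn is None:
        return 0
    want, have = parse_dn(filter_dn), parse_dn(cert_dn)
    if len(want) > len(have) or have[len(have) - len(want):] != want:
        return None
    return len(want)

@dataclass(frozen=True)
class CertificateFilter:
    target_user: str
    sdn: Optional[str] = None   # subject DN, full or partial
    idn: Optional[str] = None   # issuer DN, full or partial

def lookup_target_user(filters, subject_dn: str, issuer_dn: str) -> Optional[str]:
    """Return the target user of the most specific matching filter, where
    specificity is the total number of SDN and IDN RDNs the filter pins down.
    Returns None when no filter matches. Filters with neither SDN nor IDN are
    ignored, since a filter must define at least one of them."""
    best_user, best_score = None, -1
    for f in filters:
        if f.sdn is None and f.idn is None:
            continue
        s_hits = dn_matches(f.sdn, subject_dn)
        i_hits = dn_matches(f.idn, issuer_dn)
        if s_hits is None or i_hits is None:
            continue   # certificate fails this filter's SDN or IDN criteria
        if s_hits + i_hits > best_score:
            best_user, best_score = f.target_user, s_hits + i_hits
    return best_user

# Constructed filters mirroring the two SDN filters described on this page.
FILTERS = [
    CertificateFilter("ibm_general", sdn="o=ibm,c=us"),
    CertificateFilter("legal_dept", sdn="ou=LegalDept,o=ibm,c=us"),
]
```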
There are several methods that you can use to create a certificate filter, including the use of the Format EIM Policy Filter (eimFormatPolicyFilter) API to generate certificate filters by using a certificate as a template to create the necessary DNs in the correct order and format for the SDN and IDN.