Creating a certificate filter policy association
To create a certificate filter policy association, you must be connected to the Enterprise Identity Mapping (EIM) domain in which you want to work and have EIM access control as either a Registry administrator or EIM administrator.
A policy association describes a relationship between a source set of multiple user identities and a single target user identity in a specified target user registry. Policy associations use EIM mapping policy support to create many-to-one mappings between user identities without involving an EIM identifier.
Because you can use policy associations in a variety of overlapping ways, have a thorough understanding of EIM mapping policy support before you create and use policy associations. Also, to prevent potential problems with associations and how they map identities, develop an overall identity mapping plan for your enterprise before you begin defining associations.
In a certificate filter policy association, you specify a set of certificates in a single X.509 registry as the source of the policy association. These certificates are mapped to a single target registry and target user that you specify. Unlike a default registry policy association in which all users in a single registry are the source of the policy association, the scope of a certificate filter policy association is more flexible. You can specify a subset of certificates in the registry as the source. The certificate filter that you specify for the policy association determines its scope.
Create and use a default registry policy association when you want to map all certificates in an X.509 user registry to a single target user identity.
The certificate filter controls how a certificate filter policy association maps one source set of user identities, in this case digital certificates, to a specific target user identity. Therefore, the certificate filter that you want to use must exist before you can create a certificate filter policy association.
Before you can create a certificate filter policy association, first create a certificate filter to use as the basis of the policy association.
To create a certificate filter policy association, complete these steps:
- Expand Network > Enterprise Identity Mapping > Domain Management.
- Right-click the EIM domain in which you want to work and select Mapping Policy...
  - If the EIM domain you want to work with is not listed under Domain Management, see Adding an EIM domain to the Domain Management folder.
  - If you are not currently connected to the EIM domain in which you want to work, see Connect to the EIM domain controller.
- Select Enable mapping lookups using policy associations for domain on the General page.
- Select the Certificate Filter page and click Add... to display the Add Certificate Filter Policy Association dialog.
  - Click Help, if necessary, for more details about how to complete this and subsequent dialogs.
- Specify the following required information to define the policy association:
  - Enter the registry definition name of an X.509 user registry to use as the Source X.509 Registry for the policy association. Or, click Browse... to select one from a list of registry definitions for the domain.
  - Click Select to display the Select Certificate Filter dialog and select an existing certificate filter to use as the basis for the new certificate filter policy association.
    You must use an existing certificate filter. If the certificate filter that you want to use is not listed, click Add... to create a new certificate filter.
  - Specify the registry definition name of the Target registry or click Browse... to select one from a list of existing registry definitions for the domain.
  - Specify the name of the Target user to which to map all certificates in the Source X.509 Registry that match the certificate filter. Or, click Browse... to select one from a list of users known to the domain.
- Optional. Click Advanced... to display the Add Association - Advanced dialog. Specify Lookup information for target user identity and click OK to return to the Add Certificate Filter Policy Association dialog.
  If two or more policy associations with the same source X.509 registry and the same certificate filter criteria refer to the same target registry, you must define unique lookup information for the target user identities in each of these policy associations. By defining lookup information for each target user identity in this situation, you ensure that mapping lookup operations can distinguish between them. Otherwise, mapping lookup operations may return multiple target user identities. As a result of these ambiguous results, applications that rely on EIM may not be able to determine the exact target identity to use.
- Click OK to create the certificate filter policy association and return to the Certificate Filter page. The new policy association displays in the list.
- Verify that the new policy association is enabled for the target registry.
- Click OK to save your changes and exit the Mapping Policy dialog.
Verify that mapping policy support and the use of policy associations for the target user registry are properly enabled. If they are not enabled, the policy association cannot take effect.
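The lookup-information rule from the optional Advanced... step can be checked across a whole identity mapping plan before the associations are defined. The following Python sketch is an added example, not IBM code and not the EIM API; the record fields and the sample registry, filter and user names are constructed for illustration, and equal `certificate_filter` strings are assumed to stand for the same certificate filter criteria.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FilterPolicyAssociation:
    """One planned certificate filter policy association (hypothetical record)."""
    source_registry: str      # Source X.509 Registry definition name
    certificate_filter: str   # existing certificate filter used as the basis
    target_registry: str      # Target registry definition name
    target_user: str          # Target user the matching certificates map to
    lookup_info: Optional[str] = None  # value from the Advanced dialog, if any


def find_ambiguous(associations):
    """Return groups whose mapping lookups could yield several target users.

    A group is every association sharing source registry, certificate filter
    and target registry. With two or more members, each member needs its own
    unique lookup information; missing or reused values are reported.
    """
    groups = defaultdict(list)
    for a in associations:
        key = (a.source_registry, a.certificate_filter, a.target_registry)
        groups[key].append(a)

    findings = {}
    for key, members in groups.items():
        if len(members) < 2:
            continue  # a single association cannot be ambiguous
        by_info = defaultdict(list)
        for a in members:
            by_info[a.lookup_info].append(a.target_user)
        clashes = {info: users for info, users in by_info.items()
                   if info is None or len(users) > 1}
        if clashes:
            findings[key] = clashes
    return findings


# Constructed sample plan: the Engineering pair lacks lookup information.
SAMPLE = [
    FilterPolicyAssociation("CORP_X509", "EngineeringFilter", "SYSTEM_A", "ENGUSER"),
    FilterPolicyAssociation("CORP_X509", "EngineeringFilter", "SYSTEM_A", "ENGADMIN"),
    FilterPolicyAssociation("CORP_X509", "FinanceFilter", "SYSTEM_A", "FINUSER", "batch"),
    FilterPolicyAssociation("CORP_X509", "FinanceFilter", "SYSTEM_A", "FINAUDIT", "interactive"),
    FilterPolicyAssociation("CORP_X509", "EngineeringFilter", "SYSTEM_B", "ENGUSER"),
]

if __name__ == "__main__":
    for key, clashes in find_ambiguous(SAMPLE).items():
        print("ambiguous:", key, clashes)
```

Each reported group is one where a mapping lookup may return more than one target user identity until unique lookup information is defined for every association in it.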
- Creating a certificate filter
A certificate filter defines a set of similar distinguished name certificate attributes for a group of user certificates in an X.509 source user registry. You can use the certificate filter as the basis of a certificate filter policy association.