Perform the following steps to set up a CNF. Refer to the SecureWay(R) Security Server RACF(R) Security Administrator's Guide for more information about the commands you use to manipulate CNFs.
SETROPTS CLASSACT(DIGTNMAP) RACLIST(DIGTNMAP)
RACDCERT ID(USER1) MAP WITHLABEL('filter1') TRUST SDNFILTER('O=IBM.C=UK') IDNFILTER('O=ExampleCA.L=Internet')
where USER1 is the user ID to be used when:
SETROPTS RACLIST(DIGTNMAP) REFRESH
For example, consider the SDNFILTER 'O=IBM.C=UK'. A subject DN of 'CN=QM1.O=IBM.C=UK' matches that filter, but a subject DN of 'CN=QM1.O=IBM.L=Hursley.C=UK' does not match that filter.
Note that the least significant portion of some certificates can contain fields that do not match the DN filter. Consider excluding these certificates by specifying a DN pattern in the SSLPEER pattern on the DEFINE CHANNEL command.
You can define CNFs to ensure that the entity never sets the channel user ID to the default, which is the user ID under which the channel initiator is running. For each CA certificate in the key ring associated with the entity, define a CNF with an IDNFILTER that exactly matches the subject DN of that CA certificate. This ensures that all certificates that the entity might use match at least one of these CNFs. This is because all such certificates must either be connected to the key ring associated with the entity, or must be issued by a CA for which a certificate is connected to the key ring associated with the entity.
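The filter matching shown in the SDNFILTER example and the per-CA coverage check described in the last paragraph, as an added example (not IBM's code and not RACF's own matching logic). It assumes a filter matches the trailing components of a DN, which is consistent with the example above; the MQGUEST user ID, the 'ca-default' label, the OtherCA DN and the key ring contents are constructed.

```python
# Added illustration, not RACF's implementation.
# Assumption: a filter matches when its components equal the trailing
# (most significant) components of the DN, as in the page's example.

def split_dn(dn):
    """Split a RACF-style DN ('CN=QM1.O=IBM.C=UK') into components.
    Simplification: assumes no '.' inside attribute values."""
    return [part.strip() for part in dn.split(".") if part.strip()]


def filter_matches(dn_filter, dn):
    """True if the filter equals the trailing components of the DN."""
    f, d = split_dn(dn_filter), split_dn(dn)
    return 0 < len(f) <= len(d) and d[-len(f):] == f


def uncovered_cas(ca_subject_dns, cnfs):
    """Return CA subject DNs that have no catch-all CNF.

    A CNF counts as catch-all for a CA only if its IDNFILTER equals the
    CA's full subject DN and it has no SDNFILTER (assumption: a CNF that
    also restricts the subject covers only some of that CA's certificates).
    """
    missing = []
    for ca in ca_subject_dns:
        covered = any(
            c.get("sdnfilter") is None
            and split_dn(c.get("idnfilter") or "") == split_dn(ca)
            for c in cnfs
        )
        if not covered:
            missing.append(ca)
    return missing


# Constructed sample data. The first CNF is the one defined on this page.
CNFS = [
    {"user": "USER1", "label": "filter1",
     "sdnfilter": "O=IBM.C=UK", "idnfilter": "O=ExampleCA.L=Internet"},
    {"user": "MQGUEST", "label": "ca-default",  # hypothetical catch-all CNF
     "sdnfilter": None, "idnfilter": "CN=Root.O=OtherCA.C=US"},
]
KEYRING_CA_DNS = ["O=ExampleCA.L=Internet", "CN=Root.O=OtherCA.C=US"]

if __name__ == "__main__":
    for dn in ("CN=QM1.O=IBM.C=UK", "CN=QM1.O=IBM.L=Hursley.C=UK"):
        print(dn, "->", filter_matches("O=IBM.C=UK", dn))
    for ca in uncovered_cas(KEYRING_CA_DNS, CNFS):
        print("no catch-all CNF for CA:", ca)
```

With this sample data the ExampleCA entry is reported: filter1 alone maps only subjects under O=IBM.C=UK, so other certificates issued by that CA would match no CNF.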