
List:       racf-l
Subject:    Re: Mapping certificates and criteria
From:       Walt Farrell <walt.farrell () GMAIL ! COM>
Date:       2013-11-29 18:22:40
Message-ID: 5298DB70.3020204 () gmail ! com

On 11/29/2013 8:58 AM, Pople, Dave (GE Capital, consultant) wrote:
> Walt Farrell wrote:
> <<
> Use of the APPL in mapping was intended, as I recall, to allow one user to get
> different identities when connecting to different applications. But in your case I
> think you really do have different users, some for test and others for prod, and so
> the mapping should be based on what user presented the certificate (i.e., the CN)
> and not based on the application he presented it to.
> >>
>
> Yes - this is the problem. The RACDCERT MAP MULTIID command does not provide a way
> to add other CRITERIA parameters than APPLID & SYSID - both of which are dependent
> on the address space that is validating the certificate. I want to be able to pass
> criteria based on the certificate itself.

I may be totally misunderstanding your issue, but what I'm saying is
that your test environment needs a separate set of certificates from
your prod environment. You can distinguish them by some part of the
subject's DN, for example.

In simple terms, it sounds like you have one certificate that you're
using for both environments, and mapping it to a test ID when it's
presented to a test region, or to a prod ID when presented to a prod
region. Instead you should have two certificates. One that the test
programs (servers?) will present to the test regions and that maps only
to a test ID. And you would have one that prod programs (servers?) will
present to the prod region and that maps to a prod ID.

If a test program/server presents its certificate to a prod CICS region,
it will still map to a test ID, and will fail the APPL check that occurs
during the signon to the CICS region, because the test user won't have
access to that APPL resource. Similarly a prod certificate presented to
a test CICS region would fail the APPL check because the prod user ID
would not have access to the test region.

If that doesn't seem feasible then perhaps you could explain your
certificate setup and usage in more detail.

--
Walt

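The setup Walt describes, written out as an added example that is not part of the original post and not taken from IBM's documentation: two RACF certificate name filters that map on the subject DN rather than on APPLID/SYSID criteria, plus an APPL profile that only the prod ID can read, so a test certificate presented to the prod region maps to the test ID and then fails the APPL check at CICS signon. The user IDs (TESTSRV, PRODSRV), the DN components (OU=Test, OU=Prod, O=Example Corp, C=US) and the prod region APPLID (CICSPROD) are assumed names; comments use CLIST syntax.

```tso
/* Assumed names: TESTSRV and PRODSRV are the RACF user IDs that test and */
/* prod programs run under; CICSPROD is the APPLID of the prod CICS region. */
/* Name filtering needs the DIGTNMAP class active and RACLISTed (done once): */
/*   SETROPTS CLASSACT(DIGTNMAP) RACLIST(DIGTNMAP)                           */

/* Test certificates carry OU=Test in the subject DN and map only to TESTSRV.   */
/* A RACF filter lists DN components most-specific first, separated by periods, */
/* and matches any certificate whose subject DN ends with those components.     */
RACDCERT ID(TESTSRV) MAP SDNFILTER('OU=Test.O=Example Corp.C=US') +
   WITHLABEL('Test server filter') TRUST

/* Prod certificates carry OU=Prod and map only to PRODSRV. */
RACDCERT ID(PRODSRV) MAP SDNFILTER('OU=Prod.O=Example Corp.C=US') +
   WITHLABEL('Prod server filter') TRUST

/* Filters are cached in the DIGTNMAP class; refresh so the new ones take effect. */
SETROPTS RACLIST(DIGTNMAP) REFRESH

/* The APPL check at CICS signon: only PRODSRV may sign on to the prod region, */
/* so a test certificate (which always maps to TESTSRV) presented there fails.  */
RDEFINE APPL CICSPROD UACC(NONE)
PERMIT CICSPROD CLASS(APPL) ID(PRODSRV) ACCESS(READ)
/* Refresh only if your installation has the APPL class RACLISTed. */
SETROPTS RACLIST(APPL) REFRESH

/* Verify which filters exist and which user ID each one maps to. */
RACDCERT ID(TESTSRV) LISTMAP
RACDCERT ID(PRODSRV) LISTMAP
```

The filters only bind the subject DN to a user ID; they do not by themselves decide who may get a certificate with OU=Test or OU=Prod in it. That decision sits with the issuing CA, whose certificate must be connected as a trusted CERTAUTH certificate in RACF for the mapping to be honoured, so the separation between the environments is only as strong as the CA's issuance policy for those OU values.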
