Creating a certificate filter policy association

To create a certificate filter policy association, you must be connected to the Enterprise Identity Mapping (EIM) domain in which you want to work and you must have EIM access control as either a Registry administrator or EIM administrator.

A policy association describes a relationship between a source set of multiple user identities and a single target user identity in a specified target user registry. Policy associations use EIM mapping policy support to create many-to-one mappings between user identities without involving an EIM identifier.

Note: Because you can use policy associations in a variety of overlapping ways, you need to have a thorough understanding of EIM mapping policy support before you create and use policy associations. Also, to prevent potential problems with associations and how they map identities, you need to develop an overall identity mapping plan for your enterprise before you begin defining associations.
In a certificate filter policy association, you specify a set of certificates in a single X.509 registry as the source of the policy association. These certificates are mapped to a single target registry and target user that you specify. Unlike a default registry policy association in which all users in a single registry are the source of the policy association, the scope of a certificate filter policy association is more flexible. You can specify a subset of certificates in the registry as the source. The certificate filter that you specify for the policy association determines its scope.
Note: Create and use a default registry policy association when you want to map all certificates in an X.509 user registry to a single target user identity.

The certificate filter controls how a certificate filter policy association maps one source set of user identities, in this case digital certificates, to a specific target user identity. Therefore, the certificate filter that you want to use must exist before you can create a certificate filter policy association.

Before you can create a certificate filter policy association, you must first create a certificate filter to use as the basis of the policy association.

To create a certificate filter policy association, complete these steps:

  1. From IBM® Navigator for i, expand Security > All Tasks > Enterprise Identity Mapping.
  2. Click Domain Management.
  3. Right-click the EIM domain in which you want to work and select Mapping Policy.
  4. Select Enable mapping lookups using policy associations for domain on the General page.
  5. Select the Certificate Filter page and click Add to display the Add Certificate Filter Policy Association dialog.
  6. If necessary, click ? for help with details on how to complete this and subsequent dialogs.
  7. Specify the following required information to define the policy association:
    1. Enter the registry definition name of an X.509 user registry to use as the Source X.509 Registry for the policy association. Or, click Browse to select one from a list of registry definitions for the domain.
    2. Click Select to display the Select Certificate Filter dialog and select an existing certificate filter to use as the basis for the new certificate filter policy association.
      Note: You must use an existing certificate filter. If the certificate filter that you want to use is not listed, click Add to create a new certificate filter.
    3. Specify the registry definition name of the Target registry or click Browse to select one from a list of existing registry definitions for the domain.
    4. Specify the name of the Target user to which to map all certificates in the Source X.509 Registry that match the certificate filter. Or, click Browse to select one from a list of users known to the domain.
    5. Optional. Click Advanced to display the Add Association - Advanced dialog. Specify Lookup information for target user identity and click OK to return to the Add Certificate Filter Policy Association dialog.
      Note: If two or more policy associations with the same source X.509 registry and the same certificate filter criteria refer to the same target registry, you must define unique lookup information for the target user identities in each of these policy associations. By defining lookup information for each target user identity in this situation, you ensure that mapping lookup operations can distinguish between them. Otherwise, mapping lookup operations may return multiple target user identities. As a result of these ambiguous results, applications that rely on EIM may not be able to determine the exact target identity to use.
  8. Click OK to create the certificate filter policy association and return to the Certificate Filter page. The new policy association appears in the list.
  9. Verify that the new policy association is enabled for the target registry.
  10. Click OK to save your changes and exit the Mapping Policy dialog.
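The mapping behaviour that this procedure configures, and the ambiguity described in the Note under step 7, can be seen end to end in the following model. It is an added example, not IBM code and not the EIM API: it simplifies an EIM certificate filter to a subject-DN suffix and an issuer-DN suffix (an assumption about the filter model), and all registry names, user names, certificates and lookup information values are constructed. The lookup function returns every target user identity a mapping lookup would yield, and the audit function flags associations that share a source registry, filter and target registry without distinct lookup information, which is exactly the situation the Note warns about.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_dn(dn: str) -> Tuple[str, ...]:
    """Split an X.500 DN string into its RDN components.
    Simplified for the example: escaped commas inside values are not handled."""
    return tuple(part.strip() for part in dn.split(",") if part.strip())


def dn_has_suffix(dn: str, suffix: str) -> bool:
    """True when the least-significant RDNs of dn equal the RDNs of suffix.
    An empty suffix matches every DN."""
    if not suffix:
        return True
    d, s = parse_dn(dn), parse_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


@dataclass(frozen=True)
class Certificate:
    subject_dn: str
    issuer_dn: str


@dataclass(frozen=True)
class CertificateFilter:
    """Assumed filter model: a subject-DN suffix and an issuer-DN suffix."""
    subject_suffix: str = ""
    issuer_suffix: str = ""

    def matches(self, cert: Certificate) -> bool:
        return (dn_has_suffix(cert.subject_dn, self.subject_suffix)
                and dn_has_suffix(cert.issuer_dn, self.issuer_suffix))


@dataclass(frozen=True)
class CertFilterPolicyAssociation:
    source_registry: str
    cert_filter: CertificateFilter
    target_registry: str
    target_user: str
    lookup_info: Optional[str] = None  # the optional "Lookup information" from step 7e


def mapping_lookup(associations, source_registry: str, cert: Certificate,
                   target_registry: str, lookup_info: Optional[str] = None) -> List[str]:
    """Target user identities that a mapping lookup would return.
    Modeled assumption: when the lookup supplies lookup information, only
    associations carrying that same value match; when it supplies none, all match."""
    results = []
    for a in associations:
        if a.source_registry != source_registry or a.target_registry != target_registry:
            continue
        if not a.cert_filter.matches(cert):
            continue
        if lookup_info is not None and a.lookup_info != lookup_info:
            continue
        results.append(a.target_user)
    return results


def find_ambiguous(associations) -> List[List[CertFilterPolicyAssociation]]:
    """Groups of associations with the same source registry, filter and target
    registry whose lookup information is missing or not unique. Each such group
    can make a lookup return more than one target user identity."""
    groups = defaultdict(list)
    for a in associations:
        groups[(a.source_registry, a.cert_filter, a.target_registry)].append(a)
    flagged = []
    for members in groups.values():
        if len(members) < 2:
            continue
        infos = [m.lookup_info for m in members]
        if None in infos or len(set(infos)) != len(infos):
            flagged.append(members)
    return flagged


# Constructed sample data (not from any real domain).
FINANCE_FILTER = CertificateFilter(subject_suffix="OU=Finance,O=Example Corp,C=US",
                                   issuer_suffix="CN=Example CA,O=Example Corp,C=US")
JANE = Certificate("CN=Jane Doe,OU=Finance,O=Example Corp,C=US",
                   "CN=Example CA,O=Example Corp,C=US")
BOB = Certificate("CN=Bob Roe,OU=Sales,O=Example Corp,C=US",
                  "CN=Example CA,O=Example Corp,C=US")

# Two associations, same source registry, same filter, same target registry, no lookup info.
ASSOCIATIONS_AMBIGUOUS = [
    CertFilterPolicyAssociation("X509_REG", FINANCE_FILTER, "SYSTEMA_REG", "FINUSER"),
    CertFilterPolicyAssociation("X509_REG", FINANCE_FILTER, "SYSTEMA_REG", "FINADMIN"),
]
# The same pair with unique lookup information defined for each target user identity.
ASSOCIATIONS_FIXED = [
    CertFilterPolicyAssociation("X509_REG", FINANCE_FILTER, "SYSTEMA_REG", "FINUSER", "standard"),
    CertFilterPolicyAssociation("X509_REG", FINANCE_FILTER, "SYSTEMA_REG", "FINADMIN", "admin"),
]

if __name__ == "__main__":
    print(mapping_lookup(ASSOCIATIONS_AMBIGUOUS, "X509_REG", JANE, "SYSTEMA_REG"))
    print(mapping_lookup(ASSOCIATIONS_FIXED, "X509_REG", JANE, "SYSTEMA_REG", "admin"))
    print(len(find_ambiguous(ASSOCIATIONS_AMBIGUOUS)), len(find_ambiguous(ASSOCIATIONS_FIXED)))
```

Running the block shows the two outcomes side by side: against the first pair a lookup for Jane's certificate returns both FINUSER and FINADMIN, which an application cannot resolve, while against the second pair a lookup that supplies lookup information returns exactly one identity, and Bob's Sales certificate falls outside the filter's scope in both cases. The audit function is the check to run over a domain's policy associations before step 9.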