Certificate Mapping in DCAS

Describes certificate mapping in DCAS and explains how to enable it.
Note: This is a technology preview feature only. It is being made available to allow you to test and provide feedback on this new capability; however, this feature is not intended for production use and it is not supported as such.

Certificate mapping is the mechanism that enables DCAS to convert the information provided by a user certificate into a user ID that can be used by Enterprise Server for .NET security. A mapping is an association defined between a certificate and a user ID.

Certificate mapping types

In Enterprise Server for .NET, you can enable either or both of these two types of certificate mapping:

LDAP certificate mapping
To use LDAP certificate mapping, define an object of the LdapEsm module's configured user class with a userCertificate attribute set to a value in binary DER encoding that matches the certificate.
Default certificate mapper
To enable the default certificate mapper, add the following text to the custom configuration information for the region's security configuration:
[Map]
certificate cn=yes
Note: Be sure to set this in the security configuration, not the security manager configuration.

Certificate mapping process

When DCAS receives a certificate mapping request, the following steps take place:

  • DCAS invokes the Enterprise Server External Security Facility (ESF).
  • ESF queries each configured Security Manager to determine whether it uses the LdapEsm module.
  • If ESF finds a Security Manager that uses the LdapEsm module, LdapEsm searches its LDAP repository for an object of its configured user class whose userCertificate attribute holds a value in binary DER encoding that matches the certificate; the comparison is on the DER bytes, so a value stored in another form, such as base64 text, does not match. If the LDAP server returns a match, that object's user name is returned as the user ID and processing is complete.
    Notes:
    • Active Directory normally stores a user certificate in binary DER encoding when the certificate is associated with a Windows user.
    • Currently, only the LdapEsm ESM module supplied with Enterprise Server for .NET supports certificate mapping; other Security Managers ignore mapping requests.
  • If no Security Manager maps the certificate and the ESF default certificate mapper is enabled, the default mapper is invoked. It extracts the Subject Distinguished Name from the certificate and takes its first (most specific) CN element, if any; "first" means first in the usual string form of the DN (for example, CN=bob,OU=Payroll,O=Example), which is the last RDN in the DER encoding. The value of that CN is used as the user ID. This is a simple way to map certificates to user IDs, but it is only as trustworthy as the issuing CA's control over Subject CNs, so use it only with user certificates that are issued with appropriate Subject CNs. Processing is then complete.
  • If no Security Manager maps the certificate and the ESF default certificate mapper is not enabled, the certificate mapping process fails.
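The mapping order described in these steps, as an added example in Python (not Enterprise Server for .NET code): it builds DER-encoded subject names with a small stdlib-only encoder, uses a constructed two-field structure as a stand-in for the certificate, simulates the LdapEsm lookup with a dictionary keyed on the userCertificate bytes, and falls through to the default mapper only when that lookup fails. The certificate structure, the dictionary repository, the sample users and the behaviour when the subject has no CN at all are assumptions made for the example.

```python
# Added example (not Enterprise Server for .NET code): a stdlib-only model of
# the mapping order above. The DER helpers cover X.501 Name structures; the
# "certificate" is a constructed stand-in (SEQUENCE { serial, subject }), not
# a real X.509 certificate, and the LDAP repository is a plain dict.
OID_CN = "2.5.4.3"    # commonName
OID_O = "2.5.4.10"    # organizationName

def _der(tag, body):
    """Tag-length-value with DER length octets (short form below 128)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # base-128, continuation bit on all but last
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))

def encode_name(rdns):
    """X.501 Name, given root-first: [(OID_O, "Example"), (OID_CN, "bob")]."""
    return _der(0x30, b"".join(
        _der(0x31, _der(0x30, _der_oid(o) + _der(0x0C, v.encode("utf-8"))))
        for o, v in rdns))

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_name(name_der):
    """Decode a Name into [(oid, value), ...] in encoded (root-first) order."""
    tag, body, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)         # RelativeDistinguishedName SET
        q = 0
        while q < len(rdn):                         # each AttributeTypeAndValue
            _, atv, q = _read_tlv(rdn, q)
            _, oid, p = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, p)
            rdns.append((_decode_oid(oid), val.decode("utf-8")))
    return rdns

def make_cert(serial, subject_rdns):
    """Constructed stand-in for a certificate: SEQUENCE { INTEGER, Name } (serial < 128)."""
    return _der(0x30, _der(0x02, bytes([serial])) + encode_name(subject_rdns))

def extract_subject(cert_der):
    """Return the Subject Name DER from the stand-in certificate."""
    _, body, _ = _read_tlv(cert_der, 0)
    _, _, pos = _read_tlv(body, 0)                  # skip the serial number
    _, _, end = _read_tlv(body, pos)
    return body[pos:end]

def default_mapper(subject_der):
    """ESF default mapper as described: the most specific CN is the user ID.
    DER stores the Name root-first, so the most specific RDN is the last one."""
    for oid, value in reversed(parse_name(subject_der)):
        if oid == OID_CN:
            return value
    return None   # assumption: with no CN the default mapper cannot map

def map_certificate(cert_der, ldap_users, default_mapper_enabled):
    """Mapping order from the page. Returns the user ID, or None on failure."""
    for user_name, certificates in ldap_users.items():   # 1. LdapEsm lookup
        if cert_der in certificates:                     # exact binary DER match
            return user_name
    if default_mapper_enabled:                           # 2. default mapper
        return default_mapper(extract_subject(cert_der))
    return None                                          # 3. mapping fails

# Constructed sample data.
ALICE_CERT = make_cert(1, [(OID_O, "Example"), (OID_CN, "Alice Adams")])
BOB_CERT = make_cert(2, [(OID_O, "Example"), (OID_CN, "Payroll"), (OID_CN, "bob")])
CAROL_CERT = make_cert(3, [(OID_O, "Example"), (OID_CN, "carol")])
# Simulated LDAP user objects: user name -> userCertificate values. ALICE is
# stored as binary DER; CAROL was stored as hex text, which never matches.
LDAP_USERS = {"ALICE": [ALICE_CERT], "CAROL": [CAROL_CERT.hex().encode()]}
```

Three outcomes from the sample data are worth noting. ALICE maps through LDAP even though her Subject CN reads "Alice Adams", because the LdapEsm match is consulted before the default mapper. bob's certificate is absent from LDAP and maps to "bob" rather than "Payroll", because the most specific CN is the last RDN in DER order. CAROL's certificate was stored as hex text rather than binary DER, so it never matches in LDAP and her mapping depends entirely on the default mapper being enabled.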