How RACF processes certificate name filters
When a user presents a digital certificate as identification and
the initACEE callable service is called to associate
the certificate with a user ID, initACEE first searches
the DIGTCERT class using the certificate's serial number and issuer's
distinguished name to see if the certificate was previously registered
to RACF®. If no match is found
in the DIGTCERT class, initACEE attempts to locate
an appropriate certificate name filter by searching the DIGTNMAP class
using a series of full and partial distinguished names until the most
specific matching filter is found. If no match is found, and the certificate
does not contain a hostIdMappings extension (see Using a hostIdMappings extension), the certificate cannot be used to identify
the user to RACF.
- subject's-full-name.issuer's-full-name
- subject's-partial-name.issuer's-full-name
- subject's-full-name
- subject's-partial-name
- issuer's-full-name
- issuer's-partial-name
subject's-full-name.issuer's-partial-name
subject's-partial-name.issuer's-partial-name

Each step of the search using a partial name might actually involve a series of searches for partial name values based on the full name. Each partial name value in the series is determined by removing the next most specific node in the name. For details on searching for a series of partial name values, see the next example using Timo's certificate.
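The six-step search order and the partial-name series described above can be modelled as follows. This is an added Python example, not IBM's code or RACF's internal logic, and it is useful for checking which filter a given certificate would resolve to. Assumptions: a distinguished name is a list of nodes with the most specific node first, filters are held in a dictionary keyed by (subject, issuer) strings, and all names and user IDs are constructed.

```python
# Added illustration of the search order; not RACF code. Assumptions: a DN is a
# list of nodes, most specific first, and filters live in a dict keyed by
# (subject, issuer) strings, with None where a filter names only one of them.

def name(nodes):
    return ".".join(nodes)

def partial_names(nodes):
    """Partial-name series: remove the next most specific node each time."""
    return [name(nodes[i:]) for i in range(1, len(nodes))]

def search_keys(subject, issuer):
    """Candidate filter keys in the six-step order of the list above."""
    s_full, i_full = name(subject), name(issuer)
    keys = [(s_full, i_full)]                                  # step 1
    keys += [(s, i_full) for s in partial_names(subject)]      # step 2
    keys.append((s_full, None))                                # step 3
    keys += [(s, None) for s in partial_names(subject)]        # step 4
    keys.append((None, i_full))                                # step 5
    keys += [(None, i) for i in partial_names(issuer)]         # step 6
    return keys

def find_filter(subject, issuer, filters):
    """Return (key, user ID) for the first key that has a filter, else None."""
    for key in search_keys(subject, issuer):
        if key in filters:
            return key, filters[key]
    return None  # no filter: the hostIdMappings extension is the remaining route

# Constructed sample data (hypothetical names and user IDs).
SUBJECT = ["CN=Jane Doe", "OU=Payroll", "O=Example Corp", "C=US"]
ISSUER = ["OU=Example CA", "O=Example Corp", "C=US"]
ISSUER_DN = name(ISSUER)
FILTERS = {
    ("O=Example Corp.C=US", None): "DEPTUSER",
    (None, ISSUER_DN): "CAUSER",
    ("OU=Payroll.O=Example Corp.C=US", ISSUER_DN): "PAYUSER",
}

if __name__ == "__main__":
    for n, key in enumerate(search_keys(SUBJECT, ISSUER), 1):
        print(n, key, FILTERS.get(key, "-"))
    print("selected:", find_filter(SUBJECT, ISSUER, FILTERS))
```

With the sample data, three filters could match the certificate, and the one combining a partial subject name with the full issuer name is selected because it is reached first in the search order.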