CERTMAP but not matching certificate

Article ID: 204703

Products

Top Secret
Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

Using Certificate Name Filtering, we noticed that some acids with a CERTMAP do not have a certificate matching that CERTMAP attached to the acid.

Is a certificate with a matching CN= required to be on the acid?

Environment

Release : 16.0

Component : COMMON SECURITY SERVICES

Resolution

There are two ways to sign on a user with a digital certificate.

1. A signon security call with a digital certificate attached to the call. The user being signed on must have the matching certificate attached to (owned by) their acid.

2. A signon security call with a digital certificate attached to the call, where Certificate Name Filtering decides which acid to associate with the certificate and sign on. This method does not require a certificate on the acid.

With the first method, a signon request is made with a digital certificate passed. TSS searches the security file for that certificate to see which acid has a copy of it attached. If TSS finds an acid with that same certificate attached, that user is signed on.

The second method is a Certificate Name Filtering signon. This method is a little different: no certificate needs to be attached to an acid.

The way to associate a user with a certificate is through a certificate map, or CERTMAP. When a Certificate Name Filtering signon request is made, a certificate is passed on the signon request. TSS searches for a CERTMAP matching the certificate. Based on the CERTMAP information in the security file, it signs on the acid that has been mapped to the CN= information in the certificate passed on the signon. This signon method does not require the certificate to actually be present on the user's acid or in the security file.
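To make the difference between the two resolution methods concrete, here is a small Python model of both lookups, run against a constructed security file in which one acid owns a certificate and another is only mapped through a CERTMAP. This is an added illustration, not Top Secret code or Broadcom's: the data structures, the fingerprint-based "same certificate" test for method 1, and the rule that a CERTMAP matches on the certificate's subject CN= are assumptions made only to show why a CERTMAP-mapped acid signs on without any certificate being attached to it.

```python
"""Simplified model of the two digital-certificate signon methods.

Added illustration, not Top Secret code. The fingerprint match (method 1)
and the CN= equality rule for CERTMAP (method 2) are assumptions.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass(frozen=True)
class Certificate:
    subject_cn: str
    der: bytes  # constructed stand-in for the DER-encoded certificate

    def fingerprint(self) -> str:
        # "Same certificate" is modelled as an identical SHA-256 of the encoding.
        return hashlib.sha256(self.der).hexdigest()


@dataclass
class Acid:
    name: str
    certificates: list = field(default_factory=list)  # certificates attached to the acid


@dataclass(frozen=True)
class CertMap:
    acid: str        # acid that mapped certificates sign on as
    subject_cn: str  # CN= value the certificate's subject must carry (assumed rule)


class SignonError(Exception):
    pass


def signon_by_attached_certificate(security_file: list, cert: Certificate) -> str:
    """Method 1: find the acid that owns a copy of this exact certificate."""
    fp = cert.fingerprint()
    for acid in security_file:
        if any(c.fingerprint() == fp for c in acid.certificates):
            return acid.name
    raise SignonError("no acid has this certificate attached")


def signon_by_certmap(certmaps: list, cert: Certificate) -> str:
    """Method 2: resolve the acid from a CERTMAP; the certificate itself need not be on file."""
    matches = {m.acid for m in certmaps if m.subject_cn == cert.subject_cn}
    if not matches:
        raise SignonError(f"no CERTMAP matches CN={cert.subject_cn}")
    if len(matches) > 1:
        # Two CERTMAPs claiming the same CN is a configuration fault, not a signon.
        raise SignonError(f"ambiguous: CN={cert.subject_cn} maps to {sorted(matches)}")
    return matches.pop()


# Constructed sample security file: USER01 has a certificate attached,
# USER02 has no certificate attached and is reachable only through a CERTMAP.
CERT_USER01 = Certificate("user01", b"constructed-der-bytes-for-user01")
CERT_USER02 = Certificate("user02", b"constructed-der-bytes-for-user02")
SECURITY_FILE = [Acid("USER01", [CERT_USER01]), Acid("USER02")]
CERTMAPS = [CertMap(acid="USER02", subject_cn="user02")]


def demo() -> dict:
    """Run both methods against the sample data and collect the outcomes."""
    results = {}
    results["method1_user01"] = signon_by_attached_certificate(SECURITY_FILE, CERT_USER01)
    try:
        signon_by_attached_certificate(SECURITY_FILE, CERT_USER02)
    except SignonError as e:
        results["method1_user02"] = str(e)  # fails: nothing attached to USER02
    results["method2_user02"] = signon_by_certmap(CERTMAPS, CERT_USER02)  # succeeds via CERTMAP
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the point of the article: USER02's certificate fails method 1 because no acid owns it, yet method 2 signs USER02 on from the CERTMAP alone. The ambiguity check in `signon_by_certmap` is a defensive addition in this model; check your product documentation for how TSS itself resolves overlapping CERTMAPs.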

Which certificate signon method is used depends on the vendor application. Refer to your vendor's documentation to see which method of digital certificate signon is supported.