Digital certificates and Enterprise Identity Mapping (EIM)

Using Enterprise Identity Mapping (EIM) and Digital Certificate Manager (DCM) together allows you to use a certificate as the source of an EIM mapping lookup operation, mapping from the certificate to a target user identity associated with the same EIM identifier.

EIM is a technology that allows you to manage user identities in your enterprise, including user profiles and user certificates. A user name and password is the most common form of user identity; certificates are another form. Some applications are configured to authenticate users by means of a user certificate rather than by means of a user name and password.

You can use EIM to create mappings between user identities, which allows a user to authenticate with one user identity and access resources under another user identity without having to supply the second identity. You accomplish this in EIM by defining an association between one user identity and another. User identities can take various forms, including user certificates. You can either create individual associations between an EIM identifier and the various user identities that belong to the user represented by that EIM identifier, or you can create policy associations, which map a group of user identities to a single target user identity. When you create these associations, user certificates are mapped to the appropriate EIM identifiers, which makes it easier to use the certificates for authentication.

To take advantage of this EIM feature for managing user certificates, you need to perform these EIM configuration tasks before performing any DCM configuration tasks:

  1. Use the EIM Configuration wizard in iSeries Navigator to configure EIM.
  2. Create an EIM identifier for each user that you want to have participate in EIM.
  3. Create a target association between each EIM identifier and that user's user profile in the local i5/OS™ user registry so that any user certificates that the user assigns through DCM or creates in DCM can be mapped to the user profile. Use the EIM registry definition name for the local i5/OS user registry that you specified in the EIM Configuration wizard.

After you complete the necessary EIM configuration tasks, you must use the Manage LDAP Location task to configure Digital Certificate Manager (DCM) to store user certificates in a Lightweight Directory Access Protocol (LDAP) location instead of with a user profile. When you configure EIM and DCM to work together, the Create Certificate task for user certificates and the Assign a user certificate task process certificates for EIM usage rather than assigning the certificate to a user profile. DCM stores the certificate in the configured LDAP directory and uses the certificate's distinguished name (DN) information to create a source association for the appropriate EIM identifier. This allows operating systems and applications to use the certificate as the source of an EIM mapping lookup operation to map from the certificate to a target user identity associated with the same EIM identifier.
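The following is an added example that models the flow described in steps 1 through 3 and the DCM behaviour above; it is not IBM's EIM or DCM code. The in-memory domain, the registry names `CORP_CERTS` and `SYSTEMA.CORP.EXAMPLE`, the function names and the sample certificates are all constructed for illustration. It also assumes three things the page does not spell out: that the X.509 source identity is keyed on the certificate's subject DN and issuer DN, that an identifier's own associations take precedence over a policy association, and that a lookup which yields more than one target identity in the same registry is rejected as ambiguous rather than resolved by guessing.

```python
"""Model of the DCM/EIM certificate-to-user-profile mapping (added example, not IBM code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

X509_REGISTRY = "CORP_CERTS"          # assumed EIM registry definition for user certificates
OS_REGISTRY = "SYSTEMA.CORP.EXAMPLE"  # assumed name given to the local i5/OS registry in the wizard


class MappingError(Exception):
    """Raised when a certificate must not be mapped (expired, or ambiguous result)."""


@dataclass(frozen=True)
class Certificate:
    subject_dn: str
    issuer_dn: str
    not_after: datetime


@dataclass
class Identifier:
    """One EIM identifier (a person) with its (registry, user identity) associations."""
    name: str
    sources: set = field(default_factory=set)
    targets: set = field(default_factory=set)


class EIMDomain:
    def __init__(self):
        self.identifiers = {}
        # policy association: (source registry, target registry) -> one target user identity
        self.policies = {}

    def add_identifier(self, name):
        self.identifiers[name] = Identifier(name)
        return self.identifiers[name]

    def add_policy_association(self, source_registry, target_registry, target_user):
        """Every identity in source_registry maps to target_user; no per-user entry needed."""
        self.policies[(source_registry, target_registry)] = target_user

    def lookup(self, source_registry, source_user, target_registry):
        """Source identity -> EIM identifier -> target identity in target_registry."""
        hits = set()
        for ident in self.identifiers.values():
            if (source_registry, source_user) in ident.sources:
                hits.update(u for r, u in ident.targets if r == target_registry)
        if len(hits) > 1:
            raise MappingError(f"ambiguous mapping for {source_user}: {sorted(hits)}")
        if hits:
            return hits.pop()
        # Assumed precedence: fall back to a policy association only when no identifier matched.
        return self.policies.get((source_registry, target_registry))


def certificate_identity(cert):
    """Source user identity derived from the certificate's DN information (assumed form)."""
    return f"subject={cert.subject_dn};issuer={cert.issuer_dn}"


def dcm_assign_certificate(domain, identifier_name, cert):
    """Models 'Assign a user certificate' once DCM is configured for EIM: the certificate
    becomes a source association for the identifier instead of an attachment to a profile."""
    domain.identifiers[identifier_name].sources.add((X509_REGISTRY, certificate_identity(cert)))


def map_certificate_to_profile(domain, cert, now=None):
    """Application-side lookup: refuse expired certificates, then resolve to a user profile."""
    now = now or datetime.now(timezone.utc)
    if cert.not_after <= now:
        raise MappingError(f"certificate for {cert.subject_dn} expired {cert.not_after:%Y-%m-%d}")
    return domain.lookup(X509_REGISTRY, certificate_identity(cert), OS_REGISTRY)


def build_sample_domain():
    """Constructed domain after steps 2 and 3: identifiers with target associations to the
    users' profiles in the local i5/OS registry (no certificates assigned yet)."""
    domain = EIMDomain()
    domain.add_identifier("Alice Smith").targets.add((OS_REGISTRY, "ASMITH"))
    domain.add_identifier("Bob Jones").targets.add((OS_REGISTRY, "BJONES"))
    return domain


# Constructed sample certificates; only the DN and validity fields matter for the mapping.
ISSUER = "CN=Corp Issuing CA,O=Example Corp"
ALICE_CERT = Certificate("CN=Alice Smith,OU=Finance,O=Example Corp", ISSUER,
                         datetime(2030, 1, 1, tzinfo=timezone.utc))
STALE_CERT = Certificate("CN=Alice Smith,OU=Finance,O=Example Corp", ISSUER,
                         datetime(2020, 1, 1, tzinfo=timezone.utc))
UNKNOWN_CERT = Certificate("CN=Carol White,O=Example Corp", ISSUER,
                           datetime(2030, 1, 1, tzinfo=timezone.utc))
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    d = build_sample_domain()
    dcm_assign_certificate(d, "Alice Smith", ALICE_CERT)
    print(map_certificate_to_profile(d, ALICE_CERT, NOW))    # ASMITH
    print(map_certificate_to_profile(d, UNKNOWN_CERT, NOW))  # None: no association, no policy
```

Two points the example makes that the practitioner should carry over to a real deployment: a registry-wide policy association maps every certificate presented under that registry to the single target profile, so trust in the issuing CA is enforced by the application's TLS validation and not by the EIM lookup; and an identifier that ends up with two target associations in the same i5/OS registry produces an ambiguous result, which the application should treat as a failed authentication rather than pick one.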

Additionally, when you configure EIM and DCM to work together you can use DCM to check user certificate expiration at the enterprise level rather than just at the system level.

Related concepts
Public certificates versus private certificates
Related tasks
Manage user certificates by expiration
Manage LDAP location for user certificates
Related information
EIM Information Center topic