Attributes For Predicates - Netscape MANAGEMENT SYSTEM 6.01 Installation And Setup Manual

Introduction to Policy
Be aware that if the same name is in a HTTP form input and authentication token
(authentication result) the authentication result can override the HTTP form input.
For example, if
email
authentication module will override the
request. A predicate using
the authentication instead of the HTTP input value.
The following are sample predicates:
HTTP_PARAMS.certType==client AND HTTP_PARAMS.ou==Engineering
HTTP_PARAMS.certType==server AND HTTP_PARAMS.o==Netscape OR
HTTP_PARAMS.certType==ca

Attributes for Predicates

Attributes for predicates can come from any of the following:
• Input form—that is, the HTML form that end entities use for submitting
certificate requests.
• Authentication token—what the authentication subsystem returns after
successfully authenticating an end entity.
• A service—for example, a Certificate Manager, Registration Manager, or Data
Recovery Manager service can add certain attributes to the end-entity request.
• Policy processor—what the policy subsystem returns after subjecting the
end-entity request to policy checking. For example, an extension-based policy
can set an appropriate extension in the certificate.
Table 18-2 lists default attributes that are supported by various request object
implementations.
Table 18-2 Attributes supported by request object implementations
Request type Variable name
Default attributes from an input form:
Enrollment
requestFormat
564 Netscape Certificate Management System Installation and Setup Guide • May 2002
is in a HTTP input and an authentication module also puts
email
in the authentication result (that is, authtoken) the
email
Description
Specifies the certificate request format. Default values
include the following:
• keygen
• pkcs10
• clientAuth
value from the HTTP input in the
email
in an expression will be evaluated to the value of
value from the
email