Using Predicates In Policy Rules - Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual

3. If the request passes all the policy rules (that is, all policy rules returned a
PolicyResult.ACCEPTED value), the request gets serviced; for example, the
certificate is issued or renewed.

Using Predicates in Policy Rules

You can use predicates in a policy rule. A predicate indicates whether the rule that
contains the predicate applies to a request. If you specify a predicate as part of the
rule configuration, the policy rule applies that predicate based on request attributes
to determine whether the rule is applicable for a request.

The policy predicate is a logical expression. You form the expression using
variables and relational operators (AND or OR). For example, you could set up a
predicate to put the CRL Distribution Point extension only in SSL client certificates,
or set different validity dates for certificates for users in different groups.

The following are sample predicates:

HTTP_PARAMS.certType==client AND HTTP_PARAMS.ou==Engineering
HTTP_PARAMS.certType==server AND HTTP_PARAMS.o==Netscape OR HTTP_PARAMS.certType==ca

Expression Support for Predicates

You form an expression using an attribute, its value, and one or more of the
operators listed in Table 11-1. For a list of attributes, see "Attributes for Predicates"
on page 487.

Table 11-1 Predicates in policy: supported comparison and logical operators

Operator    Description
==          Equal to
!=          Not equal to
AND         Logical operator AND
OR          Logical operator OR

Note that expression parsing currently supports only two comparison
operators (==, !=) and two relational operators (AND, OR).
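
The predicate semantics described in this section, as an added Python example that is not code from the manual or from Certificate Management System: it parses the two sample predicates using only the operators in Table 11-1 and evaluates them against constructed request attributes. The function names are hypothetical, and three behaviours are assumptions because the page does not state them: AND binds tighter than OR, values contain no spaces, and a missing attribute matches no value.

```python
import re

# One comparison: attribute, operator from Table 11-1, value (no spaces assumed).
_COMPARISON = re.compile(r"^([\w.]+)\s*(==|!=)\s*([^\s=!]+)$")

def parse_predicate(text):
    """Return OR-clauses, each a list of (attr, op, value) terms ANDed together.

    Assumption: AND binds tighter than OR; the page does not state precedence.
    """
    clauses = []
    for clause in re.split(r"\s+OR\s+", text.strip()):
        terms = []
        for term in re.split(r"\s+AND\s+", clause):
            m = _COMPARISON.match(term.strip())
            if m is None:
                # Reject anything outside ==, !=, AND, OR rather than guessing.
                raise ValueError(f"unsupported predicate term: {term!r}")
            terms.append(m.groups())
        clauses.append(terms)
    return clauses

def rule_applies(text, attrs):
    """True if the rule guarded by predicate `text` applies to request `attrs`."""
    def holds(attr, op, value):
        actual = attrs.get(attr)  # assumption: a missing attribute matches no value
        return (actual == value) if op == "==" else (actual != value)
    # Parse fully first so a malformed predicate fails even if an early clause matches.
    clauses = parse_predicate(text)
    return any(all(holds(*t) for t in terms) for terms in clauses)

# The page's two sample predicates.
ENGINEERING_CLIENT = "HTTP_PARAMS.certType==client AND HTTP_PARAMS.ou==Engineering"
SERVER_OR_CA = ("HTTP_PARAMS.certType==server AND HTTP_PARAMS.o==Netscape OR "
                "HTTP_PARAMS.certType==ca")

# Constructed request attributes for illustration.
REQUESTS = {
    "eng_client": {"HTTP_PARAMS.certType": "client", "HTTP_PARAMS.ou": "Engineering"},
    "sales_client": {"HTTP_PARAMS.certType": "client", "HTTP_PARAMS.ou": "Sales"},
    "other_org_ca": {"HTTP_PARAMS.certType": "ca", "HTTP_PARAMS.o": "Example"},
    "other_org_server": {"HTTP_PARAMS.certType": "server", "HTTP_PARAMS.o": "Example"},
}

if __name__ == "__main__":
    for name, attrs in REQUESTS.items():
        print(name, rule_applies(ENGINEERING_CLIENT, attrs), rule_applies(SERVER_OR_CA, attrs))
```

Under these assumptions the second sample predicate applies to every ca request regardless of its o value, and a != comparison is true for a request that omits the attribute entirely. Both are worth checking against the actual server behaviour before relying on a predicate to scope a restrictive rule.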

This manual is also suitable for:

Certificate management system 6.1