
See Developing a Custom Policy Plug-in on page 5-24 for further explanation. You can also add a predicate, within a policy rule, to any of the default policies displayed on the edit page for the policy. (Predicates cannot be added to custom policies.) See Adding Predicates.

Predicates in Policy Rules

Policy rules are specified and enforced according to certain conventions, as explained briefly in the section Overview of Policy Management. This section explains the use of predicates in policy rules and supplies examples, in the following subsections:

■ Multiple Predicate Evaluation

■ Evaluation Example for Multiple Predicates

■ One Further Example of Evaluating Multiple Predicates

■ Reordering Predicates

■ Adding Predicates

A predicate specifies certain values and an expression used as a test of incoming certificate requests. The specified values are to be used instead of the policy’s defaults if the predicate expression is matched by the corresponding elements of a certificate request. When a match occurs, the values associated with that predicate expression are used to evaluate the request’s validity and set its parameters, instead of the policy’s default values.

Predicates are optional, and they cannot be used in custom policies.

You can specify predicates in the web interface for a rule within a default policy. Once specified, the predicates are matched with every incoming request for the particular certificate operation the policy applies to, i.e., request, revocation, or renewal. If an incoming certificate or certificate request matches no predicate expression, or if the rule has no predicates, then the default values, ranges, or actions specified for the policy are used to evaluate the request. For example, values in the request are checked to verify they are in the correct default range specified in the policy. If they are, the request will be honored. Values that do not match the specified defaults or are not in the specified ranges cause the request to be rejected with an informational error message.

If an incoming certificate or certificate request does match a type specified in a predicate, then the defaults or ranges in the rule are not applied to that certificate or certificate request. The only values that can be applied to it are those you specify as corresponding to that predicate.

Thus, as an administrator, you can enhance a rule in a default policy and configure it for different user populations. For example, you can set a longer validity period for the "Development" department than for the "Sales" department.

The predicate expression is a logical expression. You form the expression using variables and relational operators. For example, you could set up a predicate to set different validity dates for certificates for users in different groups.

The following are valid sample predicate expressions:

Type==client AND DN=="ou=Sales,o=oracle,c=us"

Type==server AND DN=="o=Oracle,c=us"

Note: Policy rules cannot be shared across request types, i.e., requests for certificate issuance, revocation, or renewal.

Table 5–8 lists the logical operators used in predicate expressions.

The following rules use the delimiter ":=" to separate the name of the policy expression and its valid syntax. They show what is valid in constructing policy expressions:

Predicate expression := Expression | AndExpression

AndExpression := Expression AND Expression

Expression := Attribute op Value

Attribute := <attrib_name>

op := == or !=

Value := a string

Oracle Application Server Certificate Authority does not support operators such as OR, <, and >. You can implement the OR logical expression by splitting the predicate into multiple predicates and specifying the same value. (The policy plug-ins and APIs support multiple predicates.) In the predicates, values can be any string enclosed in double quotes. Attribute is always specified as <attrib_name>. All predicate expressions and string values are case-insensitive. A Value in an Expression can be set to "*" to match every "attribute" under consideration, e.g., type=="*" matches all the certificate types. However, using "*" with any other string to form partial-pattern string matching is not supported.

Table 5–9 describes the attributes and the values they can have.

Table 5–8 Logical Operators

Operator   Description
==         Equal to
!=         Not equal to
AND        Logical operator AND

Table 5–9 Predicate Attributes

Attribute: type
Variable Name: type
Description: Specifies the certificate type. Allowable values include the following:

■ type=="client"
■ type=="server"
■ type=="ca"

Attribute: usage
Variable Name: usage
Description: Specifies the type of certificate usage. Allowable values include the following:

■ usage=="ssl"
■ usage=="smime_enc"
■ usage=="smime_sign"
■ usage=="code_sign"
■ usage=="ca_sign"

Attribute: DN
Variable Name: DN
Description: Specifies the distinguished name. Valid parameters include any valid partial or complete DN. (DN entries must be contiguous, and must be complete down to the "C=" entry, but need not necessarily start with CN.)

Oracle Application Server Certificate Authority uses DNs as specified in RFC1779, with the most significant component last. For example, in the well-formed DN "cn=user31415,ou=security,ou=ST,o=Oracle,c=US", cn is the least significant component and c is the most significant one.

The term RDN stands for "relative distinguished name," meaning the most granular local entry name that needs no further qualification to address an entry uniquely. If an RDN attribute appears multiple times, then the least significant RDN, specified first, is understood to be a child of the RDN occurring next. In the above example, since "ou=security" appears before "ou=ST", "security" is understood as a sub-division under the "ST" division.

A DN specified in the predicate can start at any RDN but must complete at the root. For example, "ou=ST,o=Oracle,c=US" is a valid partial DN that can be specified, whereas "ou=ST,o=Oracle" is an invalid partial DN because it stops at "o=Oracle" and does not contain the root (i.e., "c=US").

To support the big-endian order, where the most significant component is first, OCA internally converts such a DN to little-endian order before DN matching is done, for policy evaluations only.

When DN components are matched against a DN expression mentioned in a predicate expression, the following rule is applied: the predicate matches the DN if the whole predicate DN forms the last part of the DN. For example, if the predicate expression is

DN=="ou=ST,o=Oracle,c=US"

then it would match all of the following DNs:

"cn=user31415,ou=ST,o=Oracle,c=US"
"cn=quser2787,ou=security,ou=ST,o=Oracle,c=US"
"cn=kuser987,ou=security, ou=DAS,ou=ST,o=Oracle,c=US"

The above predicate expression fails to match the following DNs:

"cn=user31415,ou=DAS,ou=ST,o=Oracle,c=IN"
"cn=quser2787,ou=ST, ou=pki, o=Oracle,c=US"
"cn=kuser987,ou=ST,o=Oracle, st=CA,c=US"
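As an added example, not code from Oracle Application Server Certificate Authority, the following Python evaluator implements the predicate grammar given above (==, !=, AND, the "*" wildcard, case-insensitive comparison, rejection of OR) together with the DN suffix-matching rule from the DN row, and then applies a constructed validity rule the way the text describes: the matching predicate's values are used, and the rule's defaults apply when no predicate matches. The function and class names, the first-match ordering, the treatment of a leading "c=" as big-endian order, the max_validity_days figures and the Development/Sales/server requests are all assumptions made for this illustration; OCA's own matching code is not on the page.

```python
# Added example, not code from Oracle Application Server Certificate Authority:
# an evaluator for the predicate grammar and DN suffix-matching rule described
# above. Names, the PolicyRule class, validity values and sample requests are
# all constructed for this illustration.
import re
from typing import Dict, List, Tuple

Expression = Tuple[str, str, str]  # (attribute, op, value)

# Expression := Attribute op Value; op is == or !=; Value is a string, optionally
# double-quoted (needed when it contains commas or spaces, as a DN does).
_EXPR = re.compile(r'^\s*(\w+)\s*(==|!=)\s*(?:"([^"]*)"|(\S+))\s*$')


def parse_predicate(text: str) -> List[Expression]:
    """Parse 'Expression' or 'Expression AND Expression ...' into triples.
    Only == and != are accepted (OR, <, > are rejected, as the page states);
    attribute names are lower-cased because matching is case-insensitive."""
    exprs = []
    for term in re.split(r"\s+AND\s+", text.strip(), flags=re.IGNORECASE):
        m = _EXPR.match(term)
        if m is None:
            raise ValueError(f"unsupported or malformed expression: {term!r}")
        attr, op, quoted, bare = m.groups()
        exprs.append((attr.lower(), op, quoted if quoted is not None else bare))
    return exprs


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDNs, least significant first (RFC 1779 order).
    Assumption: a DN whose first RDN is the root ("c=") is big-endian and is
    reversed here, mirroring the internal conversion the page mentions."""
    rdns = [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]
    if len(rdns) > 1 and rdns[0].startswith("c=") and not rdns[-1].startswith("c="):
        rdns.reverse()
    return rdns


def dn_matches(predicate_dn: str, request_dn: str) -> bool:
    """True if the predicate DN is a contiguous tail of the request DN, down to the root."""
    pred, req = split_dn(predicate_dn), split_dn(request_dn)
    if not pred or not pred[-1].startswith("c="):
        # e.g. "ou=ST,o=Oracle" stops short of the root: an invalid partial DN per the page
        raise ValueError(f"predicate DN must be complete down to c=: {predicate_dn!r}")
    return len(pred) <= len(req) and req[-len(pred):] == pred


def expression_matches(expr: Expression, request: Dict[str, str]) -> bool:
    """Evaluate one 'Attribute op Value' test against a request's attributes."""
    attr, op, value = expr
    actual = request.get(attr, "")  # assumption: an absent attribute reads as ""
    if value == "*":  # "*" alone matches every value; partial patterns are unsupported
        equal = True
    elif attr == "dn":
        equal = dn_matches(value, actual)
    else:
        equal = value.strip().lower() == actual.strip().lower()
    return equal if op == "==" else not equal


class PolicyRule:
    """Default values plus an ordered list of (predicate text, override values)."""

    def __init__(self, defaults: Dict[str, int],
                 predicates: List[Tuple[str, Dict[str, int]]]):
        self.defaults = defaults
        self.predicates = [(parse_predicate(p), v) for p, v in predicates]

    def select_values(self, request: Dict[str, str]) -> Dict[str, int]:
        """Values of the first matching predicate, else the rule's defaults.
        First-match order is an assumption of this example; the page says only
        that predicates can be reordered, not how several matches resolve."""
        for exprs, values in self.predicates:
            if all(expression_matches(e, request) for e in exprs):
                return values
        return self.defaults


# Constructed validity rule: a longer period for Development than for Sales, as
# the text suggests. The two single-term predicates for server and CA
# certificates share one value set, which is how the page says OR is expressed.
VALIDITY_RULE = PolicyRule(
    defaults={"max_validity_days": 365},
    predicates=[
        ('Type==client AND DN=="ou=Development,o=Oracle,c=US"', {"max_validity_days": 730}),
        ('Type==client AND DN=="ou=Sales,o=Oracle,c=US"', {"max_validity_days": 180}),
        ("type==server", {"max_validity_days": 90}),
        ("type==ca", {"max_validity_days": 90}),
    ],
)


def max_validity_days(cert_type: str, dn: str) -> int:
    """Effective validity limit for a request with the given certificate type and DN."""
    return VALIDITY_RULE.select_values({"type": cert_type, "dn": dn})["max_validity_days"]
```

Fed the six DNs listed in the DN row, dn_matches returns True for the three matching ones and False for the three that fail (the "c=IN" root, the non-contiguous "ou=pki", and the inserted "st=CA"); a predicate DN such as "ou=ST,o=Oracle" that stops short of the root raises ValueError, as does an expression containing OR. With the constructed rule, max_validity_days("client", "cn=user31415,ou=Development,o=Oracle,c=US") returns 730, the Sales equivalent returns 180, and a client request under a department with no predicate falls back to the 365-day default.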