6.7. Mapping Resolver Configuration
The Token Processing System provides a single mapping resolver by default. The resolver is called FilterMappingResolver. This section will cover its configuration.
Note
See the Mapping Resolver section of the Red Hat Certificate System Planning, Installation, and Deployment Guide for general information about the Mapping Resolver.
6.7.1. Key Set Mapping Resolver
During External Registration, the key set must be resolved using the resolver before a user can authenticate.
The key set mapping resolver name is defined as follows:
externalReg.mappingResolver=<keySet mapping resolver name>
For example:
externalReg.mappingResolver=keySetMappingResolver
The following configuration example shows a full instance configuration:
mappingResolver.keySetMappingResolver.class_id=filterMappingResolverImpl
mappingResolver.keySetMappingResolver.mapping.0.filter.appletMajorVersion=0
mappingResolver.keySetMappingResolver.mapping.0.filter.appletMinorVersion=0
mappingResolver.keySetMappingResolver.mapping.0.filter.keySet=
mappingResolver.keySetMappingResolver.mapping.0.filter.tokenATR=
mappingResolver.keySetMappingResolver.mapping.0.filter.tokenCUID.end=a1000000000000000000
mappingResolver.keySetMappingResolver.mapping.0.filter.tokenCUID.start=a0000000000000000000
mappingResolver.keySetMappingResolver.mapping.0.target.keySet=defKeySet
mappingResolver.keySetMappingResolver.mapping.1.filter.appletMajorVersion=1
mappingResolver.keySetMappingResolver.mapping.1.filter.appletMinorVersion=1
mappingResolver.keySetMappingResolver.mapping.1.filter.keySet=
mappingResolver.keySetMappingResolver.mapping.1.filter.tokenATR=1234
mappingResolver.keySetMappingResolver.mapping.1.filter.tokenCUID.end=
mappingResolver.keySetMappingResolver.mapping.1.filter.tokenCUID.start=
mappingResolver.keySetMappingResolver.mapping.1.target.keySet=defKeySet
mappingResolver.keySetMappingResolver.mapping.2.filter.appletMajorVersion=
mappingResolver.keySetMappingResolver.mapping.2.filter.appletMinorVersion=
mappingResolver.keySetMappingResolver.mapping.2.filter.keySet=
mappingResolver.keySetMappingResolver.mapping.2.filter.tokenATR=
mappingResolver.keySetMappingResolver.mapping.2.filter.tokenCUID.end=
mappingResolver.keySetMappingResolver.mapping.2.filter.tokenCUID.start=
mappingResolver.keySetMappingResolver.mapping.2.target.keySet=jForte
mappingResolver.keySetMappingResolver.mapping.order=0,1,2
The above example defines three mappings named 0, 1, and 2. They are evaluated in ascending order, as set by the mappingResolver.keySetMappingResolver.mapping.order=0,1,2 line in the example. This order means the input parameters will be run against the filter of mapping 0 first; the next mapping in the order is tried only if they do not match that filter. For example, if a token with the following characteristics is evaluated:
CUID=a0000000000000000011
appletMajorVersion=0
appletMinorVersion=0
Then it would pass mapping 0 and be assigned its target, which is configured to defKeySet, because the applet version matches and the CUID falls within the CUID start and end range for that mapping.
On the other hand, consider a token with the following parameters:
CUID=b0000000000000000000
ATR=2222
appletMajorVersion=1
appletMinorVersion=1
This token fails mapping 0 because it is outside the specified CUID range. It also fails mapping 1 because, while the applet versions match, the ATR does not. The token will therefore be assigned to mapping 2 and its target, jForte.
Note how mapping 2 has no assignments for any of its filters. This causes the mapping to match all tokens, effectively making it a "default" value. Mappings like this must be specified last in the mapping order, because any other mappings after it will never be evaluated.
6.7.2. Token Type (TPS) Mapping Resolver
There are three default tokenType mapping resolvers defined in the Token Processing System: formatProfileMappingResolver, enrollProfileMappingResolver, and pinResetProfileMappingResolver. Unlike the External Registration case discussed in the previous section, in the Internal Registration case token types are actually calculated from the defined mapping resolver.
The token type mapping resolver names are defined as follows:
op.<op>.mappingResolver=<mapping resolver name>
For example:
op.enroll.mappingResolver=enrollProfileMappingResolver
The following configuration example describes the enrollProfileMappingResolver:
mappingResolver.enrollProfileMappingResolver.class_id=filterMappingResolverImpl
mappingResolver.enrollProfileMappingResolver.mapping.0.filter.appletMajorVersion=1
mappingResolver.enrollProfileMappingResolver.mapping.0.filter.appletMinorVersion=
mappingResolver.enrollProfileMappingResolver.mapping.0.filter.tokenATR=
mappingResolver.enrollProfileMappingResolver.mapping.0.filter.tokenCUID.end=b1000000000000000000
mappingResolver.enrollProfileMappingResolver.mapping.0.filter.tokenCUID.start=b0000000000000000000
mappingResolver.enrollProfileMappingResolver.mapping.0.filter.tokenType=userKey
mappingResolver.enrollProfileMappingResolver.mapping.0.target.tokenType=userKey
mappingResolver.enrollProfileMappingResolver.mapping.1.filter.appletMajorVersion=1
mappingResolver.enrollProfileMappingResolver.mapping.1.filter.appletMinorVersion=
mappingResolver.enrollProfileMappingResolver.mapping.1.filter.tokenATR=
mappingResolver.enrollProfileMappingResolver.mapping.1.filter.tokenCUID.end=a0000000000000001000
mappingResolver.enrollProfileMappingResolver.mapping.1.filter.tokenCUID.start=a0000000000000000000
mappingResolver.enrollProfileMappingResolver.mapping.1.filter.tokenType=soKey
mappingResolver.enrollProfileMappingResolver.mapping.1.target.tokenType=soKey
mappingResolver.enrollProfileMappingResolver.mapping.2.filter.appletMajorVersion=
mappingResolver.enrollProfileMappingResolver.mapping.2.filter.appletMinorVersion=
mappingResolver.enrollProfileMappingResolver.mapping.2.filter.tokenATR=
mappingResolver.enrollProfileMappingResolver.mapping.2.filter.tokenCUID.end=
mappingResolver.enrollProfileMappingResolver.mapping.2.filter.tokenCUID.start=
mappingResolver.enrollProfileMappingResolver.mapping.2.filter.tokenType=
mappingResolver.enrollProfileMappingResolver.mapping.2.target.tokenType=userKey
mappingResolver.enrollProfileMappingResolver.mapping.order=1,0,2
Three mappings are defined for the enrollProfileMappingResolver in the above example. The mappings are named 0, 1, and 2. The mappingResolver.enrollProfileMappingResolver.mapping.order=1,0,2 line defines the order in which the mappings will be processed. If a token matches a mapping, no further mappings in the order will be evaluated; if it does not match a mapping, the next one in the order will be tried.
Consider a token with the following parameters:
CUID=a0000000000000000011
appletMajorVersion=1
appletMinorVersion=0
extension: tokenType=soKey
A token with this configuration will match the filters for mapping 1 because the applet version matches, the CUID falls within the specified start and end range, and the extension tokenType matches. Therefore, this token will be assigned the target for that mapping, soKey.
In another case, consider a token with the following parameters:
CUID=b0000000000000000010
appletMajorVersion=1
appletMinorVersion=1
In this case, the token will fail mapping 1 because the CUID is outside the specified range. Then it will also fail mapping 0, because the tokenType extension is missing. This token will then match mapping 2, because that mapping specifies no filters and therefore matches all tokens which did not match any of the previous filters.
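The first-match evaluation described in sections 6.7.1 and 6.7.2 can be modelled offline to check a mapping order before deploying it. The following Python sketch is an added example, not Certificate System code: the function names (parse_resolver, matches, resolve, shadowed) are hypothetical, and it assumes inclusive CUID bounds compared as hex integers and that a token lacking a filtered attribute does not match.

```python
# Added example, not Certificate System code. Assumptions: CUID bounds are inclusive
# hex integers; a token lacking a filtered attribute fails. Tokens use filter field names.
P = "mappingResolver.enrollProfileMappingResolver.mapping."
# The page's enrollProfileMappingResolver, with most empty filter keys left out.
SAMPLE = " ".join(P + s for s in """
0.filter.appletMajorVersion=1 0.filter.tokenCUID.start=b0000000000000000000
0.filter.tokenCUID.end=b1000000000000000000 0.filter.tokenType=userKey
0.target.tokenType=userKey 1.filter.appletMajorVersion=1
1.filter.tokenCUID.start=a0000000000000000000 1.filter.tokenType=soKey
1.filter.tokenCUID.end=a0000000000000001000 1.target.tokenType=soKey
2.filter.tokenATR= 2.target.tokenType=userKey order=1,0,2""".split())

def parse_resolver(cfg_text, name):
    prefix, order, mappings = f"mappingResolver.{name}.mapping.", [], {}
    for item in cfg_text.split():
        key, _, value = item.partition("=")
        if key == prefix + "order":
            order = value.split(",")
        elif key.startswith(prefix):
            map_id, kind, field = key[len(prefix):].split(".", 2)
            entry = mappings.setdefault(map_id, {"filter": {}, "target": {}})
            if value:  # an empty filter value means "not filtered on"
                entry[kind][field] = value
    return order, mappings

def matches(flt, token):
    for field, want in flt.items():
        if field.startswith("tokenCUID."):
            if "tokenCUID" not in token:
                return False
            cuid, bound = int(token["tokenCUID"], 16), int(want, 16)
            if (cuid < bound) if field.endswith("start") else (cuid > bound):
                return False
        elif token.get(field) != want:
            return False
    return True

def resolve(order, mappings, token):
    for map_id in order:  # first mapping whose filters all match wins
        if matches(mappings[map_id]["filter"], token):
            return map_id, mappings[map_id]["target"]
    return None, {}

def shadowed(order, mappings):
    """IDs listed after a catch-all mapping (no filters set): never evaluated."""
    for i, map_id in enumerate(order):
        if not mappings[map_id]["filter"]:
            return order[i + 1:]
    return []
```

A non-empty result from shadowed() means a catch-all mapping sits before other mappings in the order, so those later mappings can never assign their targets.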