eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect
Certificate Name Filtering Support

Valid prefixes for SDNFILTR and IDNFILTR are:

    Values                 Specified as
    COUNTRY                C=
    STATE/PROVINCE         ST=
    LOCALITY               L=
    ORGANIZATION           O=
    ORGANIZATIONAL UNIT    OU=
    TITLE                  T=
    COMMON NAME            CN=
    DOMAIN COMPONENT       DC=
    POSTAL CODE            PC=
    EMAIL                  E=
    STREET NAME            STREET=
    USERID                 UID=

IDNFILTR—Specifies the significant portion of the issuer's distinguished name that is to be used as a filter when associating an acid with a certificate. The value specified for IDNFILTR should begin with a prefix found in the list above and must be followed by an equal sign (X'7E'). Each component should be separated by a period (X'4B'). The case, blanks, and punctuation displayed when the digital certificate information is listed must be maintained in the IDNFILTR. Since digital certificates only contain characters available in the ASCII character set, the same characters should be used for the IDNFILTR value.

For example:

    IDNFILTR('OU=Class 1 Certificate.O=BobsCertAuth')

CRITERIA—Is specified with the MULTIID acid to identify variable data in addition to SDNFILTR and IDNFILTR. Criteria defined by eTrust CA-Top Secret are CNFAPP and SYSID. Users can also define their own variables.

LABLCMAP—Specifies the label to be associated with the certificate name filter. Up to 32 characters can be specified. It can contain embedded blanks and mixed-case characters, and is stripped of leading and trailing blanks. If a single quotation mark is intended to be part of the label-name, you must use two single quotation marks together for each single quotation mark within the string, and the entire string must then be enclosed within single quotation marks.

1–76 Cookbook
DCDSN—Specifies the name of a data set that contains a digital certificate. The SDNFILTR or IDNFILTR data must match a portion of the subject/issuer's distinguished name extracted from the certificate. The distinguished name from the point of the match to the end of the name is used as the filter data.

TRUST/NOTRUST—When specified, indicates whether this mapping can be used to associate a userid to a certificate presented by a user accessing the system. If neither TRUST nor NOTRUST is specified, the default is NOTRUST.

Managing Criteria Maps

When the acid is MULTIID and the CRITERIA keyword was specified on the TSS ADD CERTMAP command, criteria data must be defined in CRITMAP records to identify the acid to be associated with a certificate. The acid name on the CRITMAP record identifies the user when the filter that matched the certificate was for acid MULTIID. The TSS ADD|REM|REPL|LIST commands are used to manage criteria maps. The syntax of the ADD command follows:

    TSS ADD(userid) CRITMAP(recid)
        {SYSID(system identifier)}
        {CNFAPP(application name)}
        {CNFUVAR(site variable list)}

Userid—Name of the acid to be associated with this filter.

CRITMAP—Unique 8-byte record identifier.

SYSID—The system identifier. A maximum of 4 characters can be specified and the value can contain an asterisk (*) for masking.

CNFAPP—The application variable. A maximum of 8 characters can be specified and the value can contain an asterisk (*) for masking.

CNFUVAR—A list of application-defined variables that are defined as CRITERIA keyword data. This field can contain up to 255 uppercase characters.

Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–77
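The prefix, separator and match-to-end rules for SDNFILTR/IDNFILTR values described above can be checked before a filter is defined. The following Python sketch is an added example, not part of the cookbook and not the product's own matching logic; the function names and the sample issuer name are constructed, and prefixes are assumed to be uppercase exactly as listed.

```python
import re

# Prefixes the page lists as valid for SDNFILTR and IDNFILTR.
VALID_PREFIXES = {"C", "ST", "L", "O", "OU", "T", "CN", "DC", "PC", "E", "STREET", "UID"}

# A component starts at the beginning of the value or right after a period,
# and runs up to its equal sign. Periods inside a value are left alone.
_COMPONENT = re.compile(r"(?:^|\.)([^.=]*)=")


def check_filter(value):
    """Return a list of problems found in an SDNFILTR/IDNFILTR value."""
    problems = []
    if not value.isascii():
        problems.append("non-ASCII character")
    components = list(_COMPONENT.finditer(value))
    if not components or components[0].start() != 0:
        problems.append("must begin with a listed prefix followed by '='")
    for m in components:
        # Assumption: prefixes are uppercase exactly as the page lists them.
        if m.group(1) not in VALID_PREFIXES:
            problems.append(f"unknown prefix {m.group(1)!r}")
    return problems


def filter_data(listed_dn, fragment):
    """Model of the DCDSN rule: the filter data is the distinguished name
    from the point where the fragment matches to the end of the name.
    Case, blanks and punctuation must match exactly. None means no match."""
    at = listed_dn.find(fragment)
    return None if at < 0 else listed_dn[at:]


if __name__ == "__main__":
    # Constructed issuer name in the period-separated form described above.
    issuer = "CN=Bobs Root.OU=Class 1 Certificate.O=BobsCertAuth"
    for candidate in ("OU=Class 1 Certificate.O=BobsCertAuth",
                      "OU=Class 1 Certificate.0=BobsCertAuth",  # digit zero
                      "ou=Class 1 Certificate"):
        print(candidate, check_filter(candidate), filter_data(issuer, candidate))
```

A value that fails either check would not select the intended issuer or subject name, so the acid association it was meant to create would not take effect as planned.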