eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect
Kerberos

The Kerberos password of this realm is children. The default ticket life is 10 hours, a minimum ticket life of 30 seconds, and a maximum ticket life of 24 hours.

Defining Local Principals

Local principals in Kerberos are user ACIDs capable of activity on UNIX System Services, who are able to initiate Kerberos commands in the system corresponding to the local realm. Kerberos local principals must possess at least the following, with sufficient authority to allow access to the OMVS or ISHELL shells:

■ UID
■ GROUP
■ DFLTGRP
■ HOME
■ OMVSPGM

When a local principal is defined, the affected ACID receives a KERB segment to hold relevant information, some of which will not be available for display. A corresponding KERBSEGM record will also be defined to the SDT. The label for the KERBSEGM record is the ACID to which the new segment has been added.

The administrator defines Kerberos information for the user as follows:

    TSS ADD(acid) KERBNAME(principal_name)

acid — Specifies the security ACID to be defined with Kerberos information.

principal_name — Specifies the Kerberos Principal Name associated with this user. This information is added to the KERB segment of the user's security record. It is also added to the SDT KERBNAME record for high-speed cross-reference indexing. The KERBNAME specified must be unique for each user in the local realm. KERBNAME cannot be added to a PROFILE or GROUP ACID, nor can it be added to a hierarchy ACID. The fully qualified Kerberos principal name is formatted from the KERBDFLT REALMNAME and the KERBNAME principal_name. The combined length cannot exceed 240 characters. The principal name cannot include spaces (x'40') or the "at" sign (x'7F').

    /…/local_realm/principal_name

interval — Specifies the maximum ticket life associated with tickets for this user. The range of available values is 1 – (2**31 – 1). Sensible values for this parameter should not exceed MAXTKTLF for the REALM, and should not be exceeded by the REALM DEFTKTLF.

1–84 Cookbook
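The KERBNAME and ticket-life rules above are easy to get wrong at the command line, and a rejected or oddly behaving principal is only discovered afterwards. The following pre-flight checker is an added example, not code from the cookbook or from CA: it applies the stated constraints (no space x'40' or "at" sign x'7F', realm plus principal no longer than 240 characters, ticket life within 1 to 2**31-1 and sane relative to the realm's MAXTKTLF and DEFTKTLF, no KERBNAME on PROFILE or GROUP ACIDs) and only then renders the TSS ADD command. The MAXTKTLF(interval) operand spelling, the assumption that the 240-character limit counts realm name plus principal name only, the seconds unit for ticket life, and the sample realm EXAMPLE.REALM are all assumptions of this example, not taken from the page.

```python
"""Pre-flight checks for a Kerberos local-principal definition in CA-Top Secret.

Added example, not from the cookbook. It applies the KERBNAME and ticket-life
rules stated in the text before an administrator issues TSS ADD, so a bad
request is caught before it reaches the security database.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Limits stated in the cookbook text
COMBINED_NAME_MAX = 240          # realm name + principal name, characters
TKTLF_MIN = 1                    # smallest legal ticket-life value
TKTLF_MAX = 2**31 - 1            # largest legal ticket-life value
FORBIDDEN_CHARS = {" ": "space (x'40')", "@": "at sign (x'7F')"}
NON_USER_ACID_TYPES = {"PROFILE", "GROUP"}   # KERBNAME is rejected on these


@dataclass
class Realm:
    """Local realm settings from KERBDFLT (values are constructed for the example)."""
    name: str        # KERBDFLT REALMNAME
    deftktlf: int    # default ticket life, DEFTKTLF
    maxtktlf: int    # maximum ticket life, MAXTKTLF


@dataclass
class CheckResult:
    errors: List[str] = field(default_factory=list)    # request must not be issued
    warnings: List[str] = field(default_factory=list)  # legal but not sensible
    command: str = ""                                  # TSS ADD to issue if ok

    @property
    def ok(self) -> bool:
        return not self.errors


def check_kerb_add(acid: str, acid_type: str, realm: Realm,
                   principal: str, maxtktlf: Optional[int] = None) -> CheckResult:
    """Validate a TSS ADD(acid) KERBNAME(principal) [MAXTKTLF(interval)] request.

    The MAXTKTLF(interval) operand spelling is an assumption; the cookbook
    names the operand but the syntax line is not reproduced on this page.
    """
    r = CheckResult()

    # KERBNAME is only valid on a user ACID, not on PROFILE, GROUP or hierarchy ACIDs
    if acid_type.upper() in NON_USER_ACID_TYPES:
        r.errors.append(f"KERBNAME cannot be added to a {acid_type.upper()} ACID")

    for ch, desc in FORBIDDEN_CHARS.items():
        if ch in principal:
            r.errors.append(f"principal name contains a {desc}")

    # Assumption: the 240 limit counts realm name plus principal name only
    combined = len(realm.name) + len(principal)
    if combined > COMBINED_NAME_MAX:
        r.errors.append(
            f"realm + principal is {combined} characters, limit is {COMBINED_NAME_MAX}")

    if maxtktlf is not None:
        if not TKTLF_MIN <= maxtktlf <= TKTLF_MAX:
            r.errors.append(f"MAXTKTLF {maxtktlf} outside {TKTLF_MIN}..{TKTLF_MAX}")
        else:
            # Legal, but the text calls these values not sensible: warn, do not reject
            if maxtktlf > realm.maxtktlf:
                r.warnings.append(
                    f"MAXTKTLF {maxtktlf} exceeds realm MAXTKTLF {realm.maxtktlf}")
            if maxtktlf < realm.deftktlf:
                r.warnings.append(
                    f"MAXTKTLF {maxtktlf} is below realm DEFTKTLF {realm.deftktlf}")

    if r.ok:
        r.command = f"TSS ADD({acid}) KERBNAME({principal})"
        if maxtktlf is not None:
            r.command += f" MAXTKTLF({maxtktlf})"
    return r


def fully_qualified_name(realm: Realm, principal: str) -> str:
    """Render the name in the /.../local_realm/principal_name form shown in the text."""
    return f"/.../{realm.name}/{principal}"


if __name__ == "__main__":
    # Constructed sample realm: 10 h default and 24 h maximum ticket life, in seconds (unit assumed)
    sample_realm = Realm(name="EXAMPLE.REALM", deftktlf=36000, maxtktlf=86400)
    for name, life in [("boris_baddenof", None), ("boris baddenof", None),
                       ("boris@baddenof", 600), ("boris_baddenof", 100000)]:
        res = check_kerb_add("useracid", "USER", sample_realm, name, life)
        print(fully_qualified_name(sample_realm, name), "OK" if res.ok else "REJECT",
              res.errors, res.warnings, res.command)
```

Range violations and forbidden characters are treated as errors because the text states them as hard limits, while a ticket life outside the realm's DEFTKTLF..MAXTKTLF window is only a warning, matching the text's "sensible values should not" wording; the realm values would in practice be read from the installation's KERBDFLT record rather than hard-coded.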
The following command creates a KERBNAME field "boris_baddenof" within a new KERB segment on "useracid". Notice that no MAXTKTLF operand has been supplied in this command.

    TSS ADD(useracid) KERBNAME(boris_baddenof)

The KERB segment may be displayed by using the following LIST command:

    TSS LIST(useracid) SEGMENT(KERB)

The corresponding KERBSEGM SDT record can be viewed with the following command:

    TSS LIST(SDT) KERBSEGM(useracid)

Password Change Server ACID

Kerberos requires the creation of a Password Change Server ACID with a reserved local principal name. There is no requirement on the characteristics of the ACID other than that the user have the local principal name kadmin/changepw. During testing we defined a USS-capable user as follows:

    TSS CREATE(KRBCHG) DEPT(sysdept) NAME('KERBEROS PSWD/CHG') PASS(pswd,0) FAC(STC,BATCH)
    TSS ADD(KRBCHG) UID(…)
    TSS ADD(KRBCHG) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)
    TSS ADD(KRBCHG) HOME(/u/krbchg) OMVSPGM(/bin/sh)
    TSS PER(KRBCHG) HFSSEC(/u.krbchg) ACC(READ,UPDATE,EXEC)
    TSS PER(KRBCHG) HFSSEC(/BIN.SH) ACC(READ,EXEC)
    TSS ADD(KRBCHG) KERBNAME(kadmin/changepw)

Preparing Local Principal ACIDs for Kerberos

SYSEXEC changes

The following data set needs to be added to the TSO SYSEXEC DD statement of the Kerberos user's TSO procedure:

    EUVF.SEUVFEXC

.profile changes

Changes are required for the Kerberos user's .profile file in their home directory. These changes may optionally be added to the /etc/.profile file. The following directory must be placed as the first directory in the PATH variable, so that it overrides DCE:

    /usr/lpp/skrb/bin

Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–85