What does an 8 8 40 on an R_DATALIB INITACEE IBM RACF callable service mean?


Article ID: 17635


Updated On:

Products

CA Cleanup CA Datacom CA DATACOM - AD CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE

Issue/Introduction

Description:

What does an 8 8 40 on an R_DATALIB INITACEE IBM RACF callable service mean?

Solution:

The 8 8 40 is received because both of the following conditions are true:

  1. There is no ACID on the security file associated through Certificate Name Filtering with the digital certificate being passed on the R_DATALIB INITACEE IBM RACF callable service.

    In this example, users enter the system with a certificate subject that starts with:

    OU=NJ.OU=Sales.O=ABC Co

    These users are assigned ACID NJDEPT1 if the certificate was issued by the VeriSign certificate authority. If the subject matched but the certificate was issued by another certificate authority, the user is assigned ACID NJDFLT.

    TSS ADD(NJDEPT1) CERTMAP(NJMAP1)
    LABLCMAP('NJ Dept 1 Map')
    TRUST
    IDNFILTR('OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet')
    SDNFILTR('OU=NJ.OU=Sales.O=ABC Co')
    TSS ADD(NJDFLT) CERTMAP(NJDFLT)
    LABLCMAP('NJ Default user')
    TRUST
    SDNFILTR('OU=NJ.OU=Sales.O=ABC Co')

  2. ***AND*** The certificate is not owned by any user on the CA Top Secret Security File.

    To own a certificate created by CA Top Secret, use the TSS GENCERT command.

    Example:

    TSS GENCERT(owning_acid) DIGICERT(digicertname) SUBJECTN(xxxxxxxxxxxxxxxxx)

    To own a certificate not created by CA Top Secret, use the TSS ADD command.

    Example:

    TSS ADD(owning_acid) DIGICERT(digicertname) DCDSN(certificate.dataset) TRUST

Please refer to the CA Top Secret Cookbook for more details about administering digital certificates and Certificate Name Filtering.
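
An added example, not CA Top Secret code or part of the original article: a simplified Python model of the two lookups described above, showing that 8 8 40 results only when neither Certificate Name Filtering nor certificate ownership yields an ACID. The prefix matching, the lookup order, and the OWNED table with its names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

VERISIGN = "OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet"
NJ_SALES = "OU=NJ.OU=Sales.O=ABC Co"

@dataclass(frozen=True)
class CertMap:
    acid: str
    sdnfiltr: str                    # subject DN filter (SDNFILTR)
    idnfiltr: Optional[str] = None   # issuer DN filter (IDNFILTR); None = any issuer

# The two CERTMAP records from the article's example.
CERTMAPS = [CertMap("NJDEPT1", NJ_SALES, VERISIGN), CertMap("NJDFLT", NJ_SALES)]

# Constructed sample: (subject, issuer) of certificates owned by an ACID,
# as after TSS GENCERT or TSS ADD ... DIGICERT. Names are hypothetical.
OWNED = {("CN=Payroll.O=ABC Co", "CN=Example CA.O=ABC Co"): "PAYSRV"}

def cnf_acid(subject: str, issuer: str) -> Optional[str]:
    """ACID selected by Certificate Name Filtering, or None if no filter matches."""
    # Assumption: prefix match, following the article's "starts with" wording.
    hits = [m for m in CERTMAPS
            if subject.startswith(m.sdnfiltr)
            and (m.idnfiltr is None or issuer.startswith(m.idnfiltr))]
    # A record that also matched on issuer beats a subject-only record.
    hits.sort(key=lambda m: m.idnfiltr is None)
    return hits[0].acid if hits else None

def resolve(subject: str, issuer: str) -> dict:
    """Model the outcome: an ACID, or 8 8 40 with both failed conditions listed."""
    owner = OWNED.get((subject, issuer))
    mapped = cnf_acid(subject, issuer)
    if owner or mapped:
        # Assumption: ownership is consulted before name filtering.
        return {"acid": owner or mapped, "codes": None, "why": []}
    return {"acid": None, "codes": "8 8 40",
            "why": ["no CERTMAP filter matches subject/issuer",
                    "no ACID owns the certificate"]}

if __name__ == "__main__":
    for subj, iss in [(NJ_SALES, VERISIGN), (NJ_SALES, "CN=Other CA"),
                      ("CN=Payroll.O=ABC Co", "CN=Example CA.O=ABC Co"),
                      ("OU=NY.OU=Sales.O=ABC Co", VERISIGN)]:
        print(subj, "->", resolve(subj, iss))
```
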

Environment

Release:
Component: AWAGNT