Description:
What does an 8 8 40 on an R_DATALIB INITACEE IBM RACF callable service mean?
Solution:
The 8 8 40 is received because both of the following conditions are true:
- There is no ACID on the security file associated through Certificate Name Filtering with the digital certificate being passed on the R_DATALIB INITACEE IBM RACF callable service.
In this example, users enter the system with a certificate subject that starts with:
OU=NJ.OU=Sales.O=ABC Co
These users are assigned ACID NJDEPT1 if the certificate was issued by the VeriSign certificate authority. If the subject matched but the certificate was issued by another certificate authority, the user is assigned ACID NJDFLT.
TSS ADD(NJDEPT1) CERTMAP(NJMAP1)
    LABLCMAP('NJ Dept 1 Map')
    TRUST
    IDNFILTR('OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet')
    SDNFILTR('OU=NJ.OU=Sales.O=ABC Co')
TSS ADD(NJDFLT) CERTMAP(NJDFLT)
    LABLCMAP('NJ Default user')
    TRUST
    SDNFILTR('OU=NJ.OU=Sales.O=ABC Co')
- ***AND*** The certificate is not owned by any user on the CA Top Secret Security File.
To own a certificate created by CA Top Secret, use the TSS GENCERT command.
Example:
TSS GENCERT(owning_acid) DIGICERT(digicertname) SUBJECTN(xxxxxxxxxxxxxxxxx)
To own a certificate not created by CA Top Secret, use the TSS ADD command.
Example:
TSS ADD(owning_acid) DIGICERT(digicertname) DCDSN(certificate.dataset) TRUST
Please refer to the CA Top Secret Cookbook for more details about administering digital certificates and Certificate Name Filtering.
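The two conditions above, modelled in Python as an added example (this is not CA Top Secret code and is not part of the original article). Assumptions: a filter matches when the DN starts with it, as the article words it; the entry with both issuer and subject filters wins over the subject-only entry; an owning ACID is used ahead of a filter match. The function names are hypothetical.

```python
# Simplified model of the lookup described in this article; NOT CA Top Secret code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CertMap:
    acid: str
    sdn_filter: str                    # SDNFILTR value
    idn_filter: Optional[str] = None   # IDNFILTR value, if the entry has one


# The two CERTMAP entries from the article's example.
VERISIGN = "OU=VeriSign Class 1 Individual Subscriber.O=VeriSign, Inc.L=Internet"
MAPS = [
    CertMap("NJDEPT1", "OU=NJ.OU=Sales.O=ABC Co", VERISIGN),
    CertMap("NJDFLT", "OU=NJ.OU=Sales.O=ABC Co"),
]


def map_by_filter(subject, issuer, maps=MAPS):
    """Return the ACID chosen by Certificate Name Filtering, or None.

    Assumption: "starts with" matching, and an issuer+subject entry
    takes precedence over a subject-only entry.
    """
    hits = [m for m in maps
            if subject.startswith(m.sdn_filter)
            and (m.idn_filter is None or issuer.startswith(m.idn_filter))]
    hits.sort(key=lambda m: m.idn_filter is None)  # issuer+subject entries first
    return hits[0].acid if hits else None


def resolve(subject, issuer, owner_acid=None):
    """Return (acid, codes). owner_acid is the ACID that owns the certificate
    (added with TSS GENCERT or TSS ADD ... DIGICERT), or None if it is unowned.
    Assumption: ownership is checked before name filtering.
    """
    if owner_acid:
        return owner_acid, None
    acid = map_by_filter(subject, issuer)
    if acid:
        return acid, None
    # No filter association AND no owner: the case this article describes.
    return None, (8, 8, 40)
```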