Top Secret Equivalents Of RACF Commands For ChangeMan Software

Article ID: 198838

Products

Top Secret
Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

The following RACF commands are provided to set up PTKTDATA for Pass Ticket for ChangeMan software. What are the Top Secret equivalents?  

RACF Administration Required

 Activate the PTKTDATA class by entering:

SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)

 Refresh the PTKTDATA class by entering:

SETROPTS RACLIST(PTKTDATA) REFRESH

 Create a profile in the PTKTDATA class by entering:

RDEFINE PTKTDATA SERNET SSIGNON(user_must_choose) APPLDATA('NO REPLAY PROTECTION')

For further information, refer to the appropriate IBM RACF manual, for example "Defining Profiles in the PTKTDATA Class" in the manual z/OS Security Server RACF Security Administrator's Guide.

What should be placed in the SSIGNON field? 
Is there a way to tell if PTKTDATA has been defined to Top Secret?

Environment

Release : 15.0

Component : CA Top Secret for z/OS

Resolution

* TSS LIST(RDT) RESCLASS(PTKTDATA) can be issued to confirm whether or not the PTKTDATA resource class is defined to TSS. If it is not, you can use the following command to define it to the RDT:

TSS ADD(RDT) RESCLASS(PTKTDATA) ACLST(ALL,UPDATE=6000,READ,NONE) MAXLEN(37)

* For RDEFINE PTKTDATA SERNET SSIGNON(user_must_choose) APPLDATA('NO REPLAY PROTECTION'), the Top Secret equivalent command is:

TSS ADD(NDT) PSTKAPPL(SERNET) SESSKEY(key-descr) SIGNMULTI

PSTKAPPL
Identifies an application name of up to eight characters that is assigned a session key for PassTicket processing. One application is allowed per command, and the name can be a letter, number, or special character.

SESSKEY
Specifies a hexadecimal "password" of up to 16 characters that is unique to each application defined by a PSTKAPPL keyword. You must supply a SESSKEY with PSTKAPPL. You can specify any value for the SESSKEY as long as it is not already used as the SESSKEY of another application in the NDT.
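
An added example (not from the article or the product documentation) that draws the SESSKEY from a cryptographic random source instead of a hand-picked value, checks it against the PSTKAPPL and SESSKEY rules above, and builds the TSS ADD(NDT) command. The function names and the list of keys already in use are assumptions of this example, and the sample key is constructed.

```python
import re
import secrets

APPL_MAX = 8       # PSTKAPPL: up to eight characters (rule stated above)
KEY_HEX_LEN = 16   # SESSKEY: up to 16 hexadecimal characters (rule stated above)

# Constructed sample: keys the administrator knows are already assigned
# to other PSTKAPPL entries in the NDT (assumption: tracked outside TSS).
EXISTING_KEYS = ["0123456789ABCDEF"]


def new_sesskey(existing_keys):
    """Return a random 16-hex-digit key not used by another application."""
    in_use = {k.upper() for k in existing_keys}
    while True:
        key = secrets.token_hex(KEY_HEX_LEN // 2).upper()
        if key not in in_use:
            return key


def build_ndt_command(appl, sesskey, existing_keys=(), signmulti=True):
    """Validate the operands and build the TSS ADD(NDT) command string."""
    if not 1 <= len(appl) <= APPL_MAX:
        raise ValueError("PSTKAPPL must be 1 to 8 characters")
    if not re.fullmatch(r"[0-9A-Fa-f]{1,16}", sesskey):
        raise ValueError("SESSKEY must be 1 to 16 hexadecimal characters")
    if sesskey.upper() in {k.upper() for k in existing_keys}:
        raise ValueError("SESSKEY is already used by another PSTKAPPL")
    cmd = f"TSS ADD(NDT) PSTKAPPL({appl}) SESSKEY({sesskey.upper()})"
    # SIGNMULTI is the keyword the article pairs with NO REPLAY PROTECTION.
    return cmd + (" SIGNMULTI" if signmulti else "")


if __name__ == "__main__":
    key = new_sesskey(EXISTING_KEYS)
    print(build_ndt_command("SERNET", key, EXISTING_KEYS))
```
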

* Normally with PassTickets, there is a RACF RDEFINE and PERMIT command for a PTKTDATA resource. For example:

RDEFINE PTKTDATA IRRPTAUTH.SERNET.* UACC(NONE)
PERMIT IRRPTAUTH.SERNET.* CL(PTKTDATA) ID(xxxxxx) ACCESS(UPDATE)
SETROPTS RACLIST(PTKTDATA) REFRESH

The equivalent TSS commands are:

TSS ADD(dept) PTKTDATA(IRRPTAUTH) (if not already done)
TSS PER(acid) PTKTDATA(IRRPTAUTH.SERNET.) ACC(UPDATE)