ACF2 conversion from RACF for Kerberos support on z/OS
Article ID: 202174

calendar_today

Updated On:

Products: ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

This document translates the RACF commands for Kerberos support on z/OS into their ACF2 equivalents. The RACF commands are taken from the reference document "Configuring Kerberos for CICS with RACF and Microsoft Active Directory"; each step below shows the RACF command first, followed by the ACF2 commands that achieve the same result.

Resolution

Configuring Kerberos support on z/OS

  1. Create the USER001 user that will own the KDC STARTED task, using the following command. (Substitute the appropriate DFLTGRP for your system.)

    ADDUSER USER001 DFLTGRP(SYS1) NOPASSWORD OMVS(UID(0)
    PROGRAM('/bin/sh') HOME('/etc/skrb/home/kdc'))

    ACF
    SET LID
    INSERT USER001 GROUP(SYS1) UID(0) OMVSPGM(/bin/sh) -
    HOME(/etc/skrb/home/kdc) STC

  2. Activate the APPL class:   

    SETROPTS CLASSACT(APPL) RACLIST(APPL)

    ACF
    SET C(GSO)
    INSERT CLASMAP.APPL ENTITYLN(0) MUSID() RESOURCE(APPL) RSRCTYPE(APL)
    CHANGE INFODIR TYPES(R-RAPL)
    F ACF2,REFRESH(CLASMAP)
    F ACF2,REFRESH(INFODIR)

  3. Define the USER001 application in the APPL class: 

    RDEFINE APPL USER001 UACC(READ)

    There is no ACF2 translation for this command. ACF2 protects resources by default, so no profile is needed to mark the resource as protected.

  4. Refresh the APPL class:

    SETROPTS RACLIST(APPL) REFRESH

    F ACF2,REBUILD(APL)

  5. Activate the PTKTDATA class:   

    SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)

    SET C(GSO)
    CHANGE INFODIR TYPES(R-PPTK)
    F ACF2,REFRESH(INFODIR)


  6. Define a key to mask values for the USER001 application:     

    RDEFINE PTKTDATA USER001 UACC(NONE)
    SSIGNON(KEYMASKED(3734343237343131))

    Choose your own value for KEYMASKED here.
    Alternatively, you could use KEYENCRYPTED instead of KEYMASKED.

    ACF
    SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
    INSERT USER001 SSKEY(3734343237343131)

    Review the PTKTDATA Profile Record documentation for details.


  7. Refresh the PTKTDATA class:   

    SETROPTS RACLIST(PTKTDATA) REFRESH

    F ACF2,REBUILD(PTK),CLASS(P)

  8. Define the IRR.RUSERMAP profile in the FACILITY class with READ access for USER001 and the CICS user ID that is used for Kerberos authentication, and refresh the FACILITY class:

    RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)
    PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(USER001) ACCESS(READ)
    PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(XXXX) ACCESS(READ)

    ACF
    SET R(FAC)
    RECKEY IRR ADD(RUSERMAP UID(uid string for USER001) SERVICE(READ) ALLOW)
    RECKEY IRR ADD(RUSERMAP UID(uid string for XXXX) SERVICE(READ) ALLOW)

    SETROPTS RACLIST(FACILITY) REFRESH

    F ACF2,REBUILD(FAC)

  9. Define the STARTED tasks for USER001 and refresh the STARTED class:

    RDEFINE STARTED USER001.** STDATA(USER(USER001))
    RDEFINE STARTED SKRBWTR.** STDATA(USER(USER001))

    SET C(GSO)
    INSERT STC.USER001 LOGONID(USER001) STCID(USER001*)
    INSERT STC.SKRBWTR LOGONID(USER001) STCID(SKRBWTR)

    SETROPTS RACLIST(STARTED) REFRESH

    F ACF2,REFRESH(STC)

  10. Define the KERBDFLT realm for the KDC:

    RDEFINE REALM KERBDFLT KERB(KERBNAME(WINMVS2C.HURSLEY.IBM.COM)
    PASSWORD(long-non-obvious-password) MINTKTLFE(15) DEFTKTLFE(36000)
    MAXTKTLFE(86400))

    ACF
    SET C(GSO)
    INSERT REALM.KERBDFLT REALM(WINMVS2C.HURSLEY.IBM.COM) MINTKTLFE(15) -
    DEFTKTLFE(36000) MAXTKTLFE(86400) PASSWORD(long-non-obvious-password)

    Review the REALM GSO Record documentation for more details.

  11. Refresh the REALM class:   

    SETROPTS RACLIST(REALM) REFRESH

    F ACF2,REFRESH(REALM)
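The step-by-step mapping above is mechanical enough to script, which is useful when the same RACF definitions have to be converted for several systems. The following Python helper is an added example and is not a Broadcom, ACF2 or RACF utility; its mapping table is built only from the pairings shown in steps 1 and 3 through 11. It assumes three things not stated on the page: the STCID mask is written with a trailing asterisk for every started task (as step 9 does for USER001), the KEYMASKED / SSKEY value is checked to be 16 hexadecimal digits (the 8-byte PassTicket key), and the UID string for a RECKEY permit is left as the placeholder text from step 8 because it depends on your UID layout. Class activation (steps 2 and 5) is left to the reader, since it is set up once per class.

```python
"""Hypothetical helper: translate the RACF statements from this article into
the ACF2 commands the article pairs with them. Not an ACF2 or RACF utility;
the mapping table below is taken from the article's steps only."""
import re

# Steps 4, 7, 8, 9 and 11: SETROPTS RACLIST(class) REFRESH -> ACF2 modify command
REFRESH_MAP = {
    "APPL": "F ACF2,REBUILD(APL)",
    "PTKTDATA": "F ACF2,REBUILD(PTK),CLASS(P)",
    "FACILITY": "F ACF2,REBUILD(FAC)",
    "STARTED": "F ACF2,REFRESH(STC)",
    "REALM": "F ACF2,REFRESH(REALM)",
}


def keywords(text):
    """Map each top-level KEYWORD(value) operand of a command string to its
    value (parentheses may nest); a bare keyword such as NOPASSWORD maps to ''."""
    out, i = {}, 0
    while True:
        m = re.match(r"\s*([A-Za-z0-9_.*@#$-]+)", text[i:])
        if not m:
            return out
        word, i = m.group(1).upper(), i + m.end()
        if i < len(text) and text[i] == "(":
            depth, start = 0, i
            while i < len(text):
                depth += {"(": 1, ")": -1}.get(text[i], 0)
                i += 1
                if depth == 0:
                    break
            out[word] = text[start + 1:i - 1].strip()
        else:
            out[word] = ""


def unq(value):
    """Drop the single quotes RACF puts around OMVS path values."""
    return value.strip("'")


def passticket_key_ok(hexkey):
    """Assumption: a KEYMASKED / SSKEY value is 16 hex digits (an 8-byte key)."""
    return re.fullmatch(r"[0-9A-Fa-f]{16}", hexkey) is not None


def translate(stmt):
    """Return the ACF2 command lines (list of str) for one RACF statement."""
    words = stmt.split()                        # also joins continuation lines
    verb, rest = words[0].upper(), " ".join(words[1:])
    if verb == "ADDUSER":                                   # step 1
        lid, _, rest = rest.partition(" ")
        kw = keywords(rest)
        omvs = keywords(kw.get("OMVS", ""))
        return ["SET LID",
                f"INSERT {lid} GROUP({kw['DFLTGRP']}) UID({omvs['UID']}) "
                f"OMVSPGM({unq(omvs['PROGRAM'])}) HOME({unq(omvs['HOME'])}) STC"]
    if verb == "SETROPTS":                                  # refresh steps
        kw = keywords(rest)
        if "RACLIST" in kw and "REFRESH" in kw:
            return [REFRESH_MAP[kw["RACLIST"].upper()]]
        raise ValueError("class activation is set up per class (steps 2 and 5): " + stmt)
    if verb == "PERMIT":                                    # step 8
        res, _, rest = rest.partition(" ")
        kw = keywords(rest)
        if kw.get("CLASS", "").upper() != "FACILITY":
            raise ValueError("only FACILITY permits are mapped: " + stmt)
        key, _, tail = res.partition(".")                   # IRR.RUSERMAP -> RECKEY IRR
        return ["SET R(FAC)",
                f"RECKEY {key} ADD({tail} UID(uid string for {kw['ID']}) "
                f"SERVICE({kw['ACCESS']}) ALLOW)"]
    if verb == "RDEFINE":
        cls, name, rest = (rest.split(None, 2) + [""])[:3]
        cls, kw = cls.upper(), keywords(rest)
        if cls == "APPL":                                   # step 3: nothing to define
            return []
        if cls == "STARTED":                                # step 9 (trailing * assumed)
            proc = name.split(".")[0]
            user = keywords(kw["STDATA"])["USER"]
            return ["SET C(GSO)", f"INSERT STC.{proc} LOGONID({user}) STCID({proc}*)"]
        if cls == "PTKTDATA":                               # step 6
            key = keywords(kw.get("SSIGNON", "")).get("KEYMASKED")
            if key is None or not passticket_key_ok(key):
                raise ValueError("SSIGNON needs KEYMASKED with 16 hex digits: " + stmt)
            return ["SET PROFILE(PTKTDATA) DIVISION(SSIGNON)", f"INSERT {name} SSKEY({key})"]
        if cls == "REALM":                                  # step 10
            k = keywords(kw["KERB"])
            return ["SET C(GSO)",
                    f"INSERT REALM.{name} REALM({k['KERBNAME']}) MINTKTLFE({k['MINTKTLFE']}) "
                    f"DEFTKTLFE({k['DEFTKTLFE']}) MAXTKTLFE({k['MAXTKTLFE']}) "
                    f"PASSWORD({k['PASSWORD']})"]
    raise ValueError("no ACF2 mapping in this article for: " + stmt)


# The article's own RACF statements, used here as sample input.
ARTICLE_RACF = [
    "ADDUSER USER001 DFLTGRP(SYS1) NOPASSWORD OMVS(UID(0) PROGRAM('/bin/sh') HOME('/etc/skrb/home/kdc'))",
    "RDEFINE APPL USER001 UACC(READ)",
    "SETROPTS RACLIST(APPL) REFRESH",
    "RDEFINE PTKTDATA USER001 UACC(NONE) SSIGNON(KEYMASKED(3734343237343131))",
    "SETROPTS RACLIST(PTKTDATA) REFRESH",
    "PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(USER001) ACCESS(READ)",
    "SETROPTS RACLIST(FACILITY) REFRESH",
    "RDEFINE STARTED USER001.** STDATA(USER(USER001))",
    "SETROPTS RACLIST(STARTED) REFRESH",
    "RDEFINE REALM KERBDFLT KERB(KERBNAME(WINMVS2C.HURSLEY.IBM.COM) "
    "PASSWORD(long-non-obvious-password) MINTKTLFE(15) DEFTKTLFE(36000) MAXTKTLFE(86400))",
    "SETROPTS RACLIST(REALM) REFRESH",
]

if __name__ == "__main__":
    for racf in ARTICLE_RACF:
        print("RACF:", racf)
        for line in translate(racf) or ["(no ACF2 equivalent; default protection applies)"]:
            print("ACF2:", line)
```

Run it as a script to print the conversion for the article's statements, or call `translate()` on your own RACF commands. The key-length check exists because a mistyped SSKEY silently produces PassTickets that never validate; failing at conversion time is easier to diagnose than a CICS sign-on failure later.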