The IBM Multi Factor OIDC SSO Capability documentation has the following RACF commands:
Procedure
1. Add the Certificate Authority (CA) certificate of the OIDC domain as a CERTAUTH certificate in the z/OS server keyring:
a) Allocate a data set on the z/OS system for the certificate. You must specify a cataloged data set, and it cannot be a PDS or a PDS member. The record format (RECFM) expected by RACDCERT is variable-block (VB).
b) Add the certificate to the RACF database as a trusted CERTAUTH with a label of your choice.
RACDCERT ADD('cert-data-set') CERTAUTH TRUST
WITHLABEL('Cert Label')
c) Connect the certificate to the keyring you created in “Configure an AT-TLS profile”.
RACDCERT ID(ID of the web services started task) CONNECT(CERTAUTH
LABEL('OIDC root CA label') RING(server ring name))
d) Refresh the DIGTCERT class:
SETROPTS RACLIST(DIGTCERT) REFRESH
What are the Top Secret equivalent commands?
The Top Secret equivalent commands are shown after each RACF command, under the heading "Top Secret Equivalent" (they were highlighted in red in the original article):
Procedure
1. Add the Certificate Authority (CA) certificate of the OIDC domain as a CERTAUTH certificate in the z/OS server keyring:
a) Allocate a data set on the z/OS system for the certificate. You must specify a cataloged data set, and it cannot be a PDS or a PDS member. The record format (RECFM) expected by RACDCERT is variable-block (VB).
b) Add the certificate to the RACF database as a trusted CERTAUTH with a label of your choice.
RACDCERT ADD('cert-data-set') CERTAUTH TRUST
WITHLABEL('Cert Label')
Top Secret Equivalent
TSS ADD(CERTAUTH) DIGICERT(digicert) DCDSN('cert-data-set') LABLCERT('Cert Label') TRUST
c) Connect the certificate to the keyring you created in “Configure an AT-TLS profile”.
RACDCERT ID(ID of the web services started task) CONNECT(CERTAUTH
LABEL('OIDC root CA label') RING(server ring name))
Top Secret Equivalent
TSS ADD(ID of the web services started task) KEYRING(server ring name) RINGDATA(CERTAUTH, digicert) USAGE(CERTAUTH)
Where:
‘server ring name’ is the keyring you created in “Configure an AT-TLS profile”.
‘digicert’ is the digicert name used in the TSS ADD(CERTAUTH) … command in step b above.
d) Refresh the DIGTCERT class:
SETROPTS RACLIST(DIGTCERT) REFRESH
No Top Secret Equivalent
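The mapping above can be applied mechanically when several RACDCERT commands have to be converted. The following script is an added example, not code from the IBM or Top Secret documentation: it parses the RACDCERT ADD and CONNECT commands from the procedure, emits the TSS ADD equivalents shown above, and reports the DIGTCERT refresh as having no equivalent. The `digicert` name is an assumption supplied by the caller, since Top Secret needs a certificate name that RACF does not have.

```python
import re
from typing import Optional

def operand(cmd: str, keyword: str) -> Optional[str]:
    """Return the text inside KEYWORD( ... ), honouring nested parentheses
    such as CONNECT(CERTAUTH LABEL('x') RING(y)); None if absent."""
    m = re.search(r"\b" + keyword + r"\(", cmd)
    if m is None:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(cmd)):
        if cmd[i] == "(":
            depth += 1
        elif cmd[i] == ")":
            depth -= 1
            if depth == 0:
                return cmd[start:i]
    raise ValueError("unbalanced parentheses in: " + cmd)

def racdcert_to_tss(cmd: str, digicert: str) -> Optional[str]:
    """Map one command from the procedure above to its Top Secret form.
    'digicert' is the Top Secret DIGICERT name (assumed, chosen by the
    caller); it has no RACF counterpart and must be reused in both steps.
    Returns None for SETROPTS RACLIST(DIGTCERT) REFRESH, which has no
    Top Secret equivalent."""
    s = " ".join(cmd.split())  # continuation lines become one command
    if s.startswith("SETROPTS") and "RACLIST(DIGTCERT)" in s:
        return None
    if s.startswith("RACDCERT ADD("):
        dsn, label = operand(s, "ADD"), operand(s, "WITHLABEL")
        if dsn is None or label is None:
            raise ValueError("ADD needs a data set and WITHLABEL: " + cmd)
        trust = " TRUST" if re.search(r"\bTRUST\b", s) else ""
        return (f"TSS ADD(CERTAUTH) DIGICERT({digicert}) DCDSN({dsn}) "
                f"LABLCERT({label}){trust}")
    connect = operand(s, "CONNECT")
    if s.startswith("RACDCERT ID(") and connect is not None:
        # The RACF LABEL inside CONNECT is not carried over: Top Secret ties
        # the ring entry to the certificate through the DIGICERT name instead.
        owner, ring = operand(s, "ID"), operand(connect, "RING")
        return (f"TSS ADD({owner}) KEYRING({ring}) "
                f"RINGDATA(CERTAUTH, {digicert}) USAGE(CERTAUTH)")
    raise ValueError("unsupported command: " + cmd)

if __name__ == "__main__":
    # Constructed input: the three RACF commands from the procedure, verbatim.
    procedure = [
        "RACDCERT ADD('cert-data-set') CERTAUTH TRUST\nWITHLABEL('Cert Label')",
        "RACDCERT ID(ID of the web services started task) CONNECT(CERTAUTH\n"
        "LABEL('OIDC root CA label') RING(server ring name))",
        "SETROPTS RACLIST(DIGTCERT) REFRESH",
    ]
    for racf in procedure:
        tss = racdcert_to_tss(racf, "digicert") or "No Top Secret Equivalent"
        print(" ".join(racf.split()), "->", tss)
```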