This example shows how to use IBM RACF to configure PassTickets to connect to CA LDAP Server from the Quick Links module in CA Chorus. An experienced security administrator must perform this procedure.
Note: Before you begin this procedure, verify that the PTKTDATA class and ownership for the PassTicket resource (IRRPTAUTH) have not been defined.
Follow these steps:

1. Activate the PTKTDATA class and enable generic profiles for it:

   SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
   SETROPTS GENERIC(PTKTDATA)

2. Define the PassTicket application profile:

   RDEFINE PTKTDATA applid SSIGNON(KEYMASKED(FEDCBA9876543210)) APPLDATA('NO REPLAY PROTECTION')

   applid
      Defines the application ID used for PassTicket validation to authenticate connections to the server. Replace applid with CALDAP.
   KEYMASKED
      Defines an encryption key for the application. Use values that are different from the values in the sample syntax.
      Note: The sample syntax demonstrates a complete key value of 16 hexadecimal digits (creating an 8-byte or 64-bit key). Each application key must be the same on all systems in the configuration and the values must be kept secret.
   APPLDATA('NO REPLAY PROTECTION')
      Lets you use the same PassTicket multiple times.

   The CA Chorus session keys are defined.
   Note: This example demonstrates a session key value of 16 hexadecimal digits (creating an 8-byte or 64-bit key). Use a different value when you define your session keys. Each application key must be the same on all systems in the configuration and the values must be kept secret.

3. Define the PassTicket generation resource and permit the CA Chorus Application Server user ID to use it:

   RDEFINE PTKTDATA IRRPTAUTH.applid.* UACC(NONE)
   PERMIT IRRPTAUTH.applid.* ID(stc-userid) ACCESS(UPDATE) CLASS(PTKTDATA)

   stc-userid
      Refers to the user ID created in Create a CA Chorus User ID (CHORADM by default). This user ID must be able to generate PassTickets for any user.

4. The following example defines a group of users and the PassTicket generation resource for that group:

   ADDGROUP ETJDB2GR
   CONNECT CHORUSR1 GROUP(ETJDB2GR)
   CONNECT CHORUSR2 GROUP(ETJDB2GR)
   ...
   CONNECT CHORUSRN GROUP(ETJDB2GR)
   RDEFINE PTKTDATA IRRPTAUTH.applid.ETJDB2GR OWNER(installer-userid) UACC(NONE)
   PERMIT IRRPTAUTH.applid.ETJDB2GR ID(stc-userid) ACCESS(UPDATE) CLASS(PTKTDATA)

   In this example, ETJDB2GR defines the group for the CA Chorus Security and Compliance Discipline users; CHORUSRx defines the specific users connected to the group; the RDEFINE command defines the resource that enables PassTicket generation for the group members; and the PERMIT command enables the CA Chorus Application Server user to generate PassTickets to the application for the group members.

5. Refresh the PTKTDATA class so the new profiles take effect:

   SETROPTS RACLIST(PTKTDATA) REFRESH
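The complete sequence with the placeholders filled in (applid replaced by CALDAP and stc-userid by the default CHORADM), submitted as a batch TSO job and followed by the RLIST checks an administrator would run to confirm the profiles and access list. This is an added example, not part of the CA Chorus documentation; the job name, accounting information and the key value hhhhhhhhhhhhhhhh (which must be replaced by your own 16 hexadecimal digits, never the sample value) are assumptions.

```jcl
//RACFPTKT JOB (ACCT),'PASSTICKET SETUP',CLASS=A,MSGCLASS=X
//* Added example (not from the CA Chorus documentation): the RACF
//* commands from the procedure above with applid=CALDAP and
//* stc-userid=CHORADM, run under TSO in batch, then verified with
//* RLIST. Job name, ACCT and the SSIGNON key are assumptions;
//* hhhhhhhhhhhhhhhh is a placeholder for your own 16 hex digits.
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
  SETROPTS GENERIC(PTKTDATA)
  RDEFINE PTKTDATA CALDAP +
     SSIGNON(KEYMASKED(hhhhhhhhhhhhhhhh)) +
     APPLDATA('NO REPLAY PROTECTION')
  RDEFINE PTKTDATA IRRPTAUTH.CALDAP.* UACC(NONE)
  PERMIT IRRPTAUTH.CALDAP.* CLASS(PTKTDATA) ID(CHORADM) ACCESS(UPDATE)
  SETROPTS RACLIST(PTKTDATA) REFRESH
  RLIST PTKTDATA CALDAP SSIGNON
  RLIST PTKTDATA IRRPTAUTH.CALDAP.* AUTHUSER
/*
```

The two RLIST commands show the SSIGNON segment of the application profile (the key itself is displayed only as masked or encrypted) and the access list of the generation resource, which should contain CHORADM with UPDATE and nothing else. Because APPLDATA('NO REPLAY PROTECTION') lets a PassTicket be presented more than once, keeping UACC(NONE) on IRRPTAUTH.CALDAP.* and limiting the access list to the application server user ID is what confines PassTicket generation to that server. To honour the precondition at the top of the procedure, run SEARCH CLASS(PTKTDATA) MASK(IRRPTAUTH) before submitting the job and expect no profiles to be listed.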
Copyright © 2014 CA Technologies.
All rights reserved.