

Defining External Signon Security

Defining SRTT Entries

To secure system signon externally, add an entry to the SRTT for the signon (SGON) resource type.

The applicable resource name for the signon resource type is system-identifier; it matches the value in the SYSTEM ID parameter of the system generation SYSTEM statement. Thus, the name of the resource defined in the external system must match the system identifier.

The following examples for CA TSS and CA ACF2 show the relationships that must exist between the system identifier in system generation and the resource identifier in the external security definition; and between the resource class in the external security definition and the external class in the SRTT entry.

Example for CA Top Secret (TSS)

SYSGEN syntax
 
MOD SYSTEM 120 SYSTEM ID IS IDMSD
                              ▲
                              │
CA TSS for z/OS syntax        │
                              └──┐
                                 ▼
TSS PERMIT(user-identifier) SGO(IDMSD) 
                             ▲          
                             │
                             │
#SECRTT syntax               │
                             │
       #SECRTT TYPE=ENTRY,   │                              X
               RESTYPE=SGON, │                              X
               EXTCLS='SGO',◄┘                              X
               EXTNAME=(RESNAME)

Example for CA ACF2

SYSGEN syntax
MOD SYSTEM 120 SYSTEM ID IS IDMSD
                              ▲
                              │
CA ACF2 for z/OS syntax       │
       ┌──────────────────────┘
       ▼
$KEY(IDMSD) TYPE(SGO)◄──────────────────┐
     UID(user-identifier)   ALLOW       │
                                        │
                                        │
#SECRTT syntax                          │
                                        │
       #SECRTT TYPE=ENTRY,              │                              X
               RESTYPE=SGON,            │                              X
               EXTCLS='SGO', ◄──────────┘                              X
               EXTNAME=(RESNAME)
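The relationship the two diagrams show (SYSTEM ID equals the external resource name, EXTCLS equals the external class) can be checked mechanically before an SRTT change goes live. This is an added example, not CA IDMS or vendor code; the SYSGEN statement, #SECRTT entry and CA TSS/CA ACF2 rules it parses are constructed samples, and the parsing is deliberately limited to the forms shown on this page.

```python
import re

# Constructed samples of the three artifacts the page relates. Column 72 of
# each continued #SECRTT line carries the assembler continuation indicator.
SYSGEN = "MOD SYSTEM 120 SYSTEM ID IS IDMSD"
TSS_RULE = "TSS PERMIT(JSMITH) SGO(IDMSD)"
ACF2_RULE = "$KEY(IDMSD) TYPE(SGO)\n     UID(JSMITH) ALLOW"
SECRTT = "\n".join(
    stmt.ljust(71) + cont for stmt, cont in [
        ("       #SECRTT TYPE=ENTRY,", "X"),
        ("               RESTYPE=SGON,", "X"),
        ("               EXTCLS='SGO',", "X"),
        ("               EXTNAME=(RESNAME)", ""),
    ]
)

def sysgen_system_id(text):
    """SYSTEM ID from the SYSGEN SYSTEM statement, or None if absent."""
    m = re.search(r"SYSTEM\s+ID\s+IS\s+(\w+)", text)
    return m.group(1) if m else None

def secrtt_params(text):
    """Drop column 72, join the continuation lines, collect keyword=value pairs."""
    joined = "".join(line[:71].strip() for line in text.splitlines())
    pairs = re.findall(r"(\w+)=('[^']*'|\([^)]*\)|[^,]+)", joined)
    return {key: val.strip("'") for key, val in pairs}

def external_rule(text):
    """Return (class, resource) from a CA ACF2 $KEY rule or a CA TSS PERMIT."""
    m = re.search(r"\$KEY\((\w+)\)\s+TYPE\((\w+)\)", text)
    if m:                                   # ACF2: resource in $KEY, class in TYPE
        return m.group(2), m.group(1)
    m = re.search(r"TSS\s+PERMIT\(\w+\)\s+(\w+)\((\w+)\)", text)
    if m:                                   # TSS: class is the keyword, resource its value
        return m.group(1), m.group(2)
    return None

def check_sgon(sysgen, secrtt, rule):
    """List mismatches between the three definitions; an empty list means consistent."""
    params, problems = secrtt_params(secrtt), []
    if params.get("RESTYPE") != "SGON":
        problems.append("SRTT entry is not RESTYPE=SGON")
    ext = external_rule(rule)
    if ext is None:
        return problems + ["external security rule not recognised"]
    ext_class, ext_resource = ext
    if ext_class != params.get("EXTCLS"):
        problems.append(f"EXTCLS {params.get('EXTCLS')!r} differs from external class {ext_class!r}")
    if ext_resource != sysgen_system_id(sysgen):
        problems.append(f"external resource {ext_resource!r} differs from SYSTEM ID")
    return problems
```

Running `check_sgon` against both sample rules returns an empty list; changing either the SYSTEM ID or the EXTCLS value produces the corresponding mismatch message.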

Optionally Defining PassTickets

PassTickets can be used as an alternative to a password.

Note: For more information about PassTickets, see Signon Processing.

To use PassTickets for externally secured signon, add PassTicket definitions to the particular external security system being used. Depending on the external security system in use, these definitions can include:

Determining Applid

The applid specified in the PassTicket definition in the external security system is a unique identifier for the IDMS CV system. It is taken from the first VTAM line defined to the system; if no VTAM lines exist, it is the system nodename.

See the following sections for examples of the external security definitions needed to allow PassTicket use.

Example for CA Top Secret (CA TSS)

This CA TSS example shows the external security definitions needed to allow PassTicket use:

  1. Define the resource class PTKTDATA:
    TSS ADDTO(RDT) RESCLASS(PTKTDATA) ACLIST(ALL,READ,UPDATE) MAXLEN(37)
    
  2. Add IDMSDEPT department ownership for resources of class PTKTDATA:
    TSS ADDTO(IDMSDEPT) PTKTDATA(IRRPTAUTH)
    
  3. Add a session key for each applid (PSTKAPPL):
    TSS ADDTO(NDT) PSTKAPPL(IDMSSY73) SESSKEY(0123456789ABCDEF)
    TSS ADDTO(NDT) PSTKAPPL(IDMSSY74) SESSKEY(ABCDEF0123456789)
    
  4. Add permission for JOHN_SMITH to generate and use a PassTicket for SYSTEM 73:
    TSS PERMIT(JOHN_SMITH) PTKTDATA(IRRPTAUTH.IDMSSY73.JOHN_SMITH) ACCESS(READ,UPDATE)
    

Example for CA ACF2

This CA ACF2 example shows the external security definitions needed to allow PassTicket use:

  1. Define the CA IDMS PassTicket session key(s) and assign them to IDMS application IDs (or CV nodenames):
    SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
    INSERT IDMSSY73 SSKEY(0123456789ABCDEF)
    INSERT IDMSSY74 SSKEY(ABCDEF0123456789)
    F ACF2,REBUILD(PTK),CLASS(P) 
    END
    
  2. Issue the following commands to assign PassTicket session key(s) for specific user(s) (here: JOHN_SMITH):
    ACFNRULE KEY(IRRPTAUTH) TYPE(PTK) ADD(IDMSSY73.JOHN_SMITH UID(JOHN_SMITH) SERVICE(READ,UPDATE) ALLOW)
    F ACF2,REBUILD(PTK)
    

Example for IBM RACF

This IBM RACF example shows the external security definitions needed to allow PassTicket use:

  1. Issue the following commands to activate the PassTicket class:
    SETROPTS CLASSACT(PTKTDATA)
    SETROPTS RACLIST(PTKTDATA)
    SETROPTS GENERIC(PTKTDATA)
    
  2. Issue the following commands to define profile(s) for the IDMS application IDs (or CV nodenames) and specify the session key(s):
    RDEFINE PTKTDATA IDMSSY73 SSIGNON(KEYMASKED(0123456789ABCDEF)) UACC(NONE)
    RDEFINE PTKTDATA IDMSSY74 SSIGNON(KEYMASKED(ABCDEF0123456789)) UACC(NONE)
    
  3. Issue the following commands to define profile(s) and enable UPDATE access to the IDMS PassTicket resource for specific user(s) (here: JOHN_SMITH):
    RDEFINE PTKTDATA IRRPTAUTH.IDMSSY73.JOHN_SMITH UACC(NONE)
    PERMIT IRRPTAUTH.IDMSSY73.JOHN_SMITH CLASS(PTKTDATA) ID(JOHN_SMITH) ACCESS(READ,UPDATE)
    RDEFINE PTKTDATA IRRPTAUTH.IDMSSY74.JOHN_SMITH UACC(NONE)
    PERMIT IRRPTAUTH.IDMSSY74.JOHN_SMITH CLASS(PTKTDATA) ID(JOHN_SMITH) ACCESS(READ,UPDATE)
    
  4. Issue the following command to refresh the PTKTDATA class:
    SETROPTS RACLIST(PTKTDATA) REFRESH
    

External Signon Security Checking

External signon security checking consists of two phases:

  1. Validation of the executing user in the external security system.
  2. If the first phase is successful, a check on the user's authority to access the system identified in the current request.

Note: For more information, see Signon Processing.