KERBLINK Keyword—Define Foreign Kerberos Users

Keywords › KERBLINK Keyword—Define Foreign Kerberos Users

KERBLINK Keyword—Define Foreign Kerberos Users

Valid on z/OS.

Use the KERBLINK keyword to:

Define Kerberos foreign principal users to the Secureway Server Network Authentication Service
Map foreign principal names to CA Top Secret user IDs on your local z/OS system by defining an entry in the KERBLINK SDT record

You can map each principal in a foreign realm to its own user ID on your local z/OS system, or you can map all principals in a foreign realm to the same user ID on your system.

User IDs that map to foreign principals do not require KERB segments.

To define foreign‑principal‑name create an SDT KERBLINK record. The KERBNAME contains the principal name, fully qualified with the name of the foreign realm.

/…/foreign_realm/[foreign-principal-name]

To map a unique CA Top Secret User ID to each foreign principal, specify the foreign realm name and the foreign principal name. To map the same CA Top Secret User ID to every foreign principal in the foreign realm, specify the foreign realm name. In each case, you specify the local User ID using the KERBUSER option.

This keyword has the following format:

TSS ADDTO(SDT) KERBLINK(link_name) 
               LINKNAME(fully—qualified—name)
               KERBUSER(local_acid)

link_name

Identifies the record. Must be a unique name within the KERBLINK SDT record type.

Range: 1 to 8 alphanumeric characters

fully-qualified-name

A string which specifies the URL of the foreign realm in which the foreign principal user is defined. The KERBNAME under which the associated (foreign) ACID is defined. The format of this string is:

/ /foreign_realm_URL/Ýforeign_principal_KERBNAME

Note: If the foreign_principal_KERBNAME is not supplied, the definition refers to all Kerberos principal users defined in that specific foreign realm.

local_acid

The ACID in the local system to which requested activities is assigned in the local system.

This keyword is used with:

The commands ADDTO, DELETE, REMOVE, REPLACE, and LIST
The ACID types User, DCA, VCA, ZCA, LSCA, and SCA
The SDT Record and on the definition of Kerberos Foreign Principal Users
MISC3(SDT) authority to ADDTO or REMOVE records or REPLACE fields in the SDT
MISC8(LISTSDT) authority to list realms in the SDT
ACID(MAINTAIN) and MISC4(KERBUSER) authority

Examples: KERBLINK keyword

This example lists all KERBLINK records in the SDT:

TSS LIST(SDT) KERBLINK(ALL)

This example authenticates the KERBNAME('kal-el') defined on foreign URL www.krypton.org and assigns that KERBNAME to local acid CKENT01:

TSS ADD(SDT) KERBLINK(SUPERMAN)
             LINKNAME('/…/www.krypton.org/kal—el')
             KERBUSER(CKENT01)

This example assigns all Kerberos principal users from the same URL to CKENT01:

TSS ADD(SDT) KERBLINK(SUPERMAN)
             LINKNAME('/…/www.krypton.org/')
             KERBUSER(CKENT01)

This example maps USER01 and USER02 foreign principal names to their individual user IDs on the local z/OS system:

TSS ADDTO(SDT) KERBLINK(KERBLK1)
               LINKNAME('/…/KERB.CA.COM/USER01')
               KERBUSER(PAUL01)
TSS ADDTO(SDT) KERBLINK(KERBLK2)
               LINKNAME('/…/KERB.CA.COM/USER02')
               KERBUSER(NADIA01)

This example maps other foreign principals presenting tickets from the KERB.CA.COM server to the PUBLIC01 user ID on the local z/OS system:

TSS ADDTO(SDT) KERBLINK(KERBLK3) 
               LINKNAME('/…/KERB.CA.COM/')
               KERBUSER(PUBLIC01)