Previous Topic: Define Your Local RealmNext Topic: Example: identify REALM name

KerberosLocal Server ConfigurationDefine Your Local RealmSyntax

Syntax

This command has the following format:

TSS ADDTO(SDT) REALM(KERBDFLT)
               REALMNAME(default_realm)
               MINTKTLF(Min‑ticket‑life)
               MAXTKTLF(Max‑ticket‑life)
               DEFTKTLF(Default‑ticket‑life)
               KERBPASS(Kerberos‑password)
               CHKADDRS
REALM

KERBDFLT (required)

REALMNAME

Must be identical to configuration file default_realm.

CA Top Secret has simplified the REALMNAME specification. This is internally expanded to the following when used for run‑time security checks:

/…/default_realm/krbtgt/default_realm

The REALMNAME is generally specified in the form of a first order web‑address. Cannot include spaces (x’40’) or the at‑sign (x’7F’).
Range: Up to 117 characters.

Note: Because the relationship between the REALMNAME and generating Kerberos tickets for principal users is based, in part, on the local REALMNAME, care must be taken when choosing a REALMNAME. Renaming the REALM should be avoided at all costs during Kerberos operations, trust relations in flight cause unpredictable effects.

MINTKTLF

Specifies the maximum ticket life in seconds, and is represented by a numeric value. Note that 0 is not a valid value. This keyword is only applicable when defining the KERBDFLT realm record. If MAXTKTLF is specified, DEFTKTLF and MINTKTLF must also be specified.

Range: 1 to 247483647

DEFTKTLF

Specifies the time intervals (in seconds) that a Kerberos generated ticket will remain active in the realm. If any of these intervals is specified, all must be specified. If no intervals are specified, tickets are not limited. MAXTKTLF >= DEFTKTLF >= MINTKTLF is enforced.
Range: 1 to 2**31‑1 (2147483647)

KERBPASS

Specifies a password (alphanumeric) for the local realm. When the same realm name is used as a foreign realm in a foreign Kerberos system, the passwords must be identical. Passwords are case‑sensitive and are maintained in the case in which they are entered. The KERBPASS bears no relationship to the password of the SKRBKDC region ACID.

Range: 1 to 8 characters

CHKADDRS

Enables address checking in tickets for the Kerberos server running on z/OS 1.13 and higher. This field can be enabled for the local realm only.

Default: NO CHKADDRS