Previous Topic: Local Principals DefinitionNext Topic: Examples: Kerberos

KerberosLocal Server ConfigurationLocal Principals DefinitionDefine Kerberos Information

Define Kerberos Information

To define Kerberos information for the user enter:

TSS ADDTO(SDT) REALM(KERBDFLT)
               REALMNAME(‘Kerberos-realm-name’)
               MINTKTLF(Min-ticket-life) 
               MAXTKTLF(Max-ticket-life)
               DEFTKTLF(Default-ticket-life)
               ENCRYPT( ‘[DES | NODES] [,DESD | NODESD] [,DES3 | NODES3] 
                       [AES128|NOAES128] [AES256|NOAES256]‘)
               KERBPASS(Kerberos-password)
               CHKADDRS
ACID

Specifies the security ACID to be defined with Kerberos information.

principal_name

Specifies the Kerberos Principal Name associated with this user. This information is added to the KERB segment of the user’s security record. It is also added to the SDT KERBNAME record for high‑speed cross‑reference indexing. The KERBNAME specified must be unique for each user in the local realm. KERBNAME cannot be added to a PROFILE or GROUP ACID, nor can it be added to a hierarchy ACID. The fully qualified Kerberos principal name is formatted from the KERBDFLT REALMNAME and the KERBNAME principal_name.

The principal name cannot include spaces (x’40’) or the “at” sign (x’7F’).
Range: The combined length cannot exceed 240 characters. 

/…/local_realm/principal_name
ENCRYPT

Specifies the level of encryption defined for your local realm. This must correspond to the encryption level selected in the krb5.config file described in IBM SecureWay® Security Server Network Authentication Service Administration. The options are:

DES | NODES

Indicates that single-DES encryption is set or not set for this realm.

DESD | NODESD

Indicates that double-DES encryption is set or not set for this realm.

DES3 | NODES3

Indicates that triple-DES encryption is set or not set for this realm.

AES128 | NOAES128

Indicates that AES 128 bit encryption is set or not set for this realm.

AES256 | NOAES256

Indicates that AES 256 bit encryption is set or not set for this realm.

interval

Specifies the maximum ticket life associated with tickets for this user. Sensible values for this parameter should not exceed MAXTKTLF for the REALM, and should not be exceeded by the REALM DEFTKTLF.
Range: 1 to 2**31 – 1.

CHKADDRS

Enables address checking in tickets for the Kerberos server running on z/OS 1.13 and higher. This field can be enabled for the local realm only.

Default: NO CHKADDRS