Kerberos › Local Server Configuration › Preparing Local Principal ACIDs › Security Considerations

Security Considerations

The process to assure the capability for the Kerberos kinit function is:

• Give the ACID standard OMVS attributes:

  TSS ADD(local) UID(uid_number)
                 GROUP(omvsgrp)
                 DFLTGRP(omvsgrp)
                 HOME(home_directory)
                 OMVSPGM(program_directory)
  

• Give the ACID permission to change the mode of their own files:

  TSS PERMIT(local) IBMFAC(BPX.CAHFS.FILE.MODE)
  

• Permit the ACID to create, alter, execute and read files in the home directory. Kerberos credentials will be created in this directory:

  TSS PERMIT(local) HFSSEC(home_directory)
                    ACC(ALL)
  

• Permit the ACID must to READ and EXECUTE files in the program directory:

  TSS PERMIT(local) HFSSEC(program_directory)
                    ACC(READ,EXEC)
  

• Permit access to Kerberos command files at run‑time:

  TSS PER(useracid) HFSSEC(/usr.lpp.skrb.bin)
  

• Permit access to Kerberos EXEC files:

  TSS PER(useracid) DATASET(EUVF.SEUVFEXC)
                    ACC(READ)
  

Note: In these examples HFSSEC(ON) is set.