

Define REALM Records to the SDT

The REALM keyword is required when adding a REALM record to the SDT Record.

When used with the local realm, this keyword has the following format:

TSS ADDTO(SDT) REALM(KERBDFLT)
               REALMNAME('kerberos-realm-name')
               MINTKTLF(min-ticket-life)
               MAXTKTLF(max-ticket-life)
               DEFTKTLF(default-ticket-life)
               KERBPASS(kerberos-password)
               CHKADDRS

When used with the foreign realm, this keyword has the following format:

TSS ADDTO(SDT) REALM(realm-label)
               REALMNAME('fully-qualified-name')
               KERBPASS(PASSWORD)

REALM

Specifies the identity of the SDT REALM record for foreign realms. The name must be unique and contain alphanumeric characters. KERBDFLT is reserved for the local realm. Any REALM name not equal to KERBDFLT is assumed to be a foreign realm.

Range: Up to 8 characters

REALMNAME

Specifies the fully qualified name of the foreign realm. Can be any character except the (X'61') character. Do not use any of the EBCDIC variant characters to avoid problems with different code pages. Use the single quotes if:

Regardless of the case used, CA Top Secret rolls the name to uppercase. However, changing the name to uppercase does not ensure that a valid REALMNAME has been specified.

Range: Up to 240 characters

MINTKTLF

The minimum ticket life in seconds. This keyword is only applicable when defining the KERBDFLT realm record (not foreign realms). If MINTKTLF is specified, then DEFTKTLF and MAXTKTLF must be specified.

Range: 1 to 2147483647

MAXTKTLF

The maximum ticket life in seconds. This keyword is only applicable when defining the KERBDFLT realm record (not foreign realms). If MAXTKTLF is specified, then DEFTKTLF and MINTKTLF must be specified.

Range: 1 to 2147483647

DEFTKTLF

The default ticket life in seconds. This keyword is only applicable when defining the KERBDFLT realm record (not foreign realms). If DEFTKTLF is specified, then MINTKTLF and MAXTKTLF must also be specified.

Range: 1 to 2147483647

Default: 300 (5 minutes)

KERBPASS

Specifies the value of the Kerberos password in the realm. You can use any character, but do not use any of the variant characters to avoid problems with different code pages. Use the single quotes, or not, depending on the following:

Limits: Maximum length is 8 characters. Both uppercase and lowercase characters are accepted and maintained in the case entered.

CHKADDRS

Enables address checking in tickets for the Kerberos server running on z/OS 1.13 and higher. This field can be enabled for the local realm only.

Default: NO CHKADDRS

Example: Define REALM records

This example defines a local realm record:

TSS ADDTO(SDT) REALM(KERBDFLT)
               REALMNAME(LOCAL.CA.COM)
               MINTKTLF(30)
               MAXTKTLF(86400)
               DEFTKTLF(36000)
               KERBPASS(CHILDREN)
               CHKADDRS

This example defines a foreign realm record:

TSS ADDTO(SDT) REALM(KERBFOR1)
               KERBPASS(K_FOR1)
               ENCRYPT('DES DES3 NODESD NOAES128 NOAES256')
               REALMNAME('/.../LOCAL.CA.COM/krbtgt/FOR1.CLIENT.COM')

This is an example of output for the local realm:

TSS LIST(SDT) REALM(KERBDFLT)
REALM =      KERBDFLT
   ADMIN BY= BY(MASTER1 )    SMFID(XE15)   ON(04/01/2011)  AT(08:41:56)
TICKET LIFETIME: MIN(0000000010)  MAX(0000144000)  DEF(0000003600)
LOCAL REALMNAME:
             LOCAL.CA.COM
KEY ENCRYTION OPTIONS: NODES NODES3 NODESD NOAES128 NOAES256
CHKADDRS = ENABLED
TSS0300I  LIST     FUNCTION SUCCESSFUL

This is an example of output for the foreign realm:

TSS LIST(SDT) REALM(KERBFOR1)
REALM =      KERBFOR1                                                    
   ADMIN BY= BY(BURBE02 )    SMFID(XE14)   ON(05/05/2011)  AT(12:15:15)  
FOREIGN REALMNAME:                                                       
             /.../LOCAL.CA.COM/KRBTGT/FOR1.CLIENT.COM                    
KEY ENCRYTION OPTIONS: DES   DES3   NODESD NOAES128 NOAES256             
TSS0300I  LIST     FUNCTION SUCCESSFUL
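
The following is an added example, not part of the CA Top Secret documentation: a Python parser that turns LIST output in the layout shown above into one record per realm, so that ticket lifetimes, enabled key types and CHKADDRS can be reviewed across realms. The name parse_realms and the reading of a NO prefix as "disabled" are assumptions; the sample text is the two outputs from this page joined together.

```python
import re

# Constructed sample: the two LIST outputs shown on this page, joined together.
SAMPLE = """\
TSS LIST(SDT) REALM(KERBDFLT)
REALM =      KERBDFLT
   ADMIN BY= BY(MASTER1 )    SMFID(XE15)   ON(04/01/2011)  AT(08:41:56)
TICKET LIFETIME: MIN(0000000010)  MAX(0000144000)  DEF(0000003600)
LOCAL REALMNAME:
             LOCAL.CA.COM
KEY ENCRYTION OPTIONS: NODES NODES3 NODESD NOAES128 NOAES256
CHKADDRS = ENABLED
TSS0300I  LIST     FUNCTION SUCCESSFUL
TSS LIST(SDT) REALM(KERBFOR1)
REALM =      KERBFOR1
   ADMIN BY= BY(BURBE02 )    SMFID(XE14)   ON(05/05/2011)  AT(12:15:15)
FOREIGN REALMNAME:
             /.../LOCAL.CA.COM/KRBTGT/FOR1.CLIENT.COM
KEY ENCRYTION OPTIONS: DES   DES3   NODESD NOAES128 NOAES256
TSS0300I  LIST     FUNCTION SUCCESSFUL
"""

def parse_realms(text):
    """Return one dict per REALM record found in TSS LIST(SDT) output."""
    realms, cur, want_name = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"REALM\s*=\s*(\S+)$", line):
            # KERBDFLT is the reserved label of the local realm.
            cur = {"label": m.group(1), "local": m.group(1) == "KERBDFLT",
                   "realmname": None, "lifetime": None, "enctypes": [], "chkaddrs": False}
            realms.append(cur)
        elif cur is None:
            continue
        elif want_name:  # the realm name is printed on the line after its header
            cur["realmname"], want_name = line, False
        elif re.match(r"(LOCAL|FOREIGN) REALMNAME:$", line):
            want_name = True
        elif m := re.match(r"TICKET LIFETIME:\s*MIN\((\d+)\)\s*MAX\((\d+)\)\s*DEF\((\d+)\)", line):
            cur["lifetime"] = dict(zip(("min", "max", "def"), map(int, m.groups())))
        elif m := re.match(r"KEY ENCRY\w*ION OPTIONS:\s*(.*)$", line):
            # Assumption: a token with a NO prefix is a disabled key type.
            cur["enctypes"] = [t for t in m.group(1).split() if not t.startswith("NO")]
        elif re.match(r"CHKADDRS\s*=\s*ENABLED$", line):
            cur["chkaddrs"] = True
    return realms
```

Lifetimes are returned as integers in seconds, and a foreign realm record has no lifetime entry because the ticket-life keywords apply only to KERBDFLT.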