Defining your local realm

You must define your local realm to RACF before you define any local principals, because the local realm name is an input to the generation of each local principal's keys. You define the local realm by creating a profile named KERBDFLT in the REALM class. Using the KERB option of the RDEFINE and RALTER commands, you can specify the following information about your local realm:
KERBNAME
Name of the local realm.
MINTKTLFE
Minimum ticket lifetime for the local realm.
DEFTKTLFE
Default ticket lifetime for the local realm.
MAXTKTLFE
Maximum ticket lifetime for the local realm.
CHECKADDRS
Specifies whether the KDC checks the client addresses carried in tickets as part of ticket validation. Leave this disabled (the default) if requests pass through routers or firewalls that use Network Address Translation (NAT), because the translated source address will no longer match the address recorded in the ticket and validation will fail.
ENCRYPT
Specifies which encryption key types the realm is allowed to use. The supported key types are DES, DES3, DESD, AES128, AES256, AES128SHA2 and AES256SHA2. Prefer the AES types: single DES is deprecated for Kerberos by RFC 6649 and triple DES by RFC 8429, and a DES key is within practical reach of brute force, so enabling a DES type only to accommodate legacy clients leaves keys of that type generated for your principals.
PASSWORD
Value of the password for the local realm.
Notes:
  1. This password is not a RACF user password. Therefore, it is not constrained by SETROPTS password rules that can be specified to control user passwords. In addition, the installation-defined new-password exit (ICHPWX01) is not invoked.
  2. A password value must be supplied. A 1-128 character password can be specified.
  3. Uppercase and lowercase letters are accepted and maintained in the case in which they are entered.
  4. ICSF must be available to set or change the password, because the encryption keys for REALM class profiles are generated using ICSF callable services. In addition, the user issuing the command may need to be permitted to the CSFOWH resource in the CSFSERV class.
See z/OS Security Server RACF Command Language Reference for detailed information about using the KERB option of the RDEFINE and RALTER commands to administer profiles in the REALM class.
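The following script is an added example, not IBM code or text from this page: it renders the RDEFINE and RALTER commands for the KERBDFLT profile from the KERB suboptions listed above and applies the constraints the notes state (a 1-128 character password whose case must be preserved, the supported ENCRYPT key types) plus a warning for the DES types. The realm name, password and lifetimes are constructed sample values; the lifetimes are given in seconds; the NOCHECKADDRS spelling of the negated keyword and the lifetime ordering check are this example's assumptions, not rules quoted from the page.

```python
"""Build and sanity-check the RACF commands that define the local Kerberos realm.

Added example, not IBM code. It follows the KERB option of RDEFINE/RALTER
as described above; the realm name, password and lifetimes are constructed
sample values, lifetimes are in seconds, and the NOCHECKADDRS spelling of
the negated keyword is an assumption based on the usual RACF keyword/NOkeyword
convention.
"""
from __future__ import annotations

# Key types listed as supported for ENCRYPT.
SUPPORTED_ENCRYPT = ("DES", "DES3", "DESD", "AES128", "AES256",
                     "AES128SHA2", "AES256SHA2")
# Single DES is deprecated for Kerberos by RFC 6649 and triple DES by
# RFC 8429; flag them so a realm is not (re)defined with brute-forceable keys.
WEAK_ENCRYPT = ("DES", "DES3", "DESD")


def validate_realm(kerbname: str, password: str | None, mintktlfe: int,
                   deftktlfe: int, maxtktlfe: int,
                   encrypt: tuple[str, ...]) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a proposed KERBDFLT definition."""
    errors: list[str] = []
    warnings: list[str] = []
    if not kerbname:
        errors.append("KERBNAME is required")
    # The realm password is 1-128 characters (note 2) and is not subject
    # to SETROPTS password rules (note 1), so length is the only check here.
    if password is not None and not 1 <= len(password) <= 128:
        errors.append("PASSWORD must be 1-128 characters")
    # Ordering check is this example's own sanity check, not a documented rule.
    if not 0 < mintktlfe <= deftktlfe <= maxtktlfe:
        errors.append("expected 0 < MINTKTLFE <= DEFTKTLFE <= MAXTKTLFE")
    if not encrypt:
        errors.append("ENCRYPT needs at least one key type")
    bad = [e for e in encrypt if e not in SUPPORTED_ENCRYPT]
    if bad:
        errors.append(f"unsupported key type(s): {' '.join(bad)}")
    weak = [e for e in encrypt if e in WEAK_ENCRYPT]
    if weak:
        warnings.append(f"weak key type(s) enabled: {' '.join(weak)}")
    return errors, warnings


def build_realm_command(verb: str, kerbname: str, password: str | None,
                        mintktlfe: int, deftktlfe: int, maxtktlfe: int,
                        encrypt: tuple[str, ...], checkaddrs: bool = False,
                        allow_weak: bool = False) -> str:
    """Render RDEFINE (create) or RALTER (change) for the KERBDFLT profile.

    Raises ValueError instead of emitting a command that would fail or, unless
    allow_weak is set, one that enables a DES key type. RDEFINE must carry a
    PASSWORD (note 2); RALTER may omit it when only other settings change.
    """
    if verb not in ("RDEFINE", "RALTER"):
        raise ValueError("verb must be RDEFINE or RALTER")
    if verb == "RDEFINE" and password is None:
        raise ValueError("RDEFINE requires a PASSWORD")
    errors, warnings = validate_realm(kerbname, password, mintktlfe,
                                      deftktlfe, maxtktlfe, encrypt)
    if errors or (warnings and not allow_weak):
        raise ValueError("; ".join(errors + warnings))
    parts = [f"KERBNAME({kerbname})"]
    if password is not None:
        # Case is preserved (note 3): never upper-case the password value.
        parts.append(f"PASSWORD({password})")
    parts += [f"MINTKTLFE({mintktlfe})", f"DEFTKTLFE({deftktlfe})",
              f"MAXTKTLFE({maxtktlfe})",
              "CHECKADDRS" if checkaddrs else "NOCHECKADDRS",
              f"ENCRYPT({' '.join(encrypt)})"]
    return f"{verb} REALM KERBDFLT KERB({' '.join(parts)})"


if __name__ == "__main__":
    # Constructed sample: AES-only realm, 15 s minimum, 10 h default, 24 h max.
    print(build_realm_command("RDEFINE", "KRB390.EXAMPLE.COM", "Kerb3rosPw",
                              15, 36000, 86400, ("AES256SHA2", "AES128SHA2")))
    # Later change that drops a legacy key type without touching the password.
    print(build_realm_command("RALTER", "KRB390.EXAMPLE.COM", None,
                              15, 36000, 86400, ("AES256SHA2",)))
```

Run it on a workstation and paste the printed commands into TSO; the RALTER form is the one to use when you later remove a DES type from an existing realm, since it leaves the realm password (and therefore the derived keys) unchanged.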

Important: If your installation shares the RACF database with systems running different releases of z/OS, administer local Network Authentication Service realms from only the highest level z/OS system. If you alter local realms from a lower level z/OS system, the realms might lose the use of z/OS Network Authentication Service keys supported on higher levels of z/OS. In addition, if you list realm information using the RLIST command on a lower level z/OS system, you might receive inconsistent information.