You can use an LDAP server to store certificate revocation lists (CRLs)
or Basic Authentication credentials. When CRLs or credentials are stored
in the LDAP server, you must authorize CICS® to access them.
About this task
Certificate revocation lists and passwords are stored in
the LDAP server with an access class of critical, so they can be
accessed only by a user who has provided authentication credentials
at LDAP bind time. These credentials are a user's distinguished name
and its associated password. You can save these details in a specialized
profile in the LDAPBIND RACF® class.
To set up the profile, follow these steps:
Procedure
- The password that is used in the profile must be encrypted
before it is stored in the RACF database.
To encrypt the password, you must store a password encryption key
in the KEYSMSTR RACF class
by issuing one of the following RACF commands:
- Create the profile using the following RACF command:
RDEFINE LDAPBIND profile-name
PROXY(LDAPHOST(ldap-url)
BINDDN('ldap-distinguished-name')
BINDPW(password))
UACC(NONE)
where:
- profile-name
- is the name of the RACF profile
whose PROXY segment contains the following LDAP bind parameters.
- ldap-url
- is a fully qualified URL of the LDAP server to be accessed; for
example,
LDAP://EXAMPLE.COM:3389.
- ldap-distinguished-name
- is the distinguished name of an LDAP user authorized to inquire
on certificate revocation list attributes from the server; for example,
CN=LDAPADMIN.
- password
- is the password that authenticates the LDAP user. The password
is case-sensitive.
- Authorize each CICS region
user ID to access the appropriate bind credentials in the LDAPBIND class
by issuing one or more commands of the following form. READ access is
sufficient; do not grant a higher access level, and because the profile
was defined with UACC(NONE), only the user IDs you permit can use it:
PERMIT profile-name CLASS(LDAPBIND)
ACCESS(READ)
ID(region-userid)
- Specify the profile name in the system initialization parameter CRLPROFILE for
each applicable CICS region.
Results
When you start a CICS region
with the profile name specified in the CRLPROFILE system
initialization parameter, the bind information for the LDAP server
is cached in the SSL environment for the CICS region, which is managed by z/OS® System SSL. When you issue the PERFORM
SSL REBUILD command for the CICS region,
the bind information for the LDAP server is refreshed from the external
security manager.
What to do next
If the CRLPROFILE parameter is specified
for a CICS region but is invalid,
or if the specified profile contains invalid data, or if the LDAP
server identified by the profile is unavailable when the CICS region starts, the CICS region disables its own access to the LDAP
server. Messages DFHSO0128 and DFHSO0129 report this problem.
To
restore access, you must fix the error and restart the CICS region. The PERFORM SSL REBUILD command
cannot restore access to the LDAP server after the CICS region has disabled it: the refresh
takes place only for an LDAP server that was available to the CICS region at the time when the command was
issued.
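As an added example (not code from the CICS documentation or from any IBM utility), the following Python script assembles the RACF commands from the procedure above, applies the checks a reviewer would make before submitting them (a fully qualified LDAP URL, UACC(NONE) with READ granted only to the named region user IDs, TSO apostrophe doubling inside the quoted BINDDN), emits the matching CRLPROFILE system initialization parameter, and models the startup and PERFORM SSL REBUILD behaviour described under Results and What to do next. The profile name, host, user IDs and password are constructed sample values; rejecting blanks, parentheses and apostrophes in the unquoted password is a conservative assumption of this script, not a documented RACF rule.

```python
"""Added example, not from the CICS documentation or any IBM utility: build
the RACF commands and SIT parameter for an LDAPBIND profile used for CRL
lookups, check them, and model the region's LDAP access across startup and
PERFORM SSL REBUILD as the documentation describes it. All host names, user
IDs and the password are constructed sample values."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# TSO/RACF quoted strings double any embedded apostrophe.
def racf_quote(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"

# Fully qualified LDAP URL: scheme, host and port, e.g. LDAP://EXAMPLE.COM:3389
_LDAP_URL = re.compile(r"^LDAP://[A-Za-z0-9.\-]+:\d{1,5}$", re.IGNORECASE)
# Assumption of this script: BINDPW is passed unquoted as in the documented
# command, so characters that would break the command parser are rejected.
_PW_UNSAFE = re.compile(r"[\s()']")

def build_ldapbind_commands(profile: str, ldap_url: str, bind_dn: str,
                            bind_pw: str, region_userids: List[str]) -> List[str]:
    """Return the RDEFINE and PERMIT commands for one LDAPBIND profile."""
    if not _LDAP_URL.match(ldap_url):
        raise ValueError(f"LDAP URL must be LDAP://host:port, got {ldap_url!r}")
    if not bind_pw or _PW_UNSAFE.search(bind_pw):
        raise ValueError("BINDPW must be non-empty and free of blanks, "
                         "parentheses and apostrophes")
    if not region_userids:
        raise ValueError("at least one CICS region user ID must be permitted")
    # The password is emitted unchanged: BINDPW is case-sensitive.
    cmds = [f"RDEFINE LDAPBIND {profile} "
            f"PROXY(LDAPHOST({ldap_url}) BINDDN({racf_quote(bind_dn)}) "
            f"BINDPW({bind_pw})) UACC(NONE)"]
    # Only the region user IDs get READ; UACC(NONE) denies everyone else.
    cmds += [f"PERMIT {profile} CLASS(LDAPBIND) ACCESS(READ) ID({uid})"
             for uid in region_userids]
    return cmds

def sit_parameter(profile: str) -> str:
    """System initialization parameter that names the profile for a region."""
    return f"CRLPROFILE={profile}"

@dataclass
class RegionLdapAccess:
    """Documented behaviour: a missing or invalid profile, or an LDAP server
    that is unavailable at startup, disables LDAP access for the life of the
    region (DFHSO0128/DFHSO0129). PERFORM SSL REBUILD refreshes the cached
    bind information from the external security manager but never re-enables
    access that the region has disabled."""
    crlprofile: Optional[str]
    cached_bind: Optional[Dict[str, str]] = None
    disabled: bool = False
    messages: List[str] = field(default_factory=list)

    def start(self, esm_profiles: Dict[str, Dict[str, str]],
              ldap_available: bool) -> bool:
        """Region startup; returns True if LDAP access was established."""
        if self.crlprofile is None:
            return False                       # no CRL checking configured
        prof = esm_profiles.get(self.crlprofile)
        if prof is None or not ldap_available:
            self.disabled = True
            self.messages += ["DFHSO0128", "DFHSO0129"]
            return False
        self.cached_bind = dict(prof)          # cached in the System SSL environment
        return True

    def perform_ssl_rebuild(self, esm_profiles: Dict[str, Dict[str, str]],
                            ldap_available: bool) -> bool:
        """Returns True if the bind information was refreshed from the ESM."""
        if self.disabled or not ldap_available:
            return False                       # only a restart after a fix helps
        prof = esm_profiles.get(self.crlprofile)
        if prof is None:
            return False
        self.cached_bind = dict(prof)
        return True

if __name__ == "__main__":
    for cmd in build_ldapbind_commands("CICS.CRL.BIND", "LDAP://EXAMPLE.COM:3389",
                                       "CN=LDAPADMIN", "S3cretPw",
                                       ["CICSRG1", "CICSRG2"]):
        print(cmd)
    print(sit_parameter("CICS.CRL.BIND"))
```

The state model is the operational point worth remembering: rotating the bind password is a change to the LDAPBIND profile followed by PERFORM SSL REBUILD, with no restart, but only for a region that established LDAP access at startup; a region that started while the LDAP server was down needs a restart after the fix.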