Configuring RACF for Kerberos

You must configure an external security manager, such as RACF®, to enable support for Kerberos.

Note: These instructions apply only to the use of local principals.

Procedure

  1. Enable RACF protection for Kerberos. Activate the KERBLINK class, which holds the mapping between Kerberos principals and RACF user IDs, by using the RACF SETROPTS command:
    SETROPTS CLASSACT(KERBLINK)
    For more information about the SETROPTS command, see z/OS Security Server RACF Command Language Reference.
  2. To set up a CICS® region to use Kerberos, define a service principal name and associate it with a user ID, as follows:
    1. Specify the KERBEROSUSER system initialization parameter.
      This parameter enables support for the Kerberos service in the region and specifies the user ID to be associated with the Kerberos service principal. Use a non-protected user ID: a protected user ID has no password, and RACF generates a user's Kerberos key only when that user's password is set or changed (see step 4), so a protected ID would never receive a key.
    2. Use the ALTUSER command to associate the service principal name with the user ID you specify in KERBEROSUSER.
      ALTUSER user_id KERB(KERBNAME(service_principal))
  3. Associate a RACF user ID with the client principal by using the ALTUSER command:
    ALTUSER userid PASSWORD(password) NOEXPIRED KERB(KERBNAME(client_principal))
    Alternatively, you can associate a single default user ID with every principal in a realm that has no explicit mapping, by defining a KERBLINK profile for the realm:
    RDEFINE KERBLINK /.../realm APPLDATA('userid')

    where userid is the local user ID to be associated with all unmapped principals for the realm realm.

  4. For a principal to authenticate, a Kerberos key must exist for the associated user ID. RACF derives the key from the user's password, so it is generated automatically the next time that user's password is set or changed; until a password change has occurred after the KERB segment is added, the mapping is in place but the principal cannot be used.
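The steps above collected into a single TSO batch job, as an added example that is not part of the CICS documentation. All names are assumptions chosen for illustration: CICSKERB is the user ID named on KERBEROSUSER, cics/cicsa.example.com is the service principal, KRBUSER1 and alice are a client user ID and its local principal, and KRB.EXAMPLE.COM is the local realm. The ENCRYPT subkeyword is an added hardening choice, not part of the procedure on this page; the values it accepts depend on your RACF level.

```jcl
//RACFKERB JOB (ACCT),'RACF KERBEROS SETUP',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*-------------------------------------------------------------------*
//* Added example (not from the CICS documentation).                  *
//* Runs the RACF commands of the Kerberos procedure as one batch     *
//* job under IKJEFT01. Every user ID, principal and realm below is   *
//* an assumed placeholder; replace them with your own values.        *
//*                                                                   *
//* The job sets a cleartext password for the client user ID, so      *
//* treat the JCL as sensitive and delete it after the job runs.      *
//*                                                                   *
//* Order of the SYSTSIN commands:                                    *
//*  1. Activate the KERBLINK class.                                  *
//*  2. Map the service principal to the KERBEROSUSER user ID         *
//*     (CICSKERB must also be coded as KERBEROSUSER=CICSKERB in the  *
//*     region's SIT).                                                *
//*  3. Map a client principal to a user ID, supplying a password so  *
//*     that RACF generates the Kerberos key at the same time, and    *
//*     optionally define a default mapping for the whole realm.      *
//*  4. Display the result so the KERB segments can be checked.       *
//*-------------------------------------------------------------------*
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD   SYSOUT=*
//SYSTSIN  DD   *
  SETROPTS CLASSACT(KERBLINK)
  ALTUSER CICSKERB KERB(KERBNAME(cics/cicsa.example.com))
  ALTUSER KRBUSER1 PASSWORD(CHANGEME) NOEXPIRED -
    KERB(KERBNAME(alice) ENCRYPT(AES256 AES128 NODES NODES3 NODESD))
  RDEFINE KERBLINK /.../KRB.EXAMPLE.COM APPLDATA('KRBDFLT')
  LISTUSER CICSKERB KERB NORACF
  LISTUSER KRBUSER1 KERB NORACF
  SEARCH CLASS(KERBLINK)
/*
```

The two LISTUSER commands show each user's KERB segment, which is where the assigned KERBNAME appears; SEARCH CLASS(KERBLINK) lists the principal-to-user-ID mapping profiles that now exist in the class, including the realm default defined with RDEFINE. If KRBUSER1 is not yet able to authenticate after the job, confirm that its password was actually changed by the job (that is, that the ALTUSER PASSWORD command did not fail), since the key is only generated on a password change.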