Authorized applications, such as servers, can invoke the R_dcekey
callable service (IRRSDK00) to enable z/OS® DCE to retrieve or set
a DCE password (a key), or to retrieve an LDAP bind password. The
following functions are supported:
- Retrieve a DCE password from a user profile's DCE segment. (The
password is decrypted using the key that was stored in the user's
DCE segment when the password was encrypted.)
- Set the DCE password in a user profile's DCE segment. (The password
is encrypted using the key stored in the DCE.PASSWORD.KEY profile
in the KEYSMSTR class.)
- Retrieve the LDAP bind password from the PROXY segment of a general
resource profile in the LDAPBIND class or from the IRR.PROXY.DEFAULTS
profile in the FACILITY class. (The password is decrypted using the
key that was stored in the profile's PROXY segment when the password
was encrypted, for example when the RDEFINE or RALTER PROXY command
was issued.)
For detailed information about invoking the R_dcekey callable
service, see z/OS Security Server RACF Callable Services.
For callers not running in system key or supervisor state, all
of the following conditions must be met:
When authorizing applications using the BPX.SERVER resource,
the caller is defined as the user ID associated with the ACEE of the
address space. When authorizing applications using the IRR.RDCEKEY
resource, the caller is defined as the user ID associated with the
ACEE of the current TCB or, if no ACEE is associated with the current
TCB, then the ACEE associated with the address space is used to locate
the user ID.