z/OS Security Server RACF Security Administrator's Guide


Example

SA23-2289-00

Jamal's Bank has contracted with VeriSign to provide certificates to its customers and its account representatives. Both customers and account representatives access the company's systems through SSL. Customer SSL connections go through system A (SYSID=SYSA) and are only allowed access to general information about the company's offerings. Account representatives connect through system B (SYSID=SYSB) and need access to confidential customer information. Both systems A and B share the RACF® database.

The application that serves the company's data invokes initACEE and passes each user's certificate together with information about the SSL encryption level used by that user to connect to the system. This information is passed to initACEE as a variable called ENCRLVL, and the application assigns the following values based on the SSL encryption strength of the connection:
HIGH
    SSL encryption strength using at least 128-bit encryption
LOW
    SSL encryption strength using 40-bit encryption
The RACDCERT MAP and RDEFINE DIGTCRIT commands shown in Figure 1 set up an issuer's name filter that maps to multiple user IDs based on SYSID and ENCRLVL. In this example, a certificate is available for use as a model in data set 'JAMALDC'. The certificate contains the following issuer's name:
OU=Jamal's Bank General Subscriber.O=VeriSign, Inc.L=Internet
Figure 1. Sample RACDCERT MAP and RDEFINE commands using multiple criteria
RACDCERT MULTIID MAP('JAMALDC') WITHLABEL('All Jamal''s Users')
         IDNFILTER('OU') CRITERIA(SYSID=&SYSID.ENCRLVL=&ENCRLVL)
SETROPTS RACLIST(DIGTNMAP) REFRESH

SETROPTS GENERIC(DIGTCRIT)
RDEFINE  DIGTCRIT SYSID=SYSB.ENCRLVL=HIGH APPLDATA('ACCTREP')
RDEFINE  DIGTCRIT SYSID=SYSB.ENCRLVL=*    APPLDATA('GENERAL')
RDEFINE  DIGTCRIT SYSID=SYSA.ENCRLVL=*    APPLDATA('GENERAL')
SETROPTS RACLIST(DIGTCRIT) REFRESH
The issuer's name filter created in Figure 1 associates the following user IDs:
GENERAL
    For all customers, and for account representatives connecting with low-strength encryption.
ACCTREP
    For account representatives connecting with high-strength encryption.
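The following Python model is an added example, not part of the IBM documentation and not RACF code. It walks through how the CRITERIA template in Figure 1 is filled in with the SYSID and ENCRLVL values, how the resulting DIGTCRIT resource name is matched against the three profiles defined on the page, and which APPLDATA user ID each connection resolves to. The matching rules are a deliberate simplification of RACF generic profile matching (a `*` value in a profile segment matches any value, and the most specific matching profile wins); the `substitute`, `profile_matches`, `specificity` and `resolve_user_id` functions are this example's own names. When no profile matches, the model returns `None`; how RACF itself handles that case is not covered on this page.

```python
"""
Added example (not from the IBM RACF documentation): a small model of how an
issuer's name filter with CRITERIA resolves to a user ID via DIGTCRIT profiles.
The template and the profiles below are the ones shown in Figure 1 on the page.
"""
import re

# CRITERIA template from the RACDCERT MAP command on the page.
CRITERIA = "SYSID=&SYSID.ENCRLVL=&ENCRLVL"

# DIGTCRIT profiles from the page: profile name -> APPLDATA (the user ID).
DIGTCRIT_PROFILES = {
    "SYSID=SYSB.ENCRLVL=HIGH": "ACCTREP",
    "SYSID=SYSB.ENCRLVL=*": "GENERAL",
    "SYSID=SYSA.ENCRLVL=*": "GENERAL",
}


def substitute(template, variables):
    """Replace each &NAME in the template with the value supplied for it.

    SYSID comes from the system and ENCRLVL from the application (initACEE);
    the model simply takes both as a dictionary.  A variable with no value
    cannot form a resource name, so that is treated as an error.
    """
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"no value supplied for criteria variable &{name}")
        return variables[name]
    return re.sub(r"&([A-Z0-9]+)", repl, template)


def profile_matches(profile, resource):
    """Segment-by-segment comparison of KEY=VALUE pairs separated by '.'.

    Simplified generic matching: a profile value of '*' matches any value.
    """
    p_segs = profile.split(".")
    r_segs = resource.split(".")
    if len(p_segs) != len(r_segs):
        return False
    for p_seg, r_seg in zip(p_segs, r_segs):
        p_key, _, p_val = p_seg.partition("=")
        r_key, _, r_val = r_seg.partition("=")
        if p_key != r_key:
            return False
        if p_val != "*" and p_val != r_val:
            return False
    return True


def specificity(profile):
    """Number of non-wildcard segments; higher means a more specific profile."""
    return sum(1 for seg in profile.split(".") if not seg.endswith("=*"))


def resolve_user_id(variables, profiles=DIGTCRIT_PROFILES, criteria=CRITERIA):
    """Fill in the criteria, find matching DIGTCRIT profiles, return the
    APPLDATA of the most specific one, or None if nothing matches."""
    resource = substitute(criteria, variables)
    candidates = [name for name in profiles if profile_matches(name, resource)]
    if not candidates:
        return None
    best = max(candidates, key=specificity)
    return profiles[best]


if __name__ == "__main__":
    # Constructed sample connections: each (SYSID, ENCRLVL) pair the page discusses,
    # plus a system with no DIGTCRIT profile at all.
    for sysid, encrlvl in [("SYSB", "HIGH"), ("SYSB", "LOW"),
                           ("SYSA", "HIGH"), ("SYSA", "LOW"), ("SYSC", "HIGH")]:
        user = resolve_user_id({"SYSID": sysid, "ENCRLVL": encrlvl})
        print(f"SYSID={sysid} ENCRLVL={encrlvl:<4} -> {user}")
```

Running the script shows the point of the three profiles: ACCTREP is reached only when both conditions hold (system B and 128-bit encryption), a 40-bit connection on system B falls through to the generic SYSB profile and gets GENERAL, and any connection on system A gets GENERAL regardless of encryption strength. A system with no DIGTCRIT profile (SYSC in the constructed input) resolves to nothing, which is the case an administrator should check for after adding a system that shares the RACF database.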

Copyright IBM Corporation 1990, 2014