You can define and store encryption keys that can be used to encrypt and decrypt data stored in profiles in the RACF® database. These keys are stored in the SSIGNON segment of profiles in the KEYSMSTR class.

The following profiles in the KEYSMSTR class are used to hold the keys used to encrypt and decrypt the following types of passwords:

Table 1. KEYSMSTR class profiles

Profile | Purpose |
---|---|
DCE.PASSWORD.KEY | Contains the key used to encrypt DCE user passwords or Distributed File Service (DFS) Server Message Block (SMB) user passwords that are stored in the DCE segment of a user profile. |
LDAP.BINDPW.KEY | Contains the key used to encrypt LDAP BIND passwords in the PROXY segments of USER or FACILITY class profiles for use by the z/OS LDAP server when acting as a proxy for a requester. |

Rules:
- Each profile must be defined using a discrete profile named exactly as shown.
- You must define an encryption key in the LDAP.BINDPW.KEY profile before you can store an LDAP BIND password in the PROXY segment of either of the following profile types:
  - User profiles, by using the PROXY BINDPW operands of the ADDUSER or ALTUSER commands
  - Resource profiles, by using the PROXY BINDPW operands of the RDEFINE or RALTER commands

  Similarly, you must define an encryption key in the DCE.PASSWORD.KEY profile before users can store DCE or DFS SMB user passwords in the RACF database, or before the DCE single signon feature can be used.
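
The ordering required by the rules above, written out as a RACF command sequence. This is an added example, not taken from the IBM documentation page. The user ID LDAPSRV, the host URL, the bind DN and the two angle-bracket values are constructed placeholders.

```tso
/* Added example. LDAPSRV, the LDAP URL and the bind DN are          */
/* constructed placeholders; substitute your own values.             */

/* Activate the class that holds the key profiles.                   */
SETROPTS CLASSACT(KEYSMSTR)

/* 1. Define the key in a discrete profile named exactly             */
/*    LDAP.BINDPW.KEY. The key goes in the SSIGNON segment.          */
/*    KEYENCRYPTED needs a cryptographic product installed and       */
/*    active on the system; KEYMASKED is the alternative operand     */
/*    and only masks the key.                                        */
RDEFINE KEYSMSTR LDAP.BINDPW.KEY UACC(NONE) SSIGNON(KEYENCRYPTED(<16-hex-digit-key>))

/* 2. Check that the segment exists before any password is stored.   */
/*    RLIST reports the protection method, not the key value.        */
RLIST KEYSMSTR LDAP.BINDPW.KEY SSIGNON

/* 3. Only after the key exists, store the LDAP BIND password in     */
/*    the PROXY segment of the user profile.                         */
ALTUSER LDAPSRV PROXY(LDAPHOST(ldap://ldap.example.com:389) BINDDN('cn=proxy,o=example') BINDPW(<bind-password>))
```

The same sequence applies to DCE.PASSWORD.KEY, whose key must be defined before DCE or DFS SMB passwords are stored.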