z/OS Security Server RACF Security Administrator's Guide


Storing encryption keys using the KEYSMSTR class

SA23-2289-00

You can define and store encryption keys that are used to encrypt and decrypt data stored in profiles in the RACF® database. These keys are kept in the SSIGNON segment of profiles in the KEYSMSTR class. The following KEYSMSTR profiles hold the keys used to encrypt and decrypt these types of passwords:
Table 1. KEYSMSTR class profiles

Profile             Purpose
DCE.PASSWORD.KEY    Contains the key used to encrypt DCE user passwords, or Distributed File Service (DFS) Server Message Block (SMB) user passwords, that are stored in the DCE segment of a user profile.
LDAP.BINDPW.KEY     Contains the key used to encrypt LDAP BIND passwords in the PROXY segments of USER or FACILITY class profiles, for use by the z/OS LDAP server when it acts as a proxy for a requester.
Rules:
  1. Each profile must be defined using a discrete profile named exactly as shown.
  2. You must define an encryption key in the LDAP.BINDPW.KEY profile before you can store an LDAP BIND password in the PROXY segment of either of the following profile types:
     a. User profiles, by using the PROXY BINDPW operands of the ADDUSER or ALTUSER commands
     b. Resource profiles, by using the PROXY BINDPW operands of the RDEFINE or RALTER commands

    Similarly, you must define an encryption key in the DCE.PASSWORD.KEY profile before users can store DCE or DFS SMB user passwords in the RACF database, or before the DCE single signon feature can be used.
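The following REXX exec is an added example of the order these rules require, not a sample from the manual: it defines both KEYSMSTR key profiles, verifies them, and only then stores an LDAP BIND password in a PROXY segment. The key value, ICSF key label, LDAP host, bind DN, password and user ID are placeholders, and the exec assumes the issuing user has the authority to define KEYSMSTR profiles and alter user profiles.

```rexx
/* REXX - added example, not taken from the RACF manual.             */
/* Defines the two KEYSMSTR master-key profiles and then stores an    */
/* LDAP BIND password that depends on LDAP.BINDPW.KEY (rule 2).       */
/* All key values, labels, hosts, DNs and user IDs are placeholders.  */
ADDRESS TSO

/* 1. Key for LDAP BIND passwords. KEYMASKED stores the 16-hex-digit  */
/*    key in masked (not encrypted) form in the RACF database.        */
"RDEFINE KEYSMSTR LDAP.BINDPW.KEY",
   "SSIGNON(KEYMASKED(0123456789ABCDEF))"
if rc <> 0 then do
   say 'RDEFINE LDAP.BINDPW.KEY failed, rc=' rc
   exit rc
end

/* 2. Key for DCE / DFS SMB passwords. KEYENCRYPTED names an ICSF key */
/*    label instead, so the key material stays under ICSF protection. */
"RDEFINE KEYSMSTR DCE.PASSWORD.KEY",
   "SSIGNON(KEYENCRYPTED(DCE.MASTER.KEY.LABEL))"
if rc <> 0 then do
   say 'RDEFINE DCE.PASSWORD.KEY failed, rc=' rc
   exit rc
end

/* 3. Verify the profiles. RLIST reports whether a masked or          */
/*    encrypted key is present but never displays the key value.      */
"RLIST KEYSMSTR LDAP.BINDPW.KEY SSIGNON"
"RLIST KEYSMSTR DCE.PASSWORD.KEY SSIGNON"

/* 4. Only now can a PROXY segment hold a BIND password; issued       */
/*    before step 1 this ALTUSER would be rejected.                   */
"ALTUSER LDAPPRXY PROXY(LDAPHOST(ldap://ldap.example.com:389)",
   "BINDDN('cn=proxyadmin,o=example') BINDPW('placeholder-pw'))"
say 'ALTUSER rc=' rc
exit rc
```

Once both keys exist, the same PROXY BINDPW operands work on RDEFINE and RALTER for FACILITY class profiles, and DCE segment passwords can be stored under DCE.PASSWORD.KEY.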





Copyright IBM Corporation 1990, 2014