If your installation has implemented automatic direction and you
want to define multiple realms, you should review your current RRSF
implementation in view of these important considerations:
- The KERB segment of the RACF® user profile defines a user as a local principal. If KERB segment information is directed to a remote RRSF node, users will be defined as local principals on all z/OS Network Authentication Service servers that share that RACF database.
- RACF does not distinguish between user passwords and passwords assigned to local principals for key generation. The same is true for password phrases. If user passwords and password phrases are synchronized with a remote RRSF node, keys will be generated for those users on the remote node and they will be recognized as local principals by all z/OS Network Authentication Service servers that share that RACF database.
- REALM class profiles define information about local and foreign realms. If these profiles are propagated to a remote RRSF node, all z/OS Network Authentication Service servers that share that RACF database will have duplicate local and foreign realm definitions.
- KERBLINK class profiles map foreign principals to local RACF user IDs, and control which users are authorized to use the SKRBKDC started procedure to decrypt service tickets for a given principal. If KERBLINK profiles are propagated to a remote RRSF node, all z/OS Network Authentication Service servers sharing that RACF database will attempt to map those foreign principals to the same RACF user IDs, and allow the users authorized by the KERBLINK profiles to use SKRBKDC to decrypt service tickets for the given principal.
For more information, see z/OS Integrated Security Services Network Authentication Service Administration.
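The RACF commands below are an added illustration, not taken from this page, showing one way to keep the profile types listed above from being automatically directed to a remote node while the rest of automatic direction stays in place. They assume the remote node name NODE2 and the user ID KRBSVC as placeholders, and they assume RRSF's RRSFDATA-class filtering profiles (AUTODIRECT.node.class.profile for command direction and AUTOPWD.node.userid for password synchronization): a user whose command matches such a profile without READ access to it does not have that update directed. Confirm the exact profile naming for your release in the RACF Security Administrator's Guide and Command Language Reference before using it; the /* */ lines are annotations, not part of the commands.

```tso
/* Added example, not from the original page. NODE2 and KRBSVC are      */
/* placeholders; verify RRSFDATA profile naming for your RACF release.  */

/* Make sure the RRSFDATA class is active and RACLISTed (skip if it     */
/* already is).                                                         */
SETROPTS CLASSACT(RRSFDATA) RACLIST(RRSFDATA)

/* Keep REALM and KERBLINK class commands from being automatically      */
/* directed to NODE2, so the remote database does not receive           */
/* duplicate local/foreign realm definitions or principal mappings.     */
RDEFINE RRSFDATA AUTODIRECT.NODE2.REALM.** UACC(NONE)
RDEFINE RRSFDATA AUTODIRECT.NODE2.KERBLINK.** UACC(NONE)

/* Keep password and password phrase changes for a local principal from */
/* being synchronized to NODE2, so no Kerberos key is generated for     */
/* that user on the remote node.                                        */
RDEFINE RRSFDATA AUTOPWD.NODE2.KRBSVC UACC(NONE)

/* KERB segment data travels with USER class commands (ALTUSER, ADDUSER). */
/* RRSFDATA filtering is per class and profile name, not per segment, so  */
/* excluding the user's USER class commands stops KERB segment            */
/* propagation as well (and every other update to that user profile).     */
RDEFINE RRSFDATA AUTODIRECT.NODE2.USER.KRBSVC UACC(NONE)

/* Activate the new profiles and review what is now in effect.          */
SETROPTS RACLIST(RRSFDATA) REFRESH
RLIST RRSFDATA *
```

Because the exclusion for the KERB segment has to be expressed at the USER profile level, check the RLIST output against the list of users you actually intend to keep local to one realm; an overly broad AUTODIRECT.node.USER.** profile would also stop ordinary user administration from reaching the remote node.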