Chapter 7. Administration Considerations
This chapter summarizes the changes to administration procedures that the security
administrator should be aware of. For more information, see
OS/390 Security
Server (RACF) Security Administrator's Guide
.
OS/390 OpenEdition DCE
The interoperation of RACF with OS/390 OpenEdition DCE enables DCE
application servers on MVS to map a DCE user identity
(principal)
to a RACF user
ID. The mapping of a DCE principal to a RACF user ID is known as
cross-linking
.
The cross-linking information contained in the RACF database can be used by:
OS/390 OpenEdition DCE, for determining which MVS users are eligible for
OS/390 OpenEdition DCE single signon to DCE
Application servers residing on OS/390, to determine the RACF user ID of
clients. For more information on application servers and their use of identity
cross-linking contained in RACF, see “OS/390 OpenEdition DCE Application
Considerations” on page 39.
To support the
cross-linking
and
single signon to DCE
features, RACF provides:
The DCE segment for the RACF user profile
The DCEUUIDS general resource class
The DCE segment, defined to the RACF user profile, associates a DCE principal
with the RACF user profile. See Figure 17 on page 20 for the contents of the DCE
segment.
The DCEUUIDS general resource class contains the cross-linking information for
each RACF/DCE user. Profiles defined to the RACF DCEUUIDS class associate a
DCE principal with a RACF user ID on a particular system that is part of a DCE
cell.
The security administrator must work with the DCE administrator to define RACF
profiles to support the
cross-linking
and
single signon to DCE
features.
Cross-Linking Between RACF Users and DCE Principals
Profiles in the DCEUUIDS class establish a cross-link between a DCE principal
UUID and a RACF user ID. Two OpenEdition DCE utilities administer DCE
information in the RACF database and create the initial cross-link information
between the RACF user profile and the DCE principal registry:
mvsimpt is a two-pass utility that creates DCE principal entries in the DCE
registry for the set of RACF users chosen to be cross-linked, based on
the output from the RACF database unload utility. The unloaded RACF
database is sorted by the administrator according to RACF user IDs with
a RACF DCE segment and filtered by the utility according to processed
entries from previous mvsimpt and mvsexpt processing.
mvsexpt is a two-pass utility that populates a RACF database with information for
a set of DCE principals. It creates and updates the RACF DCE
segment for each DCE principal being cross-linked with the RACF
Copyright IBM Corp. 1994, 1996 37