Support User Manuals

IBM GC28-1920-01 Server User Manual

Open as PDF

of 110

database. The mvsexpt utility takes a specified input file or the DCE

registry for each principal specified and creates the RACF DCE segment

and profiles in the RACF general resource class, DCEUUIDS.

For more information on these utilities, see

OpenEdition DCE Administration Guide

.

Although you can administer the DCEUUIDS profiles using the RACF RDEFINE

and RALTER commands, it is

strongly recommended

that you use the OS/390

OpenEdition DCE utilities.

Attention

Changing the UUID or HOMEUUID fields in a user profile DCE segment via

RACF commands (such as ADDUSER, ALTUSER, or DELUSER) does

not

update DCEUUIDS class profiles. It is strongly recommended that you use the

OS/390 OpenEdition DCE utilities to maintain the DCE information contained

within RACF.

The OS/390 OpenEdition DCE utilities maintain a file of users that have been

processed. If you perform subsequent administration, and do not use the

utilities, the processed entry file might not be accurate. Inaccuracies in this file

can cause unpredictable results the next time the OpenEdition DCE utilities are

used.

Activating the DCEUUIDS Class

Before OS/390 OpenEdition DCE can use profiles defined to the DCEUUIDS class,

the security administrator must activate the class. To activate the DCEUUIDS class

enter:

SETROPTS CLASSACT(DCEUUIDS)

Single Signon to DCE

RACF support for OS/390 OpenEdition DCE provides for a

single signon to DCE

.

OS/390 OpenEdition DCE single signon signs an MVS user on to DCE

automatically if that user has already been authenticated by RACF. To start single

signon to DCE processing, the following conditions must be met:

 The security administrator has requested single signon to DCE processing for

the user.

 The security administrator has defined the DCE encryption key.

 The user is not currently logged into DCE.

 The user invokes a DCE application.

 The user is defined as a DCE principal to the DCE registry.

Before OpenEdition DCE single signon support can be invoked for an MVS user,

the MVS user must be enrolled for single signon to DCE. To enroll:

 RACF setup procedures for DCE interoperability must be completed.

 A DCE segment must be created for the MVS user in the RACF user profile.

The user profile DCE segment must contain the user's DCE information.

 The AUTOLOGIN value in the user's DCE segment must be set to YES to

invoke single signon processing. If the value is set to NO, single signon to

DCE processing does not occur.

38 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

previous next