database. The mvsexpt utility takes a specified input file or the DCE
registry for each principal specified and creates the RACF DCE segment
and profiles in the RACF general resource class, DCEUUIDS.
For more information on these utilities, see
OpenEdition DCE Administration Guide
.
Although you can administer the DCEUUIDS profiles using the RACF RDEFINE
and RALTER commands, it is
strongly recommended
that you use the OS/390
OpenEdition DCE utilities.
Attention
Changing the UUID or HOMEUUID fields in a user profile DCE segment via
RACF commands (such as ADDUSER, ALTUSER, or DELUSER) does
not
update DCEUUIDS class profiles. It is strongly recommended that you use the
OS/390 OpenEdition DCE utilities to maintain the DCE information contained
within RACF.
The OS/390 OpenEdition DCE utilities maintain a file of users that have been
processed. If you perform subsequent administration, and do not use the
utilities, the processed entry file might not be accurate. Inaccuracies in this file
can cause unpredictable results the next time the OpenEdition DCE utilities are
used.
Activating the DCEUUIDS Class
Before OS/390 OpenEdition DCE can use profiles defined to the DCEUUIDS class,
the security administrator must activate the class. To activate the DCEUUIDS class
enter:
SETROPTS CLASSACT(DCEUUIDS)
Single Signon to DCE
RACF support for OS/390 OpenEdition DCE provides for a
single signon to DCE
.
OS/390 OpenEdition DCE single signon signs an MVS user on to DCE
automatically if that user has already been authenticated by RACF. To start single
signon to DCE processing, the following conditions must be met:
The security administrator has requested single signon to DCE processing for
the user.
The security administrator has defined the DCE encryption key.
The user is not currently logged into DCE.
The user invokes a DCE application.
The user is defined as a DCE principal to the DCE registry.
Before OpenEdition DCE single signon support can be invoked for an MVS user,
the MVS user must be enrolled for single signon to DCE. To enroll:
RACF setup procedures for DCE interoperability must be completed.
A DCE segment must be created for the MVS user in the RACF user profile.
The user profile DCE segment must contain the user's DCE information.
The AUTOLOGIN value in the user's DCE segment must be set to YES to
invoke single signon processing. If the value is set to NO, single signon to
DCE processing does not occur.
38 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration