IBM GC28-1920-01 Server User Manual


The MVS user must have saved the current DCE password in the RACF DCE segment by invoking the DCE storepw command.

Note: Users still need to maintain their passwords for RACF and OpenEdition DCE separately, and must use the DCE storepw command to keep the DCE password that is stored in RACF current.

Single signon support is not intended to be used by application servers. Single signon support should be enabled only for end users. For more information on single signon restrictions, see OpenEdition DCE Administration Guide.
Specifying the DCE Encryption Key

The RACF KEYSMSTR class is a general resource class that contains the DCE.PASSWORD.KEY profile. This profile holds the encryption key that is used for encrypting and decrypting a user's DCE password for use in OpenEdition DCE single signon support. The profile defined to the KEYSMSTR class contains an SSIGNON segment that holds either the masked or the encrypted value of the key that is used to encrypt DCE passwords stored in the RACF database. Before an OS/390 user can save a DCE password in the RACF database, and before the DCE single signon feature can be used, the security administrator must define the profile in the KEYSMSTR class that specifies the encryption key, and must activate the KEYSMSTR class.

If a cryptographic product is present on the system, the security administrator can specify the KEYENCRYPTED sub-operand on the SSIGNON operand of the RDEFINE or RALTER command. If the KEYENCRYPTED sub-operand is specified, the cryptographic product must be active when the security administrator defines the profile to the KEYSMSTR class.
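The following batch job is an added illustration of the procedure described above; it is not part of the IBM manual. It runs the RACF commands through the TSO batch processor (IKJEFT01) to define the DCE.PASSWORD.KEY profile with a masked key, activate the KEYSMSTR class, and list the profile to confirm it exists. The job card accounting information and the 16-hexadecimal-digit key value are constructed placeholders; the KEYMASKED sub-operand is the alternative to KEYENCRYPTED that does not require a cryptographic product.

```jcl
//DCEKEY   JOB (ACCT),'DEFINE DCE KEY',CLASS=A,MSGCLASS=H
//*
//* Added example, not from the IBM manual.
//* Defines the KEYSMSTR profile that holds the key used to
//* encrypt DCE passwords in the RACF database, then activates
//* the class.  The key value below is a placeholder: replace it
//* with a site-chosen 16-hexadecimal-digit value that is not
//* recorded anywhere else.
//*
//TSOCMD   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE KEYSMSTR DCE.PASSWORD.KEY +
    SSIGNON(KEYMASKED(0123456789ABCDEF))
  SETROPTS CLASSACT(KEYSMSTR)
  RLIST KEYSMSTR DCE.PASSWORD.KEY
/*
//
```

If a cryptographic product is installed and active, SSIGNON(KEYENCRYPTED(key-value)) can be used in place of KEYMASKED on the RDEFINE, or later on an RALTER of the same profile, so that the stored key is protected by the cryptographic product rather than by masking. Because the job stream carries the clear key value, the SYSTSIN input should be removed from the JES spool and the job library after the profile is defined.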
OS/390 OpenEdition DCE Application Considerations

OS/390 OpenEdition has two fundamental types of application servers:

Multithreaded applications
Single threaded applications

A multithreaded application has multiple sequential flows of control. In this type of application, more than one unit of work at a time is processed by the server application.

A single threaded application has one sequential flow of control. In this type of application, one unit of work is processed at a time by the application server.

OS/390 OpenEdition provides an S/390 assembler callable service and support through the C runtime library. This support enables unauthorized multithreaded applications to create and delete a RACF ACEE in a fashion that is mediated and controlled by the MVS OpenEdition kernel and RACF. The term unauthorized refers to applications that are not APF-authorized and do not run in supervisor state or in a system storage protection key.
The pthread_security_np service enables multithreaded applications to customize the security environment of a thread, meaning that the thread can execute under a different RACF identity than the server. The use of the pthread_security_np callable service or the C runtime library pthread_security_np() API requires administration by the security administrator. Administrative considerations of the MVS OpenEdition pthread_security_np callable service are discussed in OS/390
Chapter 7. Administration Considerations 39